BLOCKCHAIN FOR AUDITORS
Andrew Clark
Data Economist
BlockScience
About Me
● B.S. in Business Administration with a concentration in Accounting, Summa Cum
Laude, from University of Tennessee at Chattanooga.
● M.S. in Data Science from Southern Methodist University.
● Ph.D. Candidate in Economics at the University of Reading, specializing in
International Monetary Policy.
● American Statistical Association Graduate Statistician (GStat), INFORMS Certified
Analytics Professional (CAP) and AWS Certified Solutions Architect – Associate.
● Experienced in designing, building and deploying numerous machine learning and
continuous monitoring solutions using open source technologies.
● Successfully developed and deployed an Audit Analytics program for a publicly
traded decentralized manufacturing company.
● Working as a Data Economist creating ecosystem economic design specifications
by employing mathematical engineering technologies to create novel solutions to
solve business problems.
Objectives
● Understand what Blockchain is
● Describe the differences between public and private blockchains
● Understand where blockchain can be useful to companies, and where it is
unnecessary
● What security considerations exist
● Be able to perform a basic Blockchain audit
What is Blockchain?
● A blockchain is a distributed ledger of transactions (DLT), recorded into blocks
that are linked together by cryptography into a ‘chain’.
● Originally introduced by Satoshi Nakamoto, an unknown individual or group of
individuals, in a whitepaper titled ‘Bitcoin: A Peer-to-Peer Electronic Cash
System’ via a cryptography email list.
Signal vs Noise
Blockchain != Cryptocurrency
● Common confusion of Blockchain = Bitcoin
● Blockchain, as previously defined, was initially created as part of Bitcoin, but
its usefulness outside Bitcoin was quickly ascertained.
● Examples:
○ Traceability of fish, where they were farmed/caught.
○ Traceability of agriculture
○ International money transfers (see next two slides)
■ JP Coin
What are cryptocurrencies?
● Bitcoin has a finite number of coins that can be ‘minted’, imposing scarcity.
○ Sometimes called “digital gold”.
● Held for speculative purposes, used on a small scale as money.
● Grand dreams of creating a monetary system outside the reach of
governments and the banking system - “decentralized”.
● Plagued by:
○ Lack of respect for economics and history
○ Silicon Valley superiority complex
○ Lack of rigor in designing currencies
○ Too many cryptocurrencies vying for supremacy.
What are cryptocurrencies? Cont.
● Are cryptocurrencies ‘real’ money?
● Are cryptocurrencies viable, stable assets? Examined in detail by yours truly and
my PhD advisor, Dr. Alexander Mihailov, in a paper entitled: “Why private
cryptocurrencies cannot serve as international reserves but central bank digital
currencies can”.
○ Hint: they are not.
What is a public and what is a private blockchain?
● So far we have talked about public blockchains, where anyone can download
the entire blockchain, examine it, and/or begin mining.
● Private blockchains restrict access to only specific individuals/groups.
When is blockchain useful?
● As previously highlighted briefly, blockchain implementations are being
used/developed for:
○ Traceability/accountability applications, such as Fair Trade product
tracking
○ International money movement:
■ SWIFT
■ JP Morgan
■ Etc.
○ International trade
○ Digital Identity
When is it not?
● Whenever possible, try to use a regular database.
● Many companies wanting to ‘be innovative like Silicon Valley’ - a pernicious
disease affecting most major consulting firms and Fortune 500 C suites -
implement blockchains for the ‘wow’ factor when they will actually turn into
expensive, unwieldy databases.
● As a rule, blockchain should never be used within a corporation.
○ JP Morgan breaks this rule, but it is for a very specific purpose.
● A blockchain should only be used when traditional means of data sharing
and/or databases will not allow the needed recording of data, or a solid
enough audit trail.
● Blockchains do not store data; they can only point to it.
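The two points above that a blockchain is blocks "linked together by cryptography" and that it does not store data but only points to it can be tested together by an auditor. The sketch below is an added example, not part of the original slides: the block layout, field names and sample records are assumptions chosen for illustration, and it shows which check fails when a database row is edited versus when a ledger block is rewritten.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder for "no previous block"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def block_hash(block: dict) -> str:
    # The hash covers the index, the previous block's hash and the record digest.
    body = {k: block[k] for k in ("index", "prev_hash", "record_digest")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def build_chain(records):
    chain, prev = [], GENESIS
    for i, rec in enumerate(records):
        block = {"index": i, "prev_hash": prev, "record_digest": sha256_hex(rec)}
        block["hash"] = prev = block_hash(block)
        chain.append(block)
    return chain

def audit(chain, off_chain):
    """Return findings; an empty list means ledger and records agree."""
    findings, prev = [], GENESIS
    if len(chain) != len(off_chain):
        findings.append(f"count mismatch: {len(chain)} blocks, {len(off_chain)} records")
    for i, block in enumerate(chain):
        if block["prev_hash"] != prev:
            findings.append(f"block {i}: broken link to previous block")
        if block_hash(block) != block["hash"]:
            findings.append(f"block {i}: contents do not match stored hash")
        if i < len(off_chain) and sha256_hex(off_chain[i]) != block["record_digest"]:
            findings.append(f"block {i}: off-chain record differs from on-chain digest")
        prev = block["hash"]
    return findings

# Constructed sample data: three traceability records kept in an ordinary database.
RECORDS = [b"lot=1001;origin=farm-A", b"lot=1002;origin=farm-B", b"lot=1003;origin=farm-A"]

def demo():
    chain = build_chain(RECORDS)
    # Case 1: a database row is edited; the ledger still holds the old digest.
    edited = [RECORDS[0], b"lot=1002;origin=farm-C", RECORDS[2]]
    # Case 2: block 1 is also rewritten to match, but later blocks are not re-linked.
    forged = [dict(b) for b in chain]
    forged[1]["record_digest"] = sha256_hex(edited[1])
    forged[1]["hash"] = block_hash(forged[1])
    return {"clean": audit(chain, RECORDS), "db_tamper": audit(chain, edited),
            "ledger_tamper": audit(forged, edited)}
```

Calling `demo()` returns the findings for the clean ledger and for each of the two tampering cases.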
Blockchain Security
● 51% attack
● Sybil attack (identity forging)
● SHA-256 hack - if quantum computing ever becomes a thing (don’t hold your
breath)
● Entry point attack
● Oracle attack
● In private blockchains
○ Access control
○ And all the other regular ITGC worries
The Blockchain Audit
● Honestly, not that ‘new’
○ The same blocking and tackling of any other ITGC audit is required.
● New audit workpaper out by ISACA, which yours truly helped to develop.
● The biggest lift will be examining the use case: is a blockchain really needed,
and was a standard implementation, such as Hyperledger, implemented?
● Was proper SDLC planning and implementation carried out?
● Does the IT Department have the appropriate controls in place for who can access
the blockchain, and/or companies that run nodes?
● Key management, consensus, etc.
● Is third-party vendor risk mitigated?
Questions?
Contact
LinkedIn
Email: andrew@block.science
Phone: 423-504-5024
Personal website
BlockScience website
THANK YOU
Andrew Clark
Data Economist
BlockScience
