
Blockchain: An Introduction for CPAs

Publication Date: March 2020

Copyright © 2020 by DeltaCPE LLC

All rights reserved. No part of this course may be reproduced in any form or by any means, without permission in writing from the publisher.

The author is not engaged by this text or any accompanying lecture or electronic media in the rendering of legal, tax, accounting, or similar professional services. While the legal, tax, and accounting issues discussed in this material have been reviewed with sources believed to be reliable, concepts discussed can be affected by changes in the law or in the interpretation of such laws since this text was printed. For that reason, the accuracy and completeness of this information and the author's opinions based thereon cannot be guaranteed. In addition, state or local tax laws and procedural rules may have a material impact on the general discussion. As a result, the strategies suggested may not be suitable for every individual. Before taking any action, all references and citations should be checked and updated accordingly.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert advice is required, the services of a competent professional person should be sought.

—From a Declaration of Principles jointly adopted by a committee of the American Bar Association and a Committee of Publishers and Associations.

Course Description

Blockchain is essentially an accounting technology: it enables the collaborative creation of a universal ledger with capabilities going beyond traditional book-keeping systems. The emergence of blockchain signals a fundamental change in how data, information, and assets can be authorized, recorded, processed, reported and stored. With the growing adoption of this world-changing technology, accountants and auditors with a strong knowledge of blockchains are already increasingly in demand, as an intricate understanding of the technology and its impact is required to provide appropriate guidance.

The focus of this course is to explain blockchain technology, specifically how it could transform the methods used to secure information, accounting processes, and auditing procedures. The course offers a detailed examination of the blockchain technology model, including blockchain features, consensus models, smart contracts, and types of blockchains. To truly appreciate the value of this technology, we need to understand the current accounting and auditing landscape and its hurdles, which are addressed in the second part of this course. Finally, the course discusses the implications of blockchains for the accounting and auditing profession.

Field of Study: Accounting
Level of Knowledge: Overview
Prerequisite: None
Advanced Preparation: None

Table of Contents

Introduction 1
Learning Objectives 1
I. What is Blockchain Technology? 2
The Language of Blockchain 2
A World without Middlemen 5
DLT: Distributed Architecture 5
Blockchain: A Self-Regulating Ecosystem 7
The Future of Record-Keeping 9
Triple-Entry Accounting 9
Tamper-Proof Record 10
Self-Executing Agreement 20
Illustration: Crypto Transactions on a Blockchain 22
Review Questions - Section 1 23
Types of Blockchains 25
Public Blockchains 27
Private Blockchains 29
Hybrid Blockchains 34
Whether to Deploy Blockchain Solutions 35
Review Questions - Section 2 37
II. How Blockchain will Enhance the Accounting and Auditing Professions 38
Foundation of Accounting Principles 38
The Value of Accounting 38
The Development of Accounting Discipline 39
The Role of Auditor 42
The Functions of Intermediaries 44
Review Questions - Section 3 46
Obstacles of the Current Practice 48
A Burden on Business 48
Inherent Limitations of Financial Audits 50
Erosion of Confidence: Audit Deficiencies 57
The Potential Impact on the Accounting and Auditing Professions 61
Enhancement of Book-Keeping Systems 61
Transformation of Auditing Practices 63
Review Questions - Section 4 72
Appendix A: Blockchain Decision Tree 74
Appendix B: Blockchain’s Impacts on Auditing Practices 75
Answers to Review Questions 76
Review Questions - Section 1 76
Review Questions - Section 2 80
Review Questions - Section 3 82
Review Questions - Section 4 84
Glossary 88
Index 89


Introduction

The creation of blockchain technology opens the door to revolutionary possibilities. It combines the power of the Internet with the security of cryptography to offer, for example, cheaper and faster payment options than those offered by traditional financial services businesses, without a trusted third party. It is important to first understand how blockchains work before it becomes clear what they can offer to accounting and auditing. As adoption becomes more widespread, accountants and auditors should be getting on board. This course goes into well-researched and newbie-friendly reflections on the most important blockchain concepts by addressing the following frequently asked questions:

• How does a distributed ledger differ from traditional databases?
• What are the components of a blockchain ecosystem?
• How does blockchain work?
• What does trustless mean in blockchain technology?
• What are the benefits of blockchain technology?
• How does triple-entry accounting work?
• What is a blockchain wallet?
• How is consensus reached in a blockchain?
• What is a 51% attack?
• What are blockchain forks?
• What are smart contracts?
• What are the different types of blockchains?
• How can blockchains reshape accounting and auditing practices?

This course provides guidance on these, and many more, questions connected to this topic. It explains blockchain fundamentals and how this technology will enhance many of the core businesses of the accounting and auditing profession.

Learning Objectives

After completing this course, you will be able to:

• Recognize the technical terms associated with blockchain
• Identify the key components of blockchain technology and how they function
• Identify different types of blockchains
• Recall basic accounting and auditing principles
• Recognize how blockchains could reshape accounting and auditing practices


I. What is Blockchain Technology?

As you will learn, blockchains can function as constantly growing distributed ledgers where companies record their transactions directly into activity registers. Distributed ledger technology (DLT) has many advantages, including increased security in trustless environments, and has been successfully implemented in a variety of industries. The Big 4 accounting firms are developing the skills required to understand and audit blockchain technology as clients start switching portions of their business onto blockchain-based infrastructure.

This chapter defines the high-level components of a blockchain network architecture, including distributed ledgers, cryptography, and consensus protocols. It also explains how blockchains have profoundly changed the organizational and technological infrastructure required to create trust, and how they can revolutionize record-keeping systems.

The Language of Blockchain

Blockchains facilitate the digital transformation of business and social ecosystems. The growing popularity and prevalence of the technology is clear. Worldwide spending on blockchain solutions is projected to grow from $1.5 billion in 2018 to $11.7 billion by 2022.[1] Spending by the U.S., the largest regional spender on blockchain solutions, is expected to reach $4.2 billion by 2020.[2]

The world of blockchain introduces many technical terms, and newcomers might be baffled by crypto jargon. Knowing the vocabulary is essential to understanding. To help ease you into this landscape, this section introduces common terms and phrases relevant to blockchain technology.

Address: An address is basically a destination where a user sends and receives digital currency. It is similar to a bank account. An address usually consists of a long series of letters and numbers.

Algorithm: A process or set of rules to be followed in calculations or other problem-solving operations.

Altcoins: Altcoin is a blended word, derived from “alternative” and “coin”, and refers to any digital currency that is not bitcoin.

Bitcoin: Bitcoin is both a concept (technology or movement) and a currency. As a concept, Bitcoin is capitalized. The unit of the currency, bitcoin, is lowercase.

[1] Blockchain statistics are from “Blockchain - Statistics & Facts,” statista, with values as accessed on December 22, 2019.
[2] Blockchain statistics are from “Worldwide spending on blockchain solutions,” statista, with values as accessed on December 26, 2019.


Blockchain: A blockchain is a digital, decentralized ledger consisting of a series of blocks. A block is simply a group of cryptocurrency transactions that have been verified. Blockchain technology is used for recording transactions made with cryptocurrencies, such as bitcoin, and has many other applications.

Consensus Mechanism: A method to authenticate and validate a set of values or a transaction without the need to trust or rely on a centralized authority. It allows each participant to trust the network, as they know each transaction will follow rules they ratified when the network launched. For example, when a transaction is made, if all nodes on the network agree that it is valid on a blockchain, they have a consensus.

Cryptocurrency: A cryptocurrency is a digital currency that relies on cryptography. Bitcoin, for example, leverages cryptography in order to verify transactions.

Cryptography: Cryptography, the process of encoding and decoding information, is used to verify and secure transactions on a blockchain.

Digital Signature: A digital signature provides validation and authentication in the same way a handwritten signature does, in digital form, ensuring the security and integrity of the data recorded onto a blockchain.

Distributed Ledger: A distributed ledger is a system of independent computers (peer-to-peer) that are simultaneously recording data. Identical copies of the record are kept by each computer. Blockchain is a distributed ledger that was originally created to keep track of all bitcoin transactions.

Double-Spending: Double-spending is the attempt to send the same cryptocurrency to two separate destinations at the same time. For example, this could happen if a cryptocurrency user tries to purchase something with a coin she or he has already spent. Bitcoin was the first to implement a solution that protects against double-spending, by verifying each transaction added to a blockchain to ensure that the coins for the transaction had not previously been spent.

Hashing: Hashing takes plaintext and converts it to a hash value of fixed size using a hash function. This process ensures the integrity of the message, as the hash values computed on the sender’s and receiver’s sides should match if the message is unaltered.

Mining: Mining is the computer process of validating information, creating a new block and recording that information into a blockchain.

Node: A blockchain is spread over networked computers. Each user actively on the network is a node.

Peer-to-Peer: A connection between two or more computers without using a centralized third party as an intermediary. Most cryptocurrencies operate on a peer-to-peer network.


PoA: Acronym for “proof of authority”, a reputation-based consensus algorithm that leverages the value of identity rather than staking digital assets. The principle behind this reputation mechanism is the certainty of a pre-approved validator’s identity.

PoS: Acronym for “proof of stake”. A consensus mechanism, used to validate transactions recorded on certain blockchains, that is based upon a user’s stake (how many units they hold) in a blockchain. Proof of stake is a common alternative to a proof of work protocol.

PoW: Acronym for “proof of work”. A consensus mechanism used to validate transactions recorded on certain blockchains. It generally requires proof of complex cryptographic computations, and large amounts of computing power, in order to validate transactions.

Private Key: Similar to a password used to access one’s account, a private key is a string of letters and numbers known only to the owner that allows them to spend their cryptocurrency. Thus, private keys must never be revealed to anyone but the owner.

Public Key: A string of letters and numbers that allows cryptocurrency to be received.

Wallet (Virtual Wallet): An electronic device or online service that allows a user to receive cryptocurrencies, store them, and send them to others.


A World without Middlemen

DLT: Distributed Architecture

“Distributed ledger technology is one such innovation that has been cited as a means of transforming payment, clearing, and settlement (PCS) processes, including how funds are transferred and how securities, commodities, and derivatives are cleared and settled.”

Finance and Economics Discussion Series, Divisions of Research & Statistics and Monetary Affairs, Federal Reserve Board, Washington, D.C.

While blockchain technology was initially a means to create bitcoin, a global cryptocurrency, it is also the foundation of most modern cryptocurrencies. The most popular and widely used cryptocurrency is bitcoin; however, there are more than 2,300 cryptocurrencies in circulation.[3]

The term “blockchain” is used because it describes a growing list of records, i.e. blocks, that are linked to form a chain. Although blockchain is often associated with DLT, the two terms are not interchangeable: there are other types of DLT that do not rely on a “chain of blocks”. DLT is what makes blockchain distinct from a traditional centralized database, which has one authoritative copy maintained by a trusted third party. The following figure shows the relationship between cryptocurrency, blockchain, and DLT.

[Figure: the relationship between DLT, blockchain and cryptocurrency. Distributed ledger technology (DLT): a system of independent computers simultaneously recording, sharing and synchronizing data. Blockchain: specific distributed ledger solutions that facilitate functionality, alongside other DLTs. Cryptocurrencies and other platforms supported by blockchain: Bitcoin, Ethereum, and other platforms.]

Source: Created based on “The Future of Blockchain: Applications and Implications of Distributed Ledger Technology,” Chartered Accountants Australia and New Zealand.

DLT is a consensus database of replicated, shared, and synchronized data among the participants of a decentralized network. Unlike a centralized system (e.g. banks, government), there is no central administrator function or single point of control. Eliminating the need for a central authority or intermediary to process, validate or authenticate transactions is a major advantage of DLT, as it significantly reduces the cost of having a trusted third party present. This characteristic is particularly critical for financial services, an industry in which reputable middlemen (intermediaries) are widely used to create trust and decrease risk, as discussed in “The Functions of Intermediaries”.

[3] Data on cryptocurrency market valuations are from “Cryptocurrency Market Capitalizations,” CoinMarketCap, with values as accessed on November 28, 2019.

Lesson Note: Cost-saving is a potential benefit of DLT, especially for the loan market, as it would allow participants to reduce processing delays and operational costs.

Moreover, every participant in the network has a synchronized copy, allowing for local control of data and transparency. For example, participants can all see and confirm that a transaction has occurred and has been recorded, all at the same time. Instead of housing and maintaining separate records based on receipts and invoices, companies can create a distributed ledger of transactions among a network of participants in an automated, transparent, and auditable manner.

Source: “The Difference Between Blockchain & Distributed Ledger Technology”, Tradeix, accessed on November 28, 2019.

Finally, companies have the potential to eliminate the manual intervention and processes used to gather and share data, which could improve the regulatory reporting and audit processes as well. The distributed nature of the technology enhances transparency because every participant in the network can access the history of transactions or confirm new transactions; every change is viewable and traceable. Therefore, this technology could offer more secure, efficient and transparent accounting.


Companies have the following common motivations behind efforts to develop and deploy DLT arrangements:[4]

✓ Reduce complexity (especially in multiparty, cross-border transactions)
✓ Improve end-to-end processing speed and availability of assets and funds
✓ Decrease the need for reconciliation across multiple record-keeping infrastructures
✓ Increase transparency and immutability in transaction record-keeping
✓ Improve network resiliency through distributed data management
✓ Reduce operational and financial risks

The following table identifies the major differences between a distributed ledger and a centralized ledger.

Distributed Ledger
• Consensus on data
• Immutable
• Distributed
• Decentralized
• Peer-to-Peer
• Cryptographic validation
• Cryptographic authentication and authorization
• Resiliency and availability increase with node count

Centralized Ledger
• Internal and external reconciliation required
• No restrictions
• Single point of failure
• Single point of control
• Unnecessary gateways and middlemen
• Cryptography must be added as an afterthought
• Actions are done on behalf of others
• Backup must be set up manually

Source: International Research Journal of Engineering and Technology (IRJET), “BlockChain Technology Centralised Ledger to Distributed Ledger,” Volume: 04 Issue: 03 | Mar -2017.

Blockchain: A Self-Regulating Ecosystem

Blockchain is a type of distributed ledger that creates a peer-to-peer network, which establishes a means for transacting and enables recording, transferring, tracking, authenticating, and storing of digital assets. Blockchain is often referred to as a “trustless” system because it provides a secure and decentralized ledger of all transactions across a network without the need for trusted intermediaries. It does so by combining three principal technologies, which is a significant innovation in traditional record-keeping:

1. Distributed Ledger enables a decentralized exchange of trusted data
2. Cryptography enforces the authentication and confidentiality of transactions
3. Consensus mechanism ensures correct sequencing of transactions on a blockchain

Each technology is explained in “The Future of Record-Keeping”.

[4] Information collected through interviews with industry stakeholders is from “Distributed ledger technology in payments, clearing, and settlement,” Finance and Economics Discussion Series 2016-095. Washington: Board of Governors of the Federal Reserve System.


Lesson Note: A “Sybil” attack is the technical term for an attempt to gain control over a peer network by creating a large number of nodes or accounts, so as to obtain a disproportionately large influence.

While it is true that blockchain technology is often associated with cryptocurrencies, its scope is much wider than monetary assets and the financial sector. There is more than one use for blockchain. Every business and industry can benefit from the revolutionary technology of distributed ledgers. Different applications can be built in a large variety of sectors such as trade and commerce, healthcare, and government. KPMG identifies some examples of industries that blockchain will likely disrupt.

A Wide Variety of Blockchain Use Cases

Telecommunication: Blockchain can streamline the internal operations of the telecom industry such as billing, roaming, network function virtualization management, digital asset transactions, mobile money, and identity-as-a-service.

Healthcare: Blockchain has use cases in the healthcare/pharmaceutical sector to improve electronic medical records, and for facilitating new drug development and medical innovation.

Banking: Blockchain can be used for derivative trading to connect potential buyers and sellers on a decentralized network and update the information on a continuous basis.

Media: Blockchain can help in maintaining the database of digital rights to avoid copyright issues, use smart contracts for payment of media owners and track the ownership of concert tickets.

Retail: For food safety, blockchain can allow consumers to track the origin of food items and enforce transparency in the food supply chain from farm origination details to the storage of food in retail stores.

Automotive: Blockchain can help the automotive industry in product life cycle management, thus tracking the full history of a vehicle from pre-production to sale.

Source: KPMG, “Auditing Blockchain Solutions”, 2018

Blockchain, a breakthrough technology, allows Bitcoin to transfer value while securing the integrity of transactions and the non-repudiation of payments by means of cryptographic techniques. It has received ever-growing attention from researchers and industry. The next sections explain the following key benefits of blockchain technology and how it can enhance today’s accounting and auditing practices:

✓ Triple-Entry Accounting
✓ Tamper-Proof Record
✓ Self-Executing Agreement


Lesson Note: The term "Triple-Entry Accounting" refers to a system proposed by Ian Grigg, financial cryptographer, and described in his paper “Triple Entry Accounting” published in 2005.

The Future of Record-Keeping

Many industries have used blockchain to secure all types of records, from land transactions to financial information. The most common types of records kept on blockchain include:

✓ Public records (e.g. property register)
✓ Financial information
✓ Business transactions
✓ Medical records
✓ Identity management
✓ Management activities
✓ Contracts

Blockchain does not only apply to documents. It can be used with any kind of digital asset, such as video files, images, and email backups. This course focuses on the accounting and auditing aspects.

Triple-Entry Accounting

Companies have relied on double-entry accounting to gather information and maintain control over their operations. This accounting method and the audited financial statements serve as valuable tools for management, shareholders, governments and tax authorities. However, in its current state, double-entry accounting has its limitations and can be circumvented. Although many proposed solutions exist, one widely discussed alternative method is triple-entry accounting, an extension of the double-entry system, enhanced by adding a third blockchain layer, a distributed ledger. Triple-entry accounting improves the traditional double-entry accounting system by having all accounting entries involving third parties cryptographically secured by a third entry.

A triple-entry accounting system is similar to the double-entry system except that there is a third layer, using blockchain technology, embedded onto it. Triple-entry accounting has the potential to increase the transparency, traceability, and efficiency of the process of accounting for transactions. Every transaction would have a corresponding third entry that was verified by a blockchain. As parties create transactions, the blockchain technology will use a consensus process to validate each new transaction, create a third entry, and then post it to a shared (public) ledger. The following figure shows an example of how blockchain creates a third entry linked to participants.


Company A’s Books                  Company B’s Books
Debits      Credits                Debits      Credits
500                                            500
2,000                                          2,000

Blockchain Technology: Distributed (Public) Ledger
Company A      Company B
-500           500
-2,000         2,000

For example, if Company A records debits of $500 and $2,000 to account for cash received from Company B for previous sales on account, Company B also records credits of $500 and $2,000 to account for cash paid to Company A. When payments are made to Company A, new blocks are created which are linked to all previous blocks in the chain, maintaining the transaction history. Since the blocks are visible to Company A and B in the public ledger, both companies are able to see the update immediately. Therefore, both companies can confirm transactions without the need for a trusted party, since the public ledger (the third entry) ensures a match between payable and receivable.

In summary, blockchain, a distributed ledger, allows companies to record their transactions directly into a shared register, as demonstrated in the diagram. Blockchain offers the possibility of generating trust, security, and transparency among people and entities that do not necessarily know each other, and of providing more business opportunities in areas where governing authorities and intermediaries exist. The next section explains how blockchain technology takes over the functions performed by a trusted party.

Tamper-Proof Record

Tamper-proofness, or immutability, is the ability of a blockchain ledger to create and store a permanent, immutable, signed, and time-stamped record of identity, ownership, transactions or contractual commitments. Although there have been a few incidents of hacking of digital currencies that rely on blockchain technology, the unique way in which the information is stored and updated makes it very secure, as shown below.

[Figure: Cryptography (hashing process) + Consensus Mechanism → Tamper-Proof]


Lesson Note: Although most publications on blockchain technology consider blockchain ledgers to be immutable, there are situations in which a blockchain can be compromised. This is known as a 51% attack and is discussed in detail later.

Consensus Mechanism

Blocks contain records of transactions or other data, which together form a blockchain. Each block is cryptographically connected to the previous one using a complex mathematical algorithm, and the rules by which the network agrees on each block are known as a consensus mechanism. Consensus mechanisms require a majority of nodes to agree on whether:

1. A new block is valid and appropriate for inclusion in the ledger; and
2. The ledger and its history are correct based on the consensus rules

Consensus mechanisms authenticate and validate a set of values or a transaction without the need to rely on a centralized authority. The calculation results in an alphanumeric string that is put on the next block. The process is then repeated for each bundle of transactions that are aggregated together; the number of blocks increases, and the chain continues to grow over time.

In simple words, a block is a group of transactions on a blockchain that have been verified. If a transaction violates one of the rules the network agreed on (consensus), the transaction is considered invalid. Consensus helps keep inaccurate or potentially fraudulent transactions out of the database and ensures a correct sequencing of transactions on a blockchain. For instance, cryptocurrencies are secured via a consensus mechanism to prevent “double-spending”: spending the same money twice. Two consensus-based validation processes must be carried out:

1. Ownership of the cryptocurrency; and
2. Sufficiency of cryptocurrency in the spender’s account

As defined, the spender of the cryptocurrency needs to prove ownership of the private key in order to initiate a transaction. To ensure that the spender has a sufficient balance in his or her account, every transaction is verified against the spender’s account (“public key”) in the public ledger. Although no personal information is shared, the transaction is validated and recorded via this consensus protocol.
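The ownership and sufficiency checks just described can be seen end to end in a small validator. The following Go program is an added example written for this section, not code from the course or from any blockchain project. It assumes a simplified account-based ledger (the Tx, Ledger, Apply, sign and Scenario names are illustrative), uses Ed25519 signatures from Go's standard library in place of Bitcoin's actual signature scheme and UTXO model, and adds a per-sender sequence number as its stand-in for the network's double-spend rule. The transfers, key seeds and opening balance are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"fmt"
)

// Tx is a simplified account-based transfer: From and To are public keys (the
// text's "address") and Seq is a per-sender sequence number so that the same
// signed transfer cannot be applied twice. Field names are illustrative.
type Tx struct {
	From, To ed25519.PublicKey
	Amount   uint64
	Seq      uint64
	Sig      []byte
}

// payload is exactly what gets signed: every field except the signature.
func (t Tx) payload() []byte {
	p := append([]byte{}, t.From...)
	p = append(p, t.To...)
	return append(p, fmt.Sprintf("|%d|%d", t.Amount, t.Seq)...)
}

// Ledger is the shared record: balance and next expected Seq per account,
// indexed by the hex form of the account's public key.
type Ledger struct {
	Balances map[string]uint64
	NextSeq  map[string]uint64
}

func key(pk ed25519.PublicKey) string { return hex.EncodeToString(pk) }

// Apply performs the two checks the text describes before recording a transfer:
// (1) ownership: the signature must verify under the sender's public key, so
// only the holder of the matching private key could have authorized it;
// (2) sufficiency: the sender's recorded balance must cover the amount.
// The sequence check is what rejects a second copy of an already-spent transfer.
func (l *Ledger) Apply(t Tx) error {
	from := key(t.From)
	if !ed25519.Verify(t.From, t.payload(), t.Sig) {
		return fmt.Errorf("rejected: signature does not prove ownership of %s...", from[:8])
	}
	if t.Seq != l.NextSeq[from] {
		return fmt.Errorf("rejected: sequence %d already used (double-spend attempt)", t.Seq)
	}
	if l.Balances[from] < t.Amount {
		return fmt.Errorf("rejected: balance %d is less than %d", l.Balances[from], t.Amount)
	}
	l.Balances[from] -= t.Amount
	l.Balances[key(t.To)] += t.Amount
	l.NextSeq[from]++
	return nil
}

// sign builds a transfer and signs it with the sender's private key.
func sign(priv ed25519.PrivateKey, to ed25519.PublicKey, amount, seq uint64) Tx {
	t := Tx{From: priv.Public().(ed25519.PublicKey), To: to, Amount: amount, Seq: seq}
	t.Sig = ed25519.Sign(priv, t.payload())
	return t
}

// Scenario runs four constructed transfers against a fresh ledger and reports
// which were accepted, along with the resulting ledger.
func Scenario() ([]bool, *Ledger) {
	// Fixed seeds keep the example reproducible; a real wallet derives its key
	// from crypto/rand and never embeds it in source.
	alicePriv := ed25519.NewKeyFromSeed([]byte("alice-constructed-seed-32-bytes!"))
	alicePub := alicePriv.Public().(ed25519.PublicKey)
	bobPriv := ed25519.NewKeyFromSeed([]byte("bob---constructed-seed-32-bytes!"))
	bobPub := bobPriv.Public().(ed25519.PublicKey)
	l := &Ledger{Balances: map[string]uint64{}, NextSeq: map[string]uint64{}}
	l.Balances[key(alicePub)] = 2500 // constructed opening balance

	pay := sign(alicePriv, bobPub, 2000, 0)
	forged := sign(bobPriv, bobPub, 500, 1) // signed by Bob but labelled as from Alice
	forged.From = alicePub
	txs := []Tx{
		pay,                              // funded and correctly signed: accepted
		pay,                              // the same signed transfer again: double-spend
		sign(alicePriv, bobPub, 2000, 1), // correct sequence, but only 500 remains
		forged,                           // wrong private key: ownership check fails
	}
	accepted := make([]bool, len(txs))
	for i, t := range txs {
		err := l.Apply(t)
		accepted[i] = err == nil
		if err != nil {
			fmt.Println(err)
		}
	}
	return accepted, l
}

func main() {
	accepted, l := Scenario()
	fmt.Println("accepted:", accepted, "balances:", l.Balances)
}
```

Running it applies four constructed transfers: a funded, correctly signed payment is accepted; the same signed payment submitted again is rejected by the sequence check (a double-spend); a correctly sequenced payment exceeding the remaining balance fails the sufficiency check; and a payment signed with the wrong private key fails the ownership check. Only ledger balances and public keys are consulted, which is the text's point that no personal information needs to be shared for validation.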

There are different kinds of consensus mechanism algorithms, which work on different principles. Following is a brief discussion of the most commonly used mechanisms in the context of cryptocurrencies:

1. Proof of Work
2. Proof of Stake
3. Proof of Authority


Proof of Work

Proof of Work (PoW) is a consensus protocol used to validate transactions recorded on blockchains and generally requires the production of proof of complex cryptographic computations. It is a function used to confirm transactions before they can be accepted by network participants. Mining, the process of validating (confirming) transactions and adding them (as a new block) to a blockchain, limits the possibility of malicious entities manipulating a blockchain and falsifying transactions by:

✓ Verifying the legitimacy of a transaction by solving a mathematical puzzle, which is called a hash function (discussed in the next section). To include a transaction in the next block, a miner needs to know the cryptographic hash value of the last recorded block. This hash value must be referenced to create/add a new block.

✓ Releasing newly created cryptocurrency (e.g. bitcoin) as a “block reward” to the first miner who generates a new block. A successful miner is the one who beats everyone else in this game and solves the mathematical puzzle. After finding the hash of the last recorded block, a miner announces it to the network for the other nodes to verify and creates a new block with the transactions.

Bitcoin is the most well-known cryptocurrency with a PoW consensus-building algorithm. Other examples include Litecoin, Bitcoin Cash, and Monero. Mining requires a special program, which helps miners compete with their peers in solving massive mathematical puzzles as the input of each block becomes larger over time (a more complex calculation). It also requires large amounts of computing power in order to solve the puzzles (validating transactions) and earn rewards.
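As an added example (not code from the course text or from any real blockchain implementation), the following Go program ties together the hashing, block-linking and mining ideas from the “Tamper-Proof Record” discussion and this section: each block's SHA-256 hash commits to the previous block's hash, a miner searches for a nonce until the hash satisfies a difficulty rule, and a validator re-checks every link so that an after-the-fact change to a recorded amount is detected. The Block fields, the leading-zero difficulty rule and the sample ledger entries are constructed simplifications rather than Bitcoin's actual formats.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Block is a simplified block: its position, the ledger data it carries, the
// hash of the previous block, and the nonce a miner found. The field set is
// illustrative and is not Bitcoin's real header layout.
type Block struct {
	Index    int
	Data     string
	PrevHash string
	Nonce    int
}

// sampleEntries is constructed sample ledger data, one entry per block.
var sampleEntries = []string{
	"genesis",
	"Company B pays Company A 500",
	"Company B pays Company A 2,000",
	"Company A pays Supplier C 1,200",
}

// hashBlock is the block's fingerprint: SHA-256 over all of its fields. Since
// PrevHash is part of the input, every hash commits to the whole chain before
// it; changing any earlier block changes every later hash.
func hashBlock(b Block) string {
	input := strconv.Itoa(b.Index) + "|" + b.Data + "|" + b.PrevHash + "|" + strconv.Itoa(b.Nonce)
	sum := sha256.Sum256([]byte(input))
	return hex.EncodeToString(sum[:])
}

// meetsDifficulty is the puzzle rule: the hash must start with `difficulty`
// hex zeros. A stand-in for Bitcoin's numeric target; the principle is the same.
func meetsDifficulty(hash string, difficulty int) bool {
	return strings.HasPrefix(hash, strings.Repeat("0", difficulty))
}

// mine is the proof-of-work search: try nonces until the hash solves the puzzle.
// The number of attempts is the "work" the miner had to spend on this block.
func mine(b Block, difficulty int) (Block, int) {
	attempts := 0
	for {
		attempts++
		if meetsDifficulty(hashBlock(b), difficulty) {
			return b, attempts
		}
		b.Nonce++
	}
}

// buildChain mines one block per entry, linking each to the hash of the block
// before it, and returns the chain plus the total number of hash attempts.
func buildChain(entries []string, difficulty int) ([]Block, int) {
	chain := make([]Block, 0, len(entries))
	prev, totalWork := "", 0
	for i, e := range entries {
		b, work := mine(Block{Index: i, Data: e, PrevHash: prev}, difficulty)
		totalWork += work
		chain = append(chain, b)
		prev = hashBlock(b)
	}
	return chain, totalWork
}

// validateChain is what an honest node does with a chain it receives: recompute
// each hash, confirm it still solves the puzzle, and confirm each PrevHash
// matches its predecessor. Returns the index of the first bad block, or -1.
func validateChain(chain []Block, difficulty int) int {
	for i, b := range chain {
		if !meetsDifficulty(hashBlock(b), difficulty) {
			return i
		}
		if i > 0 && b.PrevHash != hashBlock(chain[i-1]) {
			return i
		}
	}
	return -1
}

func main() {
	const difficulty = 3 // three leading hex zeros: about 4,096 attempts per block
	chain, work := buildChain(sampleEntries, difficulty)
	fmt.Printf("mined %d blocks with %d hash attempts\n", len(chain), work)
	fmt.Println("intact chain, first invalid block:", validateChain(chain, difficulty))

	// Alter an already-recorded amount without re-mining. Either the block's own
	// hash no longer solves the puzzle or the next block's PrevHash no longer
	// matches, so validation pinpoints the break and the chain is rejected.
	tampered := make([]Block, len(chain))
	copy(tampered, chain)
	tampered[1].Data = "Company B pays Company A 5,000"
	fmt.Println("tampered chain, first invalid block:", validateChain(tampered, difficulty))
}
```

Running it mines a four-block chain (roughly 4,096 hash attempts per block at difficulty 3), reports that the fresh chain validates, then alters one recorded amount and shows that validation pinpoints the first broken block. The attempt count is the substance of the text's argument: for an altered chain to be accepted, the work would have to be redone for the changed block and every block after it, while honest nodes detect the change with a single pass of cheap hash recomputation.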

Lesson Note: As of November 28, 2019, the Bitcoin network accounts for roughly 0.21% of global electricity use. Over the course of a year this is equal to around 69.59 TWh (terawatt-hours) of energy consumption.[5] The closest comparison for electricity consumption is the country Austria.

Mining pools are groups of collaborating miners who agree to share block rewards according to their contributed mining hash power. There are various bitcoin mining pools across the globe, and they compete to be the next to find a valid block hash. In 2019, China mined the most bitcoins. With bitcoin, the reward for mining a block is now 12.5 bitcoins. To keep bitcoin's inflation in check, every 4 years on average (210,000 blocks), the reward granted to bitcoin miners is cut in half. This process is referred to as a “halving”.

As explained, mining requires a vast amount of computing resources, which consume a significant amount of electricity. Thus, PoW makes it extremely challenging to alter any aspect of the chain, because such an alteration would require re-mining all subsequent blocks. However, there are different ways a blockchain can be attacked. A 51% attack, commonly known as a majority attack, refers to an attack on a blockchain where a single entity or group of organizations controls more than 50% of the mining power (hash rate). As a result, the attacker is able to interfere with the validation process and manipulate the public ledger by:

• Invalidating ongoing transactions (denial-of-service)
• Intentionally omitting an event
• Preventing other miners from mining (selfish mining)
• Changing the sequence of transactions
• Reversing transaction history (double-spend)

[5] Bitcoin energy consumption statistics are from the Cambridge Bitcoin Electricity Consumption Index (CBECI), with values as accessed on November 28, 2019.

In May 2018, a group of malicious miners controlled 51% of the hash rate in Bitcoin Gold to falsify the currency’s ledger and defraud online exchanges of at least $18 million worth of cryptocurrency through double-spending. A selfish mining attack (block withholding attack) is also an attack on the integrity of the blockchain network. It is a strategy used by miners to increase their rewards by intentionally withholding a validated block from being released to the network. They attempt to mislead other miners into continuing to mine already validated transactions, reducing the number of miners doing real mining work.

The following table summarizes the characteristics of PoW.

Goal: To provide a barrier to publishing blocks in the form of a computationally difficult puzzle to solve, to enable transactions between untrusted participants.

Advantages:
• Difficult to perform denial of service by flooding the network with bad blocks.
• Open to anyone with hardware to solve the puzzle.

Disadvantages:
• Computationally intensive (by design), power consumption, hardware arms race.
• Potential for 51% attack by obtaining enough computational power.

Source: National Institute of Standards and Technology, “NISTIR 8202 Blockchain Technology Overview,” accessed on November 24, 2019.

Proof of Stake

Proof of Stake (PoS) is another consensus protocol used to validate transactions on blockchains, based on a user’s stake. PoS evolved as a low-cost, low-energy alternative to the PoW algorithm. In a PoS system, the act of validating transactions and creating new blocks is called “forging”. A validator (forger) validates block transactions based on his or her stake by proving ownership of a certain asset (e.g. a certain number of cryptocurrency units). In other words, validators must first put their own assets at stake in order to take part in the forging process.

When selecting validators, the blockchain network usually looks at all participants and chooses amongst them based on their ratio of stake to the overall amount of cryptocurrency staked. Thus, if an individual had 38% of the entire network stake they would be selected 38% of the time; those with 2% would be selected 2% of the time. Since validators have staked their own money, theoretically, they are incentivized to validate the right transactions. If they validate a fraudulent transaction, they lose their holdings as well as their rights to participate as a forger in the future. A validator is paid a transaction fee for his/her validation services by the transacting parties. Cryptocurrencies such as Eos, Dash, and Tron utilize a PoS consensus mechanism.
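Added example (Go, not code from the course or from any PoS network) of the stake-proportional selection described above: a seeded hash picks a point on the total stake, the validator whose stake range contains that point forges the block, and a slashed validator drops out of future rounds. The seeding scheme, the validator names and the stake figures are constructed for this example; real networks derive the per-round randomness from their own block data.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Validator is a participant who has locked up ("staked") cryptocurrency units.
type Validator struct {
	Name  string
	Stake uint64 // units staked; selection weight is proportional to this
}

// TotalStake sums the stake of all eligible validators.
func TotalStake(vs []Validator) uint64 {
	var total uint64
	for _, v := range vs {
		total += v.Stake
	}
	return total
}

// SelectValidator picks the forger for one round. The seed stands in for the
// per-round randomness a real network would derive from earlier block data
// (an assumption for this example). It is hashed and reduced to a point on
// [0, total stake); the validator whose cumulative stake range contains the
// point wins, so a validator holding 38% of the stake wins about 38% of rounds.
func SelectValidator(vs []Validator, seed []byte) (Validator, bool) {
	total := TotalStake(vs)
	if total == 0 {
		return Validator{}, false
	}
	digest := sha256.Sum256(seed)
	point := binary.BigEndian.Uint64(digest[:8]) % total
	var cumulative uint64
	for _, v := range vs {
		cumulative += v.Stake
		if point < cumulative {
			return v, true
		}
	}
	return Validator{}, false // unreachable when total > 0
}

// Slash removes a validator caught validating a fraudulent transaction: the
// stake is forfeited and the validator is excluded from future selection.
func Slash(vs []Validator, name string) []Validator {
	kept := make([]Validator, 0, len(vs))
	for _, v := range vs {
		if v.Name != name {
			kept = append(kept, v)
		}
	}
	return kept
}

// SelectionShare runs `rounds` selections with sequential seeds and returns
// the fraction of rounds each validator won.
func SelectionShare(vs []Validator, rounds int) map[string]float64 {
	wins := map[string]int{}
	seed := make([]byte, 8)
	for i := 0; i < rounds; i++ {
		binary.BigEndian.PutUint64(seed, uint64(i))
		if v, ok := SelectValidator(vs, seed); ok {
			wins[v.Name]++
		}
	}
	share := map[string]float64{}
	for name, n := range wins {
		share[name] = float64(n) / float64(rounds)
	}
	return share
}

func main() {
	// Constructed sample: stakes chosen to match the 38% / 2% figures in the text.
	validators := []Validator{{"Alice", 38}, {"Bob", 2}, {"Carol", 60}}
	fmt.Printf("selection share over 20000 rounds: %v\n", SelectionShare(validators, 20000))
	// After Bob is slashed he never forges again and the others' shares rise.
	fmt.Printf("after slashing Bob: %v\n", SelectionShare(Slash(validators, "Bob"), 20000))
}
```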

The following table summarizes the characteristics of PoS.

Goal: To enable a less computationally intensive barrier to publishing blocks, but still enable transactions between untrusted participants.

Advantages:
• Less computationally intensive than PoW.
• Open to anyone who wishes to stake cryptocurrencies.
• Stakeholders control the system.

Disadvantages:
• Stakeholders control the system.
• Nothing to prevent the formation of a pool of stakeholders to create a centralized power.
• Potential for 51% attack by obtaining enough financial power.

Source: National Institute of Standards and Technology, “NISTIR 8202 Blockchain Technology Overview,” accessed on November 24, 2019.

The following figure summarizes the differences between PoW and PoS.

Proof of Work: Miners compete with one another using computational power.
Proof of Stake: There is no competition. The validator is selected based on his/her stake.

Proof of Work: The probability of mining a block is determined by how much computational work is done by the miner.
Proof of Stake: The probability of validating a block is determined by how large of a stake a person holds.

Proof of Work: A reward is given to the first miner who solves the puzzle.
Proof of Stake: There is no block reward. The validator collects transaction fees.

Source: Hackernoon, “Consensus Mechanisms Explained: PoW vs. PoS”, accessed on December 4, 2019.

Proof of Authority

Proof of Authority (PoA), more recent than both PoW and PoS, was proposed by Gavin Wood (co-founder and former CTO of Ethereum) in 2017. PoA, a reputation-based consensus algorithm, leverages the value of identity rather than staking digital assets. The principle behind the reputation mechanism is the certainty of a pre-approved validator’s identity. Nodes must have their identities proven and verifiable within the network. The lower the reputation, the lower the likelihood of being able to validate a block. In order to ensure the efficiency and security of the network, the group of validators usually remains fairly small (25 or less). Although the conditions may vary from system to system, there are three basic requirements to become a validator:

1. The identity must be formally confirmed, with the ability to cross-reference such information (e.g. address, phone number) in a public domain (public notary database)
2. The process of becoming a validator must be difficult, to reduce the risk of selecting questionable validators and to incentivize the position and long-term commitment
3. The validator approval process must be consistent (standard) to ensure that all candidates have an equal chance

Since PoA is designed to be less computationally intensive than PoW and has a limited number of validators, it has the following advantages:

✓ The computational resources required for solving complex mathematical tasks (validating a block) are far lower than in PoW and PoS. Thus, a PoA network has a low requirement for computational power, requiring significantly less power consumption.
✓ PoA has a high transaction rate, as its transaction time is significantly faster than the transaction time of PoW-based networks. Hence, it provides better performance.
✓ The interval of time it takes to validate blocks is predictable, unlike PoW and PoS consensus mechanisms, where this time varies.

The following figure summarizes the main pros and cons of PoA.

Pros:
• Using PoA eliminates the possibility of an attack since the validators are checked at the stage of obtaining authority and are reliable.
• It is an energy-efficient solution compared to other consensus mechanisms.
• Fast transaction processing.
• A new block is created in just 5 seconds, the fees are extremely low, and network scaling can occur horizontally, combining several networks into one.

Cons:
• With the use of PoA, decentralization is not possible since a limited circle of people can participate in block validation.
• Although PoA can be used in public blockchains, it is usually applied in private blockchains requiring permission.
• Reputation cannot always keep participants from malicious actions. If the reward for fraud is more valuable than the authority, a participant can harm the system.

Source: Changelly, “A Complete Guide to the Proof of Authority (PoA) Algorithm”, accessed on December 26, 2019.

The Concept of Forking

Changes to a blockchain network’s protocol and data structures are called forks. As a result of a fork, a blockchain diverges into two potential paths forward, either with regard to a new rule (e.g. validating transactions) or to a transaction’s history. Such a change (fork) can be made for various reasons, including:

• Adding new functionality (e.g. making improvements)
• Correcting security issues (e.g. addressing security risks)
• Reversing transactions (e.g. malicious transactions)

Forks are divided into two categories:

1. Hard forks
2. Soft forks

A hard fork creates a permanent split in a blockchain because the changes (e.g. consensus protocols, mining algorithm, block size) make the previous version of the chain incompatible. In other words, non-upgraded nodes can no longer validate transactions created by upgraded nodes that follow newer consensus protocols. Such changes are not backward compatible, resulting in two versions of a blockchain existing at the same time. That is, if one group of nodes continues to follow old rules while the other nodes follow new rules, a permanent split can occur.

The following figure demonstrates a hard fork example that results from incompatible changes.

[Figure: blocks from non-upgraded nodes continue to follow the old rules, while blocks from upgraded nodes follow the new rules and form a second branch.]

In the cryptocurrency world, a hard fork usually happens when groups of miners and developers cannot agree on a change to the software. For example, a group of Bitcoin developers decided to increase the block size limit from 1MB to 8MB. Since their proposal was not accepted by the majority of users, they created a hard fork on Bitcoin to release Bitcoin Cash. Bitcoin continues to follow its previous protocols. Bitcoin Cash, a new cryptocurrency, is generated based on new rules. The two cryptocurrency systems will continue to develop simultaneously on parallel tracks.

For a soft fork, non-updated nodes can continue to transact with updated nodes. This is because the blockchain features are still compatible (backward compatible) with the previous version of the chain, which does not result in a duplication of the blockchain. For example, Segregated Witness (SegWit), a Bitcoin protocol upgrade, is a soft fork designed to increase block capacity by removing (“segregating”) digital signature (“witness”) data from transactions.
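Added example (Go, constructed for this section and not code from Bitcoin or Bitcoin Cash) of the distinction just drawn: starting from a 1 MB block-size rule, a loosening to 8 MB is a hard fork because non-upgraded nodes reject the larger blocks, while a SegWit-style added requirement is a soft fork because everything it accepts is also valid under the old rules. The block fields, sizes and rule functions are assumptions made for the example.

```go
package main

import "fmt"

// Block carries only the two properties the toy rules below look at; the
// sizes and witness flags used later are constructed for this example.
type Block struct {
	SizeBytes  int
	WitnessSeg bool // true when signature ("witness") data is kept separate, as in SegWit
}

// Rule is one version of the consensus rules: it decides whether a node accepts a block.
type Rule func(Block) bool

// OldRules is the pre-fork rule set with a 1 MB block size limit.
func OldRules(b Block) bool { return b.SizeBytes <= 1_000_000 }

// BiggerBlocksRules raises the limit to 8 MB. It loosens the rules, so some
// blocks it accepts are rejected by OldRules.
func BiggerBlocksRules(b Block) bool { return b.SizeBytes <= 8_000_000 }

// SegWitRules keeps the old limit and adds a requirement, so everything it
// accepts is also accepted by OldRules.
func SegWitRules(b Block) bool { return OldRules(b) && b.WitnessSeg }

// ClassifyFork reports "hard" when some probe block is valid under the new
// rules but invalid under the old ones (non-upgraded nodes will reject it and
// the chain splits), and "soft" otherwise. The probes must cover the boundary
// cases of both rule sets; here they are listed by hand.
func ClassifyFork(oldRule, newRule Rule, probes []Block) string {
	for _, b := range probes {
		if newRule(b) && !oldRule(b) {
			return "hard"
		}
	}
	return "soft"
}

// Node keeps the blocks it has accepted; two nodes running different rules
// can end up holding different chains.
type Node struct {
	Name  string
	Rules Rule
	Chain []Block
}

// Receive accepts the block only if it satisfies this node's rules.
func (n *Node) Receive(b Block) bool {
	if !n.Rules(b) {
		return false
	}
	n.Chain = append(n.Chain, b)
	return true
}

// Simulate feeds the same sequence of blocks to a non-upgraded node and an
// upgraded node and returns how many blocks each accepted.
func Simulate(newRule Rule, blocks []Block) (oldAccepted, newAccepted int) {
	old := &Node{Name: "non-upgraded", Rules: OldRules}
	upgraded := &Node{Name: "upgraded", Rules: newRule}
	for _, b := range blocks {
		old.Receive(b)
		upgraded.Receive(b)
	}
	return len(old.Chain), len(upgraded.Chain)
}

func main() {
	probes := []Block{{500_000, false}, {500_000, true}, {5_000_000, false}, {5_000_000, true}}
	fmt.Println("8 MB blocks:", ClassifyFork(OldRules, BiggerBlocksRules, probes), "fork")
	fmt.Println("SegWit:", ClassifyFork(OldRules, SegWitRules, probes), "fork")

	// Blocks produced by upgraded miners under each rule set.
	bigBlocks := []Block{{900_000, false}, {5_000_000, false}, {6_000_000, false}}
	o, n := Simulate(BiggerBlocksRules, bigBlocks)
	fmt.Printf("hard fork: old node holds %d blocks, upgraded node holds %d (chains diverge)\n", o, n)

	segwitBlocks := []Block{{900_000, true}, {700_000, true}, {800_000, true}}
	o, n = Simulate(SegWitRules, segwitBlocks)
	fmt.Printf("soft fork: old node holds %d blocks, upgraded node holds %d (same chain)\n", o, n)
}
```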

Hashing Process

Hashing is a process that converts an input of letters and numbers into an encrypted output of a fixed length. The main use of a hash function is to verify the authenticity of a piece of data. A hash, a unique fixed-length 32-byte identifier for every block, is the backbone of the blockchain network. It is generated based on the information present in the block header. The use of a fixed-length output drastically enhances the security of the data. If a hacker attempts to decrypt the hash, he or she cannot tell how long or short the input is simply by looking at the length of the output.

Each block includes a timestamp and a link to the previous block through its hash, creating a literal blockchain going back to the very beginning. In other words, the chain is “unbreakable” because the hashing process of a new block always includes meta-data from the previous block’s hash output. Therefore, it is nearly impossible to tamper with the stored information after it has been validated and connected to a blockchain. If attempted, the subsequent blocks in the chain would reject the attempted modification since their hashes would not be valid.

As blockchain uses the hashing process to link data items to each other, this technology makes it challenging to tamper with a single record since a hacker would need to change the block containing that record as well as those linked to it to avoid detection. The following graphic demonstrates how the hash value is carried over to the next block in the chain to make the blockchain network generally immutable.

Source: National Institute of Standards and Technology, “NISTIR 8202 Blockchain Technology Overview,” accessed on November 24, 2019.
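Added example (Go, not code from the course, NIST or any cryptocurrency project) that ties the hashing process above to the proof-of-work discussion earlier in this section: a toy chain in which each block commits to the previous block's hash and must also satisfy a leading-zeros puzzle. Editing a mined block breaks its own hash, and re-mining it still leaves the next block pointing at the old hash, so every later block would have to be re-mined too. The header fields, the leading-zeros target and the sample transactions are simplifications constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Block is a deliberately simplified block; a real Bitcoin header carries more
// fields (version, Merkle root of the transactions, timestamp, difficulty bits).
type Block struct {
	Index    int
	PrevHash string // hash of the previous block: the link in the chain
	Data     string // stands in for the transactions in the block
	Nonce    int    // value the miner varies until the puzzle is solved
	Hash     string
}

// headerHash hashes everything the block commits to, including PrevHash,
// which is what ties each block to its predecessor.
func headerHash(b Block) string {
	sum := sha256.Sum256([]byte(strconv.Itoa(b.Index) + b.PrevHash + b.Data + strconv.Itoa(b.Nonce)))
	return hex.EncodeToString(sum[:])
}

// meetsTarget is the toy puzzle: the hash must begin with `difficulty` hex zeros.
func meetsTarget(hash string, difficulty int) bool {
	return strings.HasPrefix(hash, strings.Repeat("0", difficulty))
}

// mine searches for a nonce that satisfies the target and returns the mined
// block together with the number of hashes tried (the "work").
func mine(b Block, difficulty int) (Block, int) {
	for attempts := 1; ; attempts++ {
		b.Hash = headerHash(b)
		if meetsTarget(b.Hash, difficulty) {
			return b, attempts
		}
		b.Nonce++
	}
}

// ValidateChain is what a full node does: every block must hash to its stored
// hash, satisfy the puzzle, and point at the actual hash of its predecessor.
// It returns whether the chain is valid and the index of the first bad block (-1 if none).
func ValidateChain(chain []Block, difficulty int) (bool, int) {
	for i, b := range chain {
		if b.Hash != headerHash(b) || !meetsTarget(b.Hash, difficulty) {
			return false, i
		}
		if i > 0 && b.PrevHash != chain[i-1].Hash {
			return false, i
		}
	}
	return true, -1
}

// BuildChain mines one block per data item, each linked to the one before.
func BuildChain(datas []string, difficulty int) []Block {
	var chain []Block
	prev := strings.Repeat("0", 64) // the genesis block has no predecessor
	for i, d := range datas {
		b, _ := mine(Block{Index: i, PrevHash: prev, Data: d}, difficulty)
		chain = append(chain, b)
		prev = b.Hash
	}
	return chain
}

func main() {
	const difficulty = 3
	chain := BuildChain([]string{"genesis", "Alice pays Bob 1 BTC", "Bob pays Carol 0.5 BTC"}, difficulty)
	ok, _ := ValidateChain(chain, difficulty)
	fmt.Println("original chain valid:", ok)

	// Tamper with the middle block. Its stored hash no longer matches.
	tampered := append([]Block(nil), chain...)
	tampered[1].Data = "Alice pays Bob 100 BTC"
	ok, at := ValidateChain(tampered, difficulty)
	fmt.Printf("after editing block 1: valid=%v, first bad block=%d\n", ok, at)

	// Even after re-mining block 1, block 2 still stores the old hash of block 1,
	// so the attacker would have to re-mine every later block as well.
	var work int
	tampered[1], work = mine(tampered[1], difficulty)
	ok, at = ValidateChain(tampered, difficulty)
	fmt.Printf("after re-mining block 1 (%d hashes): valid=%v, first bad block=%d\n", work, ok, at)
}
```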

Cryptography

The records on a blockchain are secured through cryptography, the process of enforcing authentication, data confidentiality, and data integrity, as opposed to those systems where the transactions are channeled through a centralized trusted entity. Cryptography is the technique of disguising and revealing data, otherwise known as encryption and decryption, through complex mathematics. Thus, the information can only be viewed by the intended recipients. This cryptographic technique allows each block to be broadcast to participants in the network in an encrypted form so that the transaction details are not made public.

Asymmetric cryptography is also known as public key cryptography. According to the National Institute of Standards and Technology, asymmetric cryptography enables a trust relationship between users who do not know or trust one another by providing a mechanism to verify the integrity and authenticity of transactions while at the same time allowing transactions to remain public. It uses a pair of keys, a public key and a private key, to encrypt and decrypt data, respectively. The following graphic demonstrates how asymmetric encryption works.

Source: Medium, “Understanding Encryption, Signing and Verification,” accessed on December 2, 2019.

In regard to cryptocurrencies, each participant on a blockchain network has a set of cryptographic keys:

1. Public Key, similar to an account number, is made available to everyone on the network to serve as an address on a blockchain network to receive, for example, bitcoins, as well as to verify a digital signature validating the identity of the sender. An address is an identifier, an alphanumeric string of 26-35 characters, representing a possible destination for a bitcoin payment. A typical bitcoin address, beginning with the number 1, 3 or bc1, looks like:

1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2

2. Private Key, similar to a secret PIN or password to an account, is used to create a digital signature for a transaction. It is uniquely linked to the owner and known only to the participants in a transaction. The signature prevents the transaction from being altered by anybody once it has been issued. Since a private key grants a cryptocurrency user ownership of the funds on a given address, it allows a user to access his or her cryptocurrency. Thus, the private key must remain secure because anyone with it can access (spend) funds.

Since cryptocurrencies do not exist in any physical shape or form, public and private keys are stored in a cryptocurrency wallet. A crypto wallet is a software program that:

✓ Stores private and public keys used for cryptocurrency transactions;
✓ Interacts with various blockchains to enable users to send and receive cryptocurrency; and
✓ Monitors users’ balances in each cryptocurrency resulting from various transactions.

There are two types of cryptocurrency wallets:

1. Hot wallet is located in a device connected to the Internet (whether hosted or entity-controlled). It allows users to send cryptocurrency to another address and to obtain an up-to-date snapshot of all the entity’s recent cryptocurrency transactions and balances.
2. Cold wallet (cold storage) means generating and storing the private keys in an offline environment (away from the Internet), since the online environment is very vulnerable to hacking.

The basic distinction between the two is that hot wallets are connected to the Internet, while cold wallets are kept offline. Since funds stored in a hot wallet are more accessible in comparison to funds in a cold wallet, they are more vulnerable to hacking and phishing. In other words, cold wallets usually maintain higher levels of security than hot wallets. There are different choices of cold wallets, such as a hardware wallet or a paper wallet.

• Hardware wallets are located on a USB or other device. The entity’s private and public keys are generated in the device when it is offline by using a random number generator.
• Paper wallets are a paper record of the entity’s private keys and related information. When the entity’s computer or other devices and printer are offline, software is used to generate a set of private and public keys and related addresses for its cold wallet.

In the asymmetric method, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt. That is, a person can encrypt a message using the receiver’s public key, but it can be decrypted only by the receiver's private key. Security relies on the secrecy of the private key. Each transaction is protected through a digital signature. The sender and the recipient interact directly with each other and there is no need for verification by a trusted third party. Identifying information is also encrypted. If a record is altered, the signature will become invalid and the peer network will know right away that something has happened. Early notification is critical to preventing further damage.

The private key must be backed up and protected from accidental loss. Private keys are like physical dollar bills. If they are lost, they cannot be recovered; the funds are forever lost, too. The holders, unfortunately, lose the ability to sell or transfer the crypto funds attached to those keys.
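Added example (Go, not code from the course or from any wallet software) of the signing and verification described in this section: Alice signs a transaction with her private key, every node checks it against her public key, and both an altered amount and a signature made with someone else's key fail verification. It uses Ed25519 from Go's standard library rather than the secp256k1 ECDSA that Bitcoin uses; the transaction fields, the address derivation and the names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Transaction is the message the sender broadcasts. From holds the sender's
// public key in hex (standing in for a bitcoin address); the matching private
// key never leaves the sender's wallet.
type Transaction struct {
	From   string
	To     string
	Amount uint64 // in the smallest currency unit; any unit works for the example
}

// Bytes serialises exactly the fields the signature covers. If any of them
// changes after signing, verification fails.
func (tx Transaction) Bytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", tx.From, tx.To, tx.Amount))
}

// SignedTransaction is what the network sees: the transaction plus the signature.
type SignedTransaction struct {
	Tx        Transaction
	Signature []byte
}

// NewKeyPair generates a fresh key pair. Ed25519 is an assumption for this
// example; Bitcoin itself uses ECDSA over secp256k1.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Address derives the "account number" other participants see from the public key.
func Address(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// Sign is what the sender's wallet does with the private key.
func Sign(tx Transaction, priv ed25519.PrivateKey) SignedTransaction {
	return SignedTransaction{Tx: tx, Signature: ed25519.Sign(priv, tx.Bytes())}
}

// Verify is what every node does: it takes the public key from the From field
// and checks the signature over the transaction bytes, without any private key.
func Verify(stx SignedTransaction) bool {
	pub, err := hex.DecodeString(stx.Tx.From)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), stx.Tx.Bytes(), stx.Signature)
}

func main() {
	alicePub, alicePriv := NewKeyPair()
	bobPub, _ := NewKeyPair()
	malloryPub, malloryPriv := NewKeyPair()

	// Alice signs a payment of 1 unit to Bob.
	signed := Sign(Transaction{From: Address(alicePub), To: Address(bobPub), Amount: 1}, alicePriv)
	fmt.Println("genuine transaction verifies:", Verify(signed))

	// Anyone relaying the message edits the amount: the signature no longer matches.
	altered := signed
	altered.Tx.Amount = 2
	fmt.Println("altered amount verifies:", Verify(altered))

	// Mallory signs a transaction that claims to come from Alice's address with
	// her own key: nodes reject it because the signature does not match Alice's key.
	forged := Sign(Transaction{From: Address(alicePub), To: Address(malloryPub), Amount: 1}, malloryPriv)
	fmt.Println("forged transaction verifies:", Verify(forged))
}
```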


Self-Executing Agreement

“A smart contract is a computerized transaction protocol that executes the terms of a contract. The general objectives are to satisfy common contractual conditions.”

Nick Szabo, Cryptographer

Another important benefit of certain blockchains is that they can create “smart contracts”. Although the concept of a smart contract was first introduced in 1994 by Nick Szabo, it was only with blockchain technology that smart contracts were able to facilitate and verify the performance of a contract.

An “oracle” is a way for smart contracts to interact with external data sources (real-world occurrences) such as payment completion, insurance policy, pricing data, and medical records. It basically draws data from outside the blockchain environment. The insertion of external data triggers smart contract executions, meaning that the smart contract reads the data and acts accordingly: execution or non-execution. Thus, it is essential that data from the oracle is accurate. For example, the insertion of wrong data could trigger a property transfer without a payment.

Based on the type of data collected and on the interaction with the external world, oracles have been categorized as:

1. Software oracles extract data from online sources (websites) such as prices of commodities, weather information, and flight schedules.
2. Hardware oracles obtain information directly from physical objects through sensors. A primary example is the use of Radio Frequency Identification (RFID) tags within a logistics framework.
3. Inbound oracles take data from outside of a blockchain. They reflect a set of “if” scenarios associated with data from the external world. For example, “if an asset reaches a certain price, a sale is triggered.”
4. Outbound oracles allow smart contracts to send data to the outside world. For example, an oracle takes the payment confirmation from the smart contract and sends it to the warehouse that automatically unlocks the storage unit for a customer.

[Figure: real-world occurrences supply data (e.g. pricing data, an insurance policy) to an oracle, which passes it on to the smart contract.]

Smart contracts are self-executing because they constitute lines of code (e.g. pre-defined rules) around an agreement that automate the contracting process and enable monitoring and enforcement of contractual promises. Transactions are self-verifiable and tamper-proof. Therefore, unlike a traditional contract where parties need remedial action through the legal system, self-executed smart contracts eliminate the need for middlemen and keep the system conflict-free. For example, money can only be sent from Alice to Bob if the conditions of an agreement are met: 1) date equals “January 1, 2020”, and 2) “Bob’s balance is less than 10 bitcoin”. If these conditions are met, the smart contract executes itself to produce the output.

Since smart contracts enable decentralized automation by facilitating, verifying or enforcing the negotiation or performance of a contract, they allow people to exchange anything of value, such as money, shares, or property, in a transparent manner. The real estate industry has experienced many notable advantages of smart contracts. For example, the act of buying and transferring ownership of property remains a tedious and lengthy process. These transfers typically need to be reviewed and confirmed by multiple third parties such as escrow agents, lawyers, and governmental bodies. Ethereum, a decentralized platform, utilizes smart contracts and, as a result, could be used to automatically transfer homeownership to a buyer, and the funds to a seller, after a deal is agreed upon without needing a third party to execute it on their behalf. Because the process is simplified, both the buyer and the seller can save money and time.

Lesson Note: Management is responsible for establishing controls to ensure that the smart contract source code is consistent with the intended business logic. An auditor should consider management’s controls over the smart contract code.

Smart contracts are also beneficial in cases of manual operations and lack of automation. For instance, claim processing usually takes a significant amount of resources and time in insurance administration. The use of smart contracts simplifies and streamlines processes by automatically triggering payments for claims when certain agreed-upon conditions between the company and the customer are met.

The following table summarizes the differences between traditional contracts and smart contracts.

Traditional Contracts vs. Smart Contracts:
• 1-3 days vs. minutes
• Manual remittance vs. automatic remittance
• Escrow necessary vs. escrow may not be necessary
• Expensive vs. a fraction of the cost
• Physical presence (wet signature) vs. virtual presence (digital signature)
• Lawyers necessary vs. lawyers may not be necessary

Source: PwC, “How Smart Contracts Automate Digital Business?”, 2016

Illustration: Crypto Transactions on a Blockchain

The following example demonstrates how blockchain technology allows for payments to move from one party to another without going through a central or commercial bank.

Both Alice and Bob use a bitcoin wallet to make transactions. A wallet is specialized software that calculates the balance of the user by keeping track of all incoming and outgoing payments.

All transactions are verified by network nodes through cryptography and recorded in a public distributed ledger. Anyone with bitcoin can participate in the network, send and receive bitcoin, and even hold a copy of this ledger. A bitcoin or a transaction cannot generally be changed, erased, copied, or forged, as everybody would know.

When Alice clicks ‘send’ in her wallet, the transaction gets propagated across the network. That is, she broadcasts a message with the transaction that she wants to make to all the miners in the network as: “Alice owns one bitcoin that lives at this address (insert bitcoin address). Alice wishes to send this bitcoin to Bob at this address (BTC address)”.

While Alice publicly announces her intention, she must also securely send Bob the private key that enables Bob to unlock the transaction and prove he is now the rightful owner. While the Bitcoin network can always see the public address, it can never see the private key.

Within seconds most of the network knows about this transaction and Bob sees a new pending transaction. In that transaction, Alice provides the miners with Bob's address and the number of bitcoins she would like to send, along with a digital signature and her public key. The signature is made with Alice's private key and the miners can validate that Alice, in fact, is the owner of those coins. Once miners validate the transaction via the consensus mechanism protocol, they add the transaction to the blockchain (hashing process). Now Bob will see in his wallet that the transaction is confirmed. It means that by now it is recorded in the blockchain and cannot be reversed.

If Alice or Bob wanted to falsify a transaction, they would have to compromise the majority of participants. This is much harder than compromising a single participant. Alice cannot claim that she never sent a bitcoin/digital token to Bob because her ledger would not agree with everyone else’s. Bob cannot claim that Alice gave him two bitcoins/tokens, as his ledger would be out of sync.


Review Questions - Section 1

1. What is a basic feature of a blockchain platform?
A. A need for middlemen
B. Single point of control
C. Peer-to-peer network
D. Use of symmetric cryptography

2. Which of the following describes a potential attack on a peer network, where a person attempts to gain control over the network by creating a large number of accounts?
A. Botnets
B. Sybil attack
C. Distributed denial-of-service
D. IP spoofing

3. What is the method that prevents “double-spending” in cryptocurrency exchanges?
A. Encryption
B. Block reward
C. Halving
D. Consensus algorithm

4. What is Proof of Work (PoW)?
A. A process of encoding and decoding information
B. A destination where a user sends and receives digital currency
C. A software program used to store private and public keys
D. A consensus protocol used to confirm transactions and produce new blocks to the chain

5. All of the following conditions must be satisfied in order to become validators in PoA EXCEPT:
A. Their identities need to be confirmed
B. High performance computer hardware is required
C. Eligibility is difficult to obtain
D. The selection process is standard

6. What is the term that describes a permanent split in a blockchain resulting from a change in protocol and data structures?
A. 51% attack
B. Double-spending
C. Selfish mining
D. Hard fork

7. What is a change to blockchain protocol that is backward-compatible?
A. Soft fork
B. Hashing
C. Mining
D. Hard fork

8. What is the method that secures blockchain transactions by assuring the authentication and confidentiality?
A. Hot wallet
B. Firewall
C. Cold storage
D. Cryptography

9. What does asymmetric encryption use?
A. Public keys only
B. Private keys only
C. Proof of Work
D. Public and Private keys

10. Which of the following describes an alphanumeric string of 26-35 characters that represents a possible destination for a bitcoin payment?
A. Hash
B. Address
C. Wallet
D. Digital Signature

11. Which of the following techniques enables automation of the contracting process by facilitating, verifying or enforcing the negotiation or performance of a contract?
A. Proof of Work
B. Smart contract
C. A stealth address
D. Hashing algorithm

Types of Blockchains

Blockchain networks can be classified based on their permission models, which determine who can maintain blocks. In the current ecosystem, the market has three types of blockchains:

1. Public (Permissionless) blockchains
2. Private (Permissioned) blockchains
3. Hybrid blockchains

To better understand the characteristics and constraints of each type, one should be familiar with the concept of the Scalability Trilemma described by Vitalik Buterin (the founder of Ethereum). The trilemma refers to the trade-offs between three properties: decentralization, scalability, and security. In other words, because it is difficult to achieve all three properties at the same time, trade-offs are almost inevitable.

“Blockchain systems have to trade-off between different properties. And it’s very hard for them to have three things at the same time, where one of them is decentralization. The other is scalability, and the third is security”.

Vitalik Buterin, The Founder of Ethereum

A blockchain can achieve at most two of the three properties. If the focus is placed only on two of them, the last property will considerably decrease, the result being a blockchain that could be more centralized, less secure, or slow (non-scalable). The Scalability Trilemma can be a useful comparative framework to measure blockchains against each other.

[Figure: The Scalability Trilemma, developed by Vitalik Buterin. Decentralization: the degree of diversification in ownership. Scalability: the capacity of the network. Security: the level of defensibility.]

Decentralization

Advantages:
• It keeps in line with the philosophy of blockchain technology, to put the power in the hands of the community.
• More decentralized typically means more secure. Unlike client-server models, there is no single point of failure that can be exploited.

Disadvantages:
• Consensus algorithms like PoW require a vast amount of resources to maintain the network, which steadily increases over time.
• It compromises on performance and speed, which is problematic for use cases which require high throughput.
• Because there is no central moderator, any eventual disputes need to be resolved by the community.
• No single point of failure means that the network does not rely on a centralized server. As such, it is difficult to shut down a decentralized blockchain that is being used for destructive purposes.

Scalability

Advantages:
• A high degree of scalability ensures that applications run at an optimal speed while supporting a high volume of transactions.
• High levels of scalability make an application less likely to break down if user demand is much greater than originally assumed.

Disadvantages:
• The primary drawback of high levels of scalability is related to the security implications that may arise. As the network increases, it becomes more difficult and costly to implement proper security measures.

Security

Advantages:
• The main advantage of strong security is that the blockchain network is less vulnerable to attacks. A blockchain with robust security is ideal for use cases where data security and integrity are paramount. This is especially the case for enterprise-grade applications, financial services platforms, supply chains, and confidential data.

Disadvantages:
• Maintaining high levels of security usually puts a strain on performance, speed, and scalability, as a significant portion of computing power and resources needs to be allocated. As a result, network latency is increased and throughput is significantly reduced, which may deter potential users.

Source: Modex, “A Brief Overview Of The Scalability Trilemma,” accessed on November 26, 2019.


Public Blockchains

Public (permissionless) blockchain networks allow every participant to submit transactions and add entries to the ledger, as no permission is required to join the network. The operation is like the public internet, where anyone can participate. In other words, any participant can read and write to the ledger. Thus, to prevent manipulation and protect the integrity of data, blockchain applies consensus-based validation mechanisms (e.g. proof of work).

Although no personal information is shared and identifying data is encrypted, each participant has a public address that theoretically could be traced back to an IP address or exchange account (through proper network analysis). For this reason, transactions are not entirely anonymous, but they are pseudonymous. The vast majority of cryptocurrencies currently in circulation are based on public blockchains (e.g. Bitcoin, Bitcoin Cash, Ethereum, and Litecoin). However, public blockchains have limited applications in the financial industry due to the public nature of transactions and limited functionality support at a protocol level.

Public blockchains have no single owner. They are far more decentralized than a private (permissioned) system because anyone can join the network. However, scalability is the trade-off, meaning that public blockchains are usually slower than private blockchains. This is because of the computational power required to maintain public blockchains and assure consensus. Consequently, as the volume of transactions and the number of individuals joining the network increase, it takes longer to process these transactions (e.g. validation), especially during peak hours.

Bitcoin, in its current form, can process approximately seven transactions per second. Ethereum can handle 20 transactions per second. Comparable traditional centralized payment systems, such as VISA, MasterCard, and PayPal, offer significantly higher transactions per second. For instance, VISA handles 150 million transactions per day, averaging roughly 1,700 transactions per second [6]. PayPal currently processes 193 transactions per second. Finally, the costs of processing a transaction usually increase as the network’s usage rises [7].

[6] Data on Bitcoin and VISA transaction speed statistics are from “Bitcoin vs. Bitcoin Cash: What is the Difference?,” Investopedia, with values accessed on November 26, 2019.
[7] Data on Ethereum and PayPal are from “Transactions Speeds: How Do Cryptocurrencies Stack Up To VISA or PayPal?”, howmuch.net, with values as accessed on December 26, 2019.

Real-World Case: A Peer-to-Peer Electronic Cash System

“What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud…. The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.”

Satoshi Nakamoto, the founder of Bitcoin

Bitcoin, the first permissionless blockchain, is public and open to all. It permits the transfer of currency online, directly, and independent of central control. Bitcoin, an example of convertible virtual currency, is used for retail purchases and investments. For example, it can be digitally traded between users and can be purchased for, or exchanged into, U.S. dollars, Euros, and other real or virtual currencies. Many merchants, both online and in the physical world, accept bitcoin as payment today, including:

✓ Overstock.com, the first major online retailer to accept bitcoin
✓ Microsoft, which accepts bitcoin payments for a variety of digital content
✓ Dell, which allows customers to buy computers and hardware with bitcoin
✓ DISH Network, the first subscription-model pay-TV provider to accept bitcoin, which has added Bitcoin Cash as a payment option
✓ Expedia, which accepts bitcoin for hotel bookings

Bitcoin remains the most well-known and widely used cryptocurrency, accounting for 72% of the market [8]. It is the only type of virtual currency that has the potential to compete with traditional currency.

In late 2019, there were about 18 million bitcoins in circulation. This number changes about every 10 minutes, when a new block is mined. Currently, each new block adds 12.5 bitcoins into circulation, and 144 blocks per day are mined on average. So, the average number of new bitcoins mined per day is 1,800 (12.5 × 144) [9].

[8] Data on cryptocurrency market valuations are from “Cryptocurrency Market Capitalizations,” CoinMarketCap, with values as accessed on September 20, 2019.
[9] Data on bitcoin statistics are from “How Many Bitcoins Are There?,” Buy Bitcoins Worldwide, with values as accessed on December 26, 2019.

Private Blockchains

Private (permissioned) blockchains restrict who can perform different activities on the network. The system operates much like a privately maintained database: the owner controls access and may choose to give read privileges to outsiders. For example, the owner (a single authority or an organization) of a private blockchain has the ability to dictate who can and cannot become part of its network. That is, only authorized participants are granted read and write privileges.

Transaction processing and extension of the blockchain are performed by a set of known and accepted nodes. Each participant in a private network knows the identity of the counterparty on the other side of a transaction. This feature is critical to financial services due to anti-money laundering and know-your-customer (“KYC”) considerations. Private blockchains also use consensus models (e.g. proof-of-stake) for publishing blocks.

Since participation is limited and controlled, private blockchains have a number of advantages over public networks, such as greater scalability, lower transaction costs, increased privacy, and less vulnerability to malicious attacks. A private blockchain typically can process much higher transaction volumes at higher speeds because, unlike public blockchains, it does not require significant computational resources. For example, XRP is the cryptocurrency used by the Ripple payment network. Built for enterprise use, XRP aims to be a fast, cost-efficient cryptocurrency for cross-border payments. The Ripple platform is designed to allow fast and cheap transactions.

Private blockchains can also be for internal enterprise use, such as auditing and database management. There are also some applications in the public sector, such as government budgets or government-industry statistics, which are usually managed by the government but can be made available for the public to view.

Private blockchains may also be used by organizations that need to more tightly control and protect their information. For instance, certain private blockchains require all members to be authorized to send and receive transactions. In this case, members are neither anonymous nor pseudonymous. This feature discourages fraudsters since they can be identified. Thus, private blockchains can be beneficial when transaction-processing nodes need to be known in order to comply with regulations. Other examples of private blockchain applications include asset management. The best-known examples of private blockchains are Hyperledger Fabric and R3 Corda.

The following table summarizes the differences between public and private blockchains.

Characteristic | Public (Permissionless) | Private (Permissioned)
Access | Open and transparent access | Authorized members only
Read | Open to anyone | Authorized members only
Write | Anyone | Authorized operators only
Performance | Slower | Faster
Scalability | Limited scalability | Highly scalable
Consensus* | Proof-of-Work (mining) or Proof-of-Stake | Proof-of-Stake or pre-approved participation
Transaction Cost | Higher | Low
Access Control | Same access level for all participants | Full control over members’ access
Identity | Anonymous or pseudonymous | Known

*: The concept of consensus is explained in “A Self-Regulating Ecosystem”.

Source: Business Blockchain HQ, “Blockchain Fundamentals,” accessed on November 12, 2019.

The following table identifies opportunities and challenges auditors face in permissionless and permissioned blockchains.

Permissionless blockchains

Opportunities:
• Examine transaction records on the blockchain;
• Develop novel audit processes for blockchain transactions;
• Verify the consistency between items on the blockchain and in the physical world.

Challenges:
• No reversal of erroneous transactions;
• No centralized authority to verify the existence, ownership, and measurement of items recorded on the blockchain;
• Data retrieval due to clients’ loss of private keys;
• No centralized authority to report cyberattacks.

Permissioned blockchains

Opportunities:
• Develop guidelines for blockchain implementation;
• Leverage industry knowledge and experience to offer advice on best practices for blockchain consensus protocols;
• Leverage business networks to form permissioned blockchains based on market demand;
• Act as planner and coordinator of potential participants of a blockchain;
• Leverage their expertise in IT auditing to audit the internal controls of a blockchain, including data integrity and security;
• Offer independent rating services for a specific blockchain;
• Act as administrator of a blockchain.

Challenges:
• Need to be proficient in various blockchain technologies;
• Difficult to reach consensus rules among all participants when acting as an organizational agent;
• Audit transactions linked to a side agreement that is “off-chain”;
• Tackle the situation when a central authority has the power to override information on the blockchain;
• Cope with changes of consensus protocol in a blockchain.

Source: American Accounting Association, “How Will Blockchain Technology Impact Auditing and Accounting: Permissionless versus Permissioned Blockchain”, Current Issues in Auditing Vol. 13, No. 2, Fall 2019.

Real-World Case: Blockchain for the Financial Industry

Quorum is an enterprise-focused, open-source version of Ethereum created by J.P. Morgan. Quorum is designed to address specific challenges to blockchain technology adoption within the financial industry and supports blockchain transactions amongst a permissioned group of known participants.

J.P. Morgan

Quorum, developed by J.P. Morgan, offers an enterprise-focused and permissioned blockchain. It will become the first distributed ledger platform available through Azure Blockchain Service, allowing J.P. Morgan and Microsoft customers to build and scale blockchain networks in the cloud. The principle of Quorum is to apply cryptography to prevent all except the parties to a transaction from seeing sensitive data. The solution involves a single shared blockchain and a combination of smart contract software architecture and modifications to Ethereum. The Quorum whitepaper provides a high-level overview of the Quorum blockchain platform:

Built on Ethereum
• First mover advantage; in production since July 2015
• 50,000+ unit tests, security audits, bounty program
• Largest ecosystem of developers, tools and DApps
• Public Ethereum blockchain protects over $1B+ in Ether

Simple Privacy Design
• Supports both private and public transactions and smart contracts

Single Blockchain Architecture
• All public and private smart contracts and state derived from a single, common, complete blockchain of transactions validated by every node in the network
• Private smart contract state validated by parties to the contract only
• Best of both worlds… every node validating the list of transactions while only exposing details of private transactions and contracts to relevant parties

High Performance
• Able to process dozens to hundreds of transactions per second, depending on system configuration; enough to support institutional volumes

Source: J.P. Morgan, Quorum: A permissioned implementation of Ethereum supporting data privacy, 2016
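The single-blockchain privacy design described above, as an added, simplified model (not the course's or Quorum's own code): every node validates one shared chain, but the body of a private transaction is delivered only to its parties, and everyone else sees just its hash. The bank names and payloads are constructed.

```python
"""Constructed illustration of the design principle in the Quorum overview:
every node validates one shared chain of transactions, but the body of a
private transaction is handed only to its parties; other nodes see just its
hash. Simplified model for this course, not Quorum's own implementation."""
import copy
import hashlib
import json

GENESIS = "0" * 64


def digest(obj) -> str:
    """Canonical SHA-256 of a JSON-serialisable object."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class Node:
    """One participant: a copy of the shared chain plus a private payload store."""

    def __init__(self, name):
        self.name = name
        self.chain = []      # identical on every honest node
        self.private = {}    # payload_hash -> payload, only for txs this node is party to

    def append(self, tx):
        prev = self.chain[-1]["block_hash"] if self.chain else GENESIS
        tx = copy.deepcopy(tx)                      # each node keeps its own copy
        block = {"prev": prev, "tx": tx, "block_hash": digest([prev, tx])}
        self.chain.append(block)

    def validate(self):
        """Recompute every link; needs no private data, so any node can do it."""
        prev = GENESIS
        for block in self.chain:
            if block["prev"] != prev or block["block_hash"] != digest([prev, block["tx"]]):
                return False
            prev = block["block_hash"]
        return True

    def view(self, index):
        """What this node can see of transaction `index`: the public payload,
        the private body if it is a party, otherwise None (only the hash)."""
        tx = self.chain[index]["tx"]
        if tx["kind"] == "public":
            return tx["payload"]
        body = self.private.get(tx["payload_hash"])
        if body is None:
            return None
        if digest(body) != tx["payload_hash"]:      # party-side integrity check
            raise ValueError("private payload does not match on-chain hash")
        return body


def submit_public(nodes, sender, payload):
    tx = {"kind": "public", "sender": sender, "payload": payload}
    for node in nodes.values():
        node.append(tx)


def submit_private(nodes, sender, parties, payload):
    payload_hash = digest(payload)
    for party in parties:                         # body goes to the parties only ...
        nodes[party].private[payload_hash] = copy.deepcopy(payload)
    tx = {"kind": "private", "sender": sender,
          "parties": sorted(parties), "payload_hash": payload_hash}
    for node in nodes.values():                   # ... the commitment goes to everyone
        node.append(tx)
    return payload_hash


def demo():
    """Three hypothetical banks: one public notice, one loan private to A and B."""
    nodes = {name: Node(name) for name in ("BankA", "BankB", "BankC")}
    submit_public(nodes, "BankA", {"type": "rate_notice", "rate": "1.25%"})
    submit_private(nodes, "BankA", ["BankA", "BankB"],
                   {"type": "loan", "amount": 5_000_000})
    return nodes


if __name__ == "__main__":
    net = demo()
    print("all chains valid:", all(n.validate() for n in net.values()))
    print("BankB sees:", net["BankB"].view(1))
    print("BankC sees:", net["BankC"].view(1))
```

BankC can confirm the chain, including the private transaction's position and hash, without ever learning the loan amount; a party whose private copy no longer matches the on-chain hash gets an error instead of a silently altered record.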

Consortium Blockchains

As explained, a private blockchain is managed by a single entity. Consortium (federated) blockchains are private blockchains deployed for a group of organizations or individuals to share data in a trustworthy environment. They restrict participation in the network to users permitted by agreed-upon administrators. Consortium blockchains are also known as semi-decentralized blockchains because the consensus process is controlled by pre-defined nodes or a set of participants on the network.

Features of Consortium Blockchains

✓ Permissioned
✓ Semi-decentralized
✓ Multi-party consensus required

Like private blockchains, consortium blockchains offer certain advantages such as lower transaction costs, shorter processing times and better privacy protection. Consortium blockchains are usually associated with enterprise use where a group of organizations, such as multiple banks, operate a shared ledger. Consortium blockchains are also an optimal solution for developing a network for all supply chain participants.

For example, the supply chain in the jewelry industry is long and complicated. The industry is vulnerable to fraudsters as jewels and precious metals change hands so many times. It involves many parties, such as miners, certifiers, insurers, regulators, shipping companies, designers, manufacturers, retailers, and customers. Blockchain technology (e.g. TrustChain, Everledger) has enabled traceability and transparency at all stages of the global supply chain.

Real-World Case: Authenticated Provenance of Diamonds

The following case was extracted from an Everledger press release, February 2019.

Transparency is one of the hottest topics in the jewelry industry. In 2015, Everledger developed a blockchain solution, Provenance Proof Blockchain, to help prevent fraud and illicit trading. Provenance Proof Blockchain enables transparency by securely tracing the journey of every stone from mining to consumer. That is, every transaction and hand-over adds an entry to the blockchain, resulting in a record providing transparency into the complete journey of a gemstone, from the mine to the end consumer.

This technology uses physical nanolabels, which are inserted in emeralds, so they can be traced back to the exact mine. A combination of both a physical tracer (Emerald Paternity Test) and a digital ledger (Provenance Proof Blockchain) enables even more transparency. All processes, including the registration and the upload of data, can be done with a smartphone. This ensures that the use of the Provenance Proof Blockchain is an inclusive solution, convenient for all types and sizes of stakeholders – artisanal miners, small-scale cooperatives, large companies, and any size of cutters and treaters, dealers, wholesalers, gem labs, manufacturers, jewelry brands, retailers, and end consumers.

Working with a range of stakeholders across the diamond supply chain, including diamond manufacturers and downstream retailers, Everledger has since encrypted the provenance of over 2 million diamonds in a short three years.

Figure: stages of the diamond journey recorded on the ledger: Mine, Rough, Assort, Planning, Laser Cutting, Polishing, Polishing QC, Certification, Store/Consumer.

Hybrid Blockchains

Hybrid blockchains combine the best of public and private blockchains. For example, they offer the critical features of public blockchains, such as decentralization, security, transparency and immutability. They also have the privacy benefits of private blockchains by restricting users’ ability to access the network and to view or change transactions. That is, only a selected section of data or records can be permitted to go public, keeping the rest confidential in the private network. The main advantage is that a company has better control over what it wants to accomplish. In particular, a company has the flexibility to design an infrastructure based on the use case, as different types of users can be assigned different levels of access and rights. For instance, privacy and transparency features can be tailored to classes of users, actions, or categories of information. As demonstrated in the following figure, the private feature ensures that sensitive data is secure while the public feature makes it verifiable and transparent.

Source: Kapoor, “What are Blockchain Benefits and Trends in 2019?”, Hacknoon, accessed on November 30, 2019

Whether to Deploy Blockchain Solutions

The increasing enthusiasm could potentially bias an objective evaluation of whether or not to invest in this technology. Blockchain technology solutions may be suitable if the activities or systems require features such as [10]:

✓ Many participants
✓ Distributed participants
✓ A want or need to operate without a trusted third party
✓ A workflow that is transactional in nature (e.g., transfer of digital assets/information between parties)
✓ A need for a globally scarce digital identifier (i.e., digital art, digital land, digital property)
✓ A need for a decentralized naming service or ordered registry
✓ A need for a cryptographically secure system of ownership
✓ A need to reduce or eliminate manual efforts of reconciliation and dispute resolution
✓ A need to enable real-time monitoring of activity between regulators and regulated entities
✓ A need for full provenance of digital assets and a full transactional history to be shared amongst participants

In general, deploying blockchain can only be practical when multiple mistrusting entities want to collaborate and change the state of a system but cannot settle on an online trusted third party. The risk is that a company decides to adopt blockchain technology because it is intriguing, without reflecting on whether it is suitable for its business. The strengths, weaknesses, opportunities and threats (SWOT) analysis provided below summarizes the advantages and disadvantages of this technology.

[10] The blockchain application considerations are from “NISTIR 8202 Blockchain Technology Overview,” National Institute of Standards and Technology, accessed on November 24, 2019.

SWOT Analysis of the Adoption of Blockchain

Internal factors

Strengths (positive):
✓ Fast and low-cost money transfers
✓ No need for intermediaries
✓ Automation (by means of smart contracts)
✓ Accessible worldwide
✓ Transparency
✓ Platform for data analytics
✓ No data loss/modification/falsification
✓ Non-repudiation

Weaknesses (negative):
• Scalability (discussed in “Types of Blockchains”)
• Low performance (discussed in “Types of Blockchains”)
• Energy consumption (discussed in “Consensus Mechanism”)
• Reduced users’ privacy
• Autonomous code is “candy for hackers”
• Need to rely on external oracles
• No intermediary to contact in case of loss of users’ credentials
• Volatility of cryptocurrencies
• Still in an early stage (no “winning” blockchain, need for programming skills to read code, blockchain concepts difficult to master)
• Same results achievable with well-mastered technologies

External factors

Opportunities (positive):
✓ Competitive advantage (if efforts to reduce/hide the complexity behind blockchain are successful, or in case of diffusion of the Internet of Things)
✓ Possibility to address new markets (e.g., supporting car and house sharing, disk storage rental, etc.)
✓ Availability of a huge amount of heterogeneous data pushed into the blockchain by different actors

Threats (negative):
• Could be perceived as unsecure/unreliable
• Low adoption from external actors means lack of information
• Governments could consider blockchain and smart contracts “dangerous”
• Medium-to-long-term investment
• Not suitable for all existing processes
• Customers would still consider personal interaction important

Source: Future Internet, “Blockchain and Smart Contracts for Insurance: Is the Technology Mature Enough?,” 2018.

Appendix A provides a blockchain decision tree to help individuals determine if blockchain technology is suitable for a development initiative.

Review Questions - Section 2

1. Which of the following statements is TRUE regarding public blockchains?
A. Privileges are used to control who can read the blockchain
B. Provide greater efficiency; transactions are processed faster
C. Designed to cater to enterprise requirements
D. Have no single owner; are visible to anyone

2. Which of the following platforms has the highest degree of scalability?
A. Bitcoin
B. VISA
C. Ethereum
D. PayPal

3. Cloud Inc. considers deploying a blockchain platform. Cloud Inc. needs to control who can read and write on its blockchain. Which type of blockchain best fits Cloud Inc.’s need?
A. Public
B. Private
C. Consensus-less
D. Permissionless

4. Which cryptocurrency is operated on a private blockchain?
A. Bitcoin
B. Ripple
C. Bitcoin Cash
D. Litecoin

5. What is a feature of a consortium blockchain?
A. Open to the public
B. Required multi-party consensus
C. Centralized
D. Permissionless

II. How Blockchain Will Enhance the Accounting and Auditing Professions

“The blockchain technology is the most important advance in recordkeeping since the invention of double-entry bookkeeping in Florence, Italy in 1494”

The Economist Magazine

Blockchain is essentially an accounting technology, which dramatically changes the way we create, send, receive, track, validate, update and store transactions. It has the potential to offer absolute certainty over the ownership and history of assets and to reduce the costs of maintaining and reconciling ledgers. Specifically, it could create a secure and immutable history of transactions that is easily traceable, enhancing auditability and transparency.

To appreciate the value of this technology, we need to understand current accounting and auditing practices. This chapter explains the concept of accounting, the auditor’s responsibilities, and the functions of middlemen. It also discusses the challenges facing the accounting and auditing professions and how blockchains can enhance many of the core activities of these professions.

Foundation of Accounting Principles

The Value of Accounting

“Accounting is the art of recording, classifying and summarizing in a significant manner and in terms of money, transactions and events, which are, in part at least, of a financial character and interpreting the results thereof”.

American Institute of Certified Public Accountants

The history of accounting is thousands of years old and can be traced to ancient civilizations such as China, Babylonia, Greece, and Egypt. Accounting was used to keep records regarding the cost of labor and materials used in building great structures like the Pyramids [11]. All entities have resources such as money, labor, raw materials, equipment, buildings, and factories. Therefore, the entity must record the details of business transactions in a systematic, orderly, and logical manner in order to track and analyze its assets, liabilities, income, and expenditures, and answer the following basic questions:

• What are the costs of purchasing company assets (e.g. property, machines, equipment)?
• How much does it cost to create the products/services?
• How much is spent on overhead (e.g. rent, insurance, utilities)?
• What is the cost of managing employees (e.g. salaries, commissions, benefit programs)?
• How much is receivable from customers to whom goods/services were sold on credit?
• How much is payable to suppliers as a result of credit purchases?
• Are there any amounts that have been outstanding for a long time?
• Are there any loans outstanding and if so, what is their nature and when will they be repaid?
• What is being leased and when will the lease(s) end?
• Is revenue increasing or decreasing year-over-year? Why?
• Is cash flow positive or negative each month?

[11] Information on the history of accounting is from “Financial Accounting - I,” Chandra Shekhar.

Accounting information is valuable because decision-makers can use it to measure business activities and the financial outcomes of different alternatives. For instance, management uses accounting information to analyze business performance and make decisions. Creditors examine a company’s financial statements to assess the company’s ability to repay a loan. Prospective investors are interested in evaluating the investment characteristics of a company such as risk, return, and growth. The American Accounting Association states that accounting is the process of identifying, measuring and communicating economic information to permit informed judgments and decisions by users of the information.

The Development of Accounting Discipline

Book-Keeping System

“Book-keeping is the science and art of correctly recording in the books of account all those business transactions that result in the transfer of money or money’s worth”.

R.N. Carter

The need for recording business transactions in a systematic and clear manner gives rise to book-keeping. Book-keeping, concerned with record-keeping of business events and maintenance of books of accounts, provides the basis for accounting. The objectives of book-keeping include:

1. Maintaining a permanent, complete, and accurate record of all business transactions
2. Keeping records of income, expenses, assets, and liabilities to assist in decision making
3. Tracking the activities of customers and suppliers (e.g. the amount due)
4. Summarizing recorded transactions in the financial statements to show the business performance
5. Determining tax basis and obligations by recording all business transactions

The activities of book-keeping include recording in a journal, classifying and summarizing financial data, posting to the general ledger and balancing accounts. All business transactions are initially recorded in a book of original entry (journal), in accordance with the double-entry accounting system used in modern financial accounting, and then posted to the general ledger. A general ledger, the king of all books, tracks all of the information needed to prepare financial statements, including assets, liabilities, equity, revenue, and expenses.

Lesson Note: The first known description of double-entry book-keeping was published in 1494 A.D. by Luca Pacioli, who was an Italian merchant.

Double-entry accounting means that each transaction is recorded in at least two accounts, where the total debits always equal the total credits. It allows companies to maintain records reflecting what they own and owe, and have earned and spent, for a given period of time. Under double-entry accounting, all transactions fit into a simple equation:

Assets = Liabilities + Equity

The following table illustrates how the nature of an entry affects the financial position of a company.

Account Type | Normal Balance | Debit | Credit
Assets | Debit | Increase | Decrease
Liabilities | Credit | Decrease | Increase
Equity | Credit | Decrease | Increase

For example, when a company borrows money from a bank, the company's assets will increase and its liabilities will increase by the same amount. A financially healthy company usually maintains a consistent ratio of assets to liabilities. A sudden increase in this ratio may indicate that liabilities such as long-term debt were hidden in off-balance-sheet entities or entries.

Example: Double-Entry Accounting

Johnson Architectural Company has assets of $800,000, obligations of $500,000, and owner's equity of $300,000. The accounting equation is:

Assets = Liabilities + Equity
$800,000 = $500,000 + $300,000

If, at the end of the reporting period, the firm derived a net income of $100,000, the accounting equation becomes:

Assets = Liabilities + Equity
$900,000 = $500,000 + $400,000

If $50,000 was then used to pay creditors, the accounting equation becomes:

Assets = Liabilities + Equity
$850,000 = $450,000 + $400,000

By using the double-entry system, the accuracy of the accounting can be proven through the preparation of a trial balance. A trial balance is a statement which displays the debit balances and credit balances of all accounts in the general ledger. The agreement of the debit and credit totals of the trial balance gives assurance that:

• Equal debits and credits have been recorded for all transactions
• The calculation of the account balances in the trial balance has been performed correctly

However, the equality of debit and credit totals does not necessarily mean that the accounting process has been error-free. Serious errors may have been made, such as failure to record a transaction or posting a debit or credit to the wrong account. Examples of common errors that may cause a trial balance to be out of balance include:

• Posting a debit as a credit, or vice versa
• Failing to post part of a journal entry
• Incorrectly determining the balance of an account
• Recording the balance of an account incorrectly in the trial balance
• Omitting an account from the trial balance
• Making a transposition or slide error in the accounts or the journal
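The double-entry controls just described, as an added example that is not part of the course: a minimal general ledger that refuses unbalanced entries, reproduces the Johnson Architectural figures, and then shows the limit the text points out, namely that a posting to the wrong account leaves the trial balance in balance. The chart of accounts and the rent transaction are constructed.

```python
"""Constructed illustration of the double-entry controls described above: a
minimal general ledger that refuses unbalanced journal entries, proves the
accounting equation, and then shows why a balanced trial balance is not proof
that the books are error-free. Not the course's own code; the account names
and the rent transaction are made up."""
from collections import defaultdict

# Hypothetical chart of accounts; revenue and expenses roll into equity.
ACCOUNT_TYPE = {
    "Cash": "asset", "Equipment": "asset",
    "Bank Loan": "liability",
    "Owner's Equity": "equity", "Service Revenue": "equity", "Rent Expense": "equity",
}


class Ledger:
    def __init__(self):
        # Signed balance per account: debits add, credits subtract, so a
        # debit-normal account (asset, expense) ends positive and a
        # credit-normal account (liability, equity, revenue) ends negative.
        self.balances = defaultdict(int)

    def post(self, description, debits, credits):
        """Record one journal entry; debits/credits map account -> amount.
        Rejected unless total debits equal total credits (the double-entry rule)."""
        if sum(debits.values()) != sum(credits.values()):
            raise ValueError(f"unbalanced entry rejected: {description}")
        for account, amount in debits.items():
            self.balances[account] += amount
        for account, amount in credits.items():
            self.balances[account] -= amount

    def trial_balance(self):
        """Totals of all debit balances and all credit balances."""
        debit_total = sum(v for v in self.balances.values() if v > 0)
        credit_total = sum(-v for v in self.balances.values() if v < 0)
        return debit_total, credit_total

    def equation(self):
        """(Assets, Liabilities, Equity) so that Assets == Liabilities + Equity."""
        assets = liabilities = equity = 0
        for account, v in self.balances.items():
            kind = ACCOUNT_TYPE[account]
            if kind == "asset":
                assets += v
            elif kind == "liability":
                liabilities -= v
            else:
                equity -= v
        return assets, liabilities, equity


def johnson_example():
    """The Johnson Architectural figures from the text, posted as journal entries."""
    gl = Ledger()
    gl.post("opening position", {"Cash": 800_000},
            {"Bank Loan": 500_000, "Owner's Equity": 300_000})
    gl.post("net income for the period", {"Cash": 100_000}, {"Service Revenue": 100_000})
    gl.post("pay creditors", {"Bank Loan": 50_000}, {"Cash": 50_000})
    return gl


def misposted_rent():
    """Rent of 10,000 is debited to Equipment instead of Rent Expense.
    The entry balances, so neither post() nor the trial balance catches it:
    an asset is overstated and an expense understated by the same amount."""
    gl = johnson_example()
    gl.post("rent (posted to wrong account)", {"Equipment": 10_000}, {"Cash": 10_000})
    return gl


def slide_error_caught():
    """A slide error (50,000 keyed as 5,000 on one side) is unbalanced and rejected."""
    gl = johnson_example()
    try:
        gl.post("slide error", {"Bank Loan": 50_000}, {"Cash": 5_000})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("Johnson:", johnson_example().equation())        # (850000, 450000, 400000)
    bad = misposted_rent()
    print("misposted rent still balances:", bad.trial_balance())
    print("slide error caught:", slide_error_caught())
```

The wrong-account posting is exactly the class of error the text says a trial balance cannot reveal; detecting it needs evidence outside the ledger's own arithmetic, which is the auditor's job described in the next sections.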

Management Assertions

The preparation of financial statements is management's responsibility. For example, a Controller is responsible for establishing and maintaining internal control that will initiate, record, process, and report transactions consistent with management's assertions embodied in the financial statements. Whenever management issues financial reports, management is making the following assertions:

✓ Existence or occurrence: The assets, liabilities and shareholders' equity balances of the company exist at a given date. For example, management asserts that inventories in the balance sheet are available for sale.
✓ Completeness: All transactions and accounts that should be presented in the financial statements are included. For example, management asserts that all purchases of goods are recorded and included in the financial statements.
✓ Valuation or allocation: The amounts of assets, liabilities, equity, revenue, and expenses included in the financial statements are appropriate. For example, management asserts that property is recorded at historical cost and that such cost is systematically allocated to the proper accounting period.
✓ Rights and obligations: The company holds or has ownership rights or usage rights over the assets, and liabilities are obligations of the company at a given date. For example, management asserts that amounts capitalized for leases in the balance sheet represent the cost of the company’s rights to leased property and that the corresponding lease liability represents an obligation of the company.
✓ Presentation and disclosure: The components of the financial statements are properly classified, described and disclosed. For example, management asserts that obligations classified as long-term liabilities in the balance sheet will not mature within one year.

The Role of Auditor

“The origin of the word audit relates it to hearing, and traces of this early usage, signifying the

hearing by proper authorities of accounts rendered by word of mouth, still linger in such phrases as

hearing witnesses and examine witnesses included in some dictionary definitions of audit.”

The American Institute of Certified Public Accountants

The use of double-entry accounting, a system of checks and balances, helps identify whether or not

errors have been made in recording transactions. The double-entry system may solve the problem of

managers knowing whether they could trust their own books. However, each company represents

their version of a transaction independently of the other. For instance, Enron represented transactions

in a way best suiting itself. Whether intentionally fraudulent or accidental, multiple participants in a

transaction can get out of sync since there are no checks and balances between entities. Companies

43

are expected to share their financial information with stakeholders such as the audit committee,

shareholders, lenders, and regulatory bodies. This raised the question of how external parties could

trust management and the company’s books.

One of the primary objectives of an audit is to provide trust among its intended parties. It focuses on

both the truth of the records and the question of whether or not the statements were faithfully

prepared from those records. Auditing is generally defined as a systematic process of objectively

obtaining and examining evidence in respect of certain assertions about economic events, to ascertain

the degree of correspondence between those assertions and established criteria and to report the

results to interested parties.

Auditors, independent guarantors of financial information, validate a company’s transactions and

verify the integrity of accounting entries (e.g. sales, expenses) as shown in the table below. They must

follow auditing standards to form an opinion as to whether the financial statements are free of

material misstatement, whether caused by error or fraud.

Revenues = Accounts receivable are from the sale of merchandise, or the performance

of services for a customer or a client

Expenses = Accounts payable result from expenditures necessary to conduct business

operations (e.g. rent expense cost of goods sold)

Net Income = Revenues − Expenses

The Sarbanes-Oxley Act (SOX) imposed stringent requirements on external auditors in their evaluation

of internal controls over financial reporting (ICFR). Specifically, it requires auditors to perform an

independent audit of ICFR and to issue a report including two opinions — one on management's

assessment and one on the effectiveness of ICFR. To form the opinion, the auditor must gather

appropriate and sufficient audit evidence by performing audit procedures. Examples of audit

procedures include:

• Interviewing appropriate personnel at all organizational levels

• Re-calculating recorded amounts for accuracy (e.g. depreciation schedule)

• Confirming the existence of balances with third parties (e.g. cash, sales, receivables, debt,

liabilities, investments)

• Re-performing procedures or controls (e.g. bank reconciliation, 3-way matching)

• Observing the operation of an internal control procedure being performed

• Inspecting the company’s documentation (e.g. records, reports, operating manuals)

Lesson Note: Audit evidence contains both information that supports and corroborates management's

assertions regarding the financial statements or ICFR and information that contradicts such assertions.

Since auditors are the trusted professionals who perform testing to obtain sufficient evidence to opine

and attest to the existence, accuracy, and completeness of transactions as well as the presentation of


related information in financial statements, they must be independent from the client and parties that

have an interest in the results shown on the financial statements so that the audit opinion will not be

influenced by any relationship between them.

In summary, audited financial statements are a cornerstone of business as investors’ willingness to

commit their capital depends on confidence that financial statements have not been manipulated.

Therefore, all companies that wish to access the U.S. capital markets must obtain an audit of financial

statements.

The Functions of Intermediaries

“Traditionally, finance, as we know, has always been dominated by intermediaries such as banks,

governments and central authorities as a means to establish ‘trust’ for any storage or exchange of

value.”

XinFin Organization

Trust, the root of “promise to pay,” is vital to the conduct of all businesses. Trust is difficult to gain;

therefore, we need to rely on a central authority or intermediary (a middleman) that acts as the

implicitly trusted mediator maintaining every transaction. In other words, assuring trust between

participants depends on the existence of an intermediary who maintains and updates a ledger in a

system.

A financial intermediary simply connects two parties in a financial transaction. For example, banks

allocate funds from savers to borrowers. We trust that banks will provide us with accurate information

and access to the deposits on request. Similarly, for a syndicated loan, a form of loan business in which

two or more lenders jointly provide loans for a single borrower (e.g. corporation, sovereign

government), one bank is usually appointed as the trusted third party to manage the loans (e.g.

maintaining the register of lenders, administrating loans, and keeping all the records). However, in a

global economy, creating and maintaining trust in the system has become increasingly time-

consuming, expensive, and inefficient.

Examples of common financial intermediaries include:

Stock Exchanges: Stock exchanges act as an agent by facilitating the trading of securities and stocks

and disseminating information. For example, they provide confirmation of trade terms, clearing, and

settlement. They charge each party a brokerage fee, which is the exchange's profit. Notable stock exchanges

include NASDAQ, New York Stock Exchange (NYSE), and Shanghai Stock Exchange (SSE). In the

aggregate, NASDAQ processed about 9.9 million executed securities trades daily, valued at $69.3

billion.12

Depository Institutions: Depository institutions accept currency deposits and offer various payment

services, ranging from interbank services (e.g. operating ATMs, clearing checks) and point-of-sale

services to credit/debit card networks and electronic funds transfer systems. There are three major types of

depository institutions: commercial banks, savings and loans/savings banks, and credit

unions. The Federal Deposit Insurance Corporation (FDIC) insures deposits in banks and thrift

institutions for at least $250,000. As of June 2019, there were 4,630 FDIC-insured commercial banks

in the U.S.13

Insurance Companies: According to the National Association of Insurance Commissioners, the basic

concept of insurance is that an economic device transfers risk from an individual to a company and

reduces the uncertainty of risk via pooling. On a contractual basis, the insurer will guarantee payment

for an uncertain unfortunate event. The insured pays a premium to the insurer at regular intervals in

exchange for protection related to that uncertain future occurrence. Insurance companies (the

insurer) pool customers together (e.g. corporations, individuals) with the goal to mutually bear the

burden of losses if an unfortunate event occurs. They collect funds (premiums) for policies and provide

policy benefits.

12 Average daily volume and value were calculated using 2016 data on U.S. retail and wholesale PCS systems and were approximated based on the number of business days in the year. See Committee on Payment and Market Infrastructures (2016), Statistics on Payment, Clearing and Settlement Systems in the CPMI Countries, with values as accessed on November 8, 2019.

13 The commercial bank statistics are from “Statistics At A Glance,” the Federal Deposit Insurance Corporation, with values accessed on November 11, 2019.


Review Questions - Section 3

1. What is the concept that an increase or decrease in one account must be offset exactly by an

increase or decrease in another account?

A. Conservatism

B. The going concern assumption

C. Double-entry accounting

D. The monetary measurement concept

2. According to the rules of debit and credit, which of the following statements is TRUE?

A. Increases in asset, liability, and owners’ equity accounts are recorded by debits

B. Decreases in asset and liability accounts are recorded by credits

C. Increases in asset and owners’ equity accounts are recorded by debits

D. Decreases in liability and owners’ equity accounts are recorded by debits

3. Which of the following management assertions indicates that the amount of revenue and expense

included in the financial statements is appropriate?

A. Existence

B. Completeness

C. Valuation

D. Rights and obligations

4. What is the process of objectively obtaining and examining evidence in respect of certain

assertions about economic events?

A. Cost accounting

B. Risk assessment

C. Auditing

D. Management accounting

5. As an independent guarantor of financial information, what is an auditor's primary consideration

regarding internal control?

A. Whether the control reflects management's philosophy and operating style

B. Whether the control affects management's financial statement assertions

C. Whether the control provides adequate safeguards over access to assets

D. Whether the control enhances management's decision-making processes


6. Which of the following entities usually serves as a financial intermediary?

A. The Internal Revenue Service

B. A public accounting firm

C. New York Stock Exchange

D. A community college


Obstacles of the Current Practice

A Burden on Business

Cost Implications of Internal Control

Currently, to prevent, detect, and correct financial irregularities, companies rely on a system of checks

and balances, otherwise known as internal controls. However, internal controls require resources that

incur a cost for the company. For example, a reconciliation process, a comparison of specific sets of

data to other sources, identifies discrepancies that need to be investigated (e.g. detecting

unauthorized changes or omission of transactions). The reconciliation process may involve multiple

systems and records requiring participation from employees, vendors, and multiple departments. This

task often affects daily accounting operations due to the manual labor it takes to conduct and

document periodic reviews and follow-ups.

Segregation of duties is another example of an internal control that could be costly. Although

segregation of duties is often considered a key internal control, hiring additional employees is not

always feasible, especially for smaller companies. Moreover, the segregation of duties may lead to

overstaffing if it is not well established. Finally, it is important to know that more is not necessarily

better in the case of internal controls, especially when the costs of implementing and performing the

controls exceed the benefits and the risks are low. For example, a rigid implementation may cause a

slowdown in the operation of the business by increasing bureaucracy and reducing productivity.

Audit Compliance

Auditors may ensure the validity and credibility of financial information and compliance with

regulations; however, an independent audit is an expensive monitoring tool. For example, SOX

drastically impacted the cost of, and time needed to complete, a quality audit. SOX also specifies

what is required of the auditors in an audit of a public company. Auditors are required to design and

perform various audit procedures to obtain sufficient appropriate audit evidence. These procedures

can be time-consuming and laborious, especially when manual reviews are required and paper

documentation has to be obtained.

For instance, audit confirmations are usually performed to obtain evidence from third parties about

management assertions including the existence of cash balances and the completeness of accounts

payable. According to the auditing standards (AU 326 Audit Evidence), when using external

confirmation procedures, the auditor usually performs the following procedures:

1. Determines the information to be confirmed or requested;

2. Selects the appropriate confirming party;


3. Designs the confirmation requests, including ensuring that requests are properly directed to

the appropriate confirming party and state that responses are to be sent directly to the

auditor;

4. Sends the requests, including follow-up requests when applicable, to the confirming party;

and

5. Evaluates whether the results of the external confirmation procedures provide relevant and

reliable audit evidence or whether further audit procedures are necessary.

Confirmation is often considered time-consuming because the average turnaround of paper

confirmations takes four to eight weeks. It can also be costly and manually intensive because of the

resources required in preparation, mailing, receipt, and follow-up. It is estimated that paper

confirmations cost as much as $70 per confirmation. This figure can increase depending on staff rates

and the amount of follow up work required on lost or inaccurate confirmations as well as investigating

any exceptions.14 Limitations of confirmations are addressed in “Reliability of Audit Evidence”.

In general, the cross-party verification process can be costly as the audit fee is usually determined by

the amount of time the auditor spends conducting the audit. The larger the organization’s budget and

the more complex its operations, the more time the audit will take and the higher the audit cost. The

Financial Education & Research Foundation (FERF) 2018 survey reveals increases in audit fees, with

public companies reporting an average increase of 4.1%. Private companies reported an average

increase of 5.6%. The average audit of a public company took almost 34,000 hours of work. For a

private company, it took about 1,395 hours. Audit costs could be a significant burden to some

organizations if audit fees continue to increase. The following tables summarize the survey results.

2018 Audit Fee Survey (Based on the 2017 Filing Year)

Survey Respondents        Average Audit Fees    Median Audit Fees
Large Accelerated         $11,010,871           $6,973,000
Accelerated               $727,056              $415,000
Non-Accelerated           $161,101              $128,371
Private company           $138,658              $71,775
Nonprofit organization    $91,619               $45,000

Source: Financial Education & Research Foundation (FERF), 2018 Audit Fee Survey

14 Information about the estimated cost of paper confirmations is from “How Inefficiencies Increase the Risk of Confirmation Fraud,” Confirmation.com, 2015.


2018 Audit Fee Survey

Survey Respondents    Average Hours (2017)   Average Hours (2016)   Average Rate (2017)   Average Rate (2016)
Public company        34,003                 32,508                 $248                  $225
Private company       1,395                  1,754                  $191                  $180

Note: Nonprofit organizations reported flat fees.

Source: Financial Education & Research Foundation (FERF), 2018 Audit Fee Survey

Inherent Limitations of Financial Audits

The Association of Certified Fraud Examiners (ACFE) reveals that financial audits are the most common

anti-fraud control put in place, with nearly 80% of organizations in its study opting for such audits.

However, only 4% of fraudulent activities are detected by external auditors.15 This indicates that most

organizations may misunderstand the nature of financial audits and, therefore, place too much

reliance on the audits. It is important to understand that financial audits are not designed to search

for fraud in the accounting records. Thus, they are not aimed at preventing and detecting fraudulent

activities. Moreover, the auditor is not expected to, and cannot, obtain absolute assurance that the

financial statements are free from material misstatement due to fraud or error. This is because there

are limitations of an audit, such as reliability of audit evidence and the nature of audit procedures. This

section examines some of the challenges in the current audit practice.

15 Statistics about common anti-fraud controls and fraud detection methods are from “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse,” The Association of Certified Fraud Examiners.


Reliability of Audit Evidence

According to the auditing standards (AU 326 Audit Evidence), audit evidence is all the information used

by the auditor in arriving at the conclusions on which the audit opinion is based and includes the

information contained in the accounting records underlying the financial statements and other

information. The reliability of audit evidence is influenced by its source and nature and is dependent

on the individual circumstances under which it is obtained.

The following types of evidence are ranked from highest to lowest reliability:

• Physical examination

• External documents

• Confirmation

• Re-calculation

• Re-performance

• Observation

• Internal documents with effective controls

• Analytical procedures with sufficient data

• Inquiry

• Internal documents with poor controls

As noted, audit evidence in the external form received directly by the auditor such as legal

representation letters and bank confirmations may be more reliable than evidence generated

internally by the entity. For example, the auditor may seek direct confirmation of receivables by

communication with debtors. However, confirmation is often considered a relatively low-benefit

procedure since it only requires routine effort and even less thought. According to the auditing

standards (AU 330 The Confirmation Process), confirmations carry interception and alteration risks as well as

risks concerning the source of the response. That is, fraudsters can circumvent the audit confirmation process in the

following ways:

• Company provides the account statement, contact name and contact information (e.g. false

mailing addresses, phone numbers, fax number)

• Company directs/influences the auditor’s authentication process

• Auditor’s limited ability to authenticate documents and signatures

According to a survey of over 150 accounting firms, almost all of the mailing addresses for

confirmations are provided to the auditor by the client or taken directly from client-provided bank

statements.16 The risk associated with any client-provided documentation is that fraudsters can easily

create a fake statement (e.g. names, addresses, and phone numbers) and manipulate the document

by using a scanning machine to deceive the auditor.

16 Information about the estimated cost of paper confirmations is from “Guide to Electronic Confirmations,” Boomer Consulting, Inc.

[Figure: Reliability of Evidence, ranked from high to low]


Moreover, the manager may direct the auditor to send confirmations to a dishonest vendor who is

willing to fraudulently complete the confirmation responses, hoping to avoid detection. As a result,

the auditor cannot be certain of the accuracy and completeness of information, even though the

auditor has performed audit procedures to obtain assurance that all relevant information has been

obtained.

Finally, photocopies, facsimiles, filmed, digitized or other electronic documents are acceptable audit

evidence, depending on the controls over their conversion and maintenance. Although an audit rarely

involves the authentication of documentation, documents can be falsified or forged with limited

possibility for authentication and traceability. Since the auditor is neither trained nor expected to be an

expert in the authentication of documents, information may appear valid when it is not.

The ACFE identifies the following top eight concealment methods used by fraudsters:17

1. Created fraudulent physical documents (55%)

2. Altered physical documents (48%)

3. Created fraudulent transactions in the accounting system (42%)

4. Altered transactions in the accounting system (34%)

5. Altered electronic documents or files (31%)

6. Destroyed physical documents (30%)

7. Created fraudulent electronic documents or files (29%)

8. Created fraudulent journal entries (27%)

More than half of the concealment methods (1, 2, 5, 6, and 7) are related to falsification or

manipulation of physical/electronic documents. Apparently, this type of technique was successfully

carried out by Parmalat executives who committed the largest cash and investment confirmation

fraud. However, it is not the only case of confirmation fraud used to steal cash or falsify financial

records. In case after case, confirmation procedures are shown to be easily manipulated, especially

when the process is simple to circumvent.

17 Statistics about concealing fraud are from “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse,” The Association of Certified Fraud Examiners.


Examples of Confirmation Fraud

Satyam (“Asia Enron”), 2008-2009

To make the company’s performance appear far more profitable to investors,

former senior officials at Satyam created false invoices and forged bank statements

to inflate the cash balances. For example, the former senior managers created more

than 6,000 phony invoices to be used in Satyam’s general ledger and financial

statements. The employees also falsified bank statements to reflect payment of the

sham invoices. This resulted in inflated cash and bank balances of up to $1.44 billion,

understated liabilities of about $300 million, and non-existent accrued income of $86

million.

Kmart, 2005-2006

The SEC brings this accounting fraud action as the result of the improper recognition

of vendor “allowances” by Kmart with the knowledge and involvement of

representatives of several of the company’s major vendors, including Eastman

Kodak Company, Coca Cola Enterprises Inc. and PepsiCo Inc.’s wholly-owned

subsidiaries, Pepsi-Cola Company and FritoLay, Inc. Representatives of these

vendors participated in the pulling forward of allowances by cosigning false or

misleading accounting documents, executing side agreements, and, in some

instances, providing false or misleading third party confirmations to the company’s

independent auditor, PwC.18

Ahold, 2005-2006

With respect to the fraud at U.S. Foodservice (USF), Ahold's wholly-owned

subsidiary, USF executives also provided, or assisted in providing, Ahold's

independent auditors with false and misleading information by, for example,

persuading personnel at many of USF's major vendors to falsely confirm overstated

promotional allowances to the auditors in connection with year-end audits.19

Parmalat (“European Enron”), 2003

The fraud involved an off-shore company called Bonlat Financing, which was

registered in the Cayman Islands. The Parmalat fraud involved a phony letter, purportedly

from Bank of America, that declared Bonlat to be in possession of assets that

included 3.95 billion euros supposedly held by Bank of America. As part of the audit

procedures, Grant Thornton received a confirmation on Bank of America letterhead

from Parmalat confirming the existence of the account for Bonlat. Bank of America

later stated that the confirmation was a forgery. Investigators believe that the

confirmation was forged with the use of scanners by Parmalat finance officers.

18 Information about Kmart’s confirmation fraud is from the SEC litigation case: Securities and Exchange Commission v. John Paul Orr, Michel J. Frank, Albert M. Abbood, Darrell J. Edoquist, David C. Kirkpatrick, David N. Bixler, Thomas L. Tayler and Randall M. Stone.

19 Information about Ahold’s confirmation fraud is from the SEC Press Release 2004-144.


Nature of Audit Procedures

Use of Sampling

Due to the large number of transactions occurring throughout the year, it is nearly impossible for

auditors to identify and verify each transaction. Therefore, to perform the audit efficiently and cost-

effectively, auditors usually use sampling techniques to limit the number of transactions and balances

selected for testing. According to the auditing standards (AU 350 Audit Sampling), audit sampling

refers to the selection and evaluation of less than 100% of the population of audit relevance such that

the auditor expects the items selected (the sample) to be representative of the population. However,

selective testing involves judgment regarding the areas to be tested and the nature, timing, and extent

of the tests to be performed. Even with good faith and integrity, mistakes and errors in judgment can

happen.

Moreover, sampling risk is the risk that the auditor's conclusion based on a sample may be different

from the conclusion reached if the entire population were subjected to the same audit procedure.

According to the auditing standards (AU 350 Audit Sampling), sampling risk can lead to two types of

erroneous conclusions:

1. Assessing Too High (Audit Efficiency): When the assessed control risk is higher than the actual

operating effectiveness of the control, the auditor will generally increase testing to

compensate for the perceived ineffectiveness of the control. Similarly, if the auditor initially

concludes that a material misstatement exists based on the sample when, in fact, it does not,

the performance of additional audit procedures will ordinarily lead the auditor to the correct

conclusion. While these situations affect audit efficiency since additional (and perhaps

unnecessary) audit procedures are performed, the audit is still effective as the correct

conclusions are generally reached.

2. Assessing Too Low (Audit Effectiveness): The assessed control risk is lower than the actual

operating effectiveness of the control which could lead to insufficient testing. Or the auditor

concludes that a material misstatement does not exist based on the sample when, in fact, it

does. This type of erroneous conclusion is more damaging than the first type because it affects

audit effectiveness and is more likely to lead to an inappropriate audit opinion.

There is always a probability that a fraudulent transaction is not included in the auditor’s sample and

therefore remains undetected. Thus, testing of less than 100% of a population always increases the

risk that a misstatement will not be detected.

Risk of Fraud

Double-entry accounting allows companies to maintain a complete record of all business transactions

over any given period of time. However, it is still vulnerable to fraud. There is a close association

between financial statement frauds and corporate failures and collapses. Financial statement fraud

(“cooking the books”) is a scheme in which individuals deliberately carry out any of the following acts

in order to create a rosy picture of the company's financial position, performance, and cash flows:

1. Altering documents (e.g. records, terms) to manipulate outcomes or hide unusual transactions

2. Creating fictitious transactions and false journal entries to manipulate operating results

3. Deliberately applying biased assumptions and judgments to estimate accounting balances

4. Making unsupported adjustments to amounts reported in the financial statements

5. Misapplying accounting principles relating to classification and presentation, or disclosure

For example, Enron used the following accounting gimmicks to create a rosy picture of its financial

performance:

• Failure to properly record and disclose investments in special purpose entities (SPEs),

contingent liability for SPEs’ debt, and the SPEs’ dealings with them

• Improper recognition of revenue that increased its reported net income

• Inadequate disclosure of and accounting for related-party transactions

• Incorrect accounting for its own stock that was issued to and held by SPEs

There is always the possibility that management or others may not provide, intentionally or

unintentionally, accurate and complete information, including information that has been requested

by the auditor. Since fraud often involves sophisticated and carefully organized schemes designed to

conceal it, audit procedures used to gather audit evidence may not detect an intentional misstatement

that involves, for example, management override and collusion to falsify documentation as discussed

in “Reliability of Audit Evidence”.

Real-World Case: Touting Bogus Revenues

The following case is extracted from the SEC Press Release 2017-62 and SEC litigation case: Securities

and Exchange Commission vs. Notis Global, Inc. (f/k/a Medbox, Inc.), Vincent Mehdizadeh, Bruce

Bedrick, Yocelin Legaspi, and New-Age Investment Consulting, Inc.

The SEC charged a California-based company and its founder with falsely touting “record” revenue

numbers to investors and claiming to be a leader in the marijuana industry while some of its earnings

came from sham transactions with a secret affiliate.

Medbox was a self-described leader in the marijuana consulting industry. It provided marijuana

consulting services and claimed to sell vending machines known as “Medbox” devices capable of

dispensing marijuana on the basis of biometric identification. Vincent Mehdizadeh was Medbox’s

founder, COO, and majority shareholder.

Mehdizadeh executed the scheme in a series of actions. He created a shell company called New-Age

Investment Consulting to carry out illegal stock sales and used the proceeds from those sales to boost

Medbox’s revenue. He transferred 226,000 Medbox shares under his control to New-Age. Then, he

drafted bogus documentation to paper up the transaction and create the false appearance that New-Age

had paid or provided services valued at $552,000. In truth, New-Age had paid nothing for those

shares. He allegedly issued press releases headlining the phony revenues as record earnings to

legitimize the company as a viable commercial operation when in fact nearly 90% of the company’s revenue

in the first quarter of 2014 stemmed from sham transactions with New-Age.

Specifically, Mehdizadeh misled Medbox’s auditor in connection with his 2012, 2013 and first quarter

2014 audit or quarterly review work when he signed January and March 2014 management

representation letters falsely representing that:

• Medbox’s financial statements were fairly presented in conformity with GAAP;

• There were no material transactions that had not been properly recorded in the books and records

underlying the financial statements;

• He had no knowledge of any fraud or suspected fraud involving Medbox’s management that would

have a material effect on the company’s financial statements; and

• Related-party transactions and related accounts receivable or payable had been properly recorded

or disclosed in the financial statements.

Mehdizadeh knew that the foregoing statements and omissions to Medbox’s auditors were false and

did not make those false statements and omissions through ignorance, mistake, or accident.

Mehdizadeh allegedly acknowledged in a text message that “the only thing we are really good at is

public company publicity and stock awareness. We get an A+ for creating revenue off sheer will but

that won’t continue.”

The SEC charged Medbox and Mehdizadeh with falsely touting “record” revenue numbers to investors

and claiming to be a leader in the marijuana industry while some of its earnings came from sham

transactions with a secret affiliate. Mehdizadeh agreed to pay more than $12 million in disgorgement

and penalties and agreed to be barred from serving as an officer or director of a public company or

participating in any penny stock offerings.

Timeliness of Financial Reporting

The audit function usually occurs after weeks, months and even quarters of the year have passed. The

relevance of information and its value tends to weaken over time. Thus, the auditor’s ability to

definitively validate and confirm the transactions becomes a borderline untenable effort. Moreover,

because there is a balance between the reliability of information and its cost, the users of financial

statements expect that auditors form an opinion within a reasonable period of time for reasonable

costs.


Erosion of Confidence: Audit Deficiencies

As discussed, an independent audit of financial information is required to give users (e.g. investors,

creditors) confidence that the information can be trusted. In other words, investors can only trust

financial markets if they trust their auditors, and in particular the auditors’ assessment of the company’s

financial condition.

As a result of a series of financial reporting scandals, the U.S. public lost some of its trust in auditing

and financial reporting. For example, the collapse of the energy trading firm Enron focused attention

on the issue of auditor independence. Enron’s external auditor, Arthur Andersen, was paid $27 million

for non-audit services and $25 million for audit work from Enron. The quality of Arthur Andersen’s

audit work for Enron was impaired by conflicts of interest between fulfilling its professional

responsibilities and keeping its largest client by agreeing with Enron’s management. Arthur Andersen

was indicted on one count of obstruction of justice after an investigation found that Andersen had

shredded working papers related to the Enron case.

Arthur Andersen was also the external auditor of WorldCom (now MCI). In 2002, WorldCom incorrectly

recorded certain operating expenses as capital expenditures, effectively overstating net income. It

admitted the total amount by which it had misled investors over the previous 10 years was almost $75

billion. The scandal is one of the largest scandals in the history of the U.S. Finally, the former chief

executive and the former chief financial officer of Tyco stole more than $150 million through a series

of unethical business practices involving stock fraud, unauthorized bonuses and falsified expense

accounts. PwC was the external auditor of Tyco.

The U.S. Congress responded to declining public confidence and the failure of the auditing profession

to prevent or detect fraudulent behavior (e.g. Enron, WorldCom) by passing the Sarbanes-Oxley Act,

aimed at enhancing accountability for both management and auditors. The Sarbanes-Oxley Act and

the creation of the Public Company Accounting Oversight Board (PCAOB) ended the era of self-

regulation by the audit profession.

Public accounting firms must register with the PCAOB and be subject to inspection every three years

(one year for large firms) and must adopt quality control standards. Inspections are designed to

identify whether there are deficiencies in how the accounting firm performs public company audits

and whether there are weaknesses in its quality controls over public company auditing.20 Violations of

the PCAOB’s rules are deemed to be violations of the Securities Exchange Act of 1934 and are subject

to the same penalties.

The law increased both the cost of an audit and audit quality. Whether this occurred in a linear

relationship remains in question. After more than a decade of inspections, the PCAOB should have

enhanced audit quality and decreased audit deficiency rates. A deficiency, in this context, is one of such

significance that the auditor had not obtained sufficient appropriate audit evidence to support its opinion.

20 Information about objectives of an inspection is from “A Guide to PCAOB Inspections”, Center for Audit Quality.

However, the audit deficiency rate of the Big 4 public accounting firms does not reflect the expected

improvement. According to the recent PCAOB annual inspection results21, the Big 4 had an average

overall audit deficiency rate of 31% in 2017. That is, one out of every three audits is not performed

properly by the largest public accounting firms. KPMG’s deficiency rate has increased every year since

2009.

Lesson Note: It is important to know that the PCAOB takes a risk-based, directed sample approach

targeting several significant risk factors. Thus, the high average deficiency rate can be partially

attributed to the difficult nature of the inspected audits such as fair value of financial instruments and

revenue recognition

21 Data on statistics about the PCAOB’s annual inspection are from the Public Company Accounting Oversight Board - Firm Inspection Reports, with values as accessed on November 14, 2019.

The PCAOB Annual Inspection: Audit Deficiency Rate

Firm        2015    2016    2017
Deloitte    24%     24%     20%
E&Y         29%     27%     31%
KPMG        38%     49%     50%
PwC         22%     20%     24%

Real-World Case: Significant Audit Failures

KPMG

The following case is extracted from the SEC Press Release 2017-142.

KPMG has agreed to pay more than $6.2 million to settle charges that it failed to properly audit the financial statements of an oil and gas company, resulting in investors being misinformed about the energy company’s value.

In 2011, KPMG was hired as the outside auditor for Miller Energy Resources and issued an unqualified audit report despite the fact that its key oil and gas assets were grossly overstated. KPMG and the engagement partner John Riordan:

• Failed to properly assess the risks associated with accepting Miller Energy as a client and

• Failed to properly staff the audit, which overlooked the overvaluation of certain oil and gas interests that the company had purchased in Alaska the previous year.

Among other audit failures, KPMG and Riordan did not adequately consider and address facts known to them that should have raised serious doubts about the company’s valuation, and they failed to detect that certain fixed assets were double-counted in the company’s valuation.

“Auditing firms must fully comprehend the industries of their clients. KPMG retained a new client and failed to grasp how it valued oil and gas properties, resulting in investors being misinformed that properties purchased for less than $5 million were worth a half-billion dollars,” said Walter E. Jospin, Director of the SEC’s Atlanta Regional Office.

Crowe LLP

The following case is extracted from the SEC Press Release 2018-302.

The SEC filed settled charges against national audit firm Crowe LLP, two of its partners, and two partners of a now-defunct audit firm for their significant failures in audits of Corporate Resource Services Inc., which went bankrupt in 2015 after the discovery of approximately $100 million in unpaid federal payroll tax liabilities.

The SEC's order against Crowe finds that its audit team identified pervasive fraud risks in connection with its 2013 audit of Corporate Resource Services yet:

• Failed to include procedures designed to detect the company's undisclosed payroll tax obligations;

• Failed to properly identify and audit the company's related-party transactions;

• Failed to obtain sufficient appropriate audit evidence to respond to these fraud risks, support recognition of revenue, and otherwise support the audit opinion;

• Failed to evaluate substantial doubt about the company's ability to continue as a going concern; and

• Failed to conduct a proper engagement quality review.

Crowe's engagement partner, Joseph C. Macina, and engagement quality reviewer, Kevin V. Wydra, caused Crowe’s audit failures. In addition, Crowe was not independent as a result of an ongoing direct business relationship with Corporate Resource Services. The audit deficiencies occurred despite the involvement of Crowe's national office, which was aware of the high-risk nature of the engagement and the inability to obtain appropriate evidence.

A related order finds that Mitchell J. Rubin and Michael Bernstein, former partners at Rosen, Seymour, Shapps, Martin & Co., LLP, engaged in fraud and performed a highly deficient audit of Corporate Resource Services' 2012 financial statements, which amounted to no audit at all, and that Bernstein caused the firm to lack the required independence when he failed to comply with partner rotation requirements.

"The audit standards are designed to ensure that public accounting firms have reasonable procedures to identify and respond to illegality and issues that pose material risks to the integrity of an issuer's financial statements," said Anita B. Bandy, Associate Director in the Division of Enforcement. "As set out in our order, the pervasive audit failures of Crowe and these accountants left investors with a misleading picture of Corporate Resource Services' financial condition."

The SEC's orders find that:

1. Crowe violated the audit requirement and accountant reporting provisions of the federal securities laws and that Macina and Wydra caused those violations.

2. Rubin and Bernstein violated the antifraud provisions and caused violations of the audit requirement and accountant reporting provisions of the federal securities laws.

3. Crowe, Macina, Wydra, Rubin, and Bernstein caused Corporate Resource Services to violate the issuer reporting provisions of the federal securities laws.

4. Crowe, Macina, Wydra, Rubin, and Bernstein engaged in improper professional conduct.

The Potential Impact on the Accounting and Auditing Professions

Blockchain technology has the potential to impact all record-keeping processes, including the way transactions are processed, authorized, recorded and reported. For example, the application of smart contracts allows financial transactions to be executed automatically. The tamper-evident nature of the technology reduces the need for manual reconciliations. Moreover, methods for obtaining sufficient appropriate audit evidence will be improved. This section addresses how blockchain technology could potentially revolutionize these processes.

Enhancement of Book-Keeping Systems

Simplifying Reconciliation

In a market with many transacting parties, each company generally manages multiple vendors and business partners and must reconcile multiple documents to validate and confirm the authenticity and accuracy of its transactions. Average transaction costs, including reconciliation, can run into thousands of dollars, especially for large organizations. Reconciliation involves comparing the company’s records to the records or systems of other institutions and vendors to ensure they match before issuing payments. When differences are identified, they need to be researched, which could lead to manual corrections and additional approvals before payments can be processed. Therefore, reconciliation within and among the various parties or accounts can be very time-consuming.

As explained in “Triple-Entry Accounting”, the third, independent entry allows both parties to record transactions through a system of consensus and validation. That is, the book-keeping entries of both parties are corresponding, consistent, and matched because the universal ledger is shared identically and permanently with every participant. The permanent record reduces the chances for fraud, making records more trustworthy and reducing the need for separate reconciliation efforts.

Improving the Financial Reporting Process

Because all transactions and entries can be logged, viewed, and monitored by all participants in the ledger in real time on a blockchain, it is highly unlikely that transactions would be manipulated. The time delay between entry posting and review could be significantly reduced. Thus, material misstatements, omissions and duplication of transactions, and accounting errors or irregularities could be promptly identified and corrected as they occur, or could be prevented. For instance, employees will find it very difficult to tamper with payment records since transactions are time-stamped and verified by a distributed network of computers. As risks of fraud are decreased, the trustworthiness of financial information is increased, which could increase trust with stakeholders (e.g. auditors, shareholders).

Moreover, in the unpredictable and rapidly changing business world, companies are overwhelmed with information from an array of sources and pressure from regulatory requirements. For example, the complexity of international business activities, increased legal demands, and shorter SEC deadlines intensify the level of stress within the accounting department. As a result, closing the books has become a very error-prone process. Regardless of company size or complexity, the financial close process requires tremendous time and resources for most companies. Most companies spend at least one week to gather the numbers and at least one week to analyze the results. For instance, closing periods range from one day for a small accounting department to 24 days for large companies.

The following table lists examples of how blockchain improves accounting processes.

Process: Reconciliation of Accounts
  Pre-Blockchain: Time-consuming process of obtaining both internal and external documentation and manually comparing two sets of data
  Blockchain-Enabled Accounting: Streamlined process − all information is on blockchain and approved by the organization and counterparties in real-time

Process: Preparation of Internal Ad Hoc Reports
  Pre-Blockchain: Majority of time spent verifying that information is correct and matches other sources within the organization
  Blockchain-Enabled Accounting: Less time spent verifying − transactional information is available to any members of the network and more time can be spent on advice and advisory activities

Process: Closing of Books at Month, Quarter, and Year-End
  Pre-Blockchain: Occupies a large amount of internal accounting time to 1) get the necessary information to close the books and 2) run reports to ensure entries and information are posted correctly
  Blockchain-Enabled Accounting: Possible to imagine scenarios where financial statements, fed from the blockchain, are updated every day, making periodic closes a routine and less painful process

Source: The CPA Journal, “Blockchain Basics and Hands-on Guidance,” accessed on November 22, 2019.

Transformation of Auditing Practices

Although auditing procedures have improved, redundancies and inefficiencies still exist. Confirmation, re-performance, and review of documents can be burdensome, manually intensive tasks. As explained in “Inherent Limitations of Financial Audits”, these procedures are usually costly, consume a lot of resources and do not guarantee that there are no discrepancies in the accounting information. Combined with external verifications and multiple reporting requirements, audit procedures often result in duplications of effort and wasted time. Moreover, there are inherent weaknesses in the use of sampling techniques (e.g. insufficient sample size, sample inadequacy) as discussed earlier. This section explains how blockchain could fundamentally change the auditing process.

Financial Audits

Reliability of Data

Several features of blockchain technology allow auditors to automate audit processes, mainly for transaction-based accounts in income statements. For example, blockchain allows users to record transactions or any digital interaction among a network in a secure, transparent, and auditable way. When a company pays an outstanding invoice, the invoice is validated and approved by the consensus mechanism. Then, the invoice is recorded as paid and the information is broadcast to the blockchain network. Any manipulation, such as altering the history of transactions, will break the chain and alert all parties on the network to anomalies in real time. This technology makes it difficult to tamper with transaction records and easier to investigate violations. Thus, immediate detection of fraudulent activities becomes possible.
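The "breaks the chain" property above follows from each block committing, through its hash, to the contents of the block before it. The following added example (not part of this course, and not any real blockchain's code) builds a minimal hash-chained ledger of constructed invoice payments, then shows what an integrity check sees when a recorded amount is edited after the fact, both when the tamperer leaves the block's hash alone and when they recompute it. Block layout, field names and sample data are all assumptions made for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Added illustration, not the course's own material: a minimal hash-chained
# ledger showing why editing an earlier record "breaks the chain". The block
# layout, field names and the sample payments are all constructed for this example.

GENESIS_HASH = "0" * 64


def block_hash(index: int, prev_hash: str, payload: dict) -> str:
    """SHA-256 over the block index, the previous block's hash and a canonical
    (sorted-key) JSON encoding of the transaction, so a change to any of the
    three changes the hash."""
    body = json.dumps({"index": index, "prev": prev_hash, "tx": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    tx: dict
    hash: str


def build_ledger(transactions: List[dict]) -> List[Block]:
    """Append each transaction as a block whose hash commits to its predecessor."""
    ledger: List[Block] = []
    prev = GENESIS_HASH
    for i, tx in enumerate(transactions):
        h = block_hash(i, prev, tx)
        ledger.append(Block(i, prev, dict(tx), h))
        prev = h
    return ledger


def first_broken_link(ledger: List[Block]) -> Optional[int]:
    """Re-derive every hash and check every back-link over the whole population
    of blocks. Returns the index of the first block whose stored hash or
    prev_hash no longer fits, or None when the chain is intact."""
    expected_prev = GENESIS_HASH
    for blk in ledger:
        if blk.prev_hash != expected_prev:
            return blk.index
        if block_hash(blk.index, blk.prev_hash, blk.tx) != blk.hash:
            return blk.index
        expected_prev = blk.hash
    return None


# Constructed sample: three invoice payments recorded in order.
SAMPLE_TXS = [
    {"invoice": "INV-1001", "payee": "Vendor A", "amount": 1200.00},
    {"invoice": "INV-1002", "payee": "Vendor B", "amount": 850.50},
    {"invoice": "INV-1003", "payee": "Vendor A", "amount": 430.00},
]


def demo_tamper(rehash: bool = False) -> Optional[int]:
    """Alter the amount in block 1 after the fact and report where the chain
    breaks. Without rehashing, block 1's own hash no longer matches (returns 1).
    If the tamperer also recomputes block 1's hash, block 2 still points at the
    old value, so the break surfaces one block later (returns 2)."""
    ledger = build_ledger(SAMPLE_TXS)
    ledger[1].tx["amount"] = 85.50
    if rehash:
        ledger[1].hash = block_hash(1, ledger[1].prev_hash, ledger[1].tx)
    return first_broken_link(ledger)


if __name__ == "__main__":
    print("intact ledger:", first_broken_link(build_ledger(SAMPLE_TXS)))   # None
    print("edited block 1:", demo_tamper())                                 # 1
    print("edited and rehashed block 1:", demo_tamper(rehash=True))         # 2
```

On a single copy of the ledger a tamperer could keep rehashing every later block until the check passes again; what stops that on a real network is that every other participant holds the same chain and the consensus rules decide which version is accepted. The check above is therefore the linkage test an auditor's read-only node would run, not the whole security argument.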

Audit Methodology

Currently, trial balances, journal entries, sub-ledger extracts, account reconciliations and supporting spreadsheet files are provided to an auditor in a variety of electronic and manual formats. In a blockchain world, auditors can have read-only access to automatically verify and validate transactions on a company’s ledger for reporting or other regulatory purposes. This technology offers an opportunity to streamline audit processes and makes it feasible to conduct continuous auditing because of real-time access to transaction records.

Source: IBSIX, “Blockchain Technology and It’s Potential to Disrupt Accounting”, accessed on December 4, 2019.

In addition, supporting documentation, such as invoices, contracts, and purchase orders, is encrypted and securely stored on or linked to a blockchain. Since all entries are instantly visible and nearly impossible to alter, confirmation of the existence or accuracy of transactions becomes less necessary. Blockchain may replace random sampling by auditors, by making it easier and more effective to:

✓ Test 100% of all transactions by using code

✓ Generate an exception report identifying any discrepancies or inconsistencies
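What a 100% test with an exception report looks like in practice, as an added example that is not part of the course: the company's own payables sub-ledger is compared with the records visible on a shared ledger, every record is examined rather than a sample, and each discrepancy is written out as a typed exception (duplicate posting, amount mismatch, cut-off, unrecorded liability). Record layouts, the reporting period and all entries are constructed for the illustration.

```python
from collections import Counter
from datetime import date
from typing import Dict, List

# Added illustration, not the course's own material: a full-population test that
# compares a company's payables sub-ledger with the records on a shared ledger
# and emits an exception report. Layouts, period and sample data are constructed.

PERIOD_START = date(2019, 10, 1)
PERIOD_END = date(2019, 12, 31)

# Constructed: what the company booked in its own sub-ledger.
COMPANY_LEDGER = [
    {"ref": "INV-2001", "counterparty": "Vendor A", "amount": 500.00, "date": date(2019, 10, 5)},
    {"ref": "INV-2002", "counterparty": "Vendor B", "amount": 1250.00, "date": date(2019, 11, 2)},
    {"ref": "INV-2002", "counterparty": "Vendor B", "amount": 1250.00, "date": date(2019, 11, 2)},  # booked twice
    {"ref": "INV-2003", "counterparty": "Vendor C", "amount": 300.00, "date": date(2019, 12, 30)},
    {"ref": "INV-2004", "counterparty": "Vendor A", "amount": 720.00, "date": date(2019, 12, 31)},
]

# Constructed: what the shared ledger shows after consensus validation.
SHARED_LEDGER = [
    {"ref": "INV-2001", "counterparty": "Vendor A", "amount": 500.00, "date": date(2019, 10, 5)},
    {"ref": "INV-2002", "counterparty": "Vendor B", "amount": 1250.00, "date": date(2019, 11, 2)},
    {"ref": "INV-2003", "counterparty": "Vendor C", "amount": 3000.00, "date": date(2019, 12, 30)},  # amount differs
    {"ref": "INV-2004", "counterparty": "Vendor A", "amount": 720.00, "date": date(2020, 1, 2)},    # settled after period end
    {"ref": "INV-2005", "counterparty": "Vendor D", "amount": 90.00, "date": date(2019, 12, 15)},   # never booked
]


def in_period(d: date) -> bool:
    return PERIOD_START <= d <= PERIOD_END


def exception_report(company: List[dict], shared: List[dict]) -> List[Dict[str, str]]:
    """Examine every record on both sides and return one finding per discrepancy,
    sorted by reference so the report is stable."""
    findings: List[Dict[str, str]] = []
    shared_by_ref = {r["ref"]: r for r in shared}
    # The dict keeps one entry per reference; duplicates are reported separately below.
    company_by_ref = {r["ref"]: r for r in company}

    # Duplicate postings inside the company's own books.
    for ref, n in Counter(r["ref"] for r in company).items():
        if n > 1:
            findings.append({"ref": ref, "type": "duplicate_posting", "detail": f"booked {n} times"})

    for ref, c in company_by_ref.items():
        s = shared_by_ref.get(ref)
        if s is None:
            findings.append({"ref": ref, "type": "not_on_shared_ledger", "detail": "no matching record"})
            continue
        if abs(c["amount"] - s["amount"]) > 0.005:
            findings.append({"ref": ref, "type": "amount_mismatch",
                             "detail": f"books {c['amount']:.2f} vs ledger {s['amount']:.2f}"})
        if c["counterparty"] != s["counterparty"]:
            findings.append({"ref": ref, "type": "counterparty_mismatch",
                             "detail": f"books {c['counterparty']} vs ledger {s['counterparty']}"})
        if in_period(c["date"]) != in_period(s["date"]):
            findings.append({"ref": ref, "type": "cutoff",
                             "detail": f"booked {c['date']} but settled on ledger {s['date']}"})

    # Unrecorded liabilities: on the shared ledger but absent from the books.
    for ref in sorted(shared_by_ref.keys() - company_by_ref.keys()):
        findings.append({"ref": ref, "type": "unrecorded", "detail": "on shared ledger, not in books"})

    return sorted(findings, key=lambda f: (f["ref"], f["type"]))


if __name__ == "__main__":
    for f in exception_report(COMPANY_LEDGER, SHARED_LEDGER):
        print(f"{f['ref']:10} {f['type']:22} {f['detail']}")
```

Each finding is something the auditor still has to follow up on with judgment (the INV-2004 cut-off finding, for instance, may be a legitimate timing difference), but the population has been tested in full and nothing depends on which items a sample happened to pick.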

In general, blockchain-enabled digitization, such as smart contracts, enables auditors to deploy more automation, analytics, and machine-learning capabilities. For example, not only could any unusual activities be detected, but relevant parties could also be automatically notified of the occurrence on a real-time basis. The technology allows auditors to focus on transactions that cannot be automatically verified and also reduces the time necessary to complete the audit work and audit costs by allowing auditors to spend more time exercising their professional judgment. The following table summarizes how blockchain technology improves audit productivity.

Audit Procedure: Observation
  Traditional Method: Observe the performance of control activities (e.g. counting inventory)
  Blockchain-Enabled Audit: Use blockchains or process mining to verify workflows

Audit Procedure: Inquiry
  Traditional Method: Seek information through informal inquiries and formal written responses
  Blockchain-Enabled Audit: Monitor processes and controls, identify process violators for examination

Audit Procedure: Confirmation
  Traditional Method: Verify account balances with external parties
  Blockchain-Enabled Audit: Link data streams using blockchain applications

Audit Procedure: Inspection of records or documents
  Traditional Method: Pull samples of records and trace/verify/match
  Blockchain-Enabled Audit: Evaluate entire datasets in Enterprise Resource Planning (ERP) using blockchain

Audit Procedure: Inspection of tangible assets
  Traditional Method: Physical inventory, walk-through
  Blockchain-Enabled Audit: RFID tagging

Audit Procedure: Recalculation
  Traditional Method: Extract and recalculate figures to verify
  Blockchain-Enabled Audit: Monitor all data and run calculations automatically at intervals desired

Audit Procedure: Re-performance
  Traditional Method: Re-perform procedures to verify
  Blockchain-Enabled Audit: Automatically replicate all transactions and identify exceptions

Audit Procedure: Analytical procedures
  Traditional Method: Scanning and statistics
  Blockchain-Enabled Audit: Filter real-time data with continuity equations and statistics

Source: The audit procedures comparison of traditional manual procedures and blockchain-enabled audit is modified based on Appelbaum and Nehmer from the CPA Journal, “Blockchain Basics and Hands-on Guidance,” accessed on November 22, 2019.

Appendix B summarizes blockchains’ impact on auditing practices.

Application of Professional Judgment

As explained, when companies move to a blockchain infrastructure, an immutable audit trail is created. Because immutability makes altering or omitting accounting data extremely difficult, blockchain is expected to reduce reliance on auditing for testing financial transactions and to eliminate certain auditing procedures. However, blockchain can never replace audits. For instance, auditors will still need to apply professional judgment and perform audit procedures on accounting estimates, assumptions and other judgments made by management, even if the underlying transactions are recorded in a blockchain. Examples of common accounting estimates or judgments include:

• Expected lives and salvage values of long-term assets

• Warranty claims

• Obligations for pension benefits

• Losses from bad debts and asset impairments

Risks and Controls of Crypto Transactions

Since major cryptocurrencies use transparent public blockchains, understanding the nature of cryptocurrency is crucial to being able to evaluate the risk implications. Although each of these cryptocurrencies has its own unique characteristics, most cryptocurrencies share the following:

• Supply and demand is the key determinant of cryptocurrency prices; no single party (government or otherwise) regulates its use

• The value can change by the hour (high volatility). For example, an investment that may be worth thousands of U.S. dollars today might be worth only hundreds tomorrow.

• The system is not operated by a central authority (not centrally controlled); its state is maintained through distributed consensus

• Transactions and balances are recorded on a distributed digital ledger (blockchain)

• Transfers can be done with minimal processing fees without the need for a trusted third party, allowing users to avoid the steep fees charged by traditional financial institutions

• Transactions are irreversible; once the participant provides confirmation, the transaction is initiated and no one is able to stop that transaction

• Personal data security is enabled by public-private key cryptography

• Ownership of cryptocurrency units can be proved exclusively cryptographically

• The use of cryptography provides a mechanism for securely encoding the rules of a cryptocurrency system (e.g. prevents “double-spending”, resists counterfeiting)

While blockchain and other systems could ultimately make authenticating and verifying a transaction more automated, ICFR involves considerations beyond the integrity of software systems. For example, auditors must have an understanding of matters related to cryptocurrency, including its financial reporting implications, and identify and assess risks of material misstatement in financial statements related to cryptocurrency transactions and balances. Examples of conditions or events that may give rise to a risk of material misstatement in cryptocurrency transactions and balances include[22]:

• The company does not have sufficient controls over cryptocurrency transactions.

• The cryptocurrency wallet (if applicable) has not been accounted for.

• The company loses a private key and can no longer access the related cryptocurrency.

• An unauthorized party gains access to the company’s private key and steals its cryptocurrency.

• The company misrepresents ownership of a private key and the related cryptocurrency.

• The company sends cryptocurrency to an incorrect address and it cannot be recovered.

• The company enters into and records a cryptocurrency transaction with a related party that cannot be identified due to the potential anonymity of parties to blockchain transactions.

• There are significant delays in processing cryptocurrency transactions at the end of a period.

• Events or conditions make it difficult to determine the value at which a cryptocurrency should be recorded for financial reporting purposes.

[22] Examples of matters to consider when identifying and assessing risks of material misstatement in cryptocurrency are adapted from “Audit Considerations Related to Cryptocurrency Assets and Transactions”, Chartered Professional Accountants of Canada, 2018.

Thus, entities must have controls in place to mitigate the risks and safeguard cryptocurrency transactions. Examples of internal controls include:

✓ Establish clear lines of responsibility related to wallet creation and monitoring.

✓ Apply two-factor or multi-factor authentication for access to a wallet.

✓ Implement policies and procedures requiring private keys to be created and safeguarded in a controlled environment. Private keys are always backed up. Backups might be located on separate electronic devices or on a paper wallet.

✓ Establish appropriate segregation of duties. For example, the individual who monitors cryptocurrency assets should not be involved in initiating the cryptocurrency transactions.

✓ Implement policies and procedures requiring both a careful review of each address before sending and the use of a checksum.

✓ Implement policies and procedures related to valuations of cryptocurrency for financial reporting.

✓ Assign responsibilities within the entity for identifying, recording, summarizing, and disclosing related-party transactions, including cryptocurrency transactions.

✓ Implement procedures to monitor cryptocurrency transactions in the days before and after financial reporting dates to determine that transactions are recorded in the appropriate period.
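The "use of a checksum" control above refers to the check digits built into most cryptocurrency address formats. The added example below (not part of this course) shows how the checksum in Bitcoin's legacy Base58Check addresses is validated before a payment is released: the address is decoded, and its last four bytes must equal the first four bytes of a double SHA-256 over the rest, so a mistyped or truncated address fails the check instead of sending funds to an unrecoverable destination. The alphabet and checksum follow the published Base58Check definition; the 20-byte hash used to build the sample address is constructed and belongs to no real key.

```python
import hashlib

# Added illustration, not the course's own material: validating the checksum
# built into Bitcoin's legacy (Base58Check) addresses so that a mistyped or
# truncated address is rejected before anything is sent. The sample hash160 is
# constructed and belongs to no real key.

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """First four bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # Each leading zero byte is represented by a leading '1'.
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def encode_address(version: int, hash160: bytes) -> str:
    """version byte + 20-byte hash + 4-byte checksum, Base58 encoded."""
    payload = bytes([version]) + hash160
    return b58encode(payload + _checksum(payload))


def validate_address(addr: str) -> bool:
    """True only if the address decodes to exactly 25 bytes and its trailing
    four bytes equal the checksum of the leading 21. Any character outside
    the alphabet, a dropped character, or a single typo fails here."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    return _checksum(raw[:21]) == raw[21:]


def mistyped(addr: str, pos: int = 10) -> str:
    """Typo model: replace one character with the next valid Base58 character."""
    i = ALPHABET.index(addr[pos])
    return addr[:pos] + ALPHABET[(i + 1) % len(ALPHABET)] + addr[pos + 1:]


# Constructed 20-byte hash160; version 0x00 is the mainnet pay-to-pubkey-hash prefix.
SAMPLE_HASH160 = bytes.fromhex("89abcdef0123456789abcdef0123456789abcdef")
SAMPLE_ADDRESS = encode_address(0x00, SAMPLE_HASH160)

if __name__ == "__main__":
    print(SAMPLE_ADDRESS, validate_address(SAMPLE_ADDRESS))                   # True
    print(mistyped(SAMPLE_ADDRESS), validate_address(mistyped(SAMPLE_ADDRESS)))  # False
    print(SAMPLE_ADDRESS[:-1], validate_address(SAMPLE_ADDRESS[:-1]))          # False
```

The checksum only catches transcription errors; it says nothing about whether the address belongs to the intended payee, which is why the control pairs it with a careful review of the address itself. Newer Bitcoin address formats (bech32) use a different checksum algorithm, and other cryptocurrencies have their own, so the validation routine must match the format being sent to.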

Finally, auditors need to address the following assertions associated with using blockchain technology, which enables the existence of cryptocurrency:

• All cryptocurrency transactions are captured and appropriately reflected in the financial statements and footnotes. (Completeness, Presentation and Disclosure)

• Cryptocurrency is sent to a correct address. (Rights)

• Only authorized parties obtain access to the entity’s private key. (Existence, Rights)

• All cryptocurrency transactions with a related party can be identified. (Accuracy, Completeness, and Disclosure)

• All cryptocurrency transactions are measured at an appropriate value. (Valuation)

• All cryptocurrency transactions at the end of a period are processed on a timely basis. (Cut-off)

Considerations of Fraud and Error

“Blockchain does not magically make information contained within it inherently trustworthy. Events recorded in the chain are not necessarily accurate and complete. Recording a transaction on a blockchain does not alleviate the risk that the transaction is unauthorized, fraudulent, or illegal.”

(PCAOB 2018 Speech: 43rd World Continuous Auditing & Reporting Symposium)

The acceptance of a transaction to a blockchain may satisfy certain financial statement assertions such as the occurrence of a transaction; however, this does not necessarily assure the legitimacy, correctness or nature of the transaction or the reliability of a company’s financial reporting. For instance, in a bitcoin transaction for a product, the auditor can easily verify that the transfer of bitcoin is recorded on a blockchain. However, the auditor may or may not be able to determine that the product was delivered by only evaluating information on a blockchain. According to the Chartered Professional Accountants of Canada, a transaction recorded in a blockchain may still be:

• Unauthorized, fraudulent or illegal

• Executed between related parties

• Linked to a side agreement that is “off-chain” (e.g. a process or transaction external to the distributed ledger)

• Incorrectly classified in the financial statements

There is always a need for auditors to identify the risk of inaccurate or fraudulent information, evaluate controls, assess transactions for evidence of fraud or classification errors and opine on whether the financial statements are fairly stated.

Real-World Case: The Mega-Hack of Bitcoin

Mt. Gox was one of the largest cryptocurrency exchanges in the world before it filed for bankruptcy in 2014. About 70% of all bitcoin transactions were handled by Mt. Gox at its peak. There were a series of attacks between 2011 and 2014. In 2011, unknown hackers allegedly used staff credentials from a Mt. Gox auditor's compromised computer to:

• Artificially alter the nominal price of a bitcoin to fraudulently drop to a single cent on the Mt. Gox exchange

• Use the exchange's software to sell them all nominally, creating "ask" selling orders at the artificially reduced price

• Illegally obtain the private keys (kept in hot wallets) of Mt. Gox clients and transfer an estimated 2,000 bitcoins from customer accounts on the exchange

On February 7, 2014, Mt. Gox halted all bitcoin withdrawals due to transaction malleability. Mt. Gox issued a press release on February 10, 2014 stating that:

“A bug in the bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in fact it did occur. Since the transaction appears as if it has not proceeded correctly, the bitcoins may be resent.”
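The mechanism behind the press release is that a legacy Bitcoin transaction id is a hash of the whole serialized transaction, signature encoding included, so a relayed copy with a differently encoded (but still valid) signature confirms under a different id while spending exactly the same coins. Bookkeeping that recognises a withdrawal only by the id it was sent with then sees it as "not proceeded" and may pay it again. The added example below (not part of this course, and a deliberately simplified model rather than Bitcoin's real serialization) contrasts that id-based check with the defensive alternative of matching a withdrawal by the inputs it spends and the outputs it pays. All transactions and signature strings are constructed placeholders.

```python
import hashlib
import json
from typing import List

# Added illustration, not the course's own material and not Bitcoin's real
# serialization: a toy transaction model contrasting id-based tracking of a
# withdrawal with content-based tracking. All values are constructed.


def txid(tx: dict) -> str:
    """Legacy-style id: hash of the entire serialization, signature included,
    so a re-encoded signature yields a different id for the same spend."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()


def content_key(tx: dict) -> str:
    """Malleability-resistant key: hash of the inputs consumed and the outputs
    paid only, ignoring how the signature happens to be encoded."""
    core = {"inputs": tx["inputs"], "outputs": tx["outputs"]}
    return hashlib.sha256(json.dumps(core, sort_keys=True).encode()).hexdigest()


# Constructed: the withdrawal an exchange broadcast and recorded by its txid.
SENT = {
    "inputs": ["prevtx_0001:0"],
    "outputs": [["customer_addr", 2.5], ["change_addr", 0.4]],
    "signature": "sig-encoding-A",
}
# Constructed: the same spend as it appeared in a confirmed block, with the
# signature re-encoded in transit.
CONFIRMED_VARIANT = dict(SENT, signature="sig-encoding-B")


def settled_by_txid(confirmed: List[dict], sent: dict) -> bool:
    """Id-based bookkeeping: a withdrawal counts as settled only when a
    confirmed transaction carries the original txid."""
    return any(txid(c) == txid(sent) for c in confirmed)


def settled_by_content(confirmed: List[dict], sent: dict) -> bool:
    """Content-based bookkeeping: settled when any confirmed transaction spends
    the same inputs to the same outputs, whatever its id."""
    return any(content_key(c) == content_key(sent) for c in confirmed)


def should_resend(confirmed: List[dict], sent: dict) -> bool:
    """A resend is warranted only if the spend is genuinely absent from the
    chain; deciding by content avoids paying the same withdrawal twice."""
    return not settled_by_content(confirmed, sent)


if __name__ == "__main__":
    chain = [CONFIRMED_VARIANT]
    print("same id:", txid(SENT) == txid(CONFIRMED_VARIANT))        # False
    print("settled by txid:", settled_by_txid(chain, SENT))        # False
    print("settled by content:", settled_by_content(chain, SENT))  # True
    print("resend needed:", should_resend(chain, SENT))            # False
```

The same idea applies beyond this case: a control that reconciles outgoing payments against the chain should key on what was spent and to whom, and should treat an already-spent input as proof that the payment went out, regardless of which id the network assigned. Later Bitcoin protocol changes (segregated witness, which excludes signature data from the id) removed the vector for the newer transaction types.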

On February 24, 2014, Mt. Gox suspended all trading and then the website went offline. On February 28, 2014, Mt. Gox filed for bankruptcy protection in Tokyo. During the Tokyo press conference called to announce the bankruptcy, Mark Karpelès, former CEO of Mt. Gox, stated:

"We had weaknesses in our system, and our bitcoins vanished. We've caused trouble and inconvenience to many people, and I feel deeply sorry for what has happened."

About 750,000 of its customers’ bitcoins, as well as 100,000 of its own bitcoins, were stolen. The total loss constituted around 7% of all bitcoins available, worth around $473 million near the time of the filing.

The following excerpts are from Mark Karpelès’s first media interview with the Wall Street Journal since the Tokyo press conference at which Mt. Gox filed for bankruptcy in February 2014:

Q: What were your mistakes?

A: Security. Not just security on the system, but in the office. We had some cases where a stranger sneaked in and took things away. We also have at least one former employee stealing the company’s data.

Q: What else did you do wrong?

A: Management. I was too busy and couldn’t lay out an adequate corporate structure. I wish I had five of me, as I was too busy with meetings with banks, lawyers and business partners. That was all painful. I wish I had more time to do engineer-type work.

Q: Why didn’t you hire experienced professionals?

A: We tried, but we didn’t have money and also often they turned us down. A former Financial Services Agency bureaucrat approached us once last year, but he declined our offer at the end.

Q: When did you find out that the bitcoins were gone, and how did you feel about it?

A: A few days before we filed for bankruptcy. And we learned as we checked our storage when repairing the system to deal with malleability attacks. I always worried about ‘What if all the bitcoins were gone?’ Since that actually happened, I have gone through many sleepless nights. Scared, frustrated and angry—so many emotions were occupying my mind.

In March 2019, the Tokyo District Court found Mark Karpelès guilty of falsifying electronic records to inflate Mt. Gox's holdings by $33.5 million, but innocent on charges of embezzlement and breach of trust. He was sentenced to two and a half years in prison, suspended for four years.

New Role of the Auditor

Because of blockchain’s potential to significantly shift the audit model, an evolving role for the auditor is inevitable. There is always the risk of unidentified errors or vulnerabilities. For example, a blockchain may not operate as intended because of coding errors introduced when it was developed, or because of changes (intentional or unintentional) made after it was deployed. Therefore, auditors need experience not only in accounting and auditing but also in coding and data analytics. They should also have a strong skill set, including understanding technical language, the functions of a blockchain, and key IT control domains around development, security, change management and operations.

According to KPMG, blockchain solutions and their implementations pose risks and opportunities (audit areas) which include the following:

Framework Module: Key Ownership and Management
Risk Areas:
• Accidental loss of stored cryptographic keys resulting in inability to claim asset ownership
• Inability to change cryptographic private keys shared with other participants for legitimate business needs
• Unsecure or unencrypted storage, transmission and use of cryptographic private keys
Audit Areas:
✓ Key generation and decommissioning
✓ Key maintenance and governance
✓ Logging and auditing of key usage
✓ Key management infrastructure
✓ Key traceability and version control
✓ Hash algorithm management

Framework Module: Interoperability and Integration
Risk Areas:
• Misinterpretation or misuse of data sent by disparate blockchain platforms
• Security issues of Application Program Interface (API) used for integrating blockchain platform with enterprise system
• Data quality and legacy issues when interfacing with legacy systems
Audit Areas:
✓ Interface/API documentation review
✓ Data mapping and integration
✓ Data validation checks and rules
✓ Intermediary platform and protocols
✓ Interoperability connectors and plugins
✓ Secure interfaces and API review

Framework Module: Consensus Mechanism
Risk Areas:
• Uncontrolled changes, majority hash rate attack or hijack by a coalition of dishonest counterparties
• Inconsistencies due to forking issue creating two versions of groups and ledgers
• Inaccurate timestamps when connecting to a node to alter a node’s network time counter
Audit Areas:
✓ Consensus protocol design
✓ Consensus change control procedure
✓ Review of consensus rules
✓ Transaction log and audit trail
✓ Consensus override handling
✓ Consensus hijack monitoring

Framework Module: Heterogeneous Regulatory Compliance
Risk Areas:
• Unencrypted Personally Identifiable Information (PII), Patient Health Information (PHI) or Financial data published in global transactions
• Differing privacy, regulatory and compliance requirements for cross-border data flow
• Inability to remove or change sensitive or confidential data impacting ‘right to be forgotten’ principle
Audit Areas:
✓ Country specific laws
✓ Industry regulatory compliance
✓ Cross-border privacy regulations
✓ Platform compliance standards
✓ Data sensitivity in transaction blocks
✓ Data classification standards

Framework Module: Access and Permissions Management
Risk Areas:
• Corporate data stored on blockchain is discoverable without explicit authorization
• Privilege escalation through confused deputy problem to misuse the authority
• Misconfigured restrictions and insecure deserialization by authorized user on permissioned blockchain
Audit Areas:
✓ Group and user permissions
✓ Roles and level of access
✓ Discretionary access control
✓ Enrollment and termination procedures
✓ Segregation of duties and conflict of permissions

Framework Module: Infrastructure and Application Management
Risk Areas:
• Inconsistent development and unsecure coding practices for blockchain platform and application
• Lack of Software Development Life cycle (SDL) processes, adequate testing, and documentation
• Security vulnerabilities related to development, configuration, implementation, and deployment
Audit Areas:
✓ Software development life cycle
✓ Platform and application documentation
✓ Secure coding principles and development practices
✓ Bug tracking and application patching
✓ Cybersecurity testing

Framework Module: Network and Nodes Governance
Risk Areas:
• Lack of intermediary or governing body to settle and resolve asset, identity or transaction disputes
• Network centralization, collusion, spam and unauthorized controlling of network operations
• Unclear accountability of blockchain functioning, information protection, transaction validations
Audit Areas:
✓ Governance and dispute resolution
✓ Network compliance and node reputation checks
✓ Single point of failure analysis
✓ Network monitoring and spam analysis
✓ Data leakage prevention mechanism

Source: KPMG, “Auditing blockchain solutions”, 2019.

Review Questions - Section 4

1. According to the Association of Certified Fraud Examiners (ACFE), what is the most common concealment method?
A. Altered electronic documents or files
B. Created fraudulent journal entries
C. Destroyed physical documents
D. Created fraudulent physical documents

2. All of the following are the inherent limitations of an audit EXCEPT:
A. Reliability of audit evidence
B. Timeliness of financial reporting
C. Use of sampling techniques
D. Control design deficiency

3. Confirmation is most likely to be a relevant form of evidence with regard to assertions about accounts receivables when the auditor is primarily concerned about which of the following assertions?
A. Classification
B. Existence
C. Valuation
D. Presentation and Disclosure

4. Johnny, controller of EMX Inc., paid a friend $5,000 for the use of the friend’s name and address as the contact information for the accounts payable audit confirmations. The auditor sent the confirmations to the friend’s address and received back official-looking confirmations that “verified” EMX’s account. Johnny committed which of the following fraudulent activities?
A. Business email compromise
B. Billing scheme
C. Confirmation fraud scheme
D. Financial identity theft

5. The risk that an auditor concludes, based on the sample selection, that a material misstatement does not exist when, in fact, such misstatement does exist is referred to as:
A. Control risk
B. Sampling risk
C. Detection risk
D. Inherent risk

6. Blockchain technology has the potential to enhance the CPA profession in all of the following ways EXCEPT:
A. Enhancing the financial close process
B. Reducing the need for audit confirmations
C. Eliminating audit procedures on accounting estimates
D. Simplifying the reconciliation process

7. All of the following events increase the risk of material misstatement in cryptocurrency balances EXCEPT:
A. Losing a private key that cannot be recovered
B. Unable to identify transactions with related parties
C. Applying two-factor authentication to obtain access to a wallet
D. Unauthorized party gaining access to a private key

8. Cryptocurrency that is sent to a correct address is related to which management assertion?
A. Classification
B. Presentation
C. Valuation
D. Rights

Appendix A: Blockchain Decision Tree

The U.S. Department of Homeland Security (DHS) Science & Technology Directorate has been investigating blockchain technology and has created a flowchart to help one determine whether a blockchain may be suitable for a development initiative. The flowchart is reproduced by the National Institute of Standards and Technology and published in “NISTIR 8202 Blockchain Technology Overview”.

Appendix B: Blockchain’s Impacts on Auditing Practices

The following table is created based on American Accounting Association, “How Will Blockchain Technology Impact Auditing and Accounting: Permissionless versus Permissioned Blockchain”, Current Issues in Auditing Vol. 13, No. 2 Fall 2019.

Audit Practices | Blockchain’s Impact | Internal Audit | External Audit

Evidence gathering
• Whole-population investigation replacing the traditional sampling approach;
• Direct access to transaction history.
Internal Audit / External Audit: X X

Transaction validation and verification
• Real-time transaction validation by a community of miners;
• Record verification and maintenance by all users.
Internal Audit / External Audit: X X

Compliance evaluation
• Built-in compliance with most recent standards, regulations, and laws;
• Instant presentation of the underlying regulation to an operator;
• Immediate detection of violations.
Internal Audit / External Audit: X

Transaction reconciliation
• Automating reconciliation (if transactions take place between parties within a single blockchain network);
• Instant settlement;
• Reduction of time spent on reconciliation and increased efficiency.
Internal Audit / External Audit: X X

Financial reporting
• Near real-time financial reporting;
• No errors;
• Less prone to fraud.
Internal Audit / External Audit: X X

Planning and advising
• Providing complete, accurate records for auditors to quickly spot problems, prioritize plans, and find long-term patterns.
Internal Audit / External Audit: X

Decision support
• Offering reliable and timely information stored in blockchain to perform analytics;
• Predicting the consequences of actions;
• Facilitating smart contracts by embedded analytical models (i.e., to identify trends).
Internal Audit / External Audit: X

Answers to Review Questions

Review Questions - Section 1

1. What is a basic feature of a blockchain platform?
A. Incorrect. Blockchain, a decentralized structure, eliminates the need for middlemen to transfer information among participants.
B. Incorrect. In a decentralized system, there is no single point of control since the control is shared between various independent entities.
C. Correct. Blockchain is a type of distributed ledger that creates a peer-to-peer network, which establishes the means for transacting, and enables recording, transferring, tracking, authenticating, and storing of digital assets.
D. Incorrect. Asymmetric (not symmetric) cryptography, known as public-key cryptography, is one of the key components of blockchain technology.

2. Which of the following describes a potential attack on a peer network, where a person attempts to gain control over the network by creating a large number of accounts?
A. Incorrect. Botnets, derived from “robot network”, are networks of compromised computers controlled by remote cybercriminals without owners’ knowledge and consent.
B. Correct. Sybil Attack is a type of attack seen in peer-to-peer networks in which a person creates and operates multiple accounts (identities) in order to gain a disproportionately large influence.
C. Incorrect. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
D. Incorrect. IP spoofing is a technique used to gain unauthorized access to machines, whereby an attacker illicitly impersonates another machine by manipulating IP packets. An attacker convinces a system that it is communicating with a known, trusted entity and provides the attacker with access to the system.

3. What is the method that prevents “double-spending” in cryptocurrency exchanges?
A. Incorrect. Encryption is the process of converting plaintext into a data stream (ciphertext) that protects the confidentiality of digital data.
B. Incorrect. Block reward refers to the cryptocurrency rewarded to miners when they validate and create a block.
C. Incorrect. Halving refers to a reduction in the block reward given to miners once a certain number of blocks have been mined.
D. Correct. Cryptocurrencies are secured via a consensus algorithm to prevent “double-spending”. Such a mechanism authenticates and validates a set of values or a transaction without the need to rely on a centralized authority.

4. What is Proof of Work (PoW)?
A. Incorrect. Cryptography, the process of encoding and decoding information, is used to verify and secure transactions on a blockchain.
B. Incorrect. An address is basically a destination where a user sends and receives digital currency. It is similar to a bank account.
C. Incorrect. A crypto wallet is a software program that stores private and public keys used for cryptocurrency transactions.
D. Correct. Proof of Work (PoW) is a consensus protocol used to validate transactions recorded on blockchains and generally requires the production of proof of complex cryptographic computations. It is a function used to confirm transactions before they can be accepted by network participants.

5. All of the following conditions must be satisfied in order to become validators in PoA EXCEPT:
A. Incorrect. Identities must be formally confirmed with the ability to cross-reference such information (e.g. address, phone number) in a public domain (public notary database).
B. Correct. The computational resources required for solving complex mathematical tasks (validating a block) are far lower than PoW and PoS. Thus, it requires significantly less power consumption.
C. Incorrect. The process of becoming a validator must be difficult to reduce the risks of selecting questionable validators and must incentivize the position and long-term commitment.
D. Incorrect. The validator approval process must be consistent (standard) to ensure that all candidates have an equal chance.

6. What is the term that describes a permanent split in a blockchain resulting from a change in protocol and data structures?
A. Incorrect. 51% attack refers to a potential attack on a blockchain by an individual or group of miners controlling more than 50% of the network's mining hash rate or computing power.
B. Incorrect. Double-spending is the attempt to send cryptocurrency to two separate locations at the same time; spending the same money twice.
C. Incorrect. Selfish mining is a strategy used by miners to increase their rewards by intentionally withholding a validated block from being released to the network.
D. Correct. A hard fork creates a permanent split in a blockchain because the changes (e.g. consensus protocols, mining algorithm, block size) make the previous version of the chain incompatible.

7. What is a change to a blockchain protocol that is backward-compatible?
A. Correct. For a soft fork, non-updated nodes can continue to transact with updated nodes. This is because the blockchain features are still compatible (backward compatible) with the previous version of a chain, which does not result in a duplication of a blockchain.
B. Incorrect. Hashing involves converting plain-text to a hash value of fixed size by a hash function.
C. Incorrect. Mining is defined as the computer process of validating information, creating a new block and recording that information into a blockchain.
D. Incorrect. A hard fork creates a permanent split in a blockchain because the changes (e.g. consensus protocols, mining algorithm, block size) make the previous version of the chain incompatible. In other words, such changes are not backward compatible.

8. What is the method that secures blockchain transactions by assuring authentication and confidentiality?
A. Incorrect. A hot wallet is located in a device connected to the Internet (whether hosted or entity-controlled). It allows users to send cryptocurrency to another address and to obtain an up-to-date snapshot of all the entity’s recent cryptocurrency transactions and balances.
B. Incorrect. A firewall is a system designed to prevent unauthorized access to or from a private network.
C. Incorrect. Cold storage is the act of generating and storing one’s private keys in an offline environment.
D. Correct. Cryptography is the process of enforcing authentication, data confidentiality and data integrity of transactions via quorum structures.

9. What does asymmetric encryption use?
A. Incorrect. Unlike symmetric encryption, asymmetric encryption encrypts and decrypts the data using two separate yet mathematically connected cryptographic keys. These keys are known as a public key and a private key.
B. Incorrect. Asymmetric encryption uses two keys, a public key and a private key, to encrypt plain text.
C. Incorrect. Proof of Work is a consensus protocol used to validate transactions recorded on certain blockchains that generally requires the production of proof of complex cryptographic computations that require large amounts of computing power in order to validate transactions.
D. Correct. Asymmetric cryptography, also known as public key cryptography, uses public and private keys to encrypt and decrypt data, respectively.

10. Which of the following describes an alphanumeric string of 26-35 characters that represents a possible destination for a bitcoin payment?
A. Incorrect. Hash is a mathematical function or algorithm that ciphers a given input into a fixed-size alphanumeric string known as a hash value.
B. Correct. An address is an identifier, an alphanumeric string of 26-35 characters, that represents a possible destination for a bitcoin payment.
C. Incorrect. Wallet is a software program used to store cryptocurrency private keys.
D. Incorrect. Digital signature provides validation and authentication in the same way signatures do, in digital form; ensuring the security and integrity of the data recorded onto a blockchain.

11. Which of the following techniques enables automation of the contracting process by facilitating, verifying or enforcing the negotiation or performance of a contract?
A. Incorrect. Proof of Work (PoW) is the original consensus algorithm in a blockchain network. It is an algorithm used to confirm transactions and produce new blocks to the chain.
B. Correct. Smart contracts constitute lines of code intended to digitally facilitate, verify, or enforce the negotiation or performance of a contract.
C. Incorrect. A stealth address is a vital part of Monero's inherent privacy. It requires the sender to create a random, one-time address for every transaction on behalf of the recipient so that different payments made to the same payee are unlinkable.
D. Incorrect. A hashing algorithm is a cryptographic hash function. It is a mathematical algorithm that maps data of arbitrary size to a hash of a fixed size. It's designed to be a one-way function, infeasible to invert.

Review Questions - Section 2

1. Which of the following statements is TRUE regarding public blockchains?
A. Incorrect. Private (permissioned) blockchains restrict access regarding who can perform different activities on the network. Public (permissionless) blockchain networks allow every participant to submit transactions and add entries to the ledger as no permission is required to join the network.
B. Incorrect. Scalability is the trade-off, generally making public blockchains slower than private blockchains and traditional central payment systems. This is because of the computational power required to maintain public blockchains and assure consensus.
C. Incorrect. Private blockchains, such as Hyperledger Fabric, are designed to cater to enterprise requirements. Public blockchains have limited applications due to the public nature of transactions and limited functionality support at a protocol level.
D. Correct. Public (permissionless) blockchain networks allow every participant to submit transactions and add entries to the ledger as no permission is required to join the network. Public blockchains have no single owner. They are far more decentralized than a private (permissioned) system.

2. Which of the following platforms has the highest degree of scalability?
A. Incorrect. Bitcoin, in its current form, can process approximately seven transactions per second. Scalability is the trade-off of public blockchains. This is because of the computational power required to maintain public blockchains and assure consensus.
B. Correct. VISA offers significantly higher transactions per second, processing 150 million transactions per day, averaging roughly 1,700 transactions per second.
C. Incorrect. In its current state, Ethereum, a public blockchain, can handle around 20 transactions per second.
D. Incorrect. PayPal currently processes 193 transactions per second.

3. Cloud Inc. considers deploying a blockchain platform. Cloud Inc. needs to control who can read and write on its blockchain. Which type of blockchain best fits Cloud Inc.’s need?
A. Incorrect. Public blockchain networks allow every participant to submit transactions and add entries to the ledger as no permission is required to join the network. The operation is like the public internet, where anyone can participate. In other words, any participants can read and write to the ledger.
B. Correct. Private blockchains restrict access regarding who can perform different activities on the network. The system operates similarly to a privately maintained database that is controlled by giving read privileges to outsiders.
C. Incorrect. In the current ecosystem, the market has three types of blockchains: 1) public 2) private and 3) hybrid. Blockchain technology always applies a consensus mechanism to authenticate and validate transactions without the need to rely on a centralized authority.
D. Incorrect. Permissionless blockchains are also known as public blockchains. Since Cloud Inc. needs to control who can join the network, a private (permissioned) blockchain that places restrictions on who is allowed to participate in the network and in what transactions would be the most appropriate for Cloud Inc.

4. Which cryptocurrency is operated on a private blockchain?
A. Incorrect. Bitcoin is operated on an open, public blockchain. Anyone is free to download the bitcoin blockchain and begin mining operations in exchange for mining fees and block rewards.
B. Correct. Ripple runs on a private blockchain. Ripple (Labs) Inc., the company behind Ripple (XRP), decides who may act as a transaction validator on its network.
C. Incorrect. Bitcoin Cash is also an example of a public blockchain. There is no barrier to entry to use it.
D. Incorrect. Litecoin is operated on a public blockchain network which allows every participant to submit transactions and add entries to the ledger.

5. What is a feature of a consortium blockchain?
A. Incorrect. Consortium blockchains are private blockchains deployed for a group of organizations/individuals to share the data in a trustworthy environment.
B. Correct. The consensus process is controlled by pre-defined nodes or a set of participants on the network.
C. Incorrect. Consortium blockchains are also known as semi-decentralized blockchains because they are granted to a group of approved organizations/individuals.
D. Incorrect. Consortium blockchains restrict access regarding who can perform different activities on the network.

Review Questions - Section 3

1. What is the concept that an increase or decrease in one account must be offset exactly by an increase or decrease in another account?
A. Incorrect. Conservatism is a prudent reaction to uncertainty to try to ensure that uncertainty and risks inherent in business situations are adequately considered. Thus, a gain contingency, for example, is not recorded in the financial statements. If the probability of realization is high, the contingency is disclosed in the notes.
B. Incorrect. Accounting is based on the assumption that the accounting unit or entity is engaged in continuous and ongoing activities. The accounting unit or entity is assumed to remain in operation into the foreseeable future to achieve its goals and objectives. This assumption is referred to as the going concern (or continuity) assumption.
C. Correct. Double-entry accounting is a method of accounting that recognizes the duality of a transaction such that any change in one account also causes a change in another account.
D. Incorrect. The monetary unit assumption requires that financial information be measured and accounted for in the basic monetary unit of the country in which the enterprise is located. The monetary value of an economic event or transaction, determined at the time it is recorded, is not adjusted for subsequent changes in the purchasing power of the monetary unit.

2. According to the rules of debits and credits, which of the following statements is TRUE?
A. Incorrect. Asset accounts usually have debit balances. Unlike asset accounts, both liability and owners’ equity accounts generally have credit balances. Therefore, to increase both liability and owners’ equity accounts, we credit these accounts instead of debiting them. To increase asset accounts, we debit these accounts.
B. Incorrect. Asset accounts usually have debit balances and liability accounts usually have credit balances. To decrease asset accounts, we credit them. However, we debit liability accounts to record a decrease.
C. Incorrect. Asset accounts usually have debit balances and owners’ equity accounts usually have credit balances. To increase asset accounts, we debit them. However, to increase owners’ equity accounts, we credit them.
D. Correct. Liabilities and owners’ equity accounts usually have credit balances. Therefore, to decrease liability and owners’ equity accounts, we debit them.

3. Which of the following management assertions indicates that the amount of revenue and expense included in the financial statements are appropriate?
A. Incorrect. The assertion of existence is the assertion that the assets, liabilities, and shareholders' equity balances appearing on a company's financial statements exist at a given date.
B. Incorrect. The assertion of completeness is an assertion that the financial statements include every item that should be included in the statement for a given period.
C. Correct. The assertion of valuation is the statement that the asset, liability, equity, revenue, and expense amounts included in the financial statements are appropriate.
D. Incorrect. This is the assertion that the company holds or has ownership rights or usage rights over the assets, and liabilities are obligations of the company at a given date.

4. What is the process of objectively obtaining and examining evidence in respect of certain assertions about economic events?
A. Incorrect. The Institute of Management Accountants defines cost accounting as “a systematic set of procedures for recording and reporting measurements of the cost of manufacturing goods and performing services in the aggregate and in detail.”
B. Incorrect. Risk assessment is a process for identifying and assessing risks that may affect organizations from achieving objectives.
C. Correct. Auditing is generally defined as a systematic process of objectively obtaining and examining evidence in respect of certain assertions about economic events, to ascertain the degree of correspondence between those assertions and established criteria and report the results to interested parties.
D. Incorrect. Management accounting as defined by the IMA is “a profession that involves partnering in management decision making, devising planning and performance management systems, and providing expertise in financial reporting and control to assist management in the formulation and implementation of an organization's strategy.”

5. As an independent guarantor of financial information, what is an auditor's primary consideration regarding internal control?
A. Incorrect. Management's philosophy and operating style is just one factor in the control environment of internal control.
B. Correct. An auditor's primary concern is whether a specific control affects financial statement assertions. Much of the audit work required to form an opinion consists of gathering evidence about the assertions in the financial statements. These assertions are management representations embodied in the components of the financial statements. Controls relevant to an audit are individually or in combination likely to prevent or detect material misstatements in financial statement assertions.
C. Incorrect. Restricting access to assets is only one of many physical controls, which constitute the control activities of internal control.
D. Incorrect. Many controls concerning management's decision-making process are not relevant to a financial audit.

6. Which of the following entities usually serves as a financial intermediary?
A. Incorrect. The Internal Revenue Service, a U.S. government agency, collects taxes and enforces tax laws.
B. Incorrect. A public accounting firm provides accounting, auditing, and tax services to their clients.
C. Correct. New York Stock Exchange acts as an agent by facilitating the trading of securities and stocks and disseminating information.
D. Incorrect. A community college is an example of a not-for-profit organization, which does not earn any profits for its operation.

Review Questions - Section 4

1. According to the Association of Certified Fraud Examiners (ACFE), what is the most common concealment method?
A. Incorrect. About 31% of fraudsters altered electronic documents or files to cover their crimes.
B. Incorrect. Only 27% of fraudsters created fraudulent journal entries to conceal their schemes.
C. Incorrect. About 30% of fraudsters destroyed physical documents to conceal the misdeeds.
D. Correct. About 55% of fraudsters created fraudulent physical documents to cover their crimes.

2. All of the following are the inherent limitations of an audit EXCEPT:
A. Incorrect. The reliability of audit evidence is influenced by its source and nature and is dependent on the individual circumstances under which it is obtained. For example, there is always the possibility that management or others may not provide, intentionally or unintentionally, accurate and complete information.
B. Incorrect. The audit function usually occurs after weeks, months and even quarters of the year have passed. The relevance of information and its value tends to weaken over time. Thus, the ability to definitively validate and confirm the transactions by these auditors becomes a borderline untenable effort.
C. Incorrect. There is always a probability that a fraudulent transaction is not included in the auditor’s sample and therefore remains undetected. Thus, any sample of less than 100% of a population always increases the risk that a misstatement will not be detected.
D. Correct. Control design deficiency is one of the limitations of internal controls. Because of such limitations, there is a risk that material misstatements will not be prevented or detected on a timely basis.

3. Confirmation is most likely to be a relevant form of evidence with regard to assertions about accounts receivables when the auditor is primarily concerned about which of the following assertions?
A. Incorrect. Limited classification information is received through confirmation.
B. Correct. A confirmation primarily addresses whether the third party replying to the confirmation agrees that a debt exists as of a certain date.
C. Incorrect. Although confirmations provide limited information on valuation, they do not directly assess collectability, which determines the proper amount to be reported in the financial statements.
D. Incorrect. Confirmations are of limited assistance in the determination of whether the account of the financial statements is properly classified, described and disclosed.

4. Johnny, controller of EMX Inc., paid a friend $5,000 for the use of the friend’s name and address as the contact information for the accounts payable audit confirmations. The auditor sent the confirmations to the friend’s address and received back official-looking confirmations that “verified” EMX’s account. Johnny committed which of the following fraudulent activities?
A. Incorrect. Business email compromise involves taking over an email account or spoofing an email address in order to initiate theft via unauthorized ACH or wire transfers.
B. Incorrect. Billing scheme is a fraudulent disbursement scheme in which a person causes his or her employer to issue a payment by submitting invoices for fictitious goods or services, inflated invoices, or invoices for personal purchases.
C. Correct. Johnny circumvented the confirmation process by directing the auditor to send confirmations to a friend who fraudulently completed the confirmation responses.
D. Incorrect. Financial identity theft is related to ID thieves taking out loans or credit cards using a victim’s information. The victim often receives a lender’s letter stating that he/she has not repaid a loan that he/she did not take.

5. The risk that an auditor concludes, based on the sample selection, that a material misstatement does not exist when, in fact, such misstatement does exist is referred to as:
A. Incorrect. Control risk is the risk of a material misstatement in the financial statements arising due to absence or failure in the operation of relevant controls of the company.
B. Correct. Sampling risk arises from the possibility that, when a test of controls or a substantive test is restricted to a sample, the auditor's conclusions may be different from the conclusions he/she would reach if the test were applied in the same way to all items in the account balance or class of transactions.
C. Incorrect. Detection risk is the risk that the auditor will not detect a material misstatement that exists in an assertion. For example, the substantive tests fail to detect misstatement.
D. Incorrect. Inherent risk is the susceptibility of an assertion to a misstatement, due to error or fraud, that could be material, individually or in combination with other misstatements, before consideration of any related controls.

6. Blockchain technology has the potential to enhance the CPA profession in all of the following ways EXCEPT:
A. Incorrect. The technology makes it possible to imagine scenarios where financial statements, fed from blockchain, are updated every day, making periodic closes a routine and less painful process.
B. Incorrect. Supporting documentation, such as invoices, contracts, and purchase orders, are encrypted and securely stored or linked to blockchain. Since all entries are instantly visible and nearly impossible to alter, confirmation of the existence or accuracy of transactions becomes less necessary.
C. Correct. Auditors will still need to perform audit procedures on accounting estimates, assumptions and other judgments made by management, even if the underlying transactions are recorded in a blockchain.
D. Incorrect. In blockchain, the book-keeping entries of both parties are corresponding, consistent, and matched because the universal ledger is shared identically and permanently with every participant. The permanent record reduces the chances for fraud, thus making records more trustworthy and reduces the need for separate reconciliation efforts.

7. All of the following events increase the risk of material misstatement in cryptocurrency balances EXCEPT:
A. Incorrect. The loss of a private key gives rise to the risk of a material misstatement if the effect of the loss is not properly accounted for.
B. Incorrect. The inability to identify transactions with related parties will affect the accuracy of assets and completeness of disclosures.
C. Correct. Risks of unauthorized access to a hot wallet may be reduced by the use of two-factor authentication to obtain access to a wallet.
D. Incorrect. An unauthorized party may steal the entity’s cryptocurrency. As a result, the entity may no longer be able to access the cryptocurrency linked to that key. Such events increase the risk of material misstatement if the effect of the loss is not properly accounted for.

8. Cryptocurrency that is sent to a correct address is related to which management assertion?
A. Incorrect. The assertion of classification means that the entity records all the transactions in the proper accounts.
B. Incorrect. The assertion of presentation indicates that the components of the financial statements are properly classified, described and disclosed.
C. Incorrect. The assertion of valuation is the statement that the amounts of crypto assets included in the financial statements are appropriate.
D. Correct. A feature common to all blockchains is that once a transaction is confirmed on the blockchain, it is irreversible, and ownership rights are established. If cryptocurrency is sent to an incorrect address, the entity no longer has ownership rights over the crypto assets.

Glossary Algorithm: A process or set of rules to be followed in calculations or other problem-solving operations.

Altcoins: Any cryptocurrency other than bitcoin. Bitcoin was the first cryptocurrency, and all coins that

came after it are considered bitcoin alternatives.

Authentication: The process by which a party proves control of an address, and hence of the assets

held at it, by signing with the private key that corresponds to the address's public key.

Block: A group of transactions or records recorded together as one unit on a blockchain.

Blockchain: A digital ledger that records all related transactions since its inception.

Consensus Mechanism: A method to authenticate and validate a set of values or a transaction without

the need to trust or rely on a centralized authority.

Cryptography: The mathematical techniques used to secure information, including encryption, hashing

and digital signatures. Blockchains rely mainly on hashing and digital signatures; the ledger itself is

usually not encrypted.

Distributed Ledger: A ledger, or record of transactions, that is replicated across the computers of a

peer-to-peer network instead of being kept by a central authority.

Double-Entry System: System of accounting in which every transaction and event affects at least two

accounts.

Double-Spending: The attempt to spend the same units of cryptocurrency twice, for example by sending

them to two different recipients at about the same time. Preventing this is the central problem that a

consensus mechanism solves.

Hash: A fixed-length fingerprint of data produced by a hashing algorithm; any change to the data

changes its hash. Each block carries the hash of the previous block, which is what links blocks together

on a blockchain and makes past blocks tamper-evident.

Mining: The act of assembling transactions into a new block and performing the work the network

requires before it accepts the block (the proof of work), in return for a reward, usually newly issued

cryptocurrency.

Peer-to-Peer: A connection between two or more computers without using a centralized third party

as an intermediary.

Public Key: The half of a key pair that can be shared freely. A wallet address is derived from the public

key, and it is the address to which other wallets send transaction values.

Private Key: The secret half of a key pair, known only to its owner and held in a digital wallet. It is used

to sign transactions that spend from the corresponding address, so whoever holds the private key

controls the cryptocurrency, and losing it means losing access to those assets.

Wallet: Software, a hardware device or an online service that stores the private keys controlling an

entity's cryptocurrency; the coins themselves exist only as entries on the blockchain.
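The following Python example is added here and is not part of the course; it shows concretely how the Block, Hash, Mining and Double-Spending entries above fit together. Every value in it is constructed: the account names (alice, bob, carol, dave, erin), the MINING_REWARD label for newly issued coins, the JSON block encoding and the very easy difficulty target of two leading zero hex digits are all assumptions made for illustration. Real networks use different block formats, a far harder target and signed transactions from key pairs; this example uses plain account names in place of signed addresses so that it runs with the standard library alone.

```python
"""Hash-linked ledger with a toy proof of work and a double-spend check.

Added example, not course material. Block format, difficulty, account
names and amounts are all constructed for illustration.
"""
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

DIFFICULTY = 2                    # hypothetical: leading zero hex digits required
GENESIS_PREV_HASH = "0" * 64      # the first block links to an all-zero hash
REWARD_SENDER = "MINING_REWARD"   # constructed label for newly issued coins


@dataclass
class Block:
    index: int
    prev_hash: str             # hash of the previous block: the link in the chain
    transactions: List[Dict]   # each: {"from": str, "to": str, "amount": int}
    nonce: int = 0             # varied by the miner until the hash meets the target

    def serialize(self) -> bytes:
        # Canonical encoding so identical content always hashes identically.
        return json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":")).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.serialize()).hexdigest()


def has_proof_of_work(block: Block) -> bool:
    return block.hash().startswith("0" * DIFFICULTY)


def mine(block: Block) -> Block:
    """The miner's work: try nonces until the block hash meets the target."""
    while not has_proof_of_work(block):
        block.nonce += 1
    return block


def append_block(chain: List[Block], transactions: List[Dict]) -> List[Block]:
    """Return a new chain ending in a freshly mined block carrying `transactions`."""
    prev_hash = chain[-1].hash() if chain else GENESIS_PREV_HASH
    return chain + [mine(Block(len(chain), prev_hash, transactions))]


def audit_chain(chain: List[Block]) -> Tuple[List[str], Dict[str, int]]:
    """Re-check every link, every proof of work and every spend from genesis.

    Returns (problems, balances). An empty problem list means the chain is
    valid. Balances are replayed block by block, so a transaction that spends
    more than its sender holds (a double spend) is reported and skipped.
    """
    problems: List[str] = []
    balances: Dict[str, int] = {}
    expected_prev = GENESIS_PREV_HASH
    for i, block in enumerate(chain):
        if block.index != i:
            problems.append(f"block {i}: index is {block.index}")
        if block.prev_hash != expected_prev:
            problems.append(f"block {i}: prev_hash does not link to previous block")
        if not has_proof_of_work(block):
            problems.append(f"block {i}: proof of work is invalid")
        for n, tx in enumerate(block.transactions):
            if tx["amount"] <= 0:
                problems.append(f"block {i} tx {n}: non-positive amount")
                continue
            if tx["from"] != REWARD_SENDER:
                if balances.get(tx["from"], 0) < tx["amount"]:
                    problems.append(f"block {i} tx {n}: double spend, "
                                    f"{tx['from']} lacks {tx['amount']}")
                    continue
                balances[tx["from"]] -= tx["amount"]
            balances[tx["to"]] = balances.get(tx["to"], 0) + tx["amount"]
        expected_prev = block.hash()   # the next block must link to this hash
    return problems, balances


def build_sample_chain() -> List[Block]:
    """Constructed sample data: a mining reward to alice, then two payments."""
    chain: List[Block] = []
    chain = append_block(chain, [{"from": REWARD_SENDER, "to": "alice", "amount": 10}])
    chain = append_block(chain, [{"from": "alice", "to": "bob", "amount": 5}])
    chain = append_block(chain, [{"from": "bob", "to": "carol", "amount": 3}])
    return chain


def tampered_copy(chain: List[Block], block_index: int, tx_index: int,
                  amount: int) -> List[Block]:
    """Alter one historical amount in place: the edit a permanent record must expose."""
    altered = copy.deepcopy(chain)
    altered[block_index].transactions[tx_index]["amount"] = amount
    return altered


if __name__ == "__main__":
    chain = build_sample_chain()
    print("valid chain:", audit_chain(chain))
    print("tampered history:", audit_chain(tampered_copy(chain, 1, 0, 9))[0])
    overspend = append_block(chain, [{"from": "carol", "to": "dave", "amount": 3},
                                     {"from": "carol", "to": "erin", "amount": 3}])
    print("double spend:", audit_chain(overspend)[0])
```

Two things the glossary states are visible when this runs. Changing a single amount in block 1 changes that block's hash, so block 2's stored prev_hash no longer links to it and the audit reports the break (and, almost always, that block 1's proof of work is no longer valid). And a block in which carol pays out 3 twice while holding only 3 is rejected on replay, which is how a validating node refuses a double spend before it ever becomes part of the permanent record.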

Index

Audit evidence, 53

Bitcoin, 30

Blockchain, 11

Cold wallet, 19

Consensus mechanism, 11

Cryptography, 18

Distributed ledger technology, 5

Hardware wallet, 19

Hash, 17

Hot wallet, 19

Hybrid blockchain, 36

Mining, 12

Oracles, 21

Paper wallet, 19

Private (permissioned) blockchain, 31

Private key, 18

Proof of Stake, 13

Proof of Work, 12

Public (permissionless) blockchain, 29

Public key, 18

Sampling risk, 56

Smart contracts, 21

Tamper-proof, 10

Triple-entry accounting, 9
