TRANSCRIPT
1
Blockchain and
cryptocurrencies
including assurance and
compliance considerations
2
PARTICIPATE IN Q&A
• Download the IIA Conferences App to participate in Q&A during select sessions
• Select the session through the schedule icon
• Submit your questions for the session or to specific presenters by selecting the ASK icon
• Ask a member of the Conference Staff if you need assistance
• You can also go to https://ic.cnf.io/ from your mobile device web browser
3
Joining us today
A Michael Smith, US Internal Technology Audit Solutions Leader, PwC
Zachary Lynde, CFO, Factom, Inc.
4
Agenda
Introduction/background
Overview – What is blockchain?
Cryptocurrencies
Assurance and Compliance
5
Blockchain vs. Bitcoin
What is blockchain?
A decentralised ledger of transactions: blocks of validated transactions, each chained to the previous block by a cryptographic hash, so that altering an earlier block invalidates every block that follows it.
What is bitcoin?
A digital currency, issued and regulated by no central authority, that runs on blockchain technology. It is used to process peer-to-peer (P2P) transactions and can offer lower transaction fees than traditional online payment mechanisms.
6
Blockchain – How it works
A blockchain is a distributed, tamper-evident digital ledger: every participant holds a copy and can re-check the hash chain, so tampering is detectable rather than impossible.
7
Key concepts of blockchain
Distributed ledger
Every participant in the network has simultaneous access to a view of the information. Transparency that can eliminate the need for reconciliation and create provenance – proving the negative.
Cryptography
Integrity, identity and security of the information on the blockchain are ensured with cryptographic functions. Prevents unwanted intrusion on the network from non-authenticated participants.
Consensus
Verification is achieved by participants confirming changes with one another, replacing the need for a third party to authorise transactions. Facility for peers to validate updated information, ensuring integrity of the data on the chain.
Smart contracts
The ability to run additional business logic means that agreement on the expected behaviour of financial instruments can be embedded in the blockchain. Implement shared workflow and enhanced automation.
What does this mean for your organization?
8
Conditions for successful blockchain application
1. Multiple parties share data – multiple participants need views of common information
2. Multiple parties update data – multiple trusted participants need to record and update information
3. Requirement for verification – participants need to trust that the actions that are recorded are valid
4. Intermediaries add complexity – removal of intermediaries can reduce cost and complexity
5. Interactions are time sensitive – reducing delay has business benefit
6. Transactions interact – transactions created by different participants depend on each other
If at least four of these conditions hold true, blockchain could be an applicable solution.
9
Putting blockchain to work
Smart contracts allow for automated transactions based on predetermined conditions or triggering events. This unlocks a
second layer of value for blockchain use cases, while making it easier to maintain and enforce governance throughout the
blockchain network.
Asset traceability
Tracking part changes and service events throughout an asset's useful life (i.e. an asset "Health Record")
Finance
Accelerate payments and
settlement through real time
purchase order updates and
automating settlement
Tax and customs
Automating and streamlining
compliance burdens by executing
transactions precisely and
reliably while automatically
generating documentation.
Payments, royalties, and licensing
Automating predetermined contract
terms and enabling faster royalty
payments and subscription revenue
settlements, while increasing trust in
customer data.
Identity management
Authenticating identity and
verifiable credentials on a
blockchain for accelerated
log-in and increased data
security
Digital currencies
Decentralized currency
crosses borders and
eliminates intermediaries
Records and contract
management
Blockchains provide an engine
for collecting and maintaining
verifiable records
Audit and compliance
Enable real-time, transaction-level
assurance and provide additional
transparency to interested
stakeholders
10
Smart contract
A smart contract is a digitally
signed, computable agreement
between two or more parties. A
virtual third party—a software
agent—can execute and enforce
at least some of the terms of
such agreements.
Smart contracts have the ability to
run additional business logic which
means that agreement on the
expected behavior of financial
instruments can be embedded in
the blockchain.
11
Industry use cases
Financial services
Clearing & Settlement – Provide automated clearing upon trade completion
Lending – Allow concurrent participation by lenders in pricing
Payments – Enable real-time payments including international transfers
Trade Finance – Digitize and authenticate trade finance records
Securities – Create unique identifiers and track transactions
Non-financial services
Healthcare – Eliminate mismatched or duplicate medical records
Public Sector – Secure storage and governance of an individual's records such as birth certificates
Supply Chain – Drive transparency and traceability of goods and services
12
2. Cryptocurrency overview
13
Crypto assets
• This area is much more complex than is generally expected
• Not all crypto-variants are synonymous. In fact, there are distinct categories of crypto assets, each of which has unique economic drivers and risk factors
• Understanding the nature of these assets is key to understanding how to manage the related risk
• Transaction processing of crypto-currencies is complex and consists of both on-ledger and off-ledger transactions
Economic Categories
True Virtual Currencies – Value driven primarily by momentum and market cap
Pay-for-use Currencies – Value driven by the utility of the associated platform
"In lieu of" token-based Currencies – Value entirely tied to the asset the token stands in for
14
Types of cryptocurrency
Other notable cryptocurrencies and crypto-assets (e.g. tokens) continue to rise in total market cap, likely due to their individual unique properties. Examples:
• Ethereum – programmable decentralized and trustless applications, contracts and money
• Litecoin – faster block generation rate and faster transaction confirmation
• Monero – designed as a private, untraceable currency
• Zcash – offers privacy and selective transparency of transactions
15
Technological, cultural and economic catalysts contributed to the creation of cryptocurrencies
What is a crypto asset?
A crypto asset is a medium of exchange, created and stored electronically on a blockchain, using cryptographic techniques (digital signatures and hash functions rather than encryption) to control the creation of monetary units and to verify the transfer of funds. It is not issued by any central authority.
There are over 1,500 coins and tokens globally (as of 2/23/18). The total market cap of all coins and tokens is $455B (as of 2/23/18).
[Chart: Global token sales, $millions]
[Timeline: 1940s – Early building blocks (cryptography, P2P networks); 1980s – Introduction of digital money; 1990s – Cypherpunk Manifesto; 2007–2008 – Global financial crisis and economic recession; 2008 – Satoshi Nakamoto whitepaper; First bitcoin transaction]
16
Blockchain technology presents potential security risks and challenges
Security
Challenges
Presented by
Blockchain
Cryptosystem Risks
Traditional cryptography risks, including poor key management and weak key generation, apply unchanged. On a blockchain a compromised or guessable private key hands the attacker control of the associated assets, and also undermines the confidentiality of any data encrypted under it.
Blockchain Specific Attack Vectors
In addition to the traditional security concerns, Blockchain brings additional security challenges and attack vectors, including
Consensus Hijack, Sidechains, and DDoS attacks.
Absence of Governance
Lack of oversight to ensure efficient and secure use of Blockchain networks, and the absence of processes to combat illegal
activity, gives rise to security concerns.
Integration and Scalability Concerns
Tools for interoperability are in nascent stages and are susceptible to security concerns. In addition, scalability presents a
challenge as ledger growth can slow transaction speed.
Design Flaws
Vulnerabilities in code and the absence of privacy principles being incorporated in the design present data security and
privacy concerns.
Use Case Specific Vulnerabilities
Some security vulnerabilities are unique to specific implementations such as management of Smart Contracts and
Cryptocurrency Wallets.
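The "weak key generation" risk under Cryptosystem Risks, as an added example that is not from the original deck and not PwC or Factom code. The insecure generator seeds Python's Mersenne Twister with a wallet-creation timestamp; an attacker who can guess that time to within a few minutes recovers the key by brute force. The secure generator draws from the OS CSPRNG and checks the value is a valid secp256k1 scalar. One assumption is labelled in the code: a real wallet publishes an address derived from the EC public key, and a hash of the private key stands in for that public value here so the attacker has something to compare candidates against. The timestamp and search window are constructed.

```python
import hashlib
import random
import secrets
from typing import Optional, Tuple

# Group order of secp256k1 (the curve used by Bitcoin and Ethereum).
# A private key is an integer k with 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def valid_secp256k1_scalar(priv: bytes) -> bool:
    k = int.from_bytes(priv, "big")
    return 1 <= k < SECP256K1_N


def weak_privkey(seed: int) -> bytes:
    """INSECURE: Mersenne Twister seeded with a guessable value (here a Unix timestamp)."""
    rng = random.Random(seed)
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_privkey() -> bytes:
    """Draw from the OS CSPRNG and reject the (astronomically rare) out-of-range values."""
    while True:
        priv = secrets.token_bytes(32)
        if valid_secp256k1_scalar(priv):
            return priv


def fingerprint(priv: bytes) -> str:
    # Assumption for this example: a real wallet exposes an address derived from the
    # EC public key. A hash of the private key is used here purely as a public,
    # comparable stand-in; it is not how addresses are actually derived.
    return hashlib.sha256(b"addr|" + priv).hexdigest()


def recover_weak_key(target_fp: str, approx_time: int, window: int) -> Optional[Tuple[int, bytes]]:
    """Attacker's search: try every seed within +/- window seconds of the guessed creation time."""
    for seed in range(approx_time - window, approx_time + window + 1):
        cand = weak_privkey(seed)
        if fingerprint(cand) == target_fp:
            return seed, cand
    return None


def demo_weak_rng() -> Tuple[bool, bool]:
    """Returns (weak key recovered, strong key NOT recovered by the same search)."""
    created_at = 1_700_000_000                     # constructed wallet-creation timestamp
    victim = weak_privkey(created_at)
    # The attacker's guess is 37 seconds off; a 5-minute window still contains the seed.
    hit = recover_weak_key(fingerprint(victim), created_at + 37, window=300)
    strong = strong_privkey()
    miss = recover_weak_key(fingerprint(strong), created_at + 37, window=300)
    return (hit is not None and hit[1] == victim, miss is None)


if __name__ == "__main__":
    print("weak key recovered, strong key recovered:", demo_weak_rng())
```

The search space of the weak generator is the number of plausible seeds (a few hundred here), not 2^256; that is the whole of the "weak key generation" risk. Auditing this means checking where the entropy comes from, not how long the key looks.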
17
Cryptocurrency risks and considerations
Key Management Challenges
• Private keys cannot be revoked and cannot be reasonably regenerated in the case of loss
- Whose private key compromise would result in massive losses?
- Is the cryptocurrency held in a single wallet, with a method to allocate it to the appropriate party or parties, or in a complex sub-ledger/blockchain?
Cold Storage/Hardware Security Modules
• Hacks can be various and often complex. Most of these breaches (e.g., hacks at BTC exchanges) could be prevented, or at least severely limited, with a leading-practice security approach
• How to keep keys completely offline yet accessible if needed?
• What is held in cold storage and what is available for actual use?
• How to account for wildly fluctuating currencies?
Wallet Addresses
• How are funds received and paid?
• How are settlement and management, including reconciliation and reporting, handled?
- Multi-signature wallets are a good approach where multiple wallets and users are involved
18
3. Assurance and Compliance
19
Enterprise need and challenges
Increases in transaction volume and rapidly evolving complex technologies are creating a critical need for
business, technology and compliance functions to be prepared, adaptive and agile to emerging challenges.
Transaction volume
Due to the increase in transaction volumes, current internal audit methodologies that are manual, sample-based and point in time do not provide the needed level of confidence.
Technological challenges
Current methodologies cannot provide the necessary assurance in areas where a blockchain is used.
Traditional audit approach
• Point in time
• Forensic
• Sample based
• Speculative
• Subjective population results
Methodologies will likely have to shift from a manual to an automated and continuous approach to address a significant increase in transaction volumes.
20
Fundamental shift in internal audit philosophy
Providing this transparency requires a fundamental shift in how we think about internal audit and
internal controls. It should go from retrospective, or forensic, point in time efforts to actual real
time auditing where the underlying foundations of internal audit and internal control become part
of the nature of each discrete transaction.
Current state
• Point in time
• Forensic
• Retrospective
• Sample based analysis
• Speculative
• Subjective population results
Future state
• Real time
• Inherency
• Immediate/Predictive
• Full population
• Macro level trending
• Objective Population results
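What "full population" and "real time" look like in practice, as an added example that is not from the original deck and not PwC or Factom code: every on-chain transfer touching the company's addresses is reconciled against the internal sub-ledger, with no sampling, and each control break is emitted as a typed exception. The chain records, the sub-ledger entries, the address labels, the approved-payee list and the six-confirmation threshold are all constructed for the example; a real run would read the first two from a node and the accounting system.

```python
from decimal import Decimal
from typing import Dict, List, Set, Tuple

# Constructed sample data: transfers as read from the chain (on-ledger) ...
CHAIN = [
    {"txid": "t1", "from": "ext-1",      "to": "treasury",   "amount": Decimal("1.50"), "confirmations": 20},
    {"txid": "t2", "from": "treasury",   "to": "vendor-1",   "amount": Decimal("0.25"), "confirmations": 9},
    {"txid": "t3", "from": "hot-wallet", "to": "unknown-9",  "amount": Decimal("0.10"), "confirmations": 7},
    {"txid": "t4", "from": "ext-2",      "to": "hot-wallet", "amount": Decimal("2.00"), "confirmations": 3},
    {"txid": "t5", "from": "ext-3",      "to": "ext-4",      "amount": Decimal("5.00"), "confirmations": 30},
]
# ... and the company's internal sub-ledger (off-ledger) entries that should mirror them.
SUBLEDGER = [
    {"ref": "SL-1", "txid": "t1", "amount": Decimal("1.50")},
    {"ref": "SL-2", "txid": "t2", "amount": Decimal("0.25")},
    {"ref": "SL-3", "txid": "t3", "amount": Decimal("0.01")},   # booked at the wrong amount
    {"ref": "SL-4", "txid": "t9", "amount": Decimal("0.50")},   # no such transaction on chain
]
OUR_ADDRESSES = {"treasury", "hot-wallet"}
APPROVED_PAYEES = {"vendor-1"}
MIN_CONFIRMATIONS = 6


def reconcile(chain: List[Dict], subledger: List[Dict], ours: Set[str],
              approved: Set[str], min_conf: int) -> List[Tuple[str, str]]:
    """Full-population reconciliation; returns (exception type, identifier) pairs, sorted."""
    exceptions: List[Tuple[str, str]] = []
    sl_by_txid = {e["txid"]: e for e in subledger}
    chain_txids = {t["txid"] for t in chain}

    for t in chain:
        inbound, outbound = t["to"] in ours, t["from"] in ours
        if not (inbound or outbound):
            continue                                   # not our transaction
        entry = sl_by_txid.get(t["txid"])
        if entry is None:
            exceptions.append(("UNRECORDED", t["txid"]))          # on chain, not in the books
        elif entry["amount"] != t["amount"]:
            exceptions.append(("AMOUNT_MISMATCH", t["txid"]))
        if outbound and not inbound and t["to"] not in approved:
            exceptions.append(("UNAPPROVED_PAYEE", t["txid"]))    # funds left to an unvetted address
        if t["confirmations"] < min_conf:
            exceptions.append(("UNCONFIRMED", t["txid"]))         # could still be reorganised away

    for e in subledger:
        if e["txid"] not in chain_txids:
            exceptions.append(("PHANTOM_ENTRY", e["ref"]))        # in the books, not on chain
    return sorted(exceptions)


def net_position(chain: List[Dict], ours: Set[str], min_conf: int) -> Decimal:
    """Confirmed on-chain balance movement for our addresses, computed independently of the sub-ledger."""
    net = Decimal("0")
    for t in chain:
        if t["confirmations"] < min_conf:
            continue
        if t["to"] in ours:
            net += t["amount"]
        if t["from"] in ours:
            net -= t["amount"]
    return net


def run() -> Tuple[List[Tuple[str, str]], str]:
    exceptions = reconcile(CHAIN, SUBLEDGER, OUR_ADDRESSES, APPROVED_PAYEES, MIN_CONFIRMATIONS)
    return exceptions, str(net_position(CHAIN, OUR_ADDRESSES, MIN_CONFIRMATIONS))


if __name__ == "__main__":
    for kind, ident in run()[0]:
        print(f"{kind:17s} {ident}")
    print("confirmed net position:", run()[1])
```

Because the chain is the full population, the exception list is the audit evidence: an empty list for a period is a positive assertion over every transaction, not an inference from a sample. The confirmation threshold matters for the "real time" claim, since a transfer seen once is not yet final.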
21
Blockchain continuous auditing solution criteria
Understand blockchain use
case business purpose and
the resultant effect on the
risks and control
objectives.
1 – Purpose (P1)
Assess on and off
blockchain processes and
technologies to understand
continuous assurance
methodology affects, up
and down stream, on audit
expectations and entire
process risk profile.
2 – Process (P2)
Assess the blockchain
architecture variant and
identify applicable control
objectives using blockchain
assurance risk framework.
3 – IT Risk (ITr)
Identify assurance related
stakeholders, determine
and inventory their
expectations and needs for
reporting purposes.
4 – Stakeholder (Sr)
5 – Assurance Threshold Formula (ATx)
Based on the results of activities 1-4, apply the assurance formula below:
P1 + P2 + ITr + Sr = ATx
The solution sum Y (Continuous Audit) must always be equal to or greater than ATx in order to create the necessary level of assurance.
Therefore Y ≥ ATx
22
Blockchain continuous auditing risk framework*
The Blockchain Risk Framework evaluates 6 different risk categories in order to address assurance and compliance needs of stakeholders. It overlays Blockchain use cases in four of the six risk categories.
[Framework diagram] Risk categories: Governance and Oversight; Cyber Security; Blockchain Architecture Layer; Infrastructure Layer; Operational Layer; Transactional Layer. Blockchain Audit Use Cases overlay the four layer categories. Architecture elements shown: Application Layer; Decentralized Protocols (Consensus); Shared Data Layer (Servers and Databases); Encryption; Permissioned Network; Commercial APIs (Interfaces); Overlay Network (LAN/WAN).
* Patent Pending
23
Blockchain Use Cases
Blockchain enables decentralized deployment and execution of the following use cases over a peer-to-peer network.
[Use-case lifecycle diagram]
Smart Contracts: Development & Deployment; Asset & Services Onboarding; Contract Initiation, Initiation & Execution; Asset & Services Exchange; Contract Fulfillment
Digital Assets: Asset Onboarding; Asset Maintenance; Asset Transfer; Asset Retirement
Digital Tokens: Vision; Physical Creation; Value Assignment; Transfer; Verification; Settlement; Retirement
Digital Wallets: User – Wallet – DLT; wallet forms: Software, Online, Mobile; contents: Digital Tokens, Digital Assets, Smart Contracts, Cryptocurrencies, Money/Payments
Payments: Use Case Specific (PwC)
24
Digital Assets
Digital Assets can include anything in the digital world which can be owned and managed, including
physical and virtual assets. Blockchain facilitates a real-time representation of ownership, management,
and the movement of the assets to maximize efficiency and transparency throughout the lifecycle.
Media & Entertainment
• Graphics, Videos,
Audio, Documents, etc.
• Streamlined Creative Workflow
• Intellectual Property
• Capturing & Distributing
Content from
Live Events
• Repurposing Materials
for Marketing
Campaigns
Consumer Packaged
Goods
• Product Images
• Packaging Layouts
• General Branding
• Social Media
• Videos, Commercials,
Ads, E-Commerce, etc.
Cryptocurrency
• Bitcoin, Ethereum
• Mining Operations
• Node Outsourcing
• Digital Wallets
• Platform & Pool
Development
Internet of Things
• Network-Enabled
Objects
• Data Analytics
• Interconnectivity &
Remote Access
• Smart Functions
• Drones & PIGs
Public Sector
• Voting
• Identity Management
• Land Registration
• Real Estate Transfers
• License Fees
• Justice Administration
25
Digital Assets (continued)
01 Asset Onboarding – Assets are ingested/digitized on Blockchain
• Asset Policy/Governance
• Asset Onboarding/Integration
• Digitization & Remote Access via ICRs
• Establishment of rule-based parameters
Risk Considerations:
• Governance policies are not defined for Digital Assets
• Digital Assets are not appropriately onboarded
• Rule-based parameters have not been established
02 Asset Maintenance – Assets are managed cross-chain
• Real-time status and data analytics
• Data-driven, automated optimizations
• Predictive maintenance (depending on level of cross-chain integration)
• Machine learning reduces overall human involvement
Risk Considerations:
• Maintenance mechanisms are not in place
• Cross-chain integrations are not functioning properly
• Updates to assets are not reflected timely
• Assets recorded on DLT do not exist
03 Asset Transfer – DLT-managed transferability
• Public ledger tracks an asset's usage and status
• Real-time ownership change and registration
• Preservation of data over asset's entire life cycle
Risk Considerations:
• Assets are transferred without participant request
• Change Management process does not track data
• Digital Assets are not correctly integrated with DLT
• Digital Asset transfers are not authorized or monitored
04 Asset Retirement – Blockchain managed & executed
• Automated disposal or cannibalization of assets
• Dynamic inventory management tracks and replaces assets automatically
• Replacement assets are automatically onboarded
• Smart reports are filed or logged for review
Risk Considerations:
• Retirement is not authorized or monitored
• Digital Assets are not retired appropriately & timely
• Removal of Digital Assets is not logged by DLT
• Retired assets are not burned/destroyed
26
Digital Wallets
• Wallets can scale to any client or user's needs
• Can facilitate storage or transfer of personal or commercial funds
• Maximizes portability of resources and security based on user requirements
Wallet types: Online/Exchange-based; Mobile/App-based; Physical/Ledger-based; Software/Hardware-based
Lifecycle stages
01 Onboarding & Registration – Create, encrypt, and back up the wallet platform
02 Management & Updates – Firmware, interface, & security patching
03 Logical Security – Tokens are used in a secure digital space
04 Physical Security – Tokens can be removed from the Blockchain
05 Incident Management – Transactions connect across digital space
06 Retirement – Wallets or accounts are closed or deactivated
Activities
• Compatibility
• RMAs if needed
• Remediation
• Recovery key setup
• Login/access credentials
• Authorized access
• Logging and monitoring access
• Secure recovery keys, private keys, and PKIs
• Secure physical wallets (drives or ledgers)
• Access points to wallet interface
• Removal of wallet is acknowledged and recorded
Risk Considerations
• Lack of wallet onboarding process
• Encryption algorithms are ineffective or outdated
• Digital Wallets are not compatible with environment
• Whitelist and blacklist of wallets is not maintained
• Change management procedures are not in place
• Updates are not completed, authorized, or monitored
• Knowledge gaps inhibit effective wallet implementation
• Access is not restricted and logged appropriately
• Digital Wallets lack strong login mechanism
• Monitoring mechanisms are not in place or enforced
• Access controls are not defined for keys/PKIs
• Physical access controls are not defined
• Login credentials are weak or ineffective
• Incident management mechanisms are not in place
• Recovery/Backup procedures are not defined
• There is a lack of cross-platform connectivity
• Digital Wallets are not retired appropriately/timely
• Removal of balances is not logged by DLT
• Retirement is not authorized or monitored
27
Thank you
© 2019 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network.
Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
28
TELL US WHAT YOU THINK!
Evaluate this session right in the
IIA Conference App!
Not using the conference app?
Visit: ic.cnf.io to complete
your session evaluations.