Trusted Professional

Panelists Discuss Limits of Current Audit Protocols As Applied to Blockchain

However, this conception leads to the question of who controls the asset, particularly where it concerns exchanges that hold custody of them.

"When I go to Coinbase and they have their enterprise custody there, and there's a fund with an account with them, how do I know these keys they hold, which take me to a particular set of crypto assets, really belong to that fund? How do I know that? How do I determine that is the totality of the funds, or the assets owned, by that fund?" he said. 

The straightforward answer might be to look on the blockchain. But, said Ramirez, if someone tells him that they have five bitcoins, "there's no place on the blockchain where you can go and see you own five bitcoins." The blockchain is a record of transactions in and out of an account, and in order to determine that someone indeed has five bitcoins, that person will need to add and subtract every single transaction ever made in order to determine how much they have left. 

"Coinbase isn't doing that all the time," he said. "They have a record of account and their system, developed by them, which reads the blockchain and saves those balances, so when I go online, I don't need to read the blockchain every time, but they need to keep it synchronized and that, as auditors, is something we must address."

He said he recently had a client who said they had a certain amount of digital assets in their wallet, but when he scanned the blockchain for those assets, the amount was different. After investigating, he realized that somewhere along the line the system was synchronized with incorrect information, which was then recorded on the client's financial information. 
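As an added illustration that is not part of the article, the Python below does the reconciliation Ramirez describes: it recomputes each address's balance by summing every transaction in the record, compares that with the balances a custodian's own system has cached, and locates the first transaction at which the cached running balance stopped agreeing with the ledger. The ledger entries, addresses and custodian figures are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Tx:
    txid: str
    height: int       # block height, used for chronological ordering
    address: str
    amount: Decimal   # positive = received, negative = sent


# Constructed sample ledger: "addr_fund_A" received 3 and 2, then sent 1.
LEDGER = [
    Tx("tx1", 100, "addr_fund_A", Decimal("3")),
    Tx("tx2", 105, "addr_fund_A", Decimal("2")),
    Tx("tx4", 102, "addr_fund_B", Decimal("1.5")),
    Tx("tx3", 110, "addr_fund_A", Decimal("-1")),
]

# Constructed custodian records: the system stopped syncing before tx3,
# so it still carries 5 for addr_fund_A instead of the ledger's 4.
CUSTODIAN_BALANCES = {"addr_fund_A": Decimal("5"), "addr_fund_B": Decimal("1.5")}
CUSTODIAN_RUNNING_A = {"tx1": Decimal("3"), "tx2": Decimal("5")}


def ledger_balances(ledger):
    """Derive every address's balance by replaying all transactions in order."""
    balances = {}
    for tx in sorted(ledger, key=lambda t: (t.height, t.txid)):
        balances[tx.address] = balances.get(tx.address, Decimal(0)) + tx.amount
    return balances


def reconcile(ledger, custodian_balances):
    """Return (address, custodian, derived, difference) for every mismatch."""
    derived = ledger_balances(ledger)
    findings = []
    for addr in sorted(set(derived) | set(custodian_balances)):
        d = derived.get(addr, Decimal(0))
        c = custodian_balances.get(addr, Decimal(0))
        if d != c:
            findings.append((addr, c, d, d - c))
    return findings


def first_divergence(ledger, address, custodian_running):
    """Replay one address's history and return the txid where the custodian's
    cached running balance first differs from (or is missing for) the ledger."""
    running = Decimal(0)
    history = sorted((t for t in ledger if t.address == address),
                     key=lambda t: (t.height, t.txid))
    for tx in history:
        running += tx.amount
        if custodian_running.get(tx.txid) != running:
            return tx.txid
    return None
```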

Ramirez also pointed to problems with trust between the auditor and the client brought about by digital assets. A client controls a private key giving him control over a certain amount of digital assets. However, in order to prove that he does indeed control the private key, he would need to reveal it to the auditor, which would theoretically give the auditor the ability to take his money, and would expose the auditor to suspicion if the assets later went missing by some other means. Neither the client nor the auditor, therefore, wants this information revealed. Perhaps, then, the auditor goes to the custodian instead: the client sends the custodian instructions, and the custodian executes them. 

"The challenge for the auditor is if I go to the custodian to see those transactions, how do I know they were valid transactions authorized by the owner of these assets?" he said. "So we needed to do audits related to data analytics, controls over the systems of the account owner, to validate that in fact these were valid transactions." 

One thing he said he likes in such situations is what he called "zero knowledge protocol," which he described at its most simple as "tell someone you have something, but don't tell them what." 

But the final panelist, Robert Sledge, a partner at KPMG's Department of Professional Practice, noted that there are still great challenges in proving the existence and exclusive ownership of a digital asset. He asked the audience to imagine auditing a client who says they have 10,000 bushels of grain. The auditor asks for evidence that the client has this grain, and the client takes the auditor to the farm and uses a key to open the silo. He asked: Is this enough to prove ownership? 

"They have a key, and they know they can go open [the silo], and no one has stopped them, and they opened the door and there was grain there," he said. "But the risk we're wrestling with is: What if it was their brother's key and their brother's grain on their brother's farm, and you're auditing the older brother's financial statements who doesn't really have the grain but put the grain on the balance sheet, but you're not engaged to audit the balance sheet of the younger brother, who has the grain silo."

In the physical world, he said, there are other procedures, such as looking through property tax records, that could settle this matter. In the digital assets world, though, there is far less to support such assertions. Even if one moved bitcoins from one account to another, he said, that does not actually prove ownership. All it proves is that the person has a key. Did they steal it? Can other people use it? Are the transfers even being made from the account in question? Are the assets transferred the same ones referred to in the financial statement? Moving bitcoins between accounts, on its own, does not prove ownership, but he fears that other auditors who may not be as familiar with blockchain will simply assume that it does, and set a bad precedent. 

"I fear there's always someone who will set the precedent, who will fall into that trap, and issue an audit opinion saying he saw the bitcoin move back and forth, but then the investors of that company go to claim the assets, that entity has no rights to the key, it's disappeared somewhere and the company is gone. The only one left on the book is the auditor who said there were micro-transactions," he said. 

Sledge also expressed concerns that people are framing this entire issue the wrong way by focusing too much on blockchain itself and not enough around its specific uses. 

"Blockchain is just a data structure, albeit one subject to a lot of creative thinking," he said. "And so when we talk about auditing blockchain, I wonder, is that sort of like saying auditing database? That sounds a little funny. We should never talk about auditing database. We'd talk about how do we understand how this database is being used in business operations, what controls are around it, where is information stored, etc. So I think we have a very broad spectrum of uses of blockchain that exist today, and even broader uses in the future, so when we think of auditing it, I think we have to approach it as we would approach auditing databases and not necessarily say we have to wait for the PCAOB or AICPA to release a standard saying this is how you audit blockchain."