An IT General Controls-Based Audit Approach for Blockchain

Wickey Wang
Author: Jiewen (Wickey) Wang, CISA
Date Published: 30 August 2021

From an audit standpoint, there are many different focal points for blockchain. Fortunately, looking at blockchain from the perspective of IT general controls (ITGCs) makes auditing blockchain more manageable and simpler. Speaking of simplifying, for those who may be new to blockchain, let’s start with a quick recap of how blockchain works.

Each block in the blockchain is compared to a box and then each box is divided into several grids. There are grids for historical information, which cannot be changed. If you do want to put new information in an existing box (or add a new box to this network), you have to find all the boxes and store the same new information in each box (redundancy). These boxes are placed in (or distributed) to different garages (notes) in different areas with a lid (i.e., the area is encrypted). Although the box’s information cannot be changed, each box has a method to connect and communicate with other boxes (point to point). 

With that understanding of blockchain, the IT auditor can look to ITGCs (specifically, access management, change management and data management/backup and restoration) as the foundation of a blockchain audit.

Client/wallet access management
The majority of blockchain client or wallet access is controlled by public and private key mechanisms. So, access management associated with private key security, in addition to general access management, needs to be audited.

In the Governance and Key Management sections of its Blockchain Audit Program, ISACA addresses this access management by considering the following:

  • For private blockchains, to what extent does the network operator manage former members from access to the network?
  • Are members authorized with appropriate IT controls, such as inactivity disable and access authorization periods? Handling may be facilitated through Dapp, use of digital certificates, etc.
  • Does the network operator utilize automated controls to disable inactive user accounts or disable user accounts when the access authorization period has expired?

Other access management control objectives for client/wallet management include ensuring that a secure key/seed backup exists; determining that backup key/seed is protected against environmental risks such as fire, flood, and theft; and confirming that proper keyholder grant-and-revoke policies and procedures are created and implemented.

Blockchain change management
The possibility of introducing risk as a result of changes to processes or systems makes it imperative for enterprises to review, test and obtain approvals around system changes prior to implementation. Since blockchain is a newer technology, it is important that all involved in change management have a solid understanding of blockchain technology. Elements of blockchain where change management best practices should be considered relate to software (mining/staking, wallet – if applicable) and smart contracts. For example, when auditing smart contracts, there should be assurance that the process around adding/upgrading smart contracts does not adversely affect contract performance or result in damage to nodes or network participants. 

Data management backup and restoration
When information in the blockchain flows into other systems of the enterprise, risks around the integrity of the data need to be assessed. Given that, auditors are encouraged to understand the interface logistics and to review data transfer from the blockchain data platform to the common application for completeness and accuracy. Examples of control objectives that auditors should assess are:

  • Procedures around orphan transactions: a matching issue with transactions could be an indicator of fraud; and
  • Controls that prevent or detect manipulation of data/transaction timestamps

For backup and restoration, in theory, as long as the source of the stored file defines the backup file, then encrypts the file data and submits it to all relevant nodes in the blockchain, the backup-related risk has been covered. So, my humble opinion is that the backup-related risk can be a non-key control.

Traditional ITGCs tend to focus more on applications, databases, and the operating system, so they do not consider the network layer as blockchain does. When coupled with a detailed audit plan and approach tailored to each enterprise’s environment (i.e., the way blockchain is set up and leveraged) ITGCs are still a solid foundation for an audit of blockchain. In its Blockchain Audit Program, ISACA has identified controls in the areas of governance, infrastructure, data management, key management and smart contracts. I hope my blog post today can give you a high-level view on what blockchain is and how an ITGC-based audit approach can lend assurance around the use of blockchain.