A 40-page memo, recently commissioned and released by COSO, explains how companies can use blockchain technology to create more robust internal controls — and also highlights new controls that will be necessary because of the risks that blockchain creates. According to the memo, business use of blockchain will implicate the five components of COSO’s 2013 Internal Control Framework as follows:
- Control Environment: Blockchain may be a tool to help facilitate an effective control environment (e.g., by recording transactions with minimal human intervention). However, many of the principles within this component deal primarily with human behavior, such as management promoting integrity and ethics, which, even with other technologies, blockchain is not able to assess. The greater challenge relates to the intertwining of an entity with other entities or persons participating in a blockchain and how to manage the control environment as a result.
- Risk Assessment: Blockchain creates new risks and simultaneously helps to mitigate extant risks, by promoting accountability, maintaining record integrity, and providing an irrefutable record (i.e., a person or organization cannot deny or contest their role in authorizing/sending a message or record).
- Control Activities: Blockchain can act as a tool to help facilitate control activities. Blockchain and smart contracts can be a powerful means of effectively and efficiently conducting global business (e.g., by minimizing human error and opportunities for fraud). The collaborative aspects of blockchain, however, can introduce additional complexity, particularly when the technology is decentralized and there is no single party accountable for the systems that fall under ICFR.
- Information & Communication: The inherent attributes of blockchain promote enhanced visibility of transactions and availability of data, and can create new avenues for management to communicate financial information to key stakeholders faster and more effectively. One aspect, in particular, for management to consider in applying blockchain is the availability of information to support the financial books and records, and related auditability of information transacted on a blockchain.
- Monitoring Activities: The promise of blockchain to facilitate monitoring more often, on more topics, in more detail, may change practice considerably. The use of smart contracts and standardized business rules, in conjunction with Internet of Things (IoT) devices, may alter how monitoring is performed.
-Liz Dunshee, TheCorporateCounsel.net August 13, 2020
