This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our cookie notice (http://www2.deloitte.com/ca/en/legal/cookies.html) for more information on the cookies we use and how to delete or block them.
The full functionality of our site is not supported on your browser version, or you may have 'compatibility mode' selected. Please turn off compatibility mode, upgrade your browser to at least Internet Explorer 9, or try using another browser such as Google Chrome or Mozilla Firefox.

Are CFOs in the best position to unlock the value of blockchains?

CFO1018

 

Published on November 13, 2018

Blockchains are real and we have seen how cryptocurrencies have already had a significant impact on the economy. As for the public/permissionless blockchains, Bitcoin and Ethereum currently have a combined market capitalization of over $5 billion. As for private/permissioned blockchains, Gartner estimates that blockchains will provide a value of approximately $360 billion by 2026.[1]

 

What are blockchains? Is this real or just a trendy illusion?

In terms of defining blockchains, we defined these two different types of blockchain as follows:[2]Permissionless blockchains such as the Bitcoin network allow anyone to read, write (append) and validate data on the blockchain, which is distributed with no single owner. Unlike the Bitcoin network, permissioned blockchains restrict access to authorized trusted participants (pre-selected nodes), who are the only ones able to directly access the blockchain data, submit transactions, and participate in the consensus mechanism. Such a blockchain may be either a public consortium network separate from the main Ethereum/Bitcoin network, such as arbitrary vendors being able to onboard themselves, or a private consortium, where participants are pre-configured and this network is not visible to a wider audience.” 

The one thing I would add is that even the public blockchain system uses many controls that we often find at our clients. For example, bitcoin checks to see if the bitcoins being transmitted can actually be traced to “unspent transactions” or that the amount of bitcoin “issued” will not exceed $21 million. But even “mining” involves controls, where the miners check the transactions, and leverage the concept of segregation of duties, as 51% of the network must agree to the miners work before the transactions they check are added to the ledger. The private blockchain is even more similar to regular systems, as the parties involved in the blockchain are limited to those who are invited to this blockchain. Consequently, they have the same risk and control profile that one would find with any private system. 

 

What are the risks arising from the use of blockchain? How can organizations mitigate these risks?

More broadly, the largest risk regarding public blockchains and crypto-assets is information security. Organizations need to leverage best practices to protect their digital wallets or their private cryptographic keys. The reason is that anyone who has access to these private keys also has access to dispose of the crypto-asset. Most, if not all, blockchain-related hacks that one hears about are related to the inadequate security of cryptographic keys. Cryptocurrency Security Standards[3] can be one best practice that can be used to assist individuals or entities in securing their cryptocurrencies. That being said, mature security standards, such as ISO27001/2, also provide controls around managing cryptographic keys. In other words, securing cryptographic keys is not a risk unique to blockchains but has been known to security practitioners for decades.

When it comes to implementing private blockchains within a business, security is at risk. However, the caveat for any internal system is that it is accessible by third parties who are external to the organization. With that in mind, organizations need to ensure that the fit between the technology and the problem they are trying to solve is right. That is, the risk in investing in blockchain technology is that the technology will not actually address the underlying business or strategic challenges they are trying to address. Consequently, they should consider whether there is an existing or more proven technology out there to address the problem that they are trying to solve. Blockchain is good at solving problems that require the efficient sharing of trusted information across multiple entities. However, it requires organizations who are involved in this arrangement to establish a common standard among themselves to facilitate such exchanges of information – which is by no means an easy task. Consequently, organizations need to be aware of the actual business problems that they are trying to solve and then identify whether blockchain fits that need.

 

Can all entities use blockchains? Or is it only for the big financial institutions?

Blockchains are for any industry looking to leverage a solution that will bring both digitization and verification into their processes. This verification could be between external parties or it could be internal within an organization. A good example of the former would be real estate, where Sweden is looking to use blockchains to enable the registration and sale of properties.[4] According to a 2016 study by a major investment bank, this could save between $2 billion to $4 billion in title insurance costs (i.e., insurance purchased to manage the risks of the fraudulent sale of property). But it’s not just real estate, it’s also logistics/shipping/supply chain as well as governments who could benefit from this technology. The Danish shipping giant Maersk, for example, is working with IBM to explore how Hyperledger can be used to expedite the paperwork associated with routing goods from one part of the globe to another.[5] Companies can also benefit internally by using such technology to record and settle intracompany amounts.

 

What are the risks of not jumping on the bandwagon? How can an organization familiarize itself with blockchains so it can start planning their adoption?

The right time to adopt blockchains really depends on what type of business you are in. For companies that are in the business of trust, like audit firms, lawyers, and others, it is a good idea to keep a close eye on this technology and understand how it is going to transform your business. For example, the R3, which offers the Corda blockchain platform focused on the financial institutions space, offers a way for people in that sector to join the consortium, get to know the technology and see when the right time is to get in on the technology. More broadly, blockchain technology is designed to provide network advantages to the entities that join, and here can be a lag in terms of benefiting from the technology if an entity joins a consortium (that is sponsoring the relevant blockchain) too late. Think about book retailers who let Amazon dominate e-commerce, forcing them to play catch-up. For businesses where trust is not the primary source of value, they need to consider more carefully when they get on the bandwagon: waiting can be beneficial as they can learn from the mistakes of others and adopt a more mature technology. Continuing with the e-commerce parallel, a chiropractor who set up a website in the past few years, was able to benefit from hosting companies that provide easy-to-use tools to develop not just their website but also tools that allow clients to book appointments and make online payments. That is, they didn’t have to build such systems themselves and instead could benefit from accessing the mature technology.

 

What would be the role of auditor in a world where the books cannot be manipulated?

Nuance is key when exploring how blockchains can potentially transform the financial audit. “Blockchainthusiats” need to be careful not to exaggerate the capabilities of blockchains when discussing with the audit and accounting professionals. The “audit objective,” if you will, that the bitcoin blockchain addresses is a limited aspect of the validity assertion: specifically that the bitcoins were previously not spent. That’s the only “assurance” that the technology gives the potential recipient of the cryptocurrency. Considering it takes a lot of electricity to perform this one simple audit procedure (it is estimated to consume more electricity than New Zealand[6]) we would have to wonder how much it would cost in energy to audit all the transactions being processed by the entity (putting aside the complexities of building such a system). However, there is a case for permissioned ledgers to be much more energy efficient because they don’t use mining to verify transactions since it is supporting the transaction exchange between known parties. Such permissioned assign the role of mining (i.e. transaction verification) to what some call “verifiers”.

But at the same time, auditors cannot ignore this technology because it will definitely have implications on how we audit. There definitely needs to be guidance from standard-setters, regulators and other institutions (e.g., courts) that would determine the usability of such “cryptographically-signed transactions” for the purposes of audit evidence. But when and if that happens, blockchains combined with other technologies like artificial intelligence could enable auditors to expand the scope of their audits, as the efficiencies gained could enable the use of these and other technologies to provide higher quality financial statement audits to the various stakeholders out there.

 

How can CFOs get ready for this new technology?

Many CFOs are uniquely po­si­tioned to un­der­stand the dual chal­lenges of com­pli­ance and in­for­ma­tion man­age­ment – some­thing they may face at every month-end closing.

The initial step, how­ever, is to get past the mys­tique of the blockchain and its unique vocabulary, hash­ing, en­cryp­tion, Merkle-roots, shared ledger, just to name a few new concepts.  Colleagues of mine in Deloitte’s Assurance practice, who focus on Blockchain for Finance, Janine Moir[7] and Nicholas Lauriault[8], have found that the Finance Function finds such basics useful in assessing the potential benefit, process changes and risk impacts that Blockchain can potentially deliver. Here is a very simple sketch of a walk-through illustrating how a bit­coin trans­ac­tion typically works.

Blockchain2

I recommend assigning a trusted mem­ber of the finance team to un­der­stand how the blockchain ledgers work and iden­tify added-value potentials within their or­ga­ni­za­tion. This may re­quire taking external training and investing in self-study. Al­ter­na­tively, an organization may acquire knowledge about blockchain by hiring an external expert to train several members of the finance team.

[1] https://www.gartner.com/smarterwithgartner/the-cios-guide-to-blockchain/

[2] https://www.iasplus.com/en-ca/cfos-corner/technology/a-decentralized-future

[3] https://www2.deloitte.com/mt/en/pages/technology/articles/mt-article-cryptocurrency-security-standard-CCSS.html and https://cryptoconsortium.org/standards/CCSS

[4] https://cointelegraph.com/news/swedish-government-land-registry-soon-to-conduct-first-blockchain-property-transaction

[5] https://www.reuters.com/article/us-shipping-blockchain-maersk-ibm/maersk-ibm-say-94-organizations-have-joined-blockchain-trade-platform-idUSKBN1KU1LM

[6] https://www.theguardian.com/technology/2018/jan/17/bitcoin-electricity-usage-huge-climate-cryptocurrency

[7] jamoir@deloitte.ca, https://www.linkedin.com/in/moirjanine/

[8] nlauriault@deloitte.ca, https://www.linkedin.com/in/nicholas-lauriault-4b6b83123/

 

Contacts

 

Malik Datardina

Malik Datardina
Risk, and Compliance (GRC) Strategist, Auvenir
Malik Datardina is the Governance, Risk and Compliance Strategist for Auvenir. He is a Chartered Professional Accountant, Chartered Accountant, and a Certified Information Systems Auditor, who analyzes how disruptive technologies like blockchain, big data, Internet of Things, and artificial intelligence will transform the way audits are performed. Malik brings more than 15 years of experience in information systems, risk and assurance, information security governance and audit data analytics. He also volunteers on CPA Canada's Audit & Assurance Technology Committee and the Technology Advisory Committee and he teaches tech and audit innovation concepts to Masters of Accounting students at the University of Waterloo.

Auvenir - From our inception in 2016, we’ve been focused on how best to apply new technologies to help small and medium sized accounting firms provide a more efficient and technology-driven engagement experience for their clients. As a Deloitte venture, we benefit from the agility of a start-up culture while leveraging world-class professional services and technology expertise.

 

Correction list for hyphenation

These words serve as exceptions. Once entered, they are only hyphenated at the specified hyphenation points. Each word should be on a separate line.