Using smart ledgers for internal audit purposes.
A smart ledger is 'a distributed multi-organisational data structure with a superb audit trail and some embedded computer code'. The immutable, or at least tamper-evident, data structure provides a solid foundation for a history of data shared among the participating organisations. Adding new records lets the organisations share more data or 'message' each other. The embedded computer code provides more sophisticated ways of sharing data, for example only within a not-before/not-after time window, or only with selected people from the organisations.
Smart ledgers, distributed ledger technology, and blockchain are trendy phrases for old programming techniques. The techniques date back to at least a US patent application of 1976, though there are signs of earlier use. The techniques became trendy with the excessive attention paid to their use in cryptocurrencies, particularly since the launch of Bitcoin in 2009. Cryptocurrency hype has led to people seeking to apply smart ledgers in a wide range of applications. Numerous ‘use cases’ have been postulated ranging from trading of all forms, to identity systems, documentation sharing, and exchanges. ‘Blockchain’ is going to save the planet by recording carbon emissions, solving refugee crises through secure identification, and curing cancer through sharing medical records.
Controlling Central Third Parties
In truth, smart ledgers may well aid some ambitious projects to save the world, but the technology will do none of those things on its own. In economic terms smart ledgers' principal benefit is helping to reduce the 'central third party' problem. The traditional solution to many forms of data sharing, from trade on exchanges to university degree information, has been to create a central third party who holds the master ledger or master records. Central third parties and central registries are a feature of many audit controls. But central third parties have the opportunity either to extract excessive 'rents', i.e. charge too much, or to cheat. Charges can be levied on extracting and verifying old records, or on making adjustments to new ledger entries such as new members, new assets, or new transactions. 'Cheating' is as simple as taking a bribe to falsify records.
The advantage of smart ledgers lies not in being cheaper or faster. The advantage is that they allow organisations to work together without giving central third parties a strong natural monopoly. Smart ledgers reduce central third parties' opportunities to charge excessive rents because the data is distributed, and reduce their opportunities to cheat because the historic ledger cannot be altered without the other holders of copies noticing. When switching to a new central third party, organisations are not hostage to a monopoly on historic data.
Smart ledgers have grown in popularity, in large part due to increasing confidence based on their use in cryptocurrencies. While the 'jury is out' on cryptocurrencies, not least because of what economic theory predicts for them and because of their energy consumption, commercial users have shown great interest in identity, documentation, and agreement exchange using smart ledgers. So far, the greatest value has been in providing an independent, authoritative record of a document with an associated timestamp, while reducing central third party power.
Perhaps Just External, Independent Timestamping Is Sufficient Benefit?
Some quick examples of external timestamping already in action include:
- Fishface is a project to give small inshore fisheries 'fully documented fishery' capabilities based on GPS and HD video. Fishface records vessel logs and videos dynamically on a smart ledger external to the fisheries' own records
- FireDoor Guardian is a company providing inspection tools for fire door examiners. Its software uses a smart ledger to timestamp the mobile app entries that examiners make about a fire door, in order to prove to government inspectors that each door has been properly examined
- Youthinmind is a global study of mental health that continuously records individual assessments on a smart ledger to provide tamper-evident proof of what the results were, when, and where (geostamping). Health regulators pushed for such a system to pre-empt allegations of record tampering in clinical trials.
There are a number of audit issues, both internal and external, for users of smart ledgers. A basic first question is how you can 'prove' that all copies of the data on the ledger are exactly alike. The quick response is 'the software works that way'. However, this answer is not as robust as it appears. Comparing the hash at the head of each copy shows only that the accepted histories agree; it says nothing about what never made it in. For example, the Bitcoin blockchain keeps no record of transactions that have been rejected by its consensus algorithm. With tens of thousands of 'nodes' holding copies of master ledgers, it is clear that there is no simple proof of complete congruence. There are many other 'ledger' issues worthy of discussion, some covered in Auditing Mutual Distributed Ledgers (aka Blockchains): A Foray Into Distributed Governance & Forensics. There are even more issues to do with the legality of tokens or initial coin offerings, acceptability of blockchains for legal purposes, and validating smart contract code.
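The congruence check that 'the software' actually performs is a comparison of chained hashes. The example below is added here to make that concrete; it is not code from the article or from any ledger product, and the three node copies are constructed data. It shows that two faithful copies produce the same head hash, that a single altered amount is detected and located, and the limit the paragraph warns about: a transaction that consensus rejected appears in no copy, so matching heads prove nothing about it.

```python
import hashlib
import json

GENESIS = "0" * 64


def canonical(entry: dict) -> str:
    # Deterministic serialisation so every node hashes exactly the same bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash of one entry chained to the hash of the entry before it."""
    return hashlib.sha256((prev_hash + canonical(entry)).encode()).hexdigest()


def chain_hashes(entries: list) -> list:
    """Running chain hash after each entry; the last value is the copy's 'head'."""
    hashes, h = [], GENESIS
    for entry in entries:
        h = entry_hash(h, entry)
        hashes.append(h)
    return hashes


def head(entries: list) -> str:
    return chain_hashes(entries)[-1] if entries else GENESIS


def first_divergence(copy_a: list, copy_b: list):
    """Index of the first entry at which two copies stop agreeing, or None if congruent."""
    ha, hb = chain_hashes(copy_a), chain_hashes(copy_b)
    for i, (x, y) in enumerate(zip(ha, hb)):
        if x != y:
            return i
    if len(ha) != len(hb):
        return min(len(ha), len(hb))  # one copy is a prefix of the other
    return None


# Constructed ledger copies (hypothetical data): two faithful nodes and one node
# whose second entry has been silently altered.
NODE_A = [
    {"seq": 1, "from": "acct-17", "to": "acct-42", "amount": 1500},
    {"seq": 2, "from": "acct-42", "to": "acct-09", "amount": 275},
    {"seq": 3, "from": "acct-09", "to": "acct-17", "amount": 60},
]
NODE_B = [dict(e) for e in NODE_A]
NODE_C = [dict(e) for e in NODE_A]
NODE_C[1]["amount"] = 2750

# A transaction the consensus process rejected (constructed). It enters no copy,
# so congruent heads across A and B say nothing about it: rejection leaves no trace.
REJECTED = {"seq": 2, "from": "acct-42", "to": "acct-09", "amount": 99999}

if __name__ == "__main__":
    print("A and B congruent:", head(NODE_A) == head(NODE_B))
    print("A and C congruent:", head(NODE_A) == head(NODE_C),
          "first divergence at index", first_divergence(NODE_A, NODE_C))
    print("rejected transaction present in A:", REJECTED in NODE_A)
```

A head-hash comparison is cheap enough to run against every node an auditor can reach, but it only ever answers 'do the accepted histories match'. Evidence about rejected or never-submitted transactions has to come from a separate control, such as the external timestamping discussed later in this article.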
However, internal auditors increasingly recognise the potential to apply smart ledgers to internal audit. Perhaps the most basic idea is to use these ledgers to increase confidence through timestamping. These ledgers can provide independent timestamping for a host of organisational ledgers that need to be part of the system of internal controls. Ledgers of ledgers, if you will. For any transaction of substance, an internal auditor can specify that a copy of the transaction, or a cryptographic hash of it, must also be timestamped on an external smart ledger. This provides a means of verifying in future the completeness and accuracy of internal records. In addition to timestamping and regulatory reporting, here are some internal audit ideas:
- recording the use of identity information in anti-money-laundering and know-your-customer processes
- archiving ‘deal rooms’ or ‘property data rooms’ authoritatively for future reference
- tracing consolidation processes through externally timestamped records of general ledger statements
- requiring any high-risk internal process to be recorded on an external smart ledger.
Some high-performance systems for timestamping are extremely cost-effective, with costs being minuscule on a per-transaction basis. In a 2017 experiment, researchers from the National Physical Laboratory, the Toronto Stock Exchange (TMX), Strathclyde University, and Z/Yen timestamped financial stock trades with Co-ordinated Universal Time (UTC) generated from atomic clocks and recorded the trades directly on a smart ledger. The 'Atomic Ledger' project recorded over 20 million transactions from three hours of trading to the ChainZy smart ledger system. The National Physical Laboratory concluded that this system was capable of recording up to one trillion transactions per day. This experiment foreshadows the idea that any regulatory reporting, not just trade reporting, could be independently and inexpensively timestamped. Regulators, such as the UK Financial Conduct Authority, have been speculating on 'pull' reporting (getting what they want when they need it). Independently timestamped records could reside as a base set of smart ledger information for them to 'pull' from when required.
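The timestamping control described above, as an added worked example rather than code from the article or from any of the named projects. It assumes a hypothetical external append-only ledger (stood in for by an in-memory class) and uses constructed journal entries. Only a SHA-256 fingerprint of each record is committed externally, so the external ledger never holds the record's content; at period end the audit looks up the fingerprint of each record as it currently stands, which catches both a record altered after commitment and a record committed only after the deadline.

```python
import hashlib
import json
from datetime import datetime, timezone


def fingerprint(record: dict) -> str:
    """SHA-256 of the canonical form of a record. Only this value leaves the
    organisation; the external ledger sees no names, amounts or memos."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class ExternalLedger:
    """Stand-in for an external append-only timestamping ledger (hypothetical;
    a real one would be a remote multi-organisation system)."""

    def __init__(self):
        self.entries = []

    def commit(self, fp: str, submitter: str, at: datetime) -> int:
        self.entries.append({"ts": at, "fp": fp, "by": submitter})
        return len(self.entries) - 1  # receipt: position on the ledger

    def commitments_for(self, fp: str) -> list:
        return [e for e in self.entries if e["fp"] == fp]


def audit(internal: dict, ledger: ExternalLedger, deadline: datetime) -> dict:
    """Verdict per internal record: 'ok' if its fingerprint was committed by the
    deadline, 'late' if only committed afterwards (backdating risk), and
    'unverified' if no commitment exists (record altered or never recorded)."""
    verdicts = {}
    for rid, record in internal.items():
        hits = ledger.commitments_for(fingerprint(record))
        if not hits:
            verdicts[rid] = "unverified"
        elif min(h["ts"] for h in hits) <= deadline:
            verdicts[rid] = "ok"
        else:
            verdicts[rid] = "late"
    return verdicts


def run_scenario() -> dict:
    """Constructed scenario: three journal entries; one is edited after it was
    committed, one is only committed after the period-end deadline."""

    def t(iso: str) -> datetime:
        return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

    ledger = ExternalLedger()
    internal = {
        "J-1001": {"date": "2024-03-28", "account": "4100", "debit": 12000, "memo": "Q1 revenue accrual"},
        "J-1002": {"date": "2024-03-29", "account": "6200", "debit": 3400, "memo": "consultancy"},
        "J-1003": {"date": "2024-03-31", "account": "1500", "debit": 9000, "memo": "inventory adjustment"},
    }
    # Control in operation: each posting is fingerprinted and committed when posted.
    ledger.commit(fingerprint(internal["J-1001"]), "gl-system", t("2024-03-28T17:02:00"))
    ledger.commit(fingerprint(internal["J-1002"]), "gl-system", t("2024-03-29T09:15:00"))
    # J-1003 was only committed well after period end.
    ledger.commit(fingerprint(internal["J-1003"]), "gl-system", t("2024-04-12T08:00:00"))
    # Later, someone edits J-1002 inside the internal system; the external
    # ledger still holds only the fingerprint of the original version.
    internal["J-1002"]["debit"] = 34000

    deadline = t("2024-04-01T00:00:00")
    return audit(internal, ledger, deadline)


if __name__ == "__main__":
    for rid, verdict in run_scenario().items():
        print(rid, verdict)
```

The verdict is only as good as the clock and the independence of the external ledger: if the organisation being audited also controls the timestamps, 'late' cannot be distinguished from 'ok'. Note also that an 'unverified' record does not say what changed; the auditor must go back to the internal system's own change history for that.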
Independent, external timestamping can be a simple and inexpensive control. More complex situations can be accommodated with embedded snippets of computer code, 'sprites' to some people, 'smart contracts' to others. These computer programs can be set to release data at certain times, verify release of data, record when and to whom data is released; in fact anything that can be controlled by a program is possible. Much of the focus and hype surrounding 'smart contracts' is on forcing payments to complete. For a variety of reasons, such as liquidity, this is problematic. But the idea that dumb code can provide some basic controls seems solid. Looking ahead, two trends are worthy of mention: increasing technology regulation and increasing data stewardship.
Many new application areas will generate huge amounts of data. Take drones or autonomous vehicles. An autonomous vehicle might have several radars, a lidar, and communications with the road bed, nearby vehicles, meteorological centres, lighting, or signage. All of this is likely to be required to be authoritatively recorded. Likewise with drones sending and recording their positions, visuals, or commands. A society that is constantly trying to reduce risk is one that will insist on increasingly authoritative recording. Regulators will demand it.
Equally, data stewardship is crucial. Legislation, such as the EU's General Data Protection Regulation, requires organisations to demonstrate solid stewardship of any data that might identify an individual. Yet the idea of independent external timestamping would seem to mean that this data is being shipped outside in large volumes. Where the control only needs proof that a record existed at a given time, a hash of the record is enough and the personal data itself need never leave the organisation. Where the data really must be shared, it can and should be encrypted, but sharing still has to be controlled. The answer to this problem lies in the 'smarts'. Embedded snippets of code can control future data usage. A number of data markets are emerging, using techniques such as anonymisation, partial interrogation, or zero-knowledge proofs. Others are exploring how theories, such as deontic logic, might glue all this complexity together. All these techniques are aiding the use of code to enforce rules dictating how data can be shared, when, with whom, for what purpose, for how long. Such 'permissioning' structures may create a wealth of new controls for internal auditors.
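A minimal 'sprite' of the kind described in the two paragraphs above, added here as an illustration and not taken from the article or any smart-ledger platform. It encodes a permissioning rule (who, for what purpose, within which time window, how many times), evaluates each release request against it, and appends every decision, granted or denied, to the ledger so the auditor later sees when and to whom data was released and which requests were refused. The dataset, party and purpose names are constructed; the 'ledger' is a plain list standing in for a real append-only structure.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone, timedelta


@dataclass
class ReleaseRule:
    """Permissioning rule: who may obtain the dataset, for which purposes,
    during which window, and how many releases in total."""
    dataset: str
    allowed_parties: set
    allowed_purposes: set
    not_before: datetime
    not_after: datetime
    max_releases: int


@dataclass
class ReleaseSprite:
    """Embedded-code stand-in: evaluates requests against the rule and writes
    every decision to the ledger (an in-memory list in this example)."""
    rule: ReleaseRule
    ledger: list = field(default_factory=list)

    def request(self, party: str, purpose: str, now: datetime) -> bool:
        granted_so_far = sum(1 for e in self.ledger if e["granted"])
        if now < self.rule.not_before:
            reason = "not yet released"
        elif now > self.rule.not_after:
            reason = "release window closed"
        elif party not in self.rule.allowed_parties:
            reason = "party not permitted"
        elif purpose not in self.rule.allowed_purposes:
            reason = "purpose not permitted"
        elif granted_so_far >= self.rule.max_releases:
            reason = "release quota exhausted"
        else:
            reason = "granted"
        granted = reason == "granted"
        # Denials are recorded too: an auditor wants to see attempts, not just successes.
        self.ledger.append({
            "ts": now.isoformat(), "dataset": self.rule.dataset, "party": party,
            "purpose": purpose, "granted": granted, "reason": reason,
        })
        return granted


def run_scenario():
    """Constructed scenario: a deal-room archive releasable to two named parties,
    for two purposes, for 30 days, at most twice."""
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    rule = ReleaseRule(
        dataset="deal-room-7",
        allowed_parties={"auditor-ext", "counsel"},
        allowed_purposes={"audit", "litigation-hold"},
        not_before=t0,
        not_after=t0 + timedelta(days=30),
        max_releases=2,
    )
    sprite = ReleaseSprite(rule)
    outcomes = [
        sprite.request("auditor-ext", "audit", t0 - timedelta(days=1)),            # too early
        sprite.request("marketing", "audit", t0 + timedelta(days=2)),              # wrong party
        sprite.request("auditor-ext", "research", t0 + timedelta(days=2)),         # wrong purpose
        sprite.request("auditor-ext", "audit", t0 + timedelta(days=2)),            # granted
        sprite.request("counsel", "litigation-hold", t0 + timedelta(days=10)),     # granted
        sprite.request("counsel", "audit", t0 + timedelta(days=11)),               # quota used up
        sprite.request("counsel", "audit", t0 + timedelta(days=40)),               # window closed
    ]
    return outcomes, sprite.ledger


if __name__ == "__main__":
    outcomes, ledger = run_scenario()
    for entry in ledger:
        print(entry["ts"], entry["party"], entry["purpose"], entry["reason"])
```

The order of the checks matters for what the ledger records: here the time window is tested first, so an expired request by a permitted party is logged as 'release window closed' rather than as a quota problem. Whatever order is chosen, it should be fixed in the rule and reviewed, because the reasons written to the ledger are what the auditor will later rely on.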
What’s A Poor Internal Auditor To Do?
In the 1970s, groups of computer programmers were thrilled about the 'internet of communication'. Some mused on how they could prove communication: could they demonstrate, simply and some time after the event, that A had sent B a communication C? The answer was straightforward then, i.e. store a 'hash', or long 'checksum', of A, B, and C. At the time, however, the economics of an 'internet of record' made little sense: computing and storing a hash for every communication was a noticeable cost on the machines of the day. Today the Bitcoin network alone performs an enormous number of hashes every second.
Today, the computing economics are substantially different. Society demands more records for forensics and risk reduction. Smart ledgers are likely to provide many multi-organisational ways of storing shared data and transactions. Internal audit must not just oversee smart ledgers, but also use them to achieve internal audit goals.