Blockchain Smart Contracts, Part 4: How to Audit

Authors: Samuel Zaruba Smith and Andy Garcia, Ph.D., CPA
Date Published: 1 March 2024

Although blockchain technology is widely regarded as safe and secure, this is not always true of the applications built on blockchain technology, such as smart contracts. Like any software, there are bugs and security concerns in blockchain applications, making it crucial to conduct code audits and security checks to address security issues and identify potential vulnerabilities.1

There are two main forms of auditing in the blockchain smart contract ecosystem: software cybersecurity auditing and financial accounting auditing. Software cybersecurity auditing includes both manual audits and automated audits of blockchain smart contracts. Financial accounting auditing includes compliance testing of internal controls and substantive testing of transactions in blockchain smart contract software.

The growth of blockchain technology means that IT auditors and traditional financial audit professionals need relevant technology skill updating. In addition, traditional financial auditing practices must evolve as blockchain technology and Web 3.0 technology become standard. The disruptive effect of blockchain and associated smart contract technology on the auditing industry may put smaller auditing enterprises at a disadvantage because they will likely be slower to invest in the new technology. The auditing profession itself will become more IT oriented, and auditors will become more similar to software developers.2

Anticipated contributions to worldwide gross domestic product (GDP) by 2025 from blockchain smart contracts are estimated to be US$422 billion and predicted to grow to US$1.76 trillion by 2030.3 Due to this increased reliance on blockchain smart contract technology, practitioners should improve their skills and knowledge in auditing blockchain smart contracts.

Benefits of Auditing Smart Contracts

Performing a security audit of smart contracts has several benefits, including:4

  • Identifying code-related problems and potential security vulnerabilities in the smart contract
  • Preventing hackers and cybercriminals from gaining access to the smart contract or data feed systems
  • Building trust among system owners and investors
  • Saving time and money by avoiding future security issues
  • Enhancing the accountability of the smart contract system
  • Verifying that smart contracts comply with regulatory guidelines

Manual vs. Automated Auditing Approaches

Software functionality and cybersecurity auditing of smart contracts can be performed manually, with the assistance of software (automated), or some combination of the two (blended).

Manual Auditing
Manual auditing of smart contracts consists of an expert team of developers performing a complete code analysis to identify problems and vulnerabilities. Although manual auditing is slower than automated auditing, it is effective and usually prevents false-positive results related to bugs or other issues.

Manual auditing provides more definitive results because each line of code is examined by developers or security experts. This method is more complex and thorough; therefore, it may be used to detect issues with the architecture or smart contract logic that are often undetected by automated analysis techniques.5

Manual auditing may use emerging technologies such as machine learning (ML) to assist with the auditing process. Although using ML to enhance manual auditing may appear to be automated, much of the ML process is labor-intensive and often completed by highly skilled IT personnel. Some analysis models that use ML to detect smart contract vulnerabilities consume significant time to extract features manually. To detect smart contract vulnerabilities, researchers have proposed novel ML-based analysis models that introduce shared child nodes to decrease computational time.6

Automated Auditing
Automated auditing of smart contracts is conducted using special software tools, such as Mythril or Slither, to automate the manual code analysis and check the output of the smart contract software. For example, in the public blockchain space, the publicly available software tool SmartCheck transforms Solidity source code to an Extensible Markup Language (XML)-based intermediate representation and verifies it against XPath patterns.7 These tools can find bugs quickly, help users avoid false positives, and identify other potential vulnerabilities in smart contracts.8

Automated auditing saves time for developers and delivers promising results. However, false positives may be reported because automated tools are unable to understand the context of the code. In addition, automated auditing may detect false vulnerabilities, obvious vulnerabilities, or previously discovered vulnerabilities.9
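To make the SmartCheck-style pipeline concrete, here is an added example (not SmartCheck's code, grammar or rule set) that lowers a constructed Solidity snippet into a line-oriented XML intermediate representation with Python's standard library and runs XPath rules over it. The IR, the rule ids and the sample contract are all constructed for this illustration; the third finding it reports is a false positive of exactly the context-blind kind described above, because the send on that line is checked inline but a line-level IR cannot see that.

```python
"""Toy SmartCheck-style check: Solidity source -> XML IR -> XPath rules.
Added illustration only: the line-oriented lowering, the sample contract and
the rule set are constructed for this demo, not SmartCheck's own IR or rules."""
import re
import xml.etree.ElementTree as ET

SAMPLE_SOURCE = """
contract Vault {
    address owner;
    mapping(address => uint) balances;

    function withdraw(uint amount) public {
        require(tx.origin == owner);        // authorisation via tx.origin
        msg.sender.send(amount);            // return value ignored
        balances[msg.sender] -= amount;
    }

    function pay(address to, uint amount) public {
        bool ok = to.send(amount);          // return value captured
        require(ok);
    }

    function refund(address to, uint amount) public {
        if (!to.send(amount)) { revert(); } // checked inline: IR cannot tell
    }
}
"""

CONTRACT_RE = re.compile(r"contract\s+(\w+)")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*([\w\s]*)\{")
# optional "<var> =" capture, then "<target>.send(" or "<target>.call("
CALL_RE = re.compile(r"(?:(\w+)\s*=\s*)?([\w.\[\]]+)\.(send|call)\s*\(")

def to_xml(source: str) -> ET.Element:
    """Lower Solidity into a line-oriented XML IR (constructed simplification)."""
    root = ET.Element("sourceUnit")
    contract = func = None
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.split("//")[0].strip()           # drop line comments
        if not line:
            continue
        if m := CONTRACT_RE.match(line):
            contract = ET.SubElement(root, "contract", name=m.group(1))
        elif m := FUNC_RE.match(line):
            vis = "public" if re.search(r"\b(public|external)\b", m.group(3)) else "internal"
            func = ET.SubElement(contract, "function", name=m.group(1), visibility=vis)
        elif func is not None and line.startswith("}"):
            func = None                             # end of function body
        elif func is not None:
            stmt = ET.SubElement(func, "statement", line=str(lineno))
            if "tx.origin" in line:
                stmt.set("usesTxOrigin", "true")
            if m := CALL_RE.search(line):
                stmt.set("lowLevelCall", m.group(3))
                stmt.set("checked", "true" if m.group(1) else "false")
    return root

# rule id -> (XPath over the IR, description). ElementTree implements only a
# subset of XPath, but attribute and child predicates are enough here.
RULES = {
    "SOL-TXORIGIN": (
        ".//function[@visibility='public']/statement[@usesTxOrigin='true']",
        "tx.origin used for authorisation in a public function; compare msg.sender instead"),
    "SOL-UNCHECKED-SEND": (
        ".//statement[@lowLevelCall][@checked='false']",
        "return value of send/call not captured, so a failed transfer goes unnoticed"),
}

def run_rules(ir: ET.Element, rules=RULES) -> list[tuple[str, int]]:
    """Apply every XPath rule to the IR; return (rule id, source line) pairs."""
    findings = [(rule_id, int(stmt.get("line")))
                for rule_id, (xpath, _desc) in rules.items()
                for stmt in ir.findall(xpath)]
    return sorted(findings, key=lambda f: f[1])

def audit(source: str = SAMPLE_SOURCE) -> list[tuple[str, int]]:
    """Full pipeline: source -> IR -> findings, sorted by line."""
    return run_rules(to_xml(source))

if __name__ == "__main__":
    for rule_id, line in audit():
        print(f"{rule_id} at line {line}: {RULES[rule_id][1]}")
```

Running it reports lines 7 and 8 of the sample as true findings and line 18 as an unchecked send even though the return value is tested in the same statement, which is the kind of result a human reviewer has to dismiss.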

Blended Approach
The ideal software functionality and cybersecurity audit process should include some combination of automatic and manual auditing. By taking advantage of the newest automated auditing tools and enabling them to augment human auditors, enterprises can enable human auditors to focus their time on problems that are difficult to solve. In addition to auditing from a functionality and cybersecurity perspective, auditing from a financial accounting perspective should also be considered.

Compliance and Substantive Testing

Financial auditors must understand the software and IT problems (presented by embedded codes) that could compromise the integrity of inputs to blockchain smart contracts.10 Smart contracts will be a key component in the adoption of blockchain technology at the enterprise level and thus must be understood by traditional business leaders (e.g., C-suite executives and regulators).11 Financial auditors must implement and verify the functioning of internal controls to assure that blockchain smart contracts function as intended.

Internal Controls and Compliance Testing
To audit smart contracts, auditors must consider the smart contract oracles (which provide data inputs) and the processes that ensure that any node may accept and implement changes.12 Although smart contracts are mostly tamper-proof once they are on a blockchain, data inputs are vulnerable to common IT threats before they are uploaded to the blockchain. Hence, oracles, off-chain processes, and other upstream data feed processes are sensitive to IT and security threats before the smart contract is created or the data is uploaded.13

Compliance comprises three categories:

  • Auditors as internal controls—In the future, it may fall to auditors to perform the role of trusted intermediaries responsible for verifying and executing smart contracts. Although the smart contracts themselves become part of the blockchain, the details of the contract can be hidden so that only certain parties are able to view them.14 Internal controls can be divided into three categories: controls over crypto assets (including cryptocurrencies), controls over blockchain smart contracts, and controls over information privacy.15 Auditing professionals should become familiar with the different categories of internal controls before attempting to build, maintain, or audit any blockchain-based system, including smart contracts.
  • Smart control—Smart control layers provide auditors with access to smart contracts and associated digitized controls. Continuous data auditing, continuous control monitoring, audit data analytics, and many other auditing services are currently offered digitally (and remotely), all of which fit well within the blockchain smart contract system.16
  • Regulatory compliance—For auditors, blockchains and smart contracts reduce the burden of having to check for regulatory compliance because compliance itself can be built into the smart contracts directly. Detection of violations, automatic reconciliation, instant settlements, automatic financial reporting, automatic proof of regulatory compliance to interested parties, resistance to fraud, and long pattern recognition via ML or data mining are all benefits of blockchains and associated smart contracts.17

Substantive Testing of Transactions
Auditors can confirm transactions on smart contracts and verify the accuracy, occurrence, completeness, and validity of transactions by auditing the source data related to the smart contracts themselves.18 Auditors also need access to the blockchains on which the smart contracts depend to determine whether the controls and conditions of the smart contract are operating properly.19

Although auditors’ accuracy verification (substantive testing) roles may be diminished by the adoption of blockchains and smart contracts, their oversight of and insight into both new and legacy IT systems will continue to be necessary and could become even more important.20 In fact, auditors and similar service providers may become the primary professionals creating smart contracts on blockchains.21 Similar to the previous IT movements to integrate data analysis into the formal auditing process, blockchain smart contract analysis will become part of that process. Audits of smart contracts involve both the physical world and the virtual model that maintains the data, business activities, and conditions of goods that exist in the physical world. This virtual model consists of three layers: the blockchain, the smart controls associated with the blockchain, and the payment mechanism itself.22

Blockchains and associated smart contracts will enable audit professionals to replace the traditional sampling method of evidence gathering with a whole-population approach because all records are easily accessible and auditable at scale. In addition, some blockchains (particularly those that are public and permissionless) will give auditors direct access to transaction histories in real time, validated and verified by an associated community of data miners.23
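As an added, constructed example of the four assertions named above (not code from the cited sources), the following Python tests every inbound transfer rather than a sample by reconciling a made-up on-chain transfer log against a made-up client ledger: occurrence (each booked receipt exists on chain), accuracy (base-unit amounts agree with the booked decimal amounts), validity (the payer is the expected, allowlisted address), and completeness (every inbound transfer is booked). Addresses, transaction hashes and field names are placeholders, not any real node or accounting API.

```python
"""Whole-population substantive test of on-chain receipts against a ledger.
Added, constructed example of the four assertions named above; the transfer
log, ledger, addresses and field names are made up, not any real node or
accounting API."""
from decimal import Decimal

TREASURY = "0xTREASURY"                         # placeholder receiving address
AUTHORISED_PAYERS = {"0xCUST01", "0xCUST02"}    # constructed customer allowlist
DECIMALS = 6                                    # token base units per whole unit

# Constructed transfer events, as an auditor would pull them from a node.
CHAIN_TRANSFERS = [
    {"tx": "0xaa01", "block": 100, "from": "0xCUST01", "to": TREASURY, "value": 1_500_000},
    {"tx": "0xaa02", "block": 101, "from": "0xCUST02", "to": TREASURY, "value": 250_000},
    {"tx": "0xaa03", "block": 102, "from": "0xUNKNOWN", "to": TREASURY, "value": 999_000},
    {"tx": "0xaa04", "block": 103, "from": "0xCUST01", "to": TREASURY, "value": 40_000},
    {"tx": "0xaa05", "block": 104, "from": "0xCUST02", "to": TREASURY, "value": 3_000_000},
    {"tx": "0xaa06", "block": 105, "from": TREASURY, "to": "0xVENDOR", "value": 10_000},
]

# Constructed ledger entries recorded by the client for settled invoices.
LEDGER = [
    {"inv": "INV-1", "payer": "0xCUST01", "amount": Decimal("1.50"), "tx": "0xaa01"},
    {"inv": "INV-2", "payer": "0xCUST02", "amount": Decimal("0.52"), "tx": "0xaa02"},   # wrong amount
    {"inv": "INV-3", "payer": "0xCUST01", "amount": Decimal("0.04"), "tx": "0xaa04"},
    {"inv": "INV-4", "payer": "0xUNKNOWN", "amount": Decimal("0.999"), "tx": "0xaa03"}, # unknown payer
    {"inv": "INV-5", "payer": "0xCUST02", "amount": Decimal("2.00"), "tx": "0xbb99"},   # no such tx
]

def to_units(value: int) -> Decimal:
    """Convert integer base units to whole token units without float rounding."""
    return Decimal(value).scaleb(-DECIMALS)

def substantive_test(transfers, ledger, treasury=TREASURY, authorised=AUTHORISED_PAYERS):
    """Test every record, not a sample, and return exceptions per assertion."""
    by_tx = {t["tx"]: t for t in transfers}
    exceptions = {"occurrence": [], "accuracy": [], "validity": [], "completeness": []}
    for entry in ledger:
        t = by_tx.get(entry["tx"])
        if t is None or t["to"] != treasury:
            exceptions["occurrence"].append(entry["inv"])    # booked, not on chain
            continue
        if to_units(t["value"]) != entry["amount"]:
            exceptions["accuracy"].append(entry["inv"])      # amounts disagree
        if t["from"] != entry["payer"] or t["from"] not in authorised:
            exceptions["validity"].append(entry["inv"])      # unexpected counterparty
    booked = {e["tx"] for e in ledger}
    for t in transfers:                                      # inbound transfers only
        if t["to"] == treasury and t["tx"] not in booked:
            exceptions["completeness"].append(t["tx"])       # on chain, not booked
    return exceptions

if __name__ == "__main__":
    for assertion, items in substantive_test(CHAIN_TRANSFERS, LEDGER).items():
        print(f"{assertion:13s} exceptions: {items or 'none'}")
```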

There are a number of open-source and proprietary blockchain smart contract accounting and financial auditing software tools. Within the open-source community, the Lukka open-source software, with about 75 blockchain-specific controls, can facilitate audits of any blockchain system. Lukka also has specific tools for smart audit procedures and provides paid services.24 The Hyperledger Fabric open-source blockchain ecosystem contains a number of open-source tools for accounting systems, including the GoDBLedger.25 Proprietary enterprises that offer paid services and products within this space include CodeXDF,26 Softledger,27 Bitcoin Sync by Blockpath,28 Gilded,29 Cryptoworth,30 and Bitwave.31

Taxation
Taxation will be heavily impacted by the adoption of smart contracts. Tax compliance can be made substantially simpler by using smart controls to execute and audit tax filings.32 In addition, any taxation or audit disputes can be resolved securely by multiple parties via smart controls within smart contracts.33

Policies and Regulations

Blockchain and cryptocurrency enterprises are facing increased scrutiny from regulatory authorities, particularly in the United States. Similar to the 2010 US Dodd-Frank Act, which was intended to protect consumers and rein in US Wall Street after the 2008 housing crisis, and the 2002 Sarbanes-Oxley Act, which was influenced by the Enron and WorldCom scandals, the regulation of blockchain-related business processes is a response to various collapses (e.g., FTX) and other fraudulent activity.34 Although these regulatory responses will impact public permissionless blockchain businesses (e.g., Coinbase, Ripple, Genesis) and technologies (e.g., Bitcoin, Ethereum, stablecoins), these regulations are unlikely to have a significant negative impact on the corporate adoption of blockchain technology, particularly when it comes to private permissioned blockchains.

Future Trends

Financial auditors (certified public accountants [CPAs]) must become more like IT, software, and cybersecurity professionals to be able to audit their clients’ unique IT environments and understand how data is transitioned from the local IT system to the blockchain smart contract.35 Blockchains themselves necessitate more robust cybersecurity practices for auditing professionals because the security and accuracy of local IT pipelines become more important if the final data will eventually be uploaded to a blockchain. The many benefits of blockchain smart contracts should not mask the ongoing dependence on traditional cybersecurity solutions. Blockchain smart contracts are merely one component of existing IT infrastructures, and any correctly functioning smart contract will rely on properly operating cybersecurity and data security platforms.36 Essentially, one cannot build a complete and secure blockchain smart contract without already having a software and security infrastructure in place that supports the blockchain, such as off-chain systems and connected oracles (data feeds) providing (reliable) external information. It is important to remember that blockchain smart contracts are not generic solutions to every scenario. They should be considered an extension of preexisting systems that provide additional benefits.

In addition, blockchain smart contracts can store accounting data securely while sharing only relevant data with interested parties for information verification. Smart contracts’ ability to rapidly verify accounting standards or whether prespecified business rules are met will enable auditors to confirm balance sheets, liabilities, and equity accounts as well as generate trustable results more quickly and receive automatic alerts if errors or discrepancies are discovered.37

Smart contracts offer auditors and accountants promising solutions for financial transactions involving simple currency transactions. Well-known issues in accrual-basis accounting and related auditing issues may be easily solved by the adoption of smart contracts.38 Recently, researchers have attempted to develop a triple-entry accounting system to enable automated transactions, storage, and verification using blockchain smart contract technology. In addition, incorporating transparency, accountability, and auditability directly into smart contracts has become a priority.39

In addition, adoption of blockchains and smart contracts by the financial industry is predicted to generate higher demand for auditing services overall, especially as these emerging technologies extend into nonfinancial industry domains.40 To develop enterprise-level smart contract auditing platforms, the development, implementation, and control of smart contracts must be standardized. Auditors will encounter difficulties scaling up previous auditing standards to blockchain smart contracts unless they are standardized in a way similar to other legal contracts.41 Smart contracts and blockchains will play significant roles in the auditing profession as autonomous software becomes more common in other industry areas of healthcare, supply chain, and manufacturing.42

Conclusion

Blockchain smart contracts have the potential to transform auditing practices, enabling accurate and timely automated assurance services. In conjunction with other emerging technologies such as artificial intelligence (AI), the Internet of Things (IoT), and robotics, blockchain smart contracts will become a foundational technology for the future of commerce and business, commonly referred to as the Fourth Industrial Revolution or Web 3.0.43

Other emerging technologies will extend the ability of blockchain smart contracts to assess and record both digital and physical assets. Combining blockchain smart contracts with other emerging technologies will enable auditors to automatically measure, detect, and analyze inventory, contracts, and other items in real time. Physical IoT devices, including attached sensors, microsize computer chips, smartphones, and similar devices, will enable the automatic collection and self-reporting of a variety of measurements that can be transmitted to smart contracts and accounting and auditing professionals.44 These devices will have to be audited in terms of their physical controls and the oracles that supply smart contracts their input data. Smart contracts will enable technology to automate a variety of auditing activities, including forecasting; credit rating evolution; monitoring default risk; estimating financial status, purchase behavior, fixed asset depreciation, and bad debt; manual data extraction; and audit preparation tasks. Automation of these tasks will enable audit professionals to focus on more value-added activities, including providing strategic advice to customers, performing in-depth manual analysis of particular items or topics, developing analytics models, and expanding business operations.

Blockchain smart contracts have the potential to transform auditing practices, leading to accurate and timely automated assurance services. As the adoption of blockchain smart contracts continues to grow, auditors and accounting professionals will be called on to play pivotal roles in the development, control and execution of smart contracts.

Endnotes

1 Quantstamp Labs, “What Is a Smart Contract Audit?” 2019, http://quantstamp.com/blog/what-is-a-smart-contract-audit
2 Brender, N.; Gauthier, M.; et al.; “The Potential Impact of Blockchain Technology on Audit Practice,” Journal of Strategic Innovation and Sustainability, vol. 14, iss. 2, 2019, http://doi.org/10.33423/jsis.v14i2.1370
3 PricewaterhouseCoopers, Time for Trust: The Trillion-Dollar Reasons to Rethink Blockchain, October 2020, http://www.pwc.com/gx/en/industries/technology/publications/blockchain-report-transform-business-economy.html
4 Healthcare Business Today, “Benefits of Smart Contract Auditing Services,” 7 August 2021, http://www.healthcarebusinesstoday.com/benefits-of-smart-contract-auditing-services/
5 Korobeinikov, A.; “How to Conduct a Smart Contract Audit of Your Project,” Blaize, 27 December 2020, http://blaize.tech/article-type/how-to-conduct-a-smart-contract-security-audit-of-your-project-and-why-this-is-important/
6 Xu, Y.; Hu, G.; et al.; “A Novel Machine Learning–Based Analysis Model for Smart Contract Vulnerability,” Security and Communication Networks, 2021, http://doi.org/10.1155/2021/5798033
7 Tikhomirov, S.; Voskresenskaya, E.; et al.; “SmartCheck: Static Analysis of Ethereum Smart Contracts,” Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain, Sweden, May 2018, p. 9-16, http://ieeexplore.ieee.org/document/8445052
8 Op cit Korobeinikov
9 Ibid.
10 Hayrettin, U.; Karaburun, G.; “Changes in the Professional Profile of Auditors in the Light of Blockchain Technology,” European Journal of Digital Economy Research, vol. 1, iss. 1, 2020, p. 5-12, http://www.researchgate.net/publication/347913804
11 Smith, S. S.; “Blockchain, Smart Contracts and Financial Audit Implications,” IUP Journal of Accounting Research and Audit Practices, vol. 19, iss. 1, 2020, p. 8-17, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=3797445
12 Ibid.; Smith, S.; Garcia, A.; “Blockchain Smart Contracts Part 3: Deployment and Integration With Existing Information Technology Systems,” ISACA® Journal, vol. 1, 25 January 2023, http://je7z.images-collector.com/archives
13 Sheldon, M. D.; “A Primer for Information Technology General Control Considerations on a Private and Permissioned Blockchain Audit,” Current Issues in Auditing, vol. 13, iss. 1, 2019, p. A15-A29, http://doi.org/10.2308/ciia-52356
14 Kokina, J.; Mancha, R.; et al.; “Blockchain: Emergent Industry Adoption and Implications for Accounting,” Journal of Emerging Technologies in Accounting, vol. 14, iss. 2, 2017, p. 91-100, http://doi.org/10.2308/jeta-51911
15 Li, W.; Ma, W.; “Blockchain Adoption and Accounting Information System: An Investigation of Challenges and Expected Value,” 15th China Summer Workshop on Information Management, 2021, http://doi.org/10.1111/acfi.13088
16 Vasarhelyi, M. A.; Halper, F. B.; et al.; “The Continuous Process Audit System: A UNIX-Based Auditing Tool,” The EDP Auditor Journal, vol. 3, iss. 3, 1991, p. 85-91; Alles, M.; Brennan, G.; et al.; “Continuous Monitoring of Business Process Controls: A Pilot Implementation of a Continuous Auditing System at Siemens,” International Journal of Accounting Information Systems, vol. 7, iss. 2, 2006, p. 137-161, http://doi.org/10.1016/j.accinf.2005.10.004; Vasarhelyi, M. A.; Alles, M.; et al.; “Continuous 33 Assurance for the Now Economy,” Institute of Chartered Accountants in Australia, 2010; Dai, J.; Vasarhelyi, M. A.; “Toward Blockchain-Based Accounting and Assurance,” Journal of Information Systems, vol. 31, iss. 3, 2017, p. 5-21,
17 Liu, M.; Wu, K.; et al.; “How Will Blockchain Technology Impact Auditing and Accounting: Permissionless Versus Permissioned Blockchain,” Current Issues in Auditing, vol. 13, iss. 2, 2019, p. A19-A29, http://doi.org/10.2308/ciia-52540
18 Op cit Dai and Vasarhelyi
19 Appelbaum, D.; Nehmer, R. A.; “Auditing Cloud-Based Blockchain Accounting Systems,” Journal of Information Systems, vol. 34, iss. 2, 2020, p. 5-21, http://doi.org/10.2308/isys-52660
20 Peters, G. W.; Panayi, E.; “Understanding Modern Banking Ledgers Through Blockchain Technologies: Future of Transaction Processing and Smart Contracts on the Internet of Money,” SSRN, 2015, http://dx.doi.org/10.2139/ssrn.2692487; Op cit Dai and Vasarhelyi; Yermack, D.; “Corporate Governance and Blockchains,” Review of Finance, vol. 21, iss. 1, 2017, p. 7-31, http://doi.org/10.1093/rof/rfw074
21 Op cit Dai and Vasarhelyi
22 Ibid.
23 Op cit Liu et al.
24 Lukka, “Blockchain Auditing—Accelerating the Need for Automated Audits,” 2022, http://lukka.tech/blockchain-auditing.accelerating-the-need-for-automated-audits-2/
25 Darcy, S.; “Open Source Accounting Software Developed by Accountants,” Opensource, 2020, http://opensource.com/article/20/7/godbledger
26 CodexDF, http://codexdf.com/
27 Softledger, http://softledger.com
28 Bitcoin Sync by Blockpath, http://quickbooks.intuit.com/app/apps/appdetails/blockpath/en-us/
29 Gilded.Finance, http://quickbooks.intuit.com/app/apps/appdetails/blockpath/en-us/
30 Crunchbase, “Cryptoworth,” http://www.crunchbase.com/organization/cryptoworth
31 Bitwave.io, http://www.bitwave.io/
32 Allison, I.; “Deloitte, Libra, Accenture: The Work of Auditors in the Age of Bitcoin 2.0 Technology,” International Business Times, 18 August 2015, http://www.ibtimes.co.uk/deloitte-libra-accenture-work-auditors-age.bitcoin-2-0-technology-1515932; Op cit Dai
33 Op cit Yermack
34 Peck, E.; “Why the FTX Scandal Gets Compared to Enron,” Axios, 18 November 2022, http://www.axios.com/2022/11/18/enron-ftx-scandal
35 Rozario, A. M.; Thomas, C.; “Reengineering the Audit With Blockchain and Smart Contracts,” Journal of Emerging Technologies in Accounting, vol. 16, iss. 1, 2019, p. 21-35, http://doi.org/10.2308/jeta-52432
36 Norman, C. S.; Payne, M. D.; et al.; “Assessing Information Technology General Control Risk: An Instructional Case,” Issues in Accounting Education, vol. 24, iss. 1, 2009, p. 63-76, http://doi.org/10.2308/iace.2009.24.1.63; Huang, S. M.; Hung, W. H.; et al.; “Building the Evaluation Model of the IT General Control for CPAs Under Enterprise Risk Management,” Decision Support Systems, vol. 50, iss. 4, 2011, p. 692-701, http://doi.org/10.1016/j.dss.2010.08.015; Op cit Sheldon
37 Dai, J.; “Three Essays on Audit Technology: Audit 4.0, Blockchain, and Audit App,” Rutgers University (New Brunswick, New Jersey, USA), 2017, http://rucore.libraries.rutgers.edu/rutgers-lib/55154/pdf/1/play
38 Op cit Kokina et al.; Fuller, S. H.; Markelevich, A.; “Should Accountants Care About Blockchain?” Journal of Corporate Accounting and Finance, vol. 31, iss. 2, 2020, p. 34-46, http://doi.org/10.1002/jcaf.22424
39 Op cit Dai and Vasarhelyi; Op cit Kokina et al.
40 Op cit Rozario and Thomas
41 Op cit Smith
42 Association of Chartered Certified Accountants (ACCA), EY, Risks and Opportunities of Blockchain and Distributed Ledgers, USA, 25 April 2017, http://www.accaglobal.com/content/dam/ACCA_Global/professional-insights/pro-accountants-guide-to-distributed-ledgers-and-blockchain/25%20April%202017%20ACCA%20EY%20event%20FINAL%20REPORT.pdf; American Institute of Certified Public Accountants (AICPA), Chartered Professional Accountants of Canada (CPA Canada), Blockchain Technology and Its Potential Impact on the Audit and Assurance Profession, 2017, http://us.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/blockchain-technology-and-its-potential-impact-on-the-audit-and-assurance-profession.pdf; Op cit Dai and Vasarhelyi; Institute of Chartered Accountants in England and Wales (ICAEW), Blockchain and the Future of Accountancy, UK, 2018, http://www.icaew.com/-/media/corporate/files/technical/technology/thought-leadership/blockchain-and-the-future-of-accountancy.ashx; Op cit Yermack; Kozlowski, S.; “An Audit Ecosystem to Support Blockchain-Based Accounting and Assurance,” Continuous Auditing, Emerald Publishing, UK, 2018; O’Leary, D. E.; “Some Issues in Blockchain for Accounting and the Supply Chain, With an Application of Distributed Databases to Virtual Organizations,” Intelligent Systems in Accounting, Finance and Management, vol. 26, iss. 3, 2019, p. 137-149, http://doi.org/10.1002/isaf.1457
43 Omohundro, S.; “Cryptocurrencies, Smart Contracts, and Artificial Intelligence,” AI Matters, vol. 1, iss. 2, 2014, p. 19-21, http://doi.org/10.1145/2685328.2685334; Deloitte, C-Suite Briefing: Five Blockchain Trends for 2020, USA, March 2020, http://web.archive.org/web/20210124164242/http://www2.deloitte.com/content/dam/Deloitte/ie/Documents/Consulting/Blockchain-Trends-2020-report.pdf; Dorri, A.; Kanhere, S.; et al.; “Blockchain in Internet of Things: Challenges and Solutions,” 2016, http://doi.org/10.48550/arXiv.1608.05187; Op cit Dai and Vasarhelyi; Ferrer, E. C.; “The Blockchain: A New Framework for Robotic Swarm Systems,” Proceedings of the Future Technologies Conference, Springer, Switzerland, 2018, http://link.springer.com/chapter/10.1007/978-3-030-02683-7_77
44 Op cit Dai and Vasarhelyi; Op cit Kozlowski; Schmitz, J.; Leoni, G.; “Accounting and Auditing at the Time of Blockchain Technology: A Research Agenda,” Australian Accounting Review, vol. 29, iss. 2, 2019, p. 331-342, http://doi.org/10.1111/auar.12286

SAMUEL ZARUBA SMITH

Is a Ph.D. candidate at the University of Nevada-Reno (Reno, Nevada, USA) and is associated with its Center for Cybersecurity. He has extensive IT experience as a full-time employee, management consultant, and researcher for Amazon, Microsoft, Bank of America, and AT&T as well as public utilities and governments. His research interests include auditing, artificial intelligence, ethics, blockchain, security, governance, compliance, risk management, policy, and distributed systems.

ANDY GARCIA | PH.D., CPA

Is a professor at Bowling Green State University (Bowling Green, Ohio, USA). He has worked for a global accounting firm and a Fortune 500 company as an international auditor and has authored papers published in the ISACA® Journal, International Journal of Accounting and Information Management, Research on Professional Responsibility and Ethics in Accounting, Journal of Accounting Education, and Internal Auditing.