Auditing enterprise chains, a year later

What we learned about where we’re going.

About a year ago, we wrote an article about how the blockchain industry needed to come to terms with the possibility that enterprise chains – the latest and coolest way to describe private/permissioned distributed ledgers– would need to be audited. And, how that could create new revenue streams and ways for audit organizations to add value to their clients. As a follow-up to that article, we thought we would update on our latest observations, research, and thinking.

Please note, for this article, we’re not talking about auditing individual transactions forexternal reporting purposes, but rather, systems auditing of enterprise chains which is fundamentally different and raises its own set of challenges.

First, in terms of general industry observations, as enterprise chain projects move toward production deployments, we have spoken with quite a few senior IT Assurance Leaders who are slowing down projects until their IA teams have an audit plan in place. As expected, there’s been confirmation that you must have a plan to audit these chains to get the green light from the control tribe to go live or move any significant amount of value.

Current forensic and sample-based audit practices for centralized systems are not applicable to systems audits of enterprise chains.

Our research, in partnership with Rutgers University’s Continuous Auditing and Reporting Laboratory (CARLab), the leading research institution focused on continuous auditing, monitoring, and analytics has shown that existing systems audit practices are inadequate for enterprise chains.

Summary of initial fundings:

  1. Over 90% of current system controls, the same types of control libraries used for SAP system audits, are not relevant for enterprise chains.
  2. There are many new controls that are relevant and, we believe, many many more undiscovered controls, especially in the domain of smart contracts.
  3. The real-time, full population, architecture inherent to Blockchain will drive the industry to increase the use of continuous auditing and monitoring service delivery methods.
  4. For ancillary systems, such as wallets and keys, the automation of current auditing practices would be adequate.

An example of a control that in its current form is not relevant for enterprise chains is [segregation of duties]. Blockchains don’t require the enforcement of extraneous SoD controls because the consensus mechanism enforces it directly. An example of a new control is [node checking] which is continually assuring that only consensus approved nodes are operating on the chain at any point in time.

We will publish our white paper, detailing our findings, in early 2018.

How can audit organizations position themselves to capture value in a distributed and decentralized world?

Our research tells us audit organizations should:

  1. Focus on finding ways to monetize their proprietary control libraries.
  2. Make their libraries available on many types of enterprise and public chains.

Thinking forward to the deployments of projects such as Cosmos, Polkadot, and Aion, which will blur the lines between moving value across enterprise and public chains, we believe audit organizations should prioritize planning for boundless network and market structures.

To offer one possible future, imagine a blockchain-based Network Assurance Marketplace (NAM), like an Apple/Amazon/Google app store, where audit organizations can upload control libraries, get them validated in some way, clients can search and buy access to libraries that are configured and tuned to a specific protocol, industry, function, or use case. Further, clients can also source, from the NAM, an audit organization to deliver the actual continuous systems auditing and monitoring service. And yes, you still need living breathing auditors to do some of the work!

In this network and market structure, audit organizations that already have many libraries, can shape their intellectual property into bespoke data solutions, packaged as, or facilitated by, crypto-assets and sell them at global scale. Or, instead of focusing on creating and selling libraries, can choose to specialize in the delivery of these next generation audit services. The outcome of this construct could be the unbundling of integrated audit frameworks and methodologies with new organizations competing to create audit value in new ways.

Libra’s focus is on building blockchain-native software that supports the delivery of control libraries.

Libra is not in the business of creating, maintaining, or owning control libraries or developing and deploying the actual systems audit services. These are the roles of other organizations. Rather, we will offer the audit ecosystem two things:

  1. Our research towards defining an open source, baseline blockchain-centric library of controls that’s agnostic to any one particular protocol, such that any audit organization will be able to contribute to, leverage, and then expand upon, these controls for their own commercial purpose.
  2. Continue to invest in building highly scalable and secure tools that will serve as software scaffolding used to support the delivery of systems audit services.

You should expect our first ‘Blockchain Audit Tool’ enterprise application in 2018. We are currently deep in research, learning what sorts of controls are relevant for different protocols and use cases, validating business needs and required practices, and translating those efforts into solutions.

Overall, we agree with articles about how the pace of change is accelerating for the industry. But we also see the possibility for structural change, especially in the packaging and delivery of systems audit value.

This perspective is driving us to organize efforts such that all organizations in the audit ecosystem can succeed in the distributed ledger era. If this is something you have interest in as well, please shoot me a note. We look forward to updating the market on our next set of actions related to these efforts.

Post Script: Thank you to Libra’s Audit Advisory Committee, Rutgers University’s CARLab, and the Monax team for supporting these efforts.