Technology Leads the Way: Digital Assets, Blockchain and SOC
Digital Assets – Are You Asking the Right Questions?
As more and more entities get involved in the digital assets space, this is an area of increased audit risk. Knowing the right questions to ask and being prepared with the resources necessary to make an assessment is of vital importance. Auditors must be aware of the many unique considerations and auditing challenges brought about with this new asset class.
In order to address financial reporting and auditing challenges, the AICPA’s Digital Assets Working Group continues to develop nonauthoritative accounting and auditing guidance to help financial statement preparers and auditors who are operating in the digital asset space. The Digital Assets Practice Aid, includes the following topics:
The Practice Aid was originally issued in 2019 and is updated periodically with new topics and content, to provide nonauthoritative guidance on how to account for and audit digital assets under U.S. generally accepted accounting principles for nongovernmental entities and generally accepted auditing standards, respectively. It is intended for those with a fundamental knowledge of blockchain technology and is based on existing professional literature and the experience of members of the Digital Assets Working Group.
Have Blockchain Risks Been Considered in the Engagement?
Many entities are turning towards blockchain technology as a solution for their business, operational, regulatory or strategic initiatives. For example, entities may incorporate blockchain technology into their financial systems, or they may use a service organization that has integrated blockchain technology to provide services to the entity (such as, supply chain management, payroll processing, or employee benefit plan recordkeeping). However blockchain technology is being utilized, it is important for the auditor to understand and identify the unique risks as well as those controls that may be in place to mitigate those risks. It is important for the auditor to take these risks into account when gaining an understanding of the system and the assessment of the risk of material misstatement.
The Information Systems Audit and Control Association (ISACA) and AICPA & CIMA formed a joint working group, the ISACA-AICPA & CIMA Joint Blockchain Working Group to identify risks associated with enabling blockchain technology. The working group created a risk by domain table, which is intended for those professionals with an advanced understanding of blockchain technology. This tool can be used by CPAs to assist an entity with identifying the relevant risks in each engagement.
The trend is clear: more and more entities will transform significant portions of their business, revenue model, or operations using blockchain technology and auditors will need to be aware of the unique risks. It is imperative that the assessment of the risk of using blockchain technology be considered throughout the engagement. If a blockchain has already been incorporated within an entity, it will be important to perform a retrospective review to identify risks related to the five domains, as applicable, in order to identify control
gaps that may threaten the achievement of the entity’s objectives.
Implications of the Use of Blockchain in SOC for Service Organization Examinations
The AICPA’s Assurance Services Executive Committee’s Implications of Blockchain on SOC 1 and SOC 2 working group has published the paper, “Implications of the Use of Blockchain in SOC for Service Organization Examinations.” The objectives of this paper are to educate the service auditor about some of the unique aspects of blockchain and to discuss the implications of the use of blockchain in a system used to provide services to user entities of a SOC for service organization report. The paper includes examples of how service organizations might use blockchain in a system used to provide services to user entities, as well as additional AICPA resources for service auditors who want to learn more about blockchain.
The paper is divided into two parts:
- Part 1
- Presents an overview of blockchain, including a discussion of the different types of blockchain networks and some of its unique features
- Identifies specific risks of using blockchain
- Part 2
- Presents an overview of relevant professional standards and criteria governing SOC for service organization examinations
- Discusses the need for the engagement team to possess knowledge about blockchain and the specialized skills and competencies to perform the engagement, including the use of specialists when appropriate
- Describes the unique elements of the auditor’s understanding of a service organization’s system when blockchain is integral to and interfaces with that system
- Discusses unique considerations when forming an opinion on the description of a service organization’s system that includes blockchain, the suitability of the design of the controls, and in a type 2 examination, the operating effectiveness of controls.
The complete paper may be found on the SOC web page here.
For additional SOC resources, please visit the Service Organization Controls: SOC Suite of Services page.
FAQs: SOC 2 and SOC 3 Examinations
The AICPA staff has issued nonauthoritative guidance on selected practice matters raised by members in connection with SOC 2® and SOC 3® examinations. The Frequently Asked Questions: SOC 2® and SOC 3® Examinations (FAQs) represent the views of AICPA staff based on the input of members of the AICPA Assurance Services Executive Committee’s SOC 2® Working Group. The FAQs address the following topics:
- Change in the Opinion on Design and Operating Effectiveness
- Trust Services Categories Addressed
- Common Controls to meet the Trust Services Criteria
- SOC Providers
- Considering the Appropriate Period of Time for a SOC 2 Examination
- Lack of a Board of Directors
- SOC 2 Examination that Addresses Additional Subject Matters and Additional Criteria
- Use of Sampling
- Laws and Regulations
- Procedures for Testing Operating Effectiveness
- Consideration of Materiality in a SOC 2 Examination
- SOC 3 Examinations
- SOC Logo for CPAs
The complete FAQs may be found on the SOC web page here.