The AICPA has released a white paper that provides practitioners (known as service auditors) with advice about performing SOC for Service Organization reports on companies that have incorporated blockchain into their service-delivery systems.
The use of blockchain may allow service organizations to provide new services (e.g., developing new systems to support supply chain efficiency) and to reduce the costs of providing existing services (e.g., reducing the risk of unauthorized changes to business records). But blockchain use also brings increased risks for service organizations and user entities.
As noted in the white paper, management is responsible for identifying, assessing, documenting, and responding to blockchain-related risks through the design and implementation of controls that mitigate those risks.
The white paper, Implications of the Use of Blockchain in SOC for Service Organization Examinations, is geared toward service auditors who perform SOC for Service Organizations: Internal Control Over Financial Reporting (SOC 1) examination or SOC for Service Organizations: Trust Services Criteria (SOC 2) examinations. Practitioners conducting SOC for Supply Chain examinations may also find the white paper helpful.
Specifically, the white paper aims to educate service auditors about the unique features of blockchain and the risks associated with using the technology as part of a system that delivers services to user entities. Understanding those risks and the controls implemented by the organization to mitigate those risks is critical for the service auditor who performs a SOC 1— SOC for Service Organizations: (ICFR) examination or a SOC 2 — SOC for Service Organizations: Trust Services Criteria examination. The white paper also discusses some of the ways those examinations may be affected by the use of blockchain.
The paper is organized into two parts. Part 1:
- Presents an overview of blockchain, including a discussion of the different types of blockchain networks and some of the unique features that make blockchain different from other technologies a service organization may use in its system; and
- Identifies specific risks of using blockchain.
Part 2 of the paper:
- Presents an overview of relevant professional standards and criteria governing SOC for Service Organization examinations;
- Discusses the need for the service auditor’s team to possess knowledge about blockchain and the specialized skills and competencies to perform the engagement, including the use of specialists when appropriate;
- Describes the unique elements of the service auditor’s understanding of a service organization’s system when blockchain is integral to and interfaces with that system; and
- Discusses unique considerations when forming an opinion on the description of a service organization’s system that includes blockchain, the suitability of the design of the controls, and in a type 2 examination, the operating effectiveness of controls.
— Jeff Drew (Jeff.Drew@aicpa-cima.com) is a JofA senior editor.