Applying the COSO framework addresses risks but raises some new ones.
Despite its mysterious origins, distributed ledger technology (DLT) is increasingly viewed by companies as vital to remain competitive. From an internal control (IC) standpoint, the technology has significant potential to reduce risk and improve efficiency but also introduces new risks, prompting a recently published report on how to apply the leading IC framework when adopting DLT, also referred to as blockchain.
- “We wanted to put this guidance out there so concerns about controls are not an inhibitor to adopting DLT,” said Paul Sobel, chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), retired chief risk officer of Georgia-Pacific and a former NeuGroup member.
- “The paper is intended to move blockchain to the next level by discussing the key risks and controls that we think organizations should be thinking about as it relates to distributed ledgers,” said Jennifer Burns, partner at Deloitte & Touche. Deloitte and COSO teamed up on the report “Blockchain and Internal Control: The COSO Perspective.”
Growing ubiquity. The report recounts the 2008 paper by Satoshi Nakamoto—identity still unknown—that set the stage for bitcoin and the blockchain technology behind it. DLT’s accessibility, transparency, and security have dramatically broadened its applications.
- In Deloitte’s 2020 blockchain survey of 1,488 senior executives globally, 83% of respondents said that without adopting DLT their organizations or projects will lose competitive advantage.
- An even higher percentage said their suppliers, customers and/or competitors are discussing or working on blockchain solutions.
- Higher percentages of respondents also see compelling business cases for blockchain technology and anticipate it achieving mainstream adoption.
Risk reduction and creation. The report views DLT through the five components of the COSO Internal Control – Integrated Framework 2013, which most organizations already apply by complying with Section 404 of the Sarbanes-Oxley Act, Mr. Sobel said. Still, there remain plenty of risk-reduction opportunities and also some concerns. These include:
Control environment. DLT may help facilitate an effective control environment because it minimizes human intervention.
- However, the component primarily addresses principles involving human behavior, such as promoting integrity and ethics, that blockchain cannot assess.
- Plus, blockchains with multiple entities participating and intertwining face greater complications managing the control environment.
Risk assessment. Through this COSO-framework component, DLT reduces risk by promoting accountability, maintaining record integrity, and providing a record that is distributed to all participants simultaneously, so it cannot be denied or refuted.
- But companies must consider risks more broadly, such as other parties in the blockchain network with different risk appetites and risk monitoring standards.
- DLT also introduces the potential for new fraud schemes or new ways to carry out traditional ones.
Control activities. Blockchain and related smart contracts, which automatically execute, control, or document contractual events and actions, can significantly improve business efficiency by reducing human effort and fraud.