2020 Blockchain and Internal Control Report - COSO (English edition, 32 pages)
Committee of Sponsoring Organizations of the Treadway Commission

Sponsored By

The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to specific situations should be determined through consultation with your professional adviser, and this paper should not be considered a substitute for the services of such advisors, nor should it be used as a basis for any decision or action that may affect your organization.

Jennifer Burns | Amy Steele | Eric E. Cohen | Dr. Sri Ramamoorti

THE COSO PERSPECTIVE
Governance and Internal Control
BLOCKCHAIN AND INTERNAL CONTROL

This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.

COSO is a private-sector initiative jointly sponsored and funded by the following organizations:
- American Accounting Association (AAA)
- American Institute of CPAs (AICPA)
- Financial Executives International (FEI)
- The Institute of Management Accountants (IMA)
- The Institute of Internal Auditors (IIA)

Acknowledgements
We would like to recognize and
thank Yoland Sinclair, Manager, Deloitte it is blockchain plus something that is most successful.

As a foundational technology, blockchain has the potential to radically change the global digital business landscape that would, in turn, have significant impact on almost everything else. As organizations are contemplating the use of blockchain, they should know the following 10 things (See Appendix 2 for additional discussion):

1. Information about blockchain in the news and on the Internet is often misleading or incorrect.
2. Blockchain encompasses far more than digital assets; the benefits it can bring to an organization can be substantial.
3. Blockchain is not magic; it comes at a cost and doesn't eliminate all risks. In fact, it introduces new risks.
4. Knowing how blockchain works is crucial for evaluating, preparing for, and managing blockchain's impact on internal control and the organization as a whole.
5. Blockchain has both technology and governance implications.
6. Blockchain will not make management, accountants, or auditors less relevant, although it will impact what they do and how they do it.
7. Blockchain requires new skill sets (e.g., data science for greater hindsight, insight, and foresight) and new collaboration within and across organizations.
8. Now is the time to educate and engage stakeholders throughout the organization.
9. Blockchain is still in flux and continues to evolve.
10. Adoption of blockchain may not be a choice.

The potential benefits of blockchain to financial reporting will be maximized only if those who understand and are responsible for financial reporting, internal controls, and auditing are actively involved in the discourse about blockchain and collaborate to advance the collective agenda.

Table 1. Implications of Blockchain on Five Components

Component | Implications of Blockchain
Control Environment | Blockchain may be a tool to help facilitate an effective control environment (e.g., by recording transactions with minimal human intervention). However, many of the principles within this component deal primarily with human behavior, such as management promoting integrity and ethics, which, even with other technologies, blockchain is not able to assess. The greater challenge relates to the intertwining of an entity with other entities or persons participating in a blockchain and how to manage the control environment as a result.
Risk Assessment | Blockchain creates new risks and simultaneously helps to mitigate extant risks, by promoting accountability, maintaining record integrity, and providing an irrefutable record (i.e., a person or organization cannot deny or contest their role in authorizing/sending a message or record).
Control Activities | Blockchain can act as a tool to help facilitate control activities. Blockchain and smart contracts can be a powerful means of effectively and efficiently conducting global business (e.g., by minimizing human error and opportunities for fraud). The collaborative aspects of blockchain, however, can introduce additional complexity, particularly when the technology is decentralized and there is no single party accountable for the systems that fall under ICFR.

Information the ideas in this paper can be applied to both at a conceptual level.

Table 2. Audience and Intended Use

Audience | Intended Use
Board of directors; Audit committee members | Understanding the following (governance level): Key concepts related to blockchain; How blockchain may impact internal control at a sufficient level to enhance oversight responsibilities
Executives (CEO, CFO, Controllers); Internal auditors, management accountants, and others concerned with internal control matters | Understanding of the following (operational and/or technical level): Key concepts related to blockchain; How to leverage the 2013 Framework to evaluate considerations related to the use of blockchain and make more informed decisions about using blockchain; Examples of how each component of the 2013 Framework may be impacted when blockchain is implemented
External auditors | Understanding of the following (operational and/or technical level): Key concepts related to blockchain; How to evaluate management's controls with respect to blockchain
Academics | Understanding the following (depending on basic or applied research interest): Key concepts related to blockchain; How blockchain may impact internal controls; How to share the concepts as well as practical applications with students

This paper discusses each of the COSO components, describing:
- how to use blockchain to enhance that component,
- new threats or risks that arise from using blockchain, and
- examples of how to mitigate such threats or risks.

Finally, with a view to enhancing collaboration, the paper concludes with next steps that can be taken as blockchain becomes
more widely adopted.

coso.org | Blockchain and Internal Control: The COSO Perspective

2 Cryptography is relevant in that before any transaction is entered on a blockchain it must be agreed to through a consensus protocol. Each block is linked to the prior block with a unique identifier (i.e., a “hash”).
3 www.data.gov.

II. THE WAVE OF CHANGE KNOWN AS BLOCKCHAIN

In light of the potential changes blockchain may bring to business and operating environments, as both an enabler and a driver, it seems prudent to consider its implications on internal control. Blockchain implementations might address, or even eliminate, extant internal control weaknesses; might be used to improve existing controls; and, particularly in the absence of recognized best practices, might pose new risks or challenges in practical contexts.

What is blockchain?

There are many conflicting definitions of blockchain, but drawing on a variety of sources this paper uses the following working definition: blockchain is an append-only ledger, a sequential database maintained by a decentralized network of users responsible for agreeing upon additions to the chain and secured through cryptography.2 In
layman's terms, a blockchain is a secure, transparent, irreversible digital ledger shared across participants. It is important to note that many different types of blockchains exist; there is no singular “the blockchain.”

Many of the changes that proponents attribute to the adoption of blockchain are not found in isolation; it is “blockchain plus something” (i.e., other emerging technologies) that may make the changes possible. These technologies focus on supplementing or eliminating manual tasks, and moving toward a more streamlined state of financial reporting with more timely reporting of relevant information. Certain tools and technologies that may be helpful in further exploiting the potential evolution of blockchain include the following:

Artificial intelligence (AI)
AI is an area of computer science where intelligent machines work and react like people for tasks like decision-making, problem-solving, emulating senses, learning, planning, and activities like visual perception and speech recognition. It is particularly useful at identifying patterns and outliers. AI can be used to augment human involvement or as its replacement. For instance, AI can be used to analyze real-time trade transactional data and other information on a blockchain to simulate human judgment in classification, recording, analytics, and decision-making.

Internet of Things (IoT)
Internet of Things is a broad term for the growing list of things that can link to the Internet. With home automation devices, just about anything that can turn on and off can be Internet-enabled and be part of a network of things that can monitor, report about, and act upon the environment around it. IoT devices can potentially write to or act upon information in a blockchain to assist auditors in their work.

Big Data/Open Data
The availability of data beyond an entity's own books and records, so-called exogenous data, can facilitate broader industry analytics to provide greater context to advanced audit data analytics. Big data refers to the wide variety of data coming from sources such as IoT, social media, and other data sources too large or complex to be processed by traditional applications. Open data is a subset of big data: large, usually structured, data sets, usually made available by governments.3

Big data, IoT, AI, and blockchain may all be used together in the future and, working in conjunction
with internal control processes, could become a powerful toolset.

4 www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html.

Implications for Internal Control

The internal control environment is likely to be different in a blockchain-enabled world. As such, it is important to consider and leverage these differences, factoring in blockchain capabilities, attributes, risks, and benefits. Leveraging distinctive capabilities of blockchain to enhance internal control, in turn, may promote greater:
- Effectiveness and efficiency of operations,
- Accuracy, consistency, and reliability of financial and other reporting, and
- Compliance with applicable laws and regulations.

In many ways, the control considerations with respect to implementing and operating blockchain solutions are much like those
of a new Enterprise Resource Planning (ERP) or document management system. When considering financial reporting controls, certain “mainstay” financial controls (e.g., reconciliations) and processes (e.g., creation of financial reports) will likely fundamentally change. Further, new risks may emerge, which will require new controls. See sidebar for examples of how financial reporting controls and processes may change.

EXAMPLES OF HOW FINANCIAL REPORTING CONTROLS AND PROCESSES MAY CHANGE

Internal controls related to the control environment
The amount of control an entity may be able to impose within different blockchain environments will vary. In many cases, control will no longer rest within the entity. This will impact how entities consider and evaluate issues within the control environment.

Reconciliations
With the use of a blockchain solution to respond to reconciliation-heavy areas (e.g., intercompany transactions), reconciliations will become highly streamlined, efficient, and result in increased visibility to all parties to the transaction.

Confirmations
With the ability to reperform calculations of transactions on the blockchain, there may no longer be a need for certain types of confirmations. However, there may also be an increased need for other confirmations with potentially new service providers.

Vendor and supplier approval
The use of blockchain may change the nature of an organization's relationships with vendors and suppliers (e.g., how transactions are processed, visibility to pricing, and reporting and transparency of information).

Third-party service providers
Like other technology solutions, blockchain solutions may be controlled internally or sourced externally. Most externally sourced systems are typically overseen by a particular third party, the service organization. Management can request a type 2 SOC 2 system and organization controls report providing information about “the fairness of the presentation of third party's management's description of the service organization's system and the suitability of the design and operating effectiveness of
the controls to achieve the related control objectives included in the description throughout a specified period.”4 Consequently, the demand for some form of SOC reporting in these environments will likely increase.

Decentralized external systems
In a blockchain world, there may be no singular, centralized management to oversee a particular blockchain. Although the pre-established rules (protocol) of the designers and changes brought on by the consensus of the stakeholders can be communicated, there may be no singular external entity that can be held accountable for achieving the control objectives or held responsible when there are problems. This lack of accountability poses a serious challenge. Without centralized management, there may be no simple or easy way to engage a SOC auditor and, absent SOC reports, enterprises must consider alternatives.

Types of Controls in a Blockchain World

Controls are characterized as preventive (before risk materializes) and detective (during or after risk materializes). With blockchain, these control types are still relevant and applicable.

EXAMPLES OF HOW FINANCIAL REPORTING CONTROLS AND PROCESSES MAY CHANGE (CONT.)

Integration of Digital Assets
Another way blockchain can be different from traditional technology solutions is integration of digital assets into the system. Some blockchains have their own integrated digital payment or value that exists nowhere else and
can be tracked no other way. Traditional systems can link into banking or other financial systems; blockchain is sometimes the system itself.

Electronic audit trail
An important benefit from certain blockchains is the automatic creation and presence of an electronic record of all transactions (i.e., an audit trail). Nevertheless, additional challenges exist with respect to determining ownership and rights, and just because a transaction is on a blockchain does not necessarily validate the transactions for books and records purp