IT Audit Blockchain audits: why are they needed and how should they be conducted?
23-05-21
Blockchain technology offers real value, but it also introduces new risks, and those risks are what create the need for blockchain audits. Accounting rules for cryptocurrencies as assets are still unsettled, which exposes accounting firms that build, or advise on, the internal controls of organizations using blockchain technology. With that caveat in mind, this post looks at why blockchain audits matter and what they involve when the auditee issues tokens.
# The need for a blockchain audit
Because blockchain systems are complex and handle sensitive assets, auditing them calls for a detailed approach and caution. An auditor who does not understand the technology can misjudge a control or miss a risk entirely, and in a system that moves assets directly the damage from such a mistake can be serious.
Blockchain technology enables efficient transactions while providing transparency and trust, but the same properties can be abused or misused, and that risk is what makes blockchain auditing necessary. A blockchain audit provides assurance that data integrity, transparency, and security are maintained and that the blockchain system functions and performs as intended.
Organizations that issue cryptocurrency tokens have a particular need for blockchain audits. Token issuance happens on a transparent ledger, and an audited issuer can use that transparency to show investors that its business is honest and trustworthy.
To do this, a token issuer must audit not only the transaction data on the blockchain but also the process by which tokens are issued and distributed. That process is a major factor in how the token is valued, and an audited account of it helps investors judge the token's real worth.
Auditing the blockchain is therefore essential for any organization running a blockchain-based business.
A blockchain audit basically follows a similar process to a traditional IT audit, but because of the nature of blockchain, it requires knowledge of cryptography, computer networks, software engineering, and more to understand exactly how blockchain works.
# Blockchain audit caveats
Audits of organizations in the blockchain business play an important role in enhancing the reliability of a company's assets and transactions. However, the cryptocurrency and blockchain fields are still young, and the laws and audit standards that apply to them are incomplete and vary by jurisdiction. Design controls that mitigate this audit-standards risk, and make sure the engagement includes professionals who understand blockchain.
# Concepts of distributed ledger technology (DLT) and blockchain
Distributed ledger technology: DLT is a digital system that records asset transactions in multiple places simultaneously. Its core principle is decentralization, and it is designed to eliminate the need for a central authority and increase the security and transparency of the system.
Decentralization means that no single entity controls the data; transparency means that transactions are visible to all participants; immutability means that data, once recorded, cannot be altered without breaking the cryptographic links that the rest of the network checks; and security is maintained through cryptography.
Blockchain is one type of distributed ledger technology. A blockchain is a chain of blocks, each containing a list of transactions and the hash of the block before it. Once a block is added to the chain, altering its contents changes its hash and breaks the link held by every later block, so a change to past transaction data is detectable by every node that holds a copy; rewriting history would require redoing every subsequent block and getting the network to accept the result.
Blockchain stores transaction data in a distributed way across many computers. Each transaction is stored in a "block," and the blocks are connected to each other in a "chain." This structure makes tampering difficult and therefore provides strong integrity. In addition, the transparency of the blockchain lets all participants view the transaction records, which is useful during an audit.
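The hash-chain link described above can be checked with a few lines of code. The following is an added example, not code from the original post: a minimal SHA-256 hash-chained ledger in Python, with a verifier that detects an edit to a past block and then shows why re-hashing the edited block alone does not hide the change. The block layout and the sample transfers are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not code from the original post. A minimal hash-chained
# ledger on SHA-256: each block stores the hash of the previous block, so
# editing any past block changes its hash and breaks the link held by
# every block after it.


@dataclass
class Block:
    index: int
    transactions: List[dict]
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so identical content
        # always produces the identical digest regardless of dict ordering.
        payload = json.dumps(
            {"index": self.index, "transactions": self.transactions, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


GENESIS_PREV = "0" * 64


def build_chain(batches: List[List[dict]]) -> List[Block]:
    """Build a chain from successive transaction batches; block 0 is the genesis block."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, txs in enumerate(batches):
        blk = Block(index=i, transactions=txs, prev_hash=prev)
        blk.hash = blk.compute_hash()
        chain.append(blk)
        prev = blk.hash
    return chain


def verify_chain(chain: List[Block]) -> List[int]:
    """Return indices of blocks that fail verification; an empty list means the chain is intact.

    Two checks per block: the stored hash must equal a fresh hash of the block's
    contents, and prev_hash must equal the previous block's stored hash.
    """
    bad: List[int] = []
    for i, blk in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash
        if blk.hash != blk.compute_hash() or blk.prev_hash != expected_prev:
            bad.append(i)
    return bad


def tamper_demo() -> Tuple[List[int], List[int], List[int]]:
    """Show what each verification result looks like as an attacker edits one node's copy."""
    # Constructed sample data: three blocks of token transfers.
    chain = build_chain([
        [{"from": "issuer", "to": "alice", "amount": 100}],
        [{"from": "alice", "to": "bob", "amount": 40}],
        [{"from": "bob", "to": "carol", "amount": 10}],
    ])
    intact = verify_chain(chain)          # []  : nothing wrong
    # Someone with write access to a node's database edits block 1 in place.
    chain[1].transactions[0]["amount"] = 4000
    after_edit = verify_chain(chain)      # [1] : block 1's stored hash no longer matches its content
    # Re-hashing block 1 repairs that check, but block 2 still holds the old
    # hash in prev_hash, so the break simply moves one block forward.
    chain[1].hash = chain[1].compute_hash()
    after_rehash = verify_chain(chain)    # [2] : block 2's prev_hash link is broken
    return intact, after_edit, after_rehash


if __name__ == "__main__":
    print(tamper_demo())
```

The last step is the point for an auditor: hiding an edit requires rewriting every later block as well, and on a live network the other nodes will reject the rewritten copy. That is also why an audit should read on-chain data from a node whose copy is confirmed by the rest of the network rather than from a single internal database.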
Types of blockchains:
1) Public blockchain: open to anyone; any participant can submit transactions to the network and take part in validating and recording them.
2) Private blockchain: participation is restricted to members approved by a single organization, which controls who may read, write, and validate.
3) Consortium blockchain: a hybrid in which the consensus process is controlled by a pre-selected group of nodes belonging to several organizations.
# How blockchain works and smart contracts
1) Core technical concepts: A hash function takes input of any size and produces a fixed-size digest; it is one-way and collision-resistant, which is what allows a short hash to stand in for a block's entire contents. Cryptography ensures secure communication in the presence of an attacker. Public-key cryptography lets a participant prove, by signing with a private key, that a transaction was authorized by the holder of the corresponding address.
2) Transaction processing: Newly created transactions are grouped with other transactions into cryptographically protected blocks. Miners (in proof-of-work networks) or validators (in proof-of-stake networks) check the transactions, append the block to the chain, and are rewarded in the network's cryptocurrency.
3) Smart contracts: Smart contracts are pre-written computer programs that automatically execute the terms of a contract. They are stored on the blockchain and are executed based on certain conditions.
4) Token issuance and trading: Organizations can issue tokens representing ownership or debt, and these tokens are recorded and traded on the blockchain. To be compatible with existing wallets and exchanges, tokens must follow established standards (for example, ERC-20 for fungible tokens on Ethereum).
5) Wallets and security: Wallets hold the private keys that control blockchain addresses (public keys and addresses are derived from those private keys). Whoever holds a private key can move the tokens at that address, so key custody is the control that matters most for the safety of the tokens a wallet manages.
6) Regulatory and other issues: Due to the decentralized nature of blockchain technology, legal and regulatory issues can arise. Therefore, it is important to understand local laws and regulations related to blockchain and cryptocurrency use.
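To make items 2) to 5) above concrete, here is an added example (not the post's code and not any real token contract) of a minimal token ledger in Python with the controls an auditor would look for in an ERC-20-style token: issuance restricted to the issuer, transfers that cannot overdraw, per-sender nonces so a captured transfer request cannot be replayed, an append-only event log, and a supply invariant that the log and balances can be reconciled against. The address format (0x plus 40 hex digits, no checksum), the sample addresses, and the amounts are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Added example, not code from the original post or any real token contract.
# Address format below is an assumption (0x + 40 hex digits, no checksum).
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


class LedgerError(Exception):
    """Raised when a request fails an input, authorization, or processing control."""


@dataclass
class TokenLedger:
    issuer: str
    balances: Dict[str, int] = field(default_factory=dict)
    total_supply: int = 0
    events: List[dict] = field(default_factory=list)     # append-only audit trail
    nonces: Dict[str, int] = field(default_factory=dict)  # per-sender replay protection

    @staticmethod
    def _check_address(addr: str) -> None:
        # Input control: reject malformed addresses before they touch state.
        if not ADDRESS_RE.match(addr):
            raise LedgerError(f"invalid address: {addr}")

    @staticmethod
    def _check_amount(amount: int) -> None:
        # Amounts are integers in the smallest unit; zero and negatives are rejected.
        if not isinstance(amount, int) or amount <= 0:
            raise LedgerError(f"invalid amount: {amount}")

    def mint(self, caller: str, to: str, amount: int) -> None:
        # Authorization control: only the issuer may create new supply.
        if caller != self.issuer:
            raise LedgerError("mint: caller is not the issuer")
        self._check_address(to)
        self._check_amount(amount)
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount
        self.events.append({"type": "Mint", "to": to, "amount": amount})

    def transfer(self, sender: str, to: str, amount: int, nonce: int) -> None:
        self._check_address(sender)
        self._check_address(to)
        self._check_amount(amount)
        # Processing control: the nonce must be exactly the next one for this
        # sender, so a captured transfer request cannot be submitted twice.
        if nonce != self.nonces.get(sender, 0):
            raise LedgerError(f"transfer: bad nonce {nonce} for {sender}")
        if self.balances.get(sender, 0) < amount:
            raise LedgerError("transfer: insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        self.nonces[sender] = nonce + 1
        self.events.append({"type": "Transfer", "from": sender, "to": to, "amount": amount})

    def supply_reconciles(self) -> bool:
        # Integrity check an auditor can run: balances must sum to total supply,
        # and total supply must equal what the event log says was ever minted.
        minted = sum(e["amount"] for e in self.events if e["type"] == "Mint")
        return sum(self.balances.values()) == self.total_supply == minted


# Constructed sample addresses (assumed format), not real accounts.
ISSUER = "0x" + "11" * 20
ALICE = "0x" + "aa" * 20
BOB = "0x" + "bb" * 20


def demo() -> dict:
    """Run one valid issuance and transfer, then four requests each control should reject."""
    ledger = TokenLedger(issuer=ISSUER)
    ledger.mint(ISSUER, ALICE, 1_000)
    ledger.transfer(ALICE, BOB, 300, nonce=0)
    results = {"balance_alice": ledger.balances[ALICE], "balance_bob": ledger.balances[BOB]}
    attempts = [
        ("mint_by_non_issuer", lambda: ledger.mint(ALICE, ALICE, 1)),
        ("replayed_transfer", lambda: ledger.transfer(ALICE, BOB, 300, nonce=0)),
        ("overdraw", lambda: ledger.transfer(BOB, ALICE, 5_000, nonce=0)),
        ("bad_address", lambda: ledger.transfer(ALICE, "0xdeadbeef", 1, nonce=1)),
    ]
    for label, call in attempts:
        try:
            call()
            results[label] = "accepted"
        except LedgerError:
            results[label] = "rejected"
    results["supply_reconciles"] = ledger.supply_reconciles()
    return results


if __name__ == "__main__":
    print(demo())
```

The event log is what the later audit steps work from: every change to a balance has a corresponding event, and `supply_reconciles()` is the kind of invariant that should hold at any point in time. A real on-chain contract adds signature verification to the nonce check; here the sender is taken on trust because the example runs off-chain.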
# Considerations
1) Data security:
Sensitive information related to tokens (private keys, transaction records, customer data, etc.) is held in the organization's databases and key stores. This data must be encrypted: TLS for data in transit and an algorithm such as AES for data at rest. Private keys deserve stronger handling than an encrypted database column, for example a hardware security module or a key-management service, with every use of a key logged.
2) Maintaining data integrity:
Due to the nature of blockchain, all transactions are stored in an immutable log. However, similar principles should be followed in the ancillary systems (such as DBs) that manage it. All significant data changes should be logged, and these logs should be protected from alteration.
3) Have a contingency plan:
You should have a contingency plan in place in case something goes wrong with your crypto token system. For example, you can take regular backups of critical data and have a disaster recovery plan in place that can automatically switch to a data center in another region if something goes wrong with your data center.
4) Assess your security posture regularly:
You should regularly assess the security posture of the systems that issue and manage your tokens. This can be done through penetration tests by an external security firm or through internal audits against international security standards such as ISO 27001.
5) Document policies and procedures:
All of the above procedures and policies should be documented, for example, a "guide to introducing two-factor authentication", "data encryption procedures", "guide to creating an emergency plan", etc. These documents should be kept easily accessible to employees and can also be used to train new employees.
6) Workforce management:
You should hire employees with an understanding of and experience in blockchain and cryptocurrencies, or train current employees to build those skills. You should also have procedures for promptly revoking an employee's privileges when they leave or change roles, and for transferring any system access or key custody they held to someone else.
7) Maintain legality:
You need to operate your cryptocurrency in compliance with national and international laws and regulations. For example, you need to ensure that you are complying with Know Your Customer (KYC) and Anti-Money Laundering (AML) laws, and that you are protecting user information in accordance with privacy regulations.
8) Transaction monitoring:
It's important to have a system in place to identify and respond to anomalous transactions, because cryptocurrencies can be used for illegal activity. Define the patterns that count as anomalous (unusually large transfers, series of transfers just under a reporting threshold, transfers involving blocked addresses) and, when one occurs, alert immediately or block the transaction. Note that a transaction already confirmed on a public chain cannot be reversed; the point of control is your own platform, before the transaction is signed and broadcast, and the off-ramp afterward.
9) Post-mortem:
After a project or task is completed, the results should be reviewed and evaluated. This will help identify what went well and what needs to be improved.
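The transaction monitoring in item 8 above, and the anomaly detection in the data-analysis step of the audit procedure described later in this post, come down to rules run over transfer records. The following is an added example, not code from the original post or from any monitoring product: three rules (a single large transfer, structuring just under a threshold within a time window, and a blocked counterparty) applied to a constructed batch of transfers. The thresholds, the window, the deny-list, and the transfer records themselves are assumptions chosen for the example; sender and recipient names stand in for addresses.

```python
from collections import defaultdict
from typing import Dict, List

# Added example, not code from the original post or any monitoring product.
# The thresholds, window and deny-list below are assumptions for the sample.
LARGE_AMOUNT = 10_000        # a single transfer at or above this is reported
STRUCTURING_FLOOR = 9_000    # transfers in [9_000, 10_000) count as "just under"
STRUCTURING_COUNT = 3        # this many just-under transfers from one sender ...
WINDOW_SECONDS = 3_600       # ... within this window trigger a structuring alert
BLOCKED = {"blocked_1"}      # constructed deny-list; names stand in for addresses

# Constructed transfer records (timestamps in seconds), not real chain data.
SAMPLE_TRANSFERS = [
    {"ts": 1_000, "from": "alice", "to": "bob",       "amount": 500},
    {"ts": 1_100, "from": "carol", "to": "dave",      "amount": 25_000},  # large
    {"ts": 2_000, "from": "eve",   "to": "bob",       "amount": 9_500},   # just under (1)
    {"ts": 2_300, "from": "eve",   "to": "bob",       "amount": 9_800},   # just under (2)
    {"ts": 2_900, "from": "eve",   "to": "bob",       "amount": 9_900},   # just under (3) -> alert
    {"ts": 3_000, "from": "frank", "to": "blocked_1", "amount": 100},     # blocked counterparty
    {"ts": 9_999, "from": "eve",   "to": "bob",       "amount": 9_700},   # outside the window
]


def screen_transfers(transfers: List[dict]) -> List[dict]:
    """Apply the three rules to transfers in time order; return one alert per rule hit."""
    alerts: List[dict] = []
    # sender -> just-under transfers still inside the structuring window
    recent: Dict[str, List[dict]] = defaultdict(list)
    for tx in sorted(transfers, key=lambda t: t["ts"]):
        if tx["from"] in BLOCKED or tx["to"] in BLOCKED:
            alerts.append({"rule": "blocked_counterparty", "ts": tx["ts"], "from": tx["from"]})
        if tx["amount"] >= LARGE_AMOUNT:
            alerts.append({"rule": "large_amount", "ts": tx["ts"], "from": tx["from"],
                           "amount": tx["amount"]})
        elif tx["amount"] >= STRUCTURING_FLOOR:
            # Drop window entries that have aged out, then add this transfer.
            window = [t for t in recent[tx["from"]] if tx["ts"] - t["ts"] <= WINDOW_SECONDS]
            window.append(tx)
            recent[tx["from"]] = window
            # Fire exactly once when the count is reached, not again on every later transfer.
            if len(window) == STRUCTURING_COUNT:
                alerts.append({"rule": "structuring", "ts": tx["ts"], "from": tx["from"],
                               "total": sum(t["amount"] for t in window)})
    return alerts


if __name__ == "__main__":
    for alert in screen_transfers(SAMPLE_TRANSFERS):
        print(alert)
```

Run against the sample, the screen raises three alerts: the 25,000 transfer, the three transfers from `eve` totalling 29,200 inside one hour, and the transfer to the blocked address; the fourth `eve` transfer at ts 9,999 falls outside the window and does not re-trigger. In production the same rules would run on transactions before they are signed (where they can be blocked) and again on confirmed on-chain data (where they can only raise an alert).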
# ITGC and ITAC in the context of blockchain
- ITGC (IT general controls): ITGC ensures the reliability of the systems that produce information material to financial reporting and is the foundation on which ITAC rests. For blockchain, ITGC can include controls over blockchain software development and maintenance, user access, and network security.
- ITAC (IT application controls): These controls provide assurance about the processing done by specific applications. In a blockchain context, ITACs may cover the correct execution of smart contracts, validation of blockchain transactions, and authorization of blockchain participants.
When auditing a blockchain, the auditor should focus on validating the design and effectiveness of the controls in place, which includes reviewing the blockchain's architecture, smart contracts, and access controls. The auditor should also understand how tokens are issued and transacted, the security of the wallet, and any relevant regulatory or legal issues.
The audit should also consider the risk of material misstatement: whether all transactions recorded on the blockchain are complete and accurate, and whether they are properly reflected in the organization's financial statements. In practice this means reconciling on-chain token movements against the organization's own records in both directions. The auditor should also verify the integrity, reliability, and safety of the blockchain itself: that hashing, signature verification, and transaction processing work as designed. For an organization's own or consortium chain this means testing the node software and consensus configuration; for a widely used public chain the auditor does not re-audit the protocol but confirms that the organization reads from a trusted, fully synchronized node and waits for enough confirmations before treating a transaction as final.
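The completeness and accuracy testing described above is, in practice, a reconciliation of on-chain events against the organization's own records. Here is an added example, not code from the original post, that performs that reconciliation in Python over constructed data: a list of on-chain mint and transfer events as an auditor would export from a node or block explorer, and a list of the organization's accounting entries keyed by transaction id. It reports transactions on chain but not in the books (completeness), entries whose amounts disagree (accuracy), book entries with no on-chain transaction (existence), and minting beyond the authorized supply (authorization). The record layout, the transaction ids, and the authorized cap are assumptions.

```python
from typing import Dict, List

# Added example, not code from the original post. All records below are
# constructed; the field names, tx ids and authorized cap are assumptions.
AUTHORIZED_ISSUANCE = 1_000_000   # cap approved by the board / token terms (assumed)

# On-chain events as an auditor would export from a node or block explorer.
ON_CHAIN = [
    {"tx": "0xa1", "type": "Mint",     "from": None,       "to": "treasury",   "amount": 1_000_000},
    {"tx": "0xa2", "type": "Transfer", "from": "treasury", "to": "investor_1", "amount": 250_000},
    {"tx": "0xa3", "type": "Transfer", "from": "treasury", "to": "investor_2", "amount": 100_000},
    {"tx": "0xa4", "type": "Transfer", "from": "treasury", "to": "founder",    "amount": 50_000},
    {"tx": "0xa5", "type": "Mint",     "from": None,       "to": "treasury",   "amount": 20_000},
]

# The organization's own ledger rows, keyed by the on-chain transaction id.
BOOKS = [
    {"tx": "0xa1", "amount": 1_000_000, "memo": "initial issuance"},
    {"tx": "0xa2", "amount": 250_000,   "memo": "sale tranche 1"},
    {"tx": "0xa3", "amount": 10_000,    "memo": "sale tranche 2"},   # accuracy: amount disagrees
    {"tx": "0xa9", "amount": 75_000,    "memo": "advisor grant"},    # existence: no such on-chain tx
    # 0xa4 (founder transfer) and 0xa5 (second mint) are absent: completeness findings
]


def reconcile(on_chain: List[dict], books: List[dict], authorized: int) -> Dict[str, list]:
    """Compare on-chain events with book entries and return findings grouped by assertion."""
    chain_by_tx = {e["tx"]: e for e in on_chain}
    books_by_tx = {r["tx"]: r for r in books}
    findings: Dict[str, list] = {
        "not_in_books": [],           # completeness: on chain, missing from the books
        "amount_mismatch": [],        # accuracy: (tx, book amount, on-chain amount)
        "not_on_chain": [],           # existence: booked, but no on-chain transaction
        "unauthorized_issuance": [],  # authorization: minted more than approved
    }
    for tx, ev in chain_by_tx.items():
        row = books_by_tx.get(tx)
        if row is None:
            findings["not_in_books"].append(tx)
        elif row["amount"] != ev["amount"]:
            findings["amount_mismatch"].append((tx, row["amount"], ev["amount"]))
    for tx in books_by_tx:
        if tx not in chain_by_tx:
            findings["not_on_chain"].append(tx)
    minted = sum(e["amount"] for e in on_chain if e["type"] == "Mint")
    if minted > authorized:
        findings["unauthorized_issuance"].append({"minted": minted, "authorized": authorized})
    return findings


def is_clean(findings: Dict[str, list]) -> bool:
    """True when every finding list is empty, i.e. books and chain agree."""
    return not any(findings.values())


if __name__ == "__main__":
    for assertion, items in reconcile(ON_CHAIN, BOOKS, AUTHORIZED_ISSUANCE).items():
        print(f"{assertion}: {items}")
```

The second mint (`0xa5`) produces two findings at once: it is missing from the books and it pushes total issuance past the authorized cap, which is exactly the kind of item the token issuance review later in this post is meant to catch. Matching on transaction id rather than on amount and date is deliberate; two transfers of the same amount on the same day are common, and only the id ties a book entry to one specific on-chain event.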
As identified above, auditing an organization with a blockchain business requires a deep understanding of how blockchain technology affects the organization's business activities. In addition, auditors should have extensive knowledge of IT general controls (ITGC) and IT application controls (ITAC). ITGC focuses on controlling the operating environment of information systems, while ITAC focuses on controlling the functionality of individual applications.
# ITAC (Information Technology Application Controls)
Information technology application controls are controls that are necessary to prevent and detect risks arising from computerized business processing, and they rely on specific business processes.
Information technology application controls play a significant role in improving processes, increasing efficiency and effectiveness, enhancing customer service, and reducing risk. These controls focus on ensuring the reliability, accuracy, completeness, and timeliness of the process in relation to the main risks that occur in the business process.
Application controls are implemented in the application software itself. The user does not need to understand the underlying machine; the software sits between user and machine, interprets the user's commands, and is the natural place to enforce checks on what is entered, processed, and produced.
The main areas of information technology application controls are as follows:
1) Input Control: Ensuring the accuracy, completeness, and validity of data as it is entered into the system. This prevents users from accidentally or intentionally entering incorrect data.
2) Processing controls: Ensure accuracy, completeness, and validity while the system processes data. This prevents data from being processed incorrectly.
3) Output controls: ensuring that the results of the system's processing are accurate and complete, preventing users from using incorrect information.
In relation to the above areas, it is necessary to control access to the system itself, protect data or system resources, and consider the confidentiality, integrity, and availability of information.
When performing IT and internal audits related to cryptocurrency tokens, the above-mentioned controls are crucial, especially since cryptocurrency tokens have value in and of themselves, and it is essential to ensure the integrity and availability of token-related data.
1) Data integrity: Integrity refers to the accuracy, consistency, and reliability of data. Data associated with cryptocurrency tokens must not be tampered with or lost. Integrity controls serve to ensure this; for example, controls such as data validation and data integrity checks.
2) Data availability: Availability refers to the ability to use data at the time it is needed. Systems involving cryptocurrency tokens require continuous and reliable service, so controls such as backup and recovery procedures and disaster response plans in case of system failure are necessary.
3) Data confidentiality: Access to token-related data should be restricted to users with appropriate authorization. Because this information is security sensitive, controls such as access control, rights management, and user authentication are important.
Before starting the audit, the auditor needs a deep understanding of cryptocurrencies and blockchain, and a clear understanding of the business model and operating environment of the organization using the technology. The auditor should also be aware of the regulatory requirements and legal issues around cryptocurrency transactions, and should conduct the audit with the organization's IT control environment in mind, meaning the strategies and procedures the organization uses to ensure the integrity, availability, and confidentiality of its systems and data.
# How to audit blockchain
A blockchain audit involves the following key steps:
(1) Planning and preparation: Determine the scope of the audit, set objectives, and understand the technical characteristics and processes of the blockchain platform. Review the blockchain's data structures, cryptographic methods, and transaction types. This phase requires a deep understanding of the blockchain network and the systems around it.
(2) Data collection: Obtain the on-chain data (from the organization's node or an independent source) and the organization's own records, and understand the information security and control mechanisms around that data. The transparency of the blockchain makes its transaction data available for analysis and verification.
(3) Review: Thoroughly review the blockchain's transactions, smart contracts, security policies, and so on: that the transactions in each block are valid, that the smart contract logic is correct, and that security policies are actually applied.
(4) Data analysis: Analyze blockchain transactions and associated data for inconsistencies, incomplete transactions, and unusual activity. Blockchain analytics tools can be used to understand transaction patterns, detect anomalies, and examine transaction attributes (time, amount, participants, and so on).
(5) Control testing: Test the control mechanisms around the blockchain, which may include the safety of the blockchain network, the integrity of transactions, the execution of smart contracts, access control and security, and process automation. Testing shows how what is understood in theory behaves in practice and surfaces unexpected errors or problems.
(6) Reporting: Based on the results, produce a report that clearly records the problems found, the recommended improvements, and so on, and deliver it to the responsible person or organization.
The above can be briefly summarized as follows:
1) Verification of cryptocurrency transactions: Auditors can verify cryptocurrency transactions on the blockchain to ensure the completeness, accuracy, and authenticity of transactions. Blockchain technology permanently records each transaction, ensuring transparency and traceability of transactions.
2) Smart contract verification: Smart contracts are automated agreements that execute automatically when certain conditions are met. Auditors can examine the code of a smart contract to ensure that it is working as expected and that there are no security threats.
3) Blockchain network security audits: Blockchain networks must be secure from internal and external attackers. Auditors can verify the network's security mechanisms, detect vulnerabilities in the system, and suggest measures to prevent security threats.
4) Token issuance and trading review: The auditor should understand and review how tokens issued by the organization are issued and traded. This ensures that the issuance and transfer of tokens are properly recorded, that the tokens are being traded in a proper manner, and that legal and regulatory requirements related to the issuance of tokens are met.
5) Wallet and security review: The auditor should ensure that the wallet is properly managed for the security of the tokens. This includes ensuring that the wallet's private and public keys are securely stored and managed, and that access to the wallet is appropriately controlled.
# Conclusion
Blockchain technology has great potential for companies' audit procedures because it ensures transparency, safety, and integrity. However, it is important that this new technology is properly understood and managed. This requires auditors to have a deep understanding of blockchain technology and specialized IT skills, which will help them uncover critical information during the audit process, implement effective control mechanisms, and improve a company's blockchain strategy.
Because the chain structure itself protects the integrity of recorded data, internal controls over that data are stronger than in traditional data management systems. But beyond this basic integrity, there remain a number of risks and issues that need to be addressed.
Establishing internal controls over the servers that manage the blockchain is important, but by focusing on one place where blockchain data is stored and processed, you may be overlooking a broader range of risks and issues.
For example, internal controls are needed for a variety of elements, including token ownership and transfer, transaction monitoring, fraud detection, user authentication and authorization, data security and encryption, and backup and disaster recovery. These elements cannot be handled by the server alone and require an integrated approach to the entire system and organization.
You also need to build internal controls from a legal perspective. You need to ensure that you're complying with laws and regulations related to token issuance and trading, and that you're following regulations such as KYC (Know Your Customer) and AML (Anti-Money Laundering).
At the end of the day, the goal of internal controls is to manage risk for blockchain and token-related activities, successfully achieve business objectives, and comply with laws and regulations, so the "to what extent" you need to implement internal controls depends on how effectively you can achieve these objectives. This requires continuous evaluation and improvement of the establishment and operation of internal controls.