How SOC can build trust in blockchain


Risk is part of business. Risk is also part of technology. As you integrate new technologies into your business, it’s important to understand both the capabilities and the risks.


Leaders from the line managers to the CEO need to understand how new technologies will affect their operations, and how they need to use controls to manage the risks. Some of the most exciting new capabilities in business have digital assets and blockchain technology at their core.


Many people only think of blockchain as the technology supporting cryptocurrencies like Bitcoin and Ethereum. Other blockchain use cases continue to present themselves, though, from supply chain management to gaming, across industries from healthcare to real estate. The security, transparency, traceability and efficiency of blockchain solutions can be powerful, with intrinsic benefits that can help your organization build trust, establish a positive reputation and gain new clients.


However, blockchain technology can be complex and not all businesses (or customers) are ready to navigate the risks on their own. Businesses might choose to rely on third parties to help implement or manage blockchain solutions, and that third-party reliance can introduce risks. If a business develops a blockchain solution in-house, there can be a risk of insufficiently understanding the function or architecture of the technology. There is even a risk that the technical implementation team might not understand the business use case that the blockchain solution is meant to support.


Headshot of Brad Barrett

“If a developer isn’t thinking of the risks while working on the technology, then it’s easy to miss out on some of those components of the code that are positive — and overlook some risks.”

Brad Barrett

Grant Thornton Risk Advisory Services Partner

“In order to understand the risks, it’s important to understand the technology,” said Grant Thornton Risk Partner Brad Barrett. “If a developer isn’t thinking of the risks while working on the technology, then it’s easy to miss out on some of those components of the code that are positive — and overlook some risks.” Processes such as change management or security administration can help to mitigate technology risks, but what if you are the company responsible for performing these processes, or if you are performing these processes for someone else?


Manage risks with controls


To manage the complexity and risk of blockchain solutions, businesses can develop an understanding of the technology and use a framework for implementing controls. The AICPA has established guidance that independent auditors can use to perform System and Organization Controls (SOC) examinations on a blockchain solution or blockchain management company, to understand how well controls have been implemented. These third-party attestations can be particularly helpful when seeking to build trust in the output of an evolving technology like blockchain.


SOC examinations can generate three main types of reports that can help you and your customers understand a solution’s design and effectiveness. The reports cover information technology general controls, along with controls relating to financial reporting, other reporting, transaction processing and similar activities. Alternatively, SOC reports can focus on categories of IT risks like security, availability, processing integrity, confidentiality and privacy. The AICPA guidance provides for flexibility that lets you focus on those areas most important to your organization and your customers:

  • SOC 1 (Internal Control over Financial Reporting): evaluates the service organization’s internal controls over financial reporting, which are likely to impact the user entities’ financial statements
  • SOC 2 (Trust Services Criteria): evaluates the service organization’s controls relevant to security, availability, processing integrity, confidentiality, and privacy of the systems, which are likely to impact the service commitments and system requirements contracted by the user entities
  • SOC 3 (Trust Services Criteria for General Use): evaluates the same controls as a SOC 2, but the report is designed for general public use



Use SOC reports


SOC reports provide insight into how a particular process is conducted. They also provide insight into whether the internal controls are adequate to maintain the desired level of accuracy, completeness or relevance when focusing on business processes. If you are concerned about information technology, SOC reports help clarify processes relating to security, availability, processing integrity, confidentiality, privacy or other topics. Here are some examples of how a SOC report may be used:

  • Customer request: If a current or prospective customer wants you to demonstrate your ability to meet service commitments or system requirements effectively, or that you have the right customer protections in place, a SOC 2 or SOC 3 report can help build confidence.
  • Third-party vendor: If a company is not fully familiar with blockchain technology but they are preparing to do business with a vendor that uses it, the company can ask the vendor for a SOC 2 report that demonstrates the effectiveness of that vendor’s security or operational efficiency processes and controls.
  • Reduce audit requests: If your current customers require audit support for their controls over financial reporting related to your system, a SOC 1 report can reduce the burden of compliance from many unique requests made by many unique customers, to a streamlined report upon which all your customers can rely.
  • Management internal evaluation: Management can request an independent audit to understand whether the controls and security framework they have in place are operating as expected.

The key benefit of a SOC examination and report is to demonstrate an understanding of both the process and the risks, as well as the suitability of design and operating effectiveness of controls.


Headshot of Sara Henderson

“These key audit insights can be shared with management and may also be top of mind for the company’s customers and external auditors.”

Sara Henderson

Grant Thornton Risk Advisory Services Experienced Manager

“During a SOC examination, one objective is to map the financial reporting, security, availability, processing integrity, confidentiality or privacy risks associated with the environment to controls that support the business process and IT architecture,” said Grant Thornton Risk Experienced Manager Sara Henderson. “A secondary benefit of this process is identifying control gaps or opportunities for operational improvement. These key audit insights can be shared with management and may also be top of mind for the company’s customers and external auditors.”


Consider the biggest factors for blockchain


Privacy protections are a key element in blockchain technology. Information in a private blockchain distributed ledger must remain both private and secure against unauthorized access. A SOC examination can help provide assurance that information from a company — or its customers — will remain secure.


Cybersecurity is a concern for businesses and governments around the world. The ability to protect sensitive and confidential information can make the difference between business success and failure. Companies can use a specific SOC report dedicated to the unique challenges of cybersecurity to show how they will detect, respond to, mitigate and recover from security breaches.


Headshot of Kirt Seale

“The biggest motivation for these companies should be to apply a solid foundation of internal controls while they are growing.”

Kirt Seale

Grant Thornton Risk Advisory Services Principal

In supply chain operations, companies might need to demonstrate that a blockchain solution has effective internal controls in place to identify issues before they become problems. Many companies have recently become much more sensitive about the risks and impacts of supply chain disruptions.


“The biggest motivation for these companies should be to apply a solid foundation of internal controls while they are growing,” said Grant Thornton Risk Principal Kirt Seale. “Rather than backing into internal controls and potentially ingraining bad habits, start sooner and earlier to avoid problems down the road.”


Trust matters


It’s always important to help others believe in the quality, efficiency and effectiveness of your business operations. When businesses conduct SOC examinations and reports, they can move a step ahead of the competition. Show your customers, stakeholders, investors, employees and vendors that you have a serious commitment to quality, and show them that their trust matters to you.






Our featured advisory services insights