How SOC can build trust in blockchain

Risk is part of business. Risk is also part of technology. As you integrate new technologies into your business, it’s important to understand both the capabilities and the risks.

Leaders from the line managers to the CEO need to understand how new technologies will affect their operations, and how they need to use controls to manage the risks. Some of the most exciting new capabilities in business have digital assets and blockchain technology at their core.

Many people only think of blockchain as the technology supporting cryptocurrencies like Bitcoin and Ethereum. Other blockchain use cases continue to present themselves, though, from supply chain management to gaming, across industries from healthcare to real estate. The security, transparency, traceability and efficiency of blockchain solutions can be powerful, with intrinsic benefits that can help your organization build trust, establish a positive reputation and gain new clients.

However, blockchain technology can be complex and not all businesses (or customers) are ready to navigate the risks on their own. Businesses might choose to rely on third parties to help implement or manage blockchain solutions, and that third-party reliance can introduce risks. If a business develops a blockchain solution in-house, there can be a risk of insufficiently understanding the function or architecture of the technology. There is even a risk that the technical implementation team might not understand the business use case that the blockchain solution is meant to support.

Manage risks with controls

To manage the complexity and risk of blockchain solutions, businesses can develop an understanding of the technology and use a framework for implementing controls. The AICPA has established guidance that independent auditors can use to perform System and Organization Controls (SOC) examinations on a blockchain solution or blockchain management company, to understand how well controls have been implemented. These third-party attestations can be particularly helpful when seeking to build trust in the output of an evolving technology like blockchain.

SOC examinations can generate three main types of reports that can help you and your customers understand a solution’s design and effectiveness. The reports cover information technology general controls, along with controls relating to financial reporting, other reporting, transaction processing and similar activities. Alternatively, SOC reports can focus on categories of IT risks like security, availability, processing integrity, confidentiality and privacy. The AICPA guidance provides for flexibility that lets you focus on those areas most important to your organization and your customers:

• SOC 1 (Internal Control over Financial Reporting): evaluates the service organization’s internal controls over financial reporting, which are likely to impact the user entities’ financial statements
• SOC 2 (Trust Services Criteria): evaluates the service organization’s controls relevant to security, availability, processing integrity, confidentiality, and privacy of the systems, which are likely to impact the service commitments and system requirements contracted by the user entities
• SOC 3 (Trust Services Criteria for General Use): evaluates the same controls as a SOC 2, but the report is designed for general public use

Use SOC reports

SOC reports provide insight into how a particular process is conducted. They also provide insight into whether the internal controls are adequate to maintain the desired level of accuracy, completeness or relevance when focusing on business processes. If you are concerned about information technology, SOC reports help clarify processes relating to security, availability, processing integrity, confidentiality, privacy or other topics. Here are some examples of how a SOC report may be used:

• Customer request: If a current or prospective customer wants you to demonstrate your ability to meet service commitments or system requirements effectively, or that you have the right customer protections in place, a SOC 2 or SOC 3 report can help build confidence.
• Third-party vendor: If a company is not fully familiar with blockchain technology but they are preparing to do business with a vendor that uses it, the company can ask the vendor for a SOC 2 report that demonstrates the effectiveness of that vendor’s security or operational efficiency processes and controls.
• Reduce audit requests: If your current customers require audit support for their controls over financial reporting related to your system, a SOC 1 report can reduce the burden of compliance from many unique requests made by many unique customers, to a streamlined report upon which all your customers can rely.
• Management internal evaluation: Management can request an independent audit to understand whether the controls and security framework they have in place are operating as expected.

The key benefit of a SOC examination and report is to demonstrate an understanding of both the process and the risks, as well as the suitability of design and operating effectiveness of controls.

Consider the biggest factors for blockchain

Privacy protections are a key element in blockchain technology. Information in a private blockchain distributed ledger must remain both private and secure against unauthorized access. A SOC examination can help provide assurance that information from a company — or its customers — will remain secure.

Cybersecurity is a concern for businesses and governments around the world. The ability to protect sensitive and confidential information can make the difference between business success and failure. Companies can use a specific SOC report dedicated to the unique challenges of cybersecurity to show how they will detect, respond to, mitigate and recover from security breaches.