The 21st century has seen a wave of new information systems technologies in science, automotive, aviation and supply chain, among other fields. Perhaps the most disruptive of them is blockchain technology, whose origin dates only to 2008, when an individual (or perhaps a group of individuals) writing under the pseudonym Satoshi Nakamoto published a white paper entitled Bitcoin: A Peer-to-Peer Electronic Cash System to address the threat of double-spending in digital currency.
Today, many leading global organizations already use, or plan to use, blockchain technology as a secure and robust platform for serving customers. The list includes such well-known corporate entities as JP Morgan, Royal Bank of Canada, Bank of America, IBM and Walmart.
The tamper-evident attributes of blockchain, which yield transaction records that cannot be altered after the fact without detection, give internal and external auditors a higher quality of evidence. Blockchain technology will change how an audit engagement is performed, because the technology can seamlessly complement traditional auditing techniques. Various fraud schemes related to financial reporting, such as the recording of fictitious revenues, become harder to conceal once every entry is time-stamped and linked to its predecessors, and frauds involving missing, duplicated and identical invoices can be greatly curtailed. Note that immutability protects a record once it has been written; it does not by itself establish that the entry was legitimate when it was made, so the auditor still has to test the controls at the point of entry.
As a result, the advent of blockchain will enable auditors to reduce substantive testing: lower inherent and control risk lets the auditor accept a higher level of detection risk while keeping overall audit risk at the same acceptable level. The continuing use and popularity of blockchain therefore means that auditors and information systems security professionals will need to deepen their knowledge of this disruptive technology.
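The two audit-relevant properties claimed above, tamper evidence and duplicate-invoice detection, together with the limit that a well-formed but fictitious entry still passes, can be seen in a toy hash-chained ledger. The following Python is an added example written for this page; it is not code from the book or from any of the platforms it covers. The invoice records, the `InvoiceLedger` class and the idea of an "anchored head hash" (a copy of the latest block hash the auditor obtains independently of the system under audit) are all constructed for illustration.

```python
"""Added example: a toy hash-chained invoice ledger (not from the book).

Shows (1) that editing an already-recorded invoice breaks the chain,
(2) that re-linking later blocks to hide the edit is still caught when the
auditor holds an independently obtained head hash, (3) that identical
invoices are rejected at append time, and (4) that a fabricated invoice
appended through the normal path is accepted: the chain proves integrity
after the fact, not the truth of what was recorded.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    record: dict  # the invoice as recorded

    def hash(self) -> str:
        # Canonical JSON so the same content always hashes the same way.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "record": self.record},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


class InvoiceLedger:
    def __init__(self) -> None:
        self.blocks: List[Block] = []
        self._seen: Set[Tuple[str, str]] = set()  # (vendor, invoice_no)

    def append(self, record: Dict) -> Block:
        key = (record["vendor"], record["invoice_no"])
        if key in self._seen:  # identical / duplicated invoice
            raise ValueError(f"duplicate invoice {key}")
        prev = self.blocks[-1].hash() if self.blocks else GENESIS_HASH
        block = Block(len(self.blocks), prev, dict(record))
        self.blocks.append(block)
        self._seen.add(key)
        return block

    def head_hash(self) -> str:
        return self.blocks[-1].hash() if self.blocks else GENESIS_HASH

    def verify(self, anchored_head: Optional[str] = None) -> Tuple[bool, str]:
        """Walk the chain; optionally compare the result to a known head hash."""
        prev = GENESIS_HASH
        for i, b in enumerate(self.blocks):
            if b.index != i or b.prev_hash != prev:
                return False, f"link broken at block {i}"
            prev = b.hash()
        if anchored_head is not None and prev != anchored_head:
            return False, "head hash does not match anchored value"
        return True, "ok"


# Constructed sample data; the vendors and amounts are made up.
SAMPLE_INVOICES = [
    {"vendor": "Acme Supply", "invoice_no": "A-1001", "amount": 1200.0},
    {"vendor": "Acme Supply", "invoice_no": "A-1002", "amount": 850.0},
    {"vendor": "Globex", "invoice_no": "G-77", "amount": 4300.0},
]


def build_sample_ledger() -> InvoiceLedger:
    ledger = InvoiceLedger()
    for inv in SAMPLE_INVOICES:
        ledger.append(inv)
    return ledger


def tamper(ledger: InvoiceLedger, index: int, **changes) -> None:
    """Simulate an insider editing a recorded invoice in place."""
    old = ledger.blocks[index]
    ledger.blocks[index] = Block(old.index, old.prev_hash, {**old.record, **changes})


def relink_after(ledger: InvoiceLedger, index: int) -> None:
    """Simulate the insider re-computing later prev_hash values to hide the edit."""
    for i in range(index + 1, len(ledger.blocks)):
        b = ledger.blocks[i]
        ledger.blocks[i] = Block(b.index, ledger.blocks[i - 1].hash(), b.record)


def demo() -> Dict[str, object]:
    ledger = build_sample_ledger()
    anchored = ledger.head_hash()  # auditor stores this outside the system
    results: Dict[str, object] = {"clean": ledger.verify(anchored)}
    try:
        ledger.append(SAMPLE_INVOICES[0])
        results["duplicate_rejected"] = False
    except ValueError:
        results["duplicate_rejected"] = True
    tamper(ledger, 1, amount=8500.0)          # inflate a recorded amount
    results["after_tamper"] = ledger.verify(anchored)
    relink_after(ledger, 1)                   # try to hide it
    results["after_relink"] = ledger.verify(anchored)
    fresh = build_sample_ledger()             # fictitious but well-formed entry
    fresh.append({"vendor": "Ghost Ltd", "invoice_no": "X-1", "amount": 999.0})
    results["fabricated_accepted"] = fresh.verify(fresh.head_hash())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for an auditor is the last two outcomes: the anchored head hash is what turns a locally re-linkable chain into evidence, and a clean verification result says nothing about whether "Ghost Ltd" ever delivered anything.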
If you are looking for a comprehensive study and reference source on blockchain technology, look no further than The Auditor’s Guide to Blockchain Technology: Architecture, Use Cases, Security and Assurance. This title is a must read for all security and assurance professionals and students looking to become more proficient at auditing this new and disruptive technology.
Author(s): Shaun Aghili
Series: Security, Audit and Leadership Series
Publisher: CRC Press
Year: 2022
Language: English
Pages: 320
City: Boca Raton
Cover
Half Title
Series Information
Title Page
Copyright Page
Table of Contents
Foreword
Preface
1 Blockchain Technology: Creating Trust in a Trustless Environment
Blockchain Defined
Blockchain History
Blockchain Technology Versus Traditional Database Solutions
The Byzantine Generals Dilemma
Blockchain Types
Blockchain Components: A Primer
Centralized Networks
Decentralized Networks
Distributed Networks
The Block
Shared Ledger
Chaining Blocks
Blockchain Attributes and Benefits
Blockchain as a ZTA Tool
Conclusions and Recommendations
Core Concepts
Activity for Better Understanding
References
2 Blockchain Architecture, Components and Considerations
Blockchain Participants and Roles
Blockchain Types
Public Blockchains
Private Blockchains
Open Versus Closed Blockchains
Consensus
Consensus Algorithms
A Cryptography Primer
Symmetric Cryptography Algorithms
Asymmetric Cryptography Algorithms
Hybrid Cryptography
Homomorphic Cryptography
Elliptic Curve Cryptography
Zero-Knowledge Proof
Hash Functions
How Does a Hash Work?
Where Are Hash Functions Used?
Security Properties of Hash Functions
Real-World Hash Applications
Common Cryptographic Hash Functions
Merkle Trees
The Working of Merkle Trees
Benefits of Merkle Trees
Digital Signatures
Digital Signature Generation
Digital Signature Verification and Validation
Access Control, Identity Management and Membership Service Providers
Identity Management
Membership Service Providers
Crypto Wallets
Types of Wallets
Cold Wallet Or Cold Storage
How Are Keys Stored in a Wallet?
Inter-Planetary File Systems
Smart Contracts
Smart Contract Lifetimes
How Developers Ensure Users Cannot Exploit Bugs Or Unintended Functionality
Turing Completeness
Untrusted Code
Conclusions and Recommendations
Core Concepts
Activity for Better Understanding
References
3 Blockchain Tokens and Cryptocurrencies
Blockchain Governance
Popular Blockchain Governance Strategies
Blockchain Forks
Why Forks Happen
Types of Forks
The DAO Hack
Tokens in Blockchains
Types of Tokens
Token Standards
Ethereum Gas and EIP 1559
Blockchain Token Use Cases
Cryptocurrencies
Popular Cryptocurrency Types
Cryptocurrency Exchanges
Summary and Conclusions
Core Concepts
Activity for Better Understanding
References
4 The Advent of the Triple Entry Accounting: Implications for Accountants and Auditors
The History of Accounting Entries
Single Entry
Double Entry
Triple-Entry Accounting
Double-Entry Versus Triple-Entry Accounting
The Effect of Triple-Entry Accounting for Accountants
The Implications of Blockchain for Auditors
Financial Fraud Mitigation Using Blockchain Technology
Financial Statement Fraud
Skimming
Cash Larceny
Register Disbursement Schemes
Check Tampering
Billing Schemes
Payroll Schemes
Expense Reimbursement Schemes
Misuse of Inventory
Other Non-ACFE-Related Blockchain Threats
Double-Spending Attacks
Exchange Hacks
Social Engineering
Malware
A Proposed Purchase Cycle Blockchain Audit Checklist
Fraud Schemes Associated With Purchase Cycle
Public and Private Sector Triple-Entry Accounting Challenges
Summary and Conclusions
Core Concepts
Activity for Better Understanding
References
5 Blockchain Use in the Financial Services Sectors
Blockchain Use in Financial Services
Blockchain in the Banking Sector
Banking Payments Systems
The Embedded Supervision Principles in Blockchains
Use of Blockchain On Exchanges
Blockchain-Based Transaction Clearance and Settlements
The Investment Management Sector (Mutual Funds)
Investment Management Use Cases
Know Your Customer Considerations
Streamline Compliance and Process Duplication Avoidance
Blockchain as a Money Laundering Prevention Tool
Blockchain and Consumer Credit
Cardholder Identity and Verification Processes
Microloans Management for Users in Developing Countries
A Corda Platform Use Case
Blockchain and Trade Financing
International Trade Use Cases
Blockchain in the Insurance Sector
Blockchain Solutions for Various Insurance Use Cases
Blockchain and Group Insurance Benefits
Summary and Conclusions
Core Concepts
Activity for Better Understanding
References
6 Blockchain and Supply Chain Management
Supply Chain Defined
Different Types of Supply Chain
Supply Chain Components
Supply Chain Fraud Risks
Counterfeit Goods
Fraudulent Billing
Misappropriation of Assets
Food Fraud
Mislabeling – Some Major Food Fraud Cases
Blockchain Benefits in Supply Chain Management
Walmart’s Supply Chain Blockchain
Maersk
DeBeers Jewelers
Summary and Conclusions
Core Concepts
Activity for Better Understanding
References
7 Ethereum, Hyperledger and Corda: A Side-By-Side Comparison of Capabilities and Constraints for Developing Various Business Case Uses
Ethereum
Components of Ethereum
Smart Contracts
The Ethereum Virtual Machine
Characteristics of Smart Contracts
Limitations of Smart Contracts
Consensus Mechanism
Limitations of Ethereum
Ethereum Use Cases
Hyperledger
Hyperledger Frameworks
Benefits of Using Hyperledger
The Design Philosophy of Hyperledger
Tools of Hyperledger
Hyperledger Smart Contracts
The Architecture of Hyperledger
Consensus in Hyperledger
Limitations of Hyperledger
Hyperledger Use Cases
Corda
Components of the Corda Platform
Corda Smart Contracts
Corda’s Consensus Mechanism
Corda Use Cases
User Privacy in Corda
Limitations of Corda
A Side-By-Side Comparison of Ethereum, Hyperledger and Corda
Decision Tree to Choose the Right Framework for a Business Use Case
Summary and Conclusions
Core Concepts
Activity for Better Understanding
Reflective Questions (Supplementary)
References
8 Designing a Blockchain Application
Blockchain Design Guiding Principles and Considerations
Do We Need a Blockchain Solution in the First Place?
Does the Application Need to Be Feature-Heavy Or Feature-Light?
What’s More Important – Collaboration Or Security?
Design for Security and Privacy
Will the App Have Consistency Or Specialization?
Will Support Be Centralized Or Decentralized?
The Mechanics of Decentralization in DApp
Monolithic Or Modular?
Personas
Persona Example 1
Persona Example 2
User Stories
Prof. Shaun’s User Story
Dr. Anika’s User Story
Functional Requirements
Technical Requirements and Tasks
Popular Application Design Approaches
Ancile
Ontology-Driven Approach
Software Engineering Strategies for DApps
The Model-Driven Approach
The User Design Approach
The Design Process
Blockchain Application Design: Good Practices and Considerations
Summary and Conclusions
Core Concepts
Activity for Better Understanding
References
9 Blockchain Application Development
Fundamental Differences Between Software and Firmware
Popular Application Development Frameworks
Ethereum
Hyperledger
Corda
Ripple
Quorum
Layers of Blockchain Application
Tools for Blockchain Applications
Integrated Development Environment
Good Practices for Blockchain Development
Summary and Conclusions
Core Concepts
Activity for Better Understanding
References
10 Testing and Auditing Blockchain Applications
Why It Is Critical to Test a Blockchain Application
Popular Testing Tools for Blockchain
Challenges in Testing Blockchain Implementation
Phases of Blockchain Testing
Testing Models: Functional Testing
Blockchain Bug Management Considerations
A Four-Step Bug Management Strategy
Blockchain Bug Categories
Tools for Testing
Test Plan Strategy for Blockchain Applications
Opportunities to Enhance Testing Strategies
Regression Testing
Automation Testing
Test Management Considerations
User Acceptance Testing
Blockchain Application Auditing Considerations
A Framework for Auditing Blockchain Solutions
A Proposed Audit Checklist for Blockchain Audits
Summary and Conclusions
Core Concepts
Activity for Better Understanding
Reflective Questions
References
11 Blockchain System Implementation
Introduction
Disaster Recovery
Elements of an Effective Disaster Recovery Plan
The Use of Blockchain Technology in Disaster Recovery
Verification of Data Integrity
Availability
Memory Correction
Cloud Storage
Contract Management
Fraud in Contract Management
Blockchain as a Tool in Contract Management
Product Distribution/Monetization
Supply Chain Management
Blockchain’s Value in Today’s Supply Chains
Asset Management Using Blockchain
Blockchain as a Solution in Asset Management
Use of Blockchain for Data Control, Security, Legal Compliance and Assurance
Data Control
Security
Legal Compliance
Assurance
Blockchain Implementation Challenges
Using a COBIT 2019 Approach for Blockchain Implementation
A Three-Layer Implementation Approach
The COBIT 2019 Implementation Approach
Phase 1: What Are the Drivers?
Phase 2: Where Are We Now?
Phase 3: Where Do We Want to Be?
Phase 4: What Needs to Get Done?
Phase 5: How Do We Get There?
Phase 6: Did We Get There?
Phase 7: How Do We Keep the Momentum Going?
Summary and Conclusions
Core Concepts
Activity for Better Understanding
References
12 Blockchain Risk, Governance Compliance, Assessment and Mitigation
Blockchain Technology Risks
Ledger Transparency Risks
Blockchain Security Risks
Operational Risks
Blockchain Application Development Risks
Cryptocurrency and Payment Considerations
Blockchain Regulatory Compliance Risks
Regulatory Compliance Considerations
Payment Card Industry Data Security Standards
Blockchain Considerations Related to Payment Card Processing
Health Insurance Portability and Accountability Act
Blockchain Considerations Related to HIPAA
General Data Protection Regulation
The Personal Information Protection and Electronic Documents Act
The COSO Framework
A Proposed List of Blockchain Good Practices Based On COSO
Conclusions and Recommendations
Exercise for Better Understanding
References
13 Blockchain User, Network and System-Level Attacks and Mitigation
Introduction
Blockchain User, Network and System-Level Attacks and Mitigation
User-Level Attacks
Stolen Private Key
Mitigation
Malware
ElectroRAT
PCASTLE
Lemon Duck
Ransomware
Mitigation
Implementing System Updates
Node-Level Attacks
Mitigation
Blockchain Network Attacks
Flawed Network Design
Poor Overall Network Security
51% and Double Spending Attacks
DoS Attacks
Eclipse Attacks
Replay Attacks
Routing Attacks
Sybil Attack
Blockchain System-Level Attacks
Integer/Buffer Overflow Attacks
Mitigation
Time Stamp Attacks
Mitigation
Buffer Out of Bounds Attacks
Mitigation
Race Condition Attacks
Mitigation
Blockchain Security Best Practices
Inherent Security Measures
Ethereum
Ethereum Smart Contracts
Ethereum Security Measures
Hyperledger Fabric
Hyperledger Smart Contracts
Hyperledger Security Measures
Corda
Corda Smart Contracts
Corda Security Measures
Summary and Conclusions
Core Concepts
Activity for Better Understanding
References
14 Smart Contract Vulnerabilities, Attacks and Auditing Considerations
Smart Contracts Security Considerations
Reentrancy Attack
Real-Life Case Scenario
Access Control
Real-Life Case Scenario
Arithmetic Over/Underflows
Real-Life Case Scenario
Unchecked Return Values
Real-Life Case Scenario
DoS Attacks
Real-Life Case Scenario
Bad Randomness
Real-Life Case Scenario
Race Condition
Real-Life Case Scenario
Short-Address Attack
Timestamp Dependency
Real-Life Case Scenario
Smart Contract Auditing Considerations
Smart Contract Auditing
Control Flow Analysis Tools
McCabe IQ
Ethereum Virtual Machine
Taint Analysis Tools
TAJ
DYTAN
Dynamic Code Analysis Tools
MAIAN
ContractLarva
Vulnerability-Based Scanning Tools
Mythril
Securify
SmartCheck
Symbolic Execution Tools
DART
Manticore
Oyente
Summary and Conclusions
Core Concepts
Activity for Better Understanding
References
15 Blockchain-As-A-Service
Introduction
A History of Cloud Computing
Cloud Computing at a Glance
Cloud Computing Attributes
Cloud Deployment Types
Cloud Computing Service Models
Cloud Computing Roles and Responsibilities
Benefits of Cloud Computing
What Is BaaS?
How Does the BaaS Model Work?
Advantages of BaaS
BaaS Challenges
Current and Anticipated Future Interest in BaaS
How Is BaaS Different From Serverless Computing?
BaaS Server-Side Capabilities
How Is BaaS Different From PaaS?
How Do BaaS Applications Run?
Consensus Mechanism
Criteria for Selecting a Blockchain as a Service Partner
BaaS Platforms
IBM BaaS
Oracle
Microsoft Azure BaaS
Amazon AWS BaaS
Alibaba
Accenture
Baidu
Huawei
SAP BaaS
BaaS Business Use Case
Food Traceability With Amazon Managed Blockchain: Nestlé
Royalties Information for Publishers With Azure Blockchain Service
Global Shipping Business Network Oracle Blockchain-As-A-Service: CargoSmart
Proposed BaaS Platforms
Functional Blockchain-As-A-Service
NutBaaS
Full-Spectrum Blockchain-As-A-Service
Novel Blockchain-As-A-Service
Unified Blockchain-As-A-Service
Public Blockchain-As-A-Service
BaaS Governance
Permissioned Chains
Off-Chain Control
Summary and Conclusions
Core Concepts
Activity for Better Understanding
References
Index