Digitalization in auditing: The blockchain technology: opportunity for new audit spaces?

(1)

Digitalization in auditing:

The blockchain technology: opportunity for new audit spaces?

Msc. Accountancy and Controlling

University of Groningen, Faculty of Economics and Business

EBM000A20 25-06-2018 Michelle Koning S2301229 m.koning.9@student.rug.nl Supervisor: dr. A. Bellisario

Second assessor: prof. dr. D.M Swagerman

(2)

2

ABSTRACT

This research has studied the impact of digitalization in auditing. Currently blockchain is among the most trending technologies and assumed to be disrupting for various professions. In this sense, blockchain is regarded as especially disruptive for the auditing profession. Some voices even argue that it could eliminate the demand for auditing altogether. However, despite the expectations there is a paucity of knowledge regarding where and how blockchain technology is effectively applicable. This study aims to contribute to the knowledge by investigating how blockchain opens a new audit space for auditing. The evidence indicates that the application of blockchain within auditing results to a shift in tasks where the professional judgement of an auditor becomes more important. Furthermore, the blockchain can be regarded as another IT system hereby affecting auditor’s assessment of the effectiveness of the internal control. Subsequently the use of blockchain solutions results in a growing demand for audit and assurance services hereby opening a new audit space for auditing. Nevertheless the evidence indicated that currently the skills and capabilities of auditors are not sufficient in order to provide audit and assurance services. Moreover, the lack of standards and regulation regarding blockchain delays the emergence of new audit spaces.

(3)

3

INTRODUCTION

Over the past decades, every aspect of organizational and social activities has been impacted by the rapid developments of the internet and information technologies (Li et al. 2009). Digital technologies are reshaping organizations and markets, creating technological discontinuity that has a disruptive effect on business models. This is also emphasized by Bhimani and Willcocks (2014) who state that no aspect of business today remains untouched by digital technologies. Moreover, according to Arsenie-Samoil (2010) trends resulting from digitalization can’t be avoided. In order to survive, organizations should modernize by implementing new information technologies. Furthermore, digitalization has led to a constant change of roles, relationships, practices, identities and skills within organizations (Yoo et al. 2010).

As businesses adapts to digitalization, so too does the auditing profession (Caster and Verardo, 2007). Almost 25 years ago, Baker (1993) already stated that digitalization affects the practices of auditing. Recently, Forbes Insight and KPMG (2017) examined how technologies are changing the audit profession and found that innovative technologies are considered to be the future of auditing, and indeed will play a vital role. Moreover, according to Lombardi et al. (2015) the auditing profession is at a crossroad: rapidly advancing technology changes the way information is received and analyzed. In order to remain a relevant service to users of financial statements, auditing must find a way to evolve. Experts already agreed that the auditing profession has begun to evolve new advanced technologies and that it will further incorporate technology over the next decade.

This inevitably raises questions on how the adoption of innovative technologies might influence the auditing profession. In this wise, this study is meant to address the blockchain technology as the specific technological innovation impacting the auditing profession.

According to Dai and Vasarhelyi (2017), blockchain has served as a potentially transformative information technology and is considered as one of the most important and innovative technologies developed in recent years. By zooming-in the auditing domain, Fanning and Centers (2015) stated that blockchain will change the way financial firms perform many of their activities. Along this line, that is also believed in common practice (e.g., Swan, 2015).

(5)

5

Wang and Kogan (2017), for instance, mentioned the audit field as the potential field where blockchain will be most disruptive and promising. Finally, Gupta (2017) even states that blockchain will replace all financial intermediaries and that the blockchain technology might reduce the demand for auditing.

But what is blockchain? Blockchain established a decentralized public ledger that provides a secure infrastructure for transactions among unfamiliar parties without a central authority. The technology should lead to lower trading costs, quicker transaction settlement, a reduced fraud risk, improved auditability of transactions and increased effectiveness of monitoring (Dai and Vasarhelyi. 2017). Noticeably, these features are in accordance with the audit function (Li, 2017).

Some studies have been recently arguing that digital technologies, such as blockchain, can imply tremendous change in auditing (Guthrie and Parker, 2016). Along this line, Vasharhelyi et al. (2015) already suggested that when the majority of audit clients eventually adopts a blockchain technology the audit profession has to adapt. Still, stepping on to the current practice-based conversation on auditing and technology, the IAASB (2016) has even claimed that an effective use of blockchain may be calling for auditors with changed competencies and skills. However, despite the predicted potential effects of blockchain on the audit profession, the application of blockchain to auditing remains largely under-explored (Dai and Vasarhelyi, 2017) and, so far, little evidence has been delivered.

In this sense, throughout their history the audit profession has been proven to be highly adaptive in responding to and innovating amid dynamic and competitive markets. Change within the audit profession has previously led to a series of “new audit spaces” (Andon et al. 2015). This adaptations towards new audit spaces can transform traditional auditing principles and procedures (Jeacle, 2017).

However, despite such a summoned attention, the current literature seems to be lacking empirical explanations about “how” the blockchain technology is impacting on the audit process. In fact, despite the increased attention blockchain has received from the audit profession, it remains an underdeveloped research area (Umarovich et al. 2017). Thus, in order to provide a stepping stone towards an increased understanding, this study aims to explore the implications of blockchain technology in the audit profession by answering the following research question: “How does blockchain open a new audit space for auditing?”

(6)

6

Contribution

According to Carter et al. (2015), research on emerging developments within auditing can advance our understanding of how they emerge and what the implications for professionals are. Particularly, this study responds to recent calls from the auditing research community, which has been urging more academic examination of emerging areas of relevant interest, such as the digital economy (e.g., Guthrie and Parker, 2016), where blockchain in fact lies.

This study is also relevant for practitioners since it aims to bring further insight in the changing audit profession. Both ‘today’s auditors’ and ‘auditors to be’ might benefit from the findings, in order to prepare themselves towards the required skills and knowledge needed to cope with the impact that disruptive technologies have on auditing. Moreover, according to Andon et al. (2015) and Cooper and Morgan (2013) research of new audit spaces offers important insight into the future operation of audit firms and auditors more generally.

Furthermore, according to Risius and Spohrer (2017) there is a call for research concerning how blockchain can replace certain service providers, such as auditors, or how the established companies can implement blockchain to their current business. This is exactly where this study is aiming at by investigating how blockchain opens a new audit space for auditing.

The remainder of this study is as follows: the next chapter consist of the theoretical background of this study. After the theoretical background the method of this study is descripted. The study ends with a representation of the study’s findings resulting in the discussion and conclusion.

(7)

7

THEORETICAL BACKGROUND

The first part of this chapter explains how blockchain opens a new audit space by using the theory of the audit expectations gap. The second part conceptualizes the blockchain technology and reviews the implications of blockchain for auditing as described existing literature.

The audit expectations gap

The power of the audit profession: vagueness about the scope and meaning of the audit Due to the increasing digitalization it is suggested the audit profession is at risk of being left behind. However, at the same time, there has been a growing demand for audit styled services resulting in the emergence of a number of novel audit and assurance spaces (Andon et al. 2014; Andon et al. 2015). O’Dwyer (2011) states that although the competitive environment of accounting firms has been transformed, the accounting profession retains to have a crucial role and even extends its influence. This raises questions regarding how the audit profession was able to maintain its power and how new audit spaces have emerged.

According to Free et al. (2009) the power of the audit profession rests on the vagueness about the scope and meaning of the audit. This vagueness results in the exportability of financial auditing into new audit spaces and its capacity to lend legitimacy to this new context. This is also emphasized by Andon et al. (2014) arguing that the exportability of auditing, into domains beyond the traditional financial audit, lies within the seductiveness of vaguely defined auditing ideals. The vagueness about the scope and meaning of the audit is reflected in the audit expectations gap.

Vagueness about the scope and meaning of the audit: the audit expectations gap

The vagueness about the scope and meaning of auditing results from the unclear relationship between the inputs and the outputs of auditing (Power, 1997). The input consists of the audit routines and procedures performed by the auditor, the output consists of an opinion given by the auditor. The presumed effect of this opinion is to enhance the credibility of the audited object. However, the input leading to the output cannot be observed: despite the mass of technical routines and procedures available to the auditor the nature of the opinion given remains vague. This results in an obscurity regarding what auditors do. In other words, the nature of auditing, the various roles and responsibilities and the audit practice are poorly understood by non-auditors (Humphrey, 1992). This obscurity is reflected in the audit expectations gap.

(8)

8

The gap can be defined as “the gap between society’s expectations of auditors and auditors’

performance as perceived by society” (Porter, 1993). This expectations gap is essential for the

audit profession (Power, 1997)

Essential obscurity: the expectations gap and the position of the audit profession This paragraph explains why the expectations gap, is essential to the audit profession.

Power (1997) states that the legitimacy of auditing requires some publicity of the operational process but not so much that it could be directly copied by outsiders. This is also the case with audit objectives. The objectives have to be concrete enough to be perceived as useful by the user groups and general public, however not concrete enough that it is possible for outsiders to determine the success or failure of the process in meeting its objectives. In other words, in order to keep their economic position the audit practice should not become fully transparent. It is the expectation gap that prevents the audit practice from being fully transparent.

If non-auditors could measure the input and output directly, the audit becomes fully transparent, resulting in an understanding of what auditors do. If this is the case there is no expectation gap. However, considering the statements above, in order to stay legitimate auditors should publish some of the operational process but not too much. Thus, from this point of view, the existence of the expectation gap sustains the economic position of the audit profession.

That obscurity is essential to sustain the economic position is also emphasized by Lee (1993), stating that the auditing profession, can be characterized as an institutionally - based occupation which uses various explicit characteristics, traits and situations as strategic resources to advance its claim to self-regulate its activities and exercise market control over its services.

(9)

9

Lee (1993) further states that it is of particular strategic concern that a profession demonstrates a credible body of knowledge underlying its practices, but without revealing sufficient detail to permit access to non-members. In this way the practices remain vague, resulting in an expectations gap. This gap engineers a widening of the scope of audit (Lee, 1993; Power, 1997).

Towards meeting expectations: the expectations gap as a resource for change in auditing As mentioned before the audit expectations gap secures the position of the audit profession. However, the expectations gap can also impair the position of the audit profession. Nevertheless, according to Ruhnke and Schmidt (2014), the audit profession has a rational interest in ensuring that its activities gain and maintain external legitimacy. Therefore the audit profession will try, to some extent, to meet society’s expectations by closing the expectation gap. In this sense, the expectation gap can be used as a driver for change within auditing (Ruhnke and Schmidt, 2014). This is also emphasized by Humphrey et al. (1992), stating that the expectation gap can be seen as a symptom of the evolutionary development of audit responsibilities since the audit profession gradually and constructively responds to the changing expectations of society. As a result of changing expectations of society, the audit profession accepts additional duties and responsibilities. In other words, the expectations gap extends auditing to include areas which are currently not covered.

Moreover, the existence of an expectations gap indicates that there is a need to expand the scope of audit and assurance services (Schelluch and Gay 2006). In order to meet society’s expectations auditing must change in line with market expectations. Essentially, new roles and changes in the functional scope have always been demanded of audit (Power, 2003). Consequently, the nature of auditing has changed as the boundaries have been redrawn resulting in an emergence of new audit spaces (Andon et al, 2015).

The offer of new services in order to meet society’s expectations is also consistent with the more traditional, protective defense of the status quo, which is already explained in this chapter. Namely, the use of the expectations gap by the audit profession in order to maintain its position. Although the profession stresses its commitment to the public interest by its acceptance of additional duties, this acceptance portrays a rather narrow, self-interested, commercially-orientated depiction of the public interest (Humphrey et al. 1992).

(10)

10

This is also emphasized by Fisher and Naylor (2016), stating that the persistent nature of the gap is no accident but rather the natural consequence of tensions between a largely self-interested profession and the public they serve. The reactive responses of the profession to close the gap can be viewed as a strategic response (Fisher and Naylor, 2016). Auditors use the vagueness of the nature of auditing to meet expectations of society but subsequently to retain their own position. Resulting in a continuous negotiation and transformation of the preferred meanings of the nature, practice and outcomes of auditing.

The expectations gap and blockchain technology

The following part applies the theory of the expectations gap to the specific context of this study: the blockchain technology.

Existence of an expectations gap

While rapid technological developments have resulted in changes in business and financial reporting, the response from the audit profession, falls considerably short (Fisher and Naylor, 2016). Moreover, when significant changes occur in the corporate arena society expects auditors to accept a range of new responsibilities (Porter, 2012). When the response to the changes falls short it can be assumed that the audit profession has not incorporated the expected responsibilities yet. Thus, within this context, the conditions appear for the emergence of an expectations gap (Fisher and Naylor, 2016).

Connecting this to the technological development which is the subject of this study it is argued that blockchain will have a significant impact on the corporate arena. At the same time, it is also argued that the response of the audit profession towards blockchain technology falls short (Dai and Vasarhelyi, 2017). Thus, it is argued that an expectations gap will emerge due to the current situation of the audit profession in relation to blockchain. Through this expectations gap blockchain opens a new audit space for auditing in the following manner:

Vagueness concerning the scope and meaning of auditing: incorporating blockchain in auditing

As mentioned before auditors deliberately keep the meaning and scope of auditing vague, this prevents outsiders from entering the audit field and enables auditors to broaden the scope and practice of auditing. Since the public does not understand what auditors do, the audit profession could simply incorporate blockchain technology within auditing.

(11)

11

According to Humphrey et al. (1992) symbolic traits of independence, trustworthiness, altruism and expertise in combination with the vagueness about what an auditor does strengthens the exportability of auditing into new spaces. Thus, through the essential obscurity of auditing, reflected in the expectations gap, in combination with symbolic traits, blockchain could be easily incorporated in auditing.

Changing corporate arena: changes in auditing

Another way how blockchain could open a new space for auditing through the audit expectations gap can be found in the expectation gap as a driver of change. As mentioned before, when significant changes occur in the corporate arena, society expects auditors to accept a range of new responsibilities (Porter, 2012). Thus, if blockchain enters the corporate arena; society’s expectations change. As a result of changing expectations, the audit profession accepts additional duties and responsibilities, resulting in an expanding scope of auditing and new roles of auditors (Schelluch and Gay, 2006; Power 2003; Ruhnke and Schmid, 2004; Humphrey et al. 1992). Which subsequently results in new audit spaces (Andon et al. 2015). According to Power (2003) in this way, new objects and practices are continually being made auditable.

Moreover it is due to this expectations gap that additional duties and responsibilities become actual duties and responsibilities. Porter (2012) argues that as society’s familiarity with the changes in the auditors external environment evolves, recognition of the benefits to be obtained from auditors performing responsibilities that are reasonably expected (but not required) of them increases until, through a change in legislation, regulation or auditing standards, they become actual responsibilities of auditors.

Thus, if blockchain becomes familiar in the corporate arena expected additional duties and responsibilities of the auditor with regard to blockchain become actual responsibilities and duties through changes in legislation, regulation and standards. In this way blockchain opens a new audit space for auditing.

However, the question remains how blockchain influences the audit profession. Which additional duties and responsibilities will be accepted? How does this new audit space look like? In other words: how does blockchain opens a new audit space for auditing?

(12)

12

The following part conceptualizes blockchain by giving a description of the working and the characteristics of the blockchain technology. The chapter ends with a review of implications of the blockchain technology as currently known by the existing literature.

Conceptualization of blockchain technology

Currently, blockchain technology receives a lot of public attention and is among the most trending technologies (Risius and Spohrer, 2017). Blockchain technology became publicly known as the technology underlying Bitcoin, which enables peer-to-peer digital currency trading. However, blockchain has broadened its technical foundation to support various businesses nowadays (Dai and Vasarhelyi, 2017).

Definition

According to Dai and Vasarhelyi (2017) the bitcoin blockchain can be viewed as a new type of accounting database that records the transactions of the digital currency into blocks. These blocks form a chain which is used to create a decentralized, publicly available and cryptographically secure digital currency system. The blocks are arranged in linear chronological order and shared to a network.

Risius and Spohrer (2017) define the blockchain technology as “a fully distributed system for

cryptographically capturing and storing a consistent, immutable, linear event log of transactions between networked actors”.

They state that the blockchain technology is similar to a distributed ledger that is consensually kept, updated and validated by the parties involved in all the transactions within a network. The blockchain technology enforces transparency and guarantees eventual, system-wide consensus on the validity of an entire history of transactions.

This is a result of the complex data structures which are used by a blockchain to store all the transactions in a way that the current state of the system inherently depends on all previous transactions (Glaser, 2017).

In other words, the blockchain is designed in such a way to ensure the integrity and irreversibility of published transactions, therefore making it almost impossible for a single or a small group of malicious parties to tamper with records within the blockchain (Dai and Vasarhelyi, 2017). In essence, this distributed ledger strategy crowd-sources the verification function classically played by auditors (Yermack, 2017).

(13)

13 Private and permissioned blockchains

The blockchain architecture is designed to be a decentralized public database. Which means that every party in the network has the right to read, verify and update transactions to the chain. However, in modern applications (the use of blockchain within a business or group of companies) this is undesirable. This kind of applications require restrictions of certain rights to certain entities, known as a ‘private blockchain’ (Pilkington, 2016). The information stored in this blockchain is only accessible to predetermined entities, thus, this design can protect the privacy and confidentiality of business data.

Smart contracts

According to Dai and Vasarhelyi (2017) blockchain has evolved through three phases. First it was solemnly used for the trading of cryptocurrencies, the second phase also has a focus on trading but with a much broader scope of financial applications. Nowadays blockchain systems are further expanded beyond financial and business applications. To expand the application of blockchain systems from digital currency trading towards to a broader variety of products ‘smart contracts’ were introduced in the second phase (Swan, 2015).

Dai and Vasarhelyi (2017), based on (Kivat, 2015; Peters and Panayi, 2016; and Zhang et al. 2016) define smart contracts as computer programs operating on blockchains that autonomously verify, enforce and execute the terms in the contracts. Smart contracts allow parties who do not fully trust each other to conduct and reliably control mutual transactions without relying on the services of any trusted third party (Risius and Spohrer, 2017). Previously the execution and monitoring of contracts mainly relied on a trusted central authority.

This is why the adoption of blockchain technology and associated smart contracts can result in a change of the current assurance paradigm (Dai and Vasarhelyi, 2017).

Literature review: auditing and blockchain

Auditing

Wang et al. (2017) define auditing as an information-intensive activity carried out to assess the truth and fairness of the financial statements and their compliance with the required standards and legislation. Within auditing ICT plays a vital role in ensuring the accuracy, timeliness and integrity of audit reports, simultaneously strengthening the credibility of the financial information that is being presented (Wang et al, 2017).

(14)

14

However, technological advances also challenge the audit profession. To remain relevant auditing must take advantage of technological advances and provide assurance which is meaningful to real-time financial statement users (Lombardi et al. 2015). The statements above raise questions regarding how blockchain technology affect the audit profession. According to Karajovic et al. (2017) the future of blockchain in the auditing industry appears contradictory due to the technology’s self-auditing capabilities and immutability. However a more pragmatic view can clarify the profound and beneficial impact that the technology will have on innovation across the audit industry. For example, it is expected that blockchain will be a widely applicable infrastructure to support enterprise information systems and continuous auditing systems (Wang et al, 2017).

The beneficial impact on innovations is also emphasized by Ruckehauser (2017) who state that the digitalization of auditing is still in its infancy, however, the application of the blockchain technology could lead to the technological progress needed.

Irreversibility and immutability

Due to the use of cryptographic algorithms the blockchain guarantees data integrity which makes it impossible to alter the transaction history. Because of this blockchain technology could be applied in auditing for the purpose of continuous monitoring and fraud detection.

Furthermore, this irreversibility and immutability leads to an improved efficiency and effectiveness of auditing (Wang et al, 2017). According to Wright and DeFilippi (2015) the irreversibility enables that the transactions can be easily audited resulting in a more effective and efficient audit.

Olnes et al. (2017) state that the immutability of the blockchain technology shifts the focus of auditing on the transactional level to a focus on the system level. However, the consequences of this changing focus needs to be further explored. The authors further state that both the software and algorithms need to be audited to ensure the functioning, regardless, the self-auditable characteristics of the blockchain technology, the public should be able to rely on the proper functioning of the blockchain. Also, compliance with laws and regulation should be analyzed.

(15)

15 Storage and verification of audit-related documents

Another possible application of the blockchain technology lies within the storage and verification of audit-related documents (Dai and Vasarhelyi, 2017). According to the authors a blockchain ledger could be used as a reliable medium to store any audit-related documents.

For example, electronic invoices, bills of lading, letters of credit etc. could be stored blockchain. In this way all the documents are traceable and unchangeable. Additionally, analytical tools can be applied to the accounting records in order to discover patterns, identity anomalies and extract other audit evidence. Besides the increased storage capability, the blockchain also enhances the auditability of information. A blockchain secures the data that is stored within the chain hereby lending veracity. This allows auditors to test the completeness of financial information.

The problem of timeliness and the use of smart contracts

Traditional auditing is centered around the audit of paper-based income statements which is performed after the transactions have taken place. Due to the manual nature of the procedures and the lack of tools it is hard to effectively analyze and monitor large amounts of transactional data. However within the business world nowadays, the speed and scope of business activities has increased fundamentally. As mentioned before, this requires auditors to provide assurance closer to the transaction date.

According to Wang et al. (2017) blockchain is a promising technology for facilitating real-time accounting and continuous auditing because blockchain reduces the speed of transaction settlement.

Role of auditors:

It is implicated that the accuracy and verification roles of auditors may be diminished due to the blockchain , however, according to Dai and Vasarhelyi (2017) the judgement, oversight and insight of auditors become even more necessary. They state that the focus of auditing will change from erifications to more complex analysis such as systematic evaluations and risk assessments. Furthermore, the auditor will be an evaluator and examiner over the design of blockchain. Karajovic et al. (2017) mention that some tasks of the auditor become obsolete by the blockchain. However, the features of the technology allows auditors to spend more time to interpretinformation and provide consultations to clients. In other words, the role will shift towards an advisory role.

(16)

16

Although existing literature describes some possible applications of blockchain technology within auditing, it remains an underdeveloped research area, especially in terms of evidence gathered from the audit field (Umarovich et al. 2017; Dai & Vasarhelyi 2017). The possible applications are descripted in a general way and do not show, for example, possible issues or problems resulting from the applications. This study aims to provide a deeper understanding on how blockchain opens new audit spaces by investigating the audit field. The following chapter explains the methodology of this study.

(17)

17

METHODOLOGY

Research design

Qualitative research

The aim of this study is to identify how blockchain opens a new audit space for auditing. In this respect, the study will follow a qualitative approach. Qualitative research describes and enables understanding of actual human interactions, meanings and processes which constitute real-life organizational settings (Power and Gendron, 2015; Gephart, 2004; Pratt, 2009). Furthermore, qualitative research provides insights into how broad concepts and theories operate in specific settings and enables examination of real-life processes. In essence, qualitative research is especially suitable for studying the complexities of expert practices like auditing (Cooper and Morgan, 2008), which is exactly the case within this study since auditing is the research subject. Moreover, a qualitative approach allows the development of insights into expertise and may sometimes even question professional claims that are taken for granted (Power and Gendron, 2015). Even more specifically, according to Cooper and Morgan (2008), it is qualitative research which is valuable in describing the details of how new accounting and auditing innovations are actually done, which is exactly the purpose of this study. Moreover, qualitative research can also be useful for practitioners; in a way that it enables a better understanding of the applicability of specific innovations in complex contexts (Cooper and Morgan, 2008). Thus, by following a qualitative approach this study could clarify the implications of an innovation; such as the blockchain technology, for practitioners of auditing.

Sample

The sampling strategy chosen is critical case sampling. With critical case sampling, a small number of important cases are selected (Patton, 2001). Important cases are the cases which provide the most information and have the greatest impact on the development of knowledge. The sample consists of auditors.

Since auditors perform the audit it is assumed that auditors are able to provide the most information and have the greatest impact on the development of knowledge on the phenomenon auditing and blockchain. Furthermore, the sample also consists of one blockchain expert, former IT auditor and a policy advisor IT and auditing who is also a former (IT) auditor.

(18)

18

More specifically, the target group will consist of auditors working in one of the Big 4 1_companies

in the Netherlands. This setting is chosen because the Big 4 are considered as the leading firms in innovation in auditing (Curtis et al. 2016). Considering blockchain, all four firms have incorporated blockchain by offering blockchain services.

Data Collection

Data sources and collection

In-depth interviews are the primary data source of this study. This method is chosen because the in-depth interview is designed to provoke the interviewee’s perspective on the research topic by reconstructing perceptions of events and experiences related to the topic (DiCicco‐Bloom and

Crabtree, 2006). So, from this study’s point of view, it enables the opportunity to obtain an in-depth understanding on how blockchain technology could open a new audit space for auditing from a practical perspective.

The interviews had a semi-structured nature. The choice for semi-structured interviews derived from its flexible, accessible and intelligible nature. Semi-structured interviews allow the interviewer to modify the style, pace and ordering of questions in order to evoke the fullest response from the interviewee. It also enables interviewees to provide responses in their own terms and in the way how they think and use language (Qu and Dunmay, 2011). In other words semi-structured interviews enable the researcher to gain insight from a practical perspective. Which is the purpose of this study.

The interviews were conducted as follows: first two initial interviews were held at the beginning of the data collection for orientation purposes. The objective was to map the current situation of blockchain technology within the audit and to become more familiar with the topic.

The interviewees indicated that currently blockchain technology is not widely applied in the audit yet. Auditors are currently discovering which and how blockchain applications can be incorporated in the audit by doing blockchain pilots. Also auditors do not encounter blockchain applications at their clients yet. However the interviewees indicated that this is a matter of time.

Subsequently, based on the theoretical background and the initial interviews semi-structured interview questions were prepared.

(19)

19

In order to explore how blockchain opens a new space for auditing the topics covered in the interview-questions were:

The influence and implications of the blockchain on the (traditional) audit of the financial statements; exploring which tasks currently performed by the auditor are affected, what are the related accounts and procedures, and what the consequences are for the auditor; The demand for additional audit and assurance services due to the blockchain; is there a demand for this kind of services and how does it look like; The current skills and capabilities of auditors in relation to the skills and capabilities needed to work with the blockchain; hereby investigating if the auditor is able to work with the blockchain; And the role of the auditor in a blockchain world and how this role looks like.

After the preparation of interview questions, interviewees were chosen based on their function and working experience and knowledge of the blockchain technology (an overview is displayed in

table 1). The interviewees were approached by the researcher. During the interviews only the

researcher and interviewee were present. The conducted interviews lasted on average 36 minutes and were tape recorded. Beforehand permission regarding tape-recording was asked to the interviewee. Also matters of confidentially and anonymity were discussed beforehand. The tape recordings were transcripted and subsequently processed and coded. In order to assist this process the ATLAS application was used. Computer software, like ATLAS, can help to facilitate a consistent approach to codification and to reduce the opportunities to introduce bias (Smith, 2015).

(20)

20

Besides interviews additional archival data was collected via (non-scientific) sources such as newspaper articles, opinions and articles appearing at online professional platforms, and publications regarding blockchain from audit institutions. Also notes taken from informal conversations with auditors working at the selected firm are used. More additional data was gathered via the attendance of lectures and the participation of the researcher in the field. An overview of the additional data is included in appendix A.

Data analysis

The collected data was analyzed by using a systematic protocol which provides an audit trail from transcripts to the results of the analysis via successive stages of data reduction and summarization (Lillis, 1999). The used protocol in this study is loosely based on the method of Gioia et al. (2012). Gioia et al. (2012) devised a systematic inductive approach of data analysis in order to capture the concepts relevant to the human organizational experience in terms that are adequate at the level of meaning of the people living that experience and adequate at the level of scientific theorizing about experience. Thus, the method can be seen as both appropriate in academic and practical aims.

The data analysis was conducted as follows: first the interviews were transcribed. Subsequently, the transcripts and additional archival data were uploaded in Atlas. The documents were separately coded by using the coding manager of the Atlas tool. Hereby ‘open coding’ was used, meaning that relevant passages in the documents could be selected and labeled by entering the code names belonging to the selected passage. When all the documents were coded the codes were classified into groups. This classification was based on codes which depicted the same concept, or codes which were related to each other. After the classification the network manager was used. The network tool in Atlas shows an overview of a classification or group of codes. The name of the code group is the central point in the network. Furthermore, the network shows all the codes classified into that group with their relation to each other and relating quotes. The networks were used in order to analyze the data. The networks made it easy to identify similarities and differences within the evidence. An example of such an network can be found in appendix B. After analyzing the data the construction of a data structure followed. The data structure starts with first order concepts which are directly copied from the evidence or summarizations of pieces of evidence. These concepts were categorized into terms which summarizes the concepts. The terms were subsequently categorized in a theme. The data structure can be found in appendix C.

(21)

21

FINDINGS

This chapter describes the findings based on the analyses of the collected data. The evidence gathered showed three main themes which are discussed below:

The interplay between ‘blockchain - based’ auditing and ‘traditional’ auditing

Elimination of manual tasks

When asking the interviewees if blockchain impacts the audit of the financial statements all interviewees responded that the use of blockchain changes the traditional audit approach. In other words, blockchain can impact the way how auditors execute their engagements.

Blockchain technology can eliminate labor intensive manual data extraction and audit preparation activities. Furthermore some of the manual tasks could be eliminated by using the blockchain. First, looking at manual data extraction and audit preparation activities within traditional auditing data such as account reconciliations, trial balances, journal entries, sub-ledger extracts and supporting spreadsheets are provided to the auditor in a variety of electronic and manual formats. This results in the fact that each audit begins with different kind of information sources and schedules. Subsequently, auditors have to invest a significant amount of time in the planning of the audit. In a blockchain world, however, auditors have near real-time data access via a read-only mode at blockchains. This allows auditors to obtain information required for the audit in a consistent recurring format instead of the different formats resulting from traditional auditing. Auditing hereby is expected to become easier and more reliable.

With regard to the elimination of manual tasks 2 the interviewees indicated that some manual tasks of the traditional audit could be replaced by the blockchain technology. Because blockchain alters methods of invoicing, documentations, contracts and payments blockchain could also alter the audit procedures which are performed on processes related to this methods. For instance, auditor N stated that the standardized processes could be eliminated with the use of blockchain.

However, at the same time, auditor N also indicated that this applies mainly to the simple procedures such as purchasing processes, sales and payment processes. For example, if we look at such a simple process, imagine a transaction between company A and B (company A sells a product to company B).

2_{with manual tasks we mean tasks which are generally performed by junior staff e.g. tasks which} can be performed by junior auditors since in order to execute these kind of tasks relatively less audit experience and skills are needed

(22)

22

If a blockchain is used then the purchase invoice from company B reconciles with the sales invoice of company A. Because with blockchain it can’t be the case that the transaction is only registered by one party. Another example: with the use of blockchain there is no need to ask clients for banks statements or to request for confirmations from third parties as the transactions can be verified by the auditor on the public available ledger.

Thus, reconciliations which were traditionally made by (especially) junior auditors can be replaced by the blockchain technology. Subsequently this replacement gives the auditor more time to focus on more complex processes and accounts. Therefore the incorporation of the blockchain technology in auditing results in a shifting focus towards more complex processes and accounts, for which high skills and knowledge are needed.

Increased assurance

Within traditional auditing auditors use sample based substantive testing. Sample based testing means that if auditors test a certain account, not all transactions relating to that account are audited. Instead the auditor audits a part of the whole population; a sample of transactions relating to the specific account. The auditor audits a sample because some accounts consists of thousands of transactions. If the auditor audits every single transaction it will take too much time. However, a blockchain enables the auditor to test the whole population of transactions instead of a sample. Because with a blockchain you can apply algorithms in order to detect deviant transactions or patterns on a real time base instead of detecting ‘after the facts’.

Moreover due to the shift from sample based testing towards testing a whole population the level of assurance increases. Traditionally, due to sample based testing, auditors give reasonable assurance instead of complete assurance, since not all transactions are audited.

Continuous monitoring

Moreover, blockchain enables continuous monitoring of the financial statements. Through a private blockchain companies can customize user access of the blockchain, this allows them to give read-only access to external entities. So in this case, a company could give read-only access to the auditor. Subsequently, this enables the auditor to verify the transactions in real time instead of having to wait several weeks or months to go through all of the records of the transactions,

(23)

23

which is the case in traditional auditing. In this way, audits of financial statements become more automated and continuous since financial irregularities can be uncovered in real time.

Interviewee S: “If there is assurance regarding the integrity of a blockchain solution then an auditor could reconcile the transactions displayed in the blockchain in real time. I know an example of an audit company which developed a blockchain application. The client uses this application and the auditor gets a sort of read only permission within the blockchain. Then the auditor runs his continuous auditing tool in order to identify outliers.

This enables the auditor to, if there are outliers, act directly.

The role of the auditor: professional judgement

Does this mean that with the use of blockchain the auditor is not needed anymore? According to the evidence gathered: the answer is no.

First, blockchain could replace the manual tasks which are relatively simple. However, there are still accounts and processes of which the audit procedures can’t be replaced by the blockchain technology. If we consider fair value questions, accounts based on estimations, and assumptions displayed in the annual report, an auditor is still needed. In these cases, the professional judgement of the auditor plays a crucial role.

Interviewee N: “The added value of the auditors lies within accounts which have estimation elements such as provisions. However the standard procedures, such as

standard samples, can be taken over by the blockchain technology”

Second, the automatic reconciliation made by the blockchain only confirms the integrity of the data. This means that with the use of blockchain the risk concerning the fairness and completeness of transactions expires. However, the data still needs to be judged on other aspects. When conducting an audit, an auditor assesses that the recorded transactions are supported by data, or as it is often called: audit evidence, which is relevant, reliable, objective, accurate and verifiable.

If transactions occur on the blockchain, this may be sufficient audit evidence for certain assertions such as the occurrence of a transaction. For example, the auditor can verify through the blockchain, that company A has transferred bitcoins to company B in order to buy a product. However, the auditor may not be able to determine that the product was actually delivered solely by the information displayed on the blockchain.

(24)

24

Interviewee S told that the moment when the data is displayed on the blockchain, that is the moment when you can state that the data integrity is guaranteed. At the same time, you expect that this data is not manipulated. However, how can you be sure of this? Since this is dependent to so many variables. For example, if the blockchain is a permissioned one, which means that there is a certain degree of decentralization, then it is still possible to alter or delete transactions. For instance, what if the blockchain says that there has been a delivery of five crates of cucumbers but in reality there has been a delivery of six crates? The blockchain can’t change anything about that Thus, you are still dependent on the human aspect.

Moreover, the blockchain can be used in order to collect data. The integrity of the data is hereby guaranteed by the blockchain. However, that is all the auditors knows. The auditor still needs to use his knowledge and skills in order to judge the data on relevance, reliability, objectivity, accuracy and verifiability and to give an interpretation to the data. For example, the reliability of the data: if the auditor obtains audit evidence directly from the blockchain the auditor still needs to consider the risk that the information might be inaccurate because of error or fraud. Furthermore, the auditor also has to assess if the data source, in this case the blockchain, is reliable. This will be further discussed in the second part of the findings.

Interviewee H: “ The auditor still has a role in the blockchain world. Simple and boring tasks will be partially eliminated. However you still need to say something about the data

that is generated by the blockchain. A blockchain can’t do that for you; you need an auditor to do that. If you trade physical goods via the blockchain how do you know for sure that the goods which are presented in the blockchain truly exist? For example, how

do you know that the liters oil presented on the blockchain truly exist in the real world? That kind of examples are cases for the auditor, who can determine if the presented

goods truly exist”

So, if there is still a place for the auditor, how does it looks like? According to the evidence it is important that the auditor measures and communicates the data which is made available by the blockchain. The auditor could be the one who translates the provided information and the one who secures that the information, as it is displayed by the blockchain, is truly de case in real life.

Moreover, if the blockchain generates large amounts of data; investors will have to ask themselves questions like “what are the implications of the data for the performance of the company?” “What are the implications of the debt position for the continuity of the company?” This is the trump card for auditors.

(25)

25

Auditors are financial specialist who are able to interpret large amounts of data and tell the story resulting from the numbers. The auditor uses his professional judgement in order to determine that the displayed data can be traced back to actual proceedings and what the implications of these proceedings are. In this way, auditors use professional judgement in order to translate the information of the blockchain.

Summarizing the statements above, the evidence shed light on the interplay between traditional audit procedures and audit procedures with the use of blockchain. The evidence indicates that the professional judgement of the auditor becomes even more important. First, due to the elimination of manual tasks. Tasks which need high skills and knowledge remain, tasks in which professional judgement is of high importance. Second, blockchain confirms the integrity of the data however, the data needs to be judged on other aspects, in order to do this, the auditor needs to execute professional judgement. Third the auditor uses his professional judgement in order to translate the information of the blockchain.

Interviewee W: “ I think that it is unlikely that the professional judgement of an auditor could be completely usurped by technology”

Understanding and assessing the blockchain and its functioning

The previous part described the interplay between traditional auditing and blockchain based auditing emphasizing that there is still a role for the auditor in a blockchain world. As mentioned before, once data is displayed at a blockchain, you can state that the data integrity is secured however an auditor should secure more.

According to the evidence an auditor should, in order to use a blockchain in auditing, assess if the blockchain is functioning properly. In other words: an auditor should assess if the blockchain is reliable and can be trusted.

Interviewee H “Every transaction displayed on the blockchain is immutable, you can’t delete the transactions. Therefore you can trust the integrity of the data however, first

(26)

26 Assessment of the effectiveness of the internal control

Nowadays, the auditor makes an assessment of the effectiveness of the internal control of the company which is audited. Internal control is defined by Hayes et al. (2015) as follows: “ internal

control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of the operations, reliability of financial reporting, compliance with applicable laws and regulations, and safeguarding of assets against unauthorized acquisition, use or disposition”. In order to understand the entity’s internal controls auditors

evaluate the design of a control and judge whether it has been implemented. In other words, auditors determine whether the control is capable of effectively preventing or detecting and correcting material misstatements. According to Hayes et al. (2015) the heart to any internal control system is the information technology upon which the business processes rely. An auditor makes an assessment of the general IT controls, examples of IT general controls are: controls over data center and network operations, system software acquisition, change and maintenance, access security and application system acquisition, development and maintenance. Moreover, according to Hayes et al. (2015) IT poses specific risks to the effectiveness of an company’s internal control and auditors should be aware of these risks. Examples of IT specific risks are: reliance on systems or programs that are inaccurately processing data, processing inaccurate data or both, unauthorized access to data that may result in destruction of data or improper changes to data, the possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties thereby breaking down segregation of duties, unauthorized changes to data in master files, unauthorized changes to systems or programs and other inappropriate actions.

Blockchain: another IT system

Going back to the blockchain technology the evidence indicated that blockchain can be categorized as just another IT system. A private blockchain 3 is essentially an IT system with corresponding risks. Thus, in this sense, a blockchain can be seen as a part of the internal control and therefore needs to be taken into account in the assessment of the effectiveness of the internal control.

(27)

27

Especially from the point of view that information technology is the heart of any internal control system.

Assessing the blockchain

One of the interviewees explained a risk assessment of a blockchain solution. This risk assessment is used in order to identify the specific risks associated with blockchain solutions and defines controls for these risks. The key points of a blockchain assessment are: access and user management, authorization and provisioning management, data management, interoperability, scalability and performance, change management, privacy and security. For example, in the case of access and user management you assess the user access management of cryptographic keys. Everyone within a blockchain gets a pair of keys, therefore access management is very important. With this pair of keys you can interact on the blockchain. Thus, you have to make sure that only the persons who rightfully have access to the blockchain are the ones who have access to the keys. And what should you do if someone loses his key? Another example, data management, especially interesting since data on a blockchain is immutable. Everything which is displayed on a blockchain is visible to every party within the blockchain network so you have to think about things such as which data do I wish to share with different companies? How do you keep your data confidential. The last example: segregation of duties. It is difficult to manage segregation of duties in a blockchain because within a blockchain everyone is equal. So, how do you manage your segregation of duties? How do you make sure that for example, super users of a blockchain don’t do things which are not desirable and what about authorization?

If we compare the risk assessment of the blockchain to the assessment of the general IT controls traditionally performed by auditors, we identified similarities: access management, data management, segregation of duties, authorization, change and maintenance are in both assessments key points. Considering this, we can say that the core of auditing does not change, however the technical component grows. When we consider the examples, a lot of auditing today consists of auditing around the technology, getting hard-copy records. Blockchain will require auditing through the technology.

Furthermore, the evidence also indicates that it is not likely that companies will substitute all their existing IT systems for the blockchain technology. It is more likely that companies will complement their existing IT systems with blockchain.

(28)

28

In this sense, the blockchain will be connected with the existing IT systems. This is clarified by the following example given by interviewee H:

“It is unlikely that a company will replace all their existing IT systems, such as an ERP system, because a company runs all kind of processes through their existing systems. Companies would prefer to complement

their existing ERP systems with a blockchain in order to, for example, communicate with other companies within their value chain”

Nevertheless, it is not possible to directly replace all your existing systems. Simply, because blockchains are, for example, not suitable for transferring high amounts of data, to store high amounts of data and to process high amounts of transactions. For processes, which generate high amounts of data, a blockchain is not a solution. So, due to this limitations you still need other IT systems. Some processes will be carried out through ERP systems, some processes will be carried out through the blockchain. However, if you connect your existing IT systems with the blockchain, you have to make sure that this connection is made properly. For example, if your ERP system is connected to your blockchain: transactions go via the ERP system to the blockchain. If there is an error in your ERP system then it might be possible that the transactions displayed on the blockchain are incorrect since you’ve connected both systems. So as an auditor, you have to make sure that this connection is made properly otherwise it is not possible to use the data displayed on the blockchain as audit evidence. In other words you have to assess what happens if the underlying data source of the blockchain, in this case the ERP systems, has an error.

Interviewee N: “How do companies guarantee that the information displayed on the blockchain is reliable? How do they store the information? How do you make sure that

the blockchain is not manipulated and altered by someone without the inference of another party? For this kind of questions you’ve got an auditor”

Since the auditor first makes an assessment of the effectiveness of the internal control of the systems and thereafter uses the systems for their information output, the auditor should take risks and implications into account when assessing the clients information systems. If blockchain is added towards the existing systems the auditor should assess this blockchain and also has to make sure that the link with the other systems is working properly. In other words, when blockchain is implemented the audit process needs to shift further towards the assessment of operating effectiveness of the internal IT controls.

(29)

29

In this way blockchain opens a new audit space since the application of blockchain technology within companies affects the assessment of the effectiveness of the internal control. If blockchain becomes a part of the internal control the auditor has to evaluate the design of the control and judge whether it has been implemented.

Assurance of the blockchain

As mentioned in the previous parts, in order to use the blockchain within auditing, it is important to secure the integrity of the operating effectiveness of the blockchain. On the other side, users of the blockchain technology also want to know if the blockchain is operating as it should.

According to the evidence if blockchain is used in the corporate arena there will be demand for auditing and assurance of blockchains. The interviewees told that clients don’t develop their own blockchain solution. They will rather buy it as a ‘Software as a Service’ from a service-provider. Considering the blockchain; this service provider is a blockchain-solution developer. If the client buys such a service, the client subsequently would like to know if he can trust that provider. Before a client buys a blockchain solution, the client wants independent assurance regarding the stability and robustness of the blockchain’s architecture. Why this assurance is demanded is explained as follows: there is a difference between just saying ‘my blockchain solution works as it should’ or having proof of the operating effectiveness. Proof can be provided by a written statement issued by an independent party.

The demand for assurance is driven by the liability aspect. For example, if you buy your blockchain solution then you want to shift the liability to the provider of that service. If something goes wrong or if there is a failure with regard to the blockchain you want to shift a piece of liability towards the provider of the service.

Interviewee S “This is the fundament of an assurance report. Providing clarity regarding liability and sharing that liability. That is the most important reason why assurance

should be given with regard to blockchains”

Is it the auditor who gives assurance regarding the blockchain? As mentioned before with a written statement issued by an independent party the operating effectiveness of the blockchain can be proved. An auditor is such an independent party who gives assurance in the form of a written statement. Traditionally, an auditor gives reasonable assurance regarding the truth and fairness of the financial statements.

(30)

30

However, recently auditors also give assurance concerning, for instance, sustainability aspects and MBA rankings (Free et al. 2009; O’Dwyer, 2011). Is this also the case with blockchain? According to the evidence this is not directly the case.

The interviewees were asked if the auditor is the one who can give assurance regarding the blockchain and they responded skeptical. They indicated that resulting from their role as a trusted independent third party they are the logical choice.

Interviewee H: “Yes, who else could do it? Assurance has something to do with name and reputation, auditors have a good name and reputation regarding assurance”

Need for a specialist

However, they further mentioned that based on their current knowledge and skills they are not able to give assurance on the blockchain. According to the evidence in order to do that you need blockchain specialists. If you want to know if the blockchain is designed correctly in cryptographic means, you should, for example, assure that a generation of private keys can’t be traced back and recalculated. An auditor cannot do this. This is the work of a cryptograph. So in order to give assurance regarding the blockchain you need a specialist such as an cryptograph.

Interviewee J: “Assurance regarding the blockchain? No, an auditor can’t give assurance on that. In order to do that, you need a specialist”

Interplay between different departments

Does this mean that auditors don’t play a role in the audit and assurance of blockchains? According to the evidence this is not the case. The audit and assurance of blockchains will be a collaboration between different departments: financial auditors, IT auditors and blockchain specialists. Financial auditors are needed in order to give an interpretation to the figures displayed and processed through the blockchain. The IT auditor makes an risk assessment in order to determine if the given management assertions are compatible with the blockchain. Finally, the blockchain specialist assess the cryptographic design of the blockchain.

(31)

31

This interplay is also visible in the following example: one of the interviewees told that if an auditor needs to audit a blockchain then the auditor will ask an expert to perform the audit of the blockchain. Subsequently the expert will execute the blockchain audit and communicates his findings to the financial auditor. This results in a report with recommendations for the auditor and the management letter. The auditor assesses this report and determines the implications for the financial audit. In this case, it is important that the specialist asks the client the right questions with regard to the financial audit. It is easier to ask the right questions if this specialist is accompanied by an IT auditor. Thus, again we see the interplay between the different departments. However, this not new within auditing. If we consider, for instance, the audit of pension funds, it is common to consult an actuary.

Interviewee J “An auditor will have to trust on the work which is performed by a specialist, however, that’s not new within auditing”

Blockchain: a new department

Moreover, the use of blockchains in the corporate arena results in a growing demand for assurance, audit and advisory services. According to the evidence, this results in new blockchain departments within audit firms. The blockchain departments consists of specialist who can give assurance or provide advisory services if demanded by the client or support the financial audit department when a blockchain solution has to be audited. Considering the fact that audit firms have a good name and reputation regarding audit, assurance and advisory, audit firms will set up another department in order to meet the client’s demand.

(32)

32

DISCUSSION

The following chapter discusses the findings of this study in relation to existing literature and gives implications for further research.

Professional judgement

The findings of this study shed light on the interplay between traditional auditing and auditing with blockchain. Although the evidence indicated that blockchain has an impact on the way how an audit is conducted the evidence also indicated that the auditor will not be usurped by the blockchain technology. According to the evidence the professional judgement of an auditor will play a bigger part when blockchain is used in auditing. This is in contrast with the view of Yermack (2017) who states that in a blockchain world users of financial statement information would not need to rely on the judgement of auditors. Instead they could trust data displayed on the blockchain and subsequently impose their own accounting judgement to make their decisions. This study indeed emphasizes that with blockchain technology the integrity of data is assured. However, the evidence also indicates that in order to give assurance regarding the financial statements, the data should also be judged on other aspects. Aspects for which the professional judgement of an auditor is needed. This is also indicated by Richens et al. (2017) stating that the financial statement audit cannot easily be automated because some parts of auditing involves significant subjectivity or professional judgement, making them naturally resilient to automation. Furthermore some of the most useful information to users of financial statements is subjective and it is hard for accounts to transmit this information.

Furthermore, according to Grout et al. (1994) the most informative thing about accounts might not be the numbers they contain, but the fact that auditors, after exercising their professional judgement, are prepared to let the company make the claims that is does by giving assurance. Even though the auditors thereby leave themselves open to the possibility of large lawsuits if the assurance was given unfairly. This is in line with the evidence indicating that the auditor can be the translator of the data displayed in the blockchain.

Moreover, according to Yermack (2017) users of financial statements don’t need to rely on the judgement of auditors anymore, because with blockchain, a firm could voluntarily post all of its ordinary business transactions on a public blockchain.

Digitalization in auditing: The blockchain technology: opportunity for new audit spaces?