BLOCKCHAIN 101
Dan Altobelli, CPA, CISA, CEH
Audit Manager
New Jersey Legislature
New Jersey Office of the State Auditor
1. How does it work?
2. What is so great about blockchain?
3. Blockchain and audit – Part I
4. Blockchain and audit – Part II
5. Blockchain Attack!
1. How does it work?
Blockchain is a shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a business network. Virtually anything of value can be tracked and traded on a blockchain network.
Bitcoin <> Blockchain: Bitcoin is not the same thing as blockchain. Bitcoin is one application that runs on a blockchain.
[Slide animation, "Meet Tommy the Transaction": individual transactions (sample values 6, 15, 24, 12, 15, 18) are collected into a block and combined and hashed into a single "Hash of Hashes"; the block header is then hashed ("HASH OF BLOCK HEADER"), and that header contains the "PREVIOUS HEADER HASH", so each block is linked to the one before it.]
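The hashing steps sketched in the slides above, as an added worked example that is not part of the presentation: each transaction is hashed, the transaction hashes are paired into a Merkle root (the slides' "hash of hashes"), the root goes into a block header together with the previous header hash, and a verifier recomputes every link and catches an edited transaction. The transaction strings, the amounts, the JSON header encoding and the all-zero genesis link are constructed for illustration; real chains use binary headers with timestamps, nonces and difficulty fields that are not shown here.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_PREV = "0" * 64  # constructed: the first block links to an all-zero hash


def sha256_hex(data: str) -> str:
    """SHA-256 of a UTF-8 string as hex: the one-way fingerprint every step below uses."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def merkle_root(tx_hashes: List[str]) -> str:
    """The slides' 'hash of hashes': pair adjacent hashes and hash each pair, level by
    level, until one root remains. An odd leftover hash is paired with itself."""
    if not tx_hashes:
        return sha256_hex("")
    level = list(tx_hashes)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha256_hex(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Block:
    prev_header_hash: str   # link to the previous block ("PREVIOUS HEADER HASH")
    transactions: List[str]

    def root(self) -> str:
        return merkle_root([sha256_hex(tx) for tx in self.transactions])

    def header(self) -> str:
        # The header commits to the previous block and, through the root, to every transaction.
        # JSON with sorted keys is a constructed stand-in for a real binary header layout.
        return json.dumps({"prev": self.prev_header_hash, "root": self.root()}, sort_keys=True)

    def header_hash(self) -> str:
        return sha256_hex(self.header())   # "HASH OF BLOCK HEADER"


def build_chain(blocks_txs: List[List[str]]) -> List[Block]:
    chain: List[Block] = []
    prev = GENESIS_PREV
    for txs in blocks_txs:
        block = Block(prev, list(txs))
        chain.append(block)
        prev = block.header_hash()
    return chain


def verify_chain(chain: List[Block], expected_tip: str) -> Tuple[bool, Optional[int]]:
    """Recompute every link and compare the final hash with the tip other nodes agree on.
    Returns (ok, index of the first block whose link no longer matches).
    header_hash() recomputes the root from the stored transactions, so editing any
    transaction changes that block's hash, and the next block's link (or the tip) exposes it."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.prev_header_hash != prev:
            return False, i
        prev = block.header_hash()
    if prev != expected_tip:
        return False, len(chain) - 1
    return True, None


# Constructed sample transactions; the amounts reuse the values shown on the slides.
SAMPLE_BLOCKS = [
    ["tx: Tommy -> Alice 6", "tx: Alice -> Bob 15", "tx: Bob -> Carol 24"],
    ["tx: Carol -> Dave 12", "tx: Dave -> Erin 15", "tx: Erin -> Tommy 18"],
]


def tamper_demo() -> dict:
    chain = build_chain(SAMPLE_BLOCKS)
    tip = chain[-1].header_hash()          # what the rest of the network agrees on
    ok_before, _ = verify_chain(chain, tip)
    chain[0].transactions[1] = "tx: Alice -> Bob 1500"   # rewrite one amount in block 0
    ok_after, bad_index = verify_chain(chain, tip)
    return {"ok_before": ok_before, "ok_after": ok_after, "first_broken_link": bad_index}


if __name__ == "__main__":
    print(tamper_demo())
```

The point for an auditor is that "immutable" rests on the comparison with a tip hash held outside the copy being checked: a single node can rewrite its own history consistently, so the check only means something against the tip that the other nodes (or a retained, independently stored hash) agree on.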
2. What is so great about blockchain?
The Pillars of Blockchain:
1. Decentralization
2. Transparency
3. Immutability
4. Anonymity
Three types of blockchains:
1. Public – no one is in charge
2. Private – one in-charge who looks after the blockchain
3. Consortium or Federated – more than one in-charge
Public, private and consortium/federated blockchains compared:

Public
• Anyone can run a full node.
• Anyone can make transactions.
• Anyone can review or audit the blockchain.
• Permissionless, secure, transparent, inefficient.

Private
• The in-charge determines who can run a node.
• The in-charge determines who can make a transaction.
• The in-charge determines who can review or audit the blockchain.
• Private, power is consolidated, efficient.

Consortium/Federated
• Only selected members of the consortium can run a full node and mine.
• Only selected consortium members can make transactions.
• Only selected members of the consortium can review or audit the blockchain.
• Permissioned, semi-private, efficient.
Blockchain – Where might you see it?
1. Any kind of commerce
2. The sharing economy
3. Media (ebooks, music, etc.)
4. Banking
5. Governance
6. Healthcare
7. IoT
8. Identity Management
3. Blockchain and Audit – Part I
Blockchain’s impact on audit
1. Financial Audits
2. Continuous Monitoring
3. “Triple” Ledger Accounting
4. Fraud detection
5. IT General Controls
Blockchain’s impact on the audit profession
1. Audits of Smart Contracts
2. Service Auditor or Consortium Blockchains
3. Blockchain administrator
4. Blockchain and Audit – Part II
Auditing blockchain – Risks
1. Misconfigured access permissions
2. Poorly constructed rules
3. Insecure applications built on the tech
4. Personal information/right to be forgotten
5. Key management
Auditing blockchain – Audit Areas
1. Governance
2. Development
3. Security
4. Transactions
5. Consensus
Auditing blockchain – Governance
• Management Oversight
• Regulatory Risk
• Business Continuity
• Vendor Management
Auditing blockchain – Development
• Expertise
• Business Requirements and Design
• Testing
• Deployment
• Change Management
Auditing blockchain – Security
• Wallet Management (Keys)
• Secure Coding
• Access Permissions and Management
• Network Vulnerability
• Endpoint Security
Auditing blockchain – Transactions
• Transaction types
• Transaction Fees
Auditing blockchain – Consensus
• Consensus configuration
• Mining Infrastructure
Audit Programs
KPMG India – Auditing blockchain solutions
https://assets.kpmg/content/dam/kpmg/in/pdf/2018/10/Auditing_Blockchain_Solutions.pdf
ISACA Blockchain Preparation Audit Program (free for members, $49 for others)
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Blockchain-Preparation-Audit-Program.aspx?cid=pr_1236304&appeal=pr
5. Blockchain Attacks?!?!
• Network Attacks
• User Wallet Attacks
• Smart Contract Attacks
• Transaction Verification Mechanism Attacks
51% or Majority Attack
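Why a majority of hash power matters, and the check a node operator or auditor can run after a chain reorganization, as an added example that is not part of the presentation: under the longest-chain rule the branch that grows fastest becomes the canonical history, so a payment that already had two confirmations can disappear when a longer competing branch overtakes it. The chain model, the use of chain length as a stand-in for cumulative proof of work, the sample transactions and the function names (block_id, choose_chain, fork_point, reorg_report) are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
from typing import Dict, List, Tuple

# Toy chain model (constructed): a chain is a list of (block id, transactions).
Chain = List[Tuple[str, List[str]]]
GENESIS = "0" * 64


def block_id(prev_id: str, txs: List[str]) -> str:
    """Block identifier that commits to the previous block and this block's transactions."""
    return hashlib.sha256((prev_id + "|" + "|".join(txs)).encode("utf-8")).hexdigest()


def extend(chain: Chain, txs: List[str]) -> Chain:
    prev_id = chain[-1][0] if chain else GENESIS
    return chain + [(block_id(prev_id, txs), list(txs))]


def confirmations(chain: Chain, tx: str) -> int:
    """Blocks from the one containing tx up to the tip, inclusive; 0 if tx is not in the chain."""
    for depth, (_, txs) in enumerate(reversed(chain), start=1):
        if tx in txs:
            return depth
    return 0


def choose_chain(candidates: List[Chain]) -> Chain:
    # Longest-chain rule, used here as a stand-in for "most cumulative proof of work":
    # whoever produces blocks fastest, i.e. controls the majority of hash power,
    # decides which history every honest node adopts.
    return max(candidates, key=len)


def fork_point(old: Chain, new: Chain) -> int:
    """Height at which two chain views stop sharing block ids."""
    i = 0
    while i < len(old) and i < len(new) and old[i][0] == new[i][0]:
        i += 1
    return i


def reorg_report(old: Chain, new: Chain) -> Dict[str, object]:
    """What a node operator or auditor wants after a reorganization: how deep it went
    and which previously confirmed transactions are no longer in the canonical chain."""
    fp = fork_point(old, new)
    surviving = {tx for _, txs in new for tx in txs}
    dropped = [tx for _, txs in old[fp:] for tx in txs if tx not in surviving]
    return {
        "fork_height": fp,
        "blocks_reverted": len(old) - fp,
        "blocks_added": len(new) - fp,
        "dropped_transactions": dropped,
    }


def demo() -> Dict[str, object]:
    payment = "tx: Mallory -> Merchant 24"          # constructed sample transactions
    base = extend([], ["tx: coinbase 1"])
    honest = extend(extend(base, [payment, "tx: Alice -> Bob 6"]), ["tx: Bob -> Carol 15"])
    # A competing branch from the same base that is one block longer and omits the payment.
    competing = extend(extend(extend(base, ["tx: Dave -> Erin 12"]), ["tx: coinbase 2"]),
                       ["tx: coinbase 3"])
    before = confirmations(honest, payment)
    best = choose_chain([honest, competing])
    report = reorg_report(honest, best)
    return {"confirmations_before": before,
            "confirmations_after": confirmations(best, payment),
            **report}


if __name__ == "__main__":
    print(demo())
```

A continuous-monitoring control built on this idea records the best chain tip on a schedule and raises an alert whenever blocks_reverted exceeds the confirmation depth the organization treats as final; on a private or consortium chain the same report also shows which members' nodes produced the replacing blocks, which is the governance question the audit areas above ask.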
• Network Attacks
• User Wallet Attacks
• Smart Contract Attacks
• Transaction Verification Mechanism Attacks
• Mining Pool Attacks
QUESTIONS?