AICPA Whitepaper Focuses on Conducting SOC Audits Involving Blockchain

The American Institute of CPAs (AICPA) has issued a new white paper to help auditors providing SOC for Service Organization (SOC) reports on organizations that have incorporated blockchain into their service delivery systems.

Implications of the Use of Blockchain in SOC for Service Organization Examinations was developed by a Working Group of the AICPA Assurance Services Executive Committee (ASEC). The paper examines the skills and competencies auditors need to perform such engagements, the unique features of blockchain, the risks associated with using blockchain, and how the use of blockchain by service organizations may affect their SOC examinations.

“As the use of blockchain increases, it’s likely that more service organizations will decide to use blockchain. Auditors hired to perform their SOC engagements need a deeper understanding of the technology and the risks it presents to the service organization and those who use their services,” said Amy Pawlicki, AICPA Vice President – Assurance and Advisory Innovation.

The paper is divided into two parts:

Part 1

presents an overview of blockchain, including a discussion of the different types of blockchain networks and some of its unique features

identifies specific risks of using blockchain

Part 2

presents an overview of relevant professional standards and criteria governing SOC for service organization examinations

discusses the need for the engagement team to possess knowledge about blockchain and the specialized skills and competencies to perform the engagement, including the use of specialists when appropriate

describes the unique elements of the auditor’s understanding of a service organization’s system when blockchain is integral to and interfaces with that system

discusses unique considerations when forming an opinion on the description of a service organization’s system that includes blockchain, the suitability of the design of the controls, and in a type 2 examination, the operating effectiveness of controls.

SOC 1, SOC 2 and SOC for Supply Chain

While this paper specifically addresses SOC 1 and 2 examinations, it may also be helpful to a practitioner performing a SOC for Supply Chain examination. In March 2020, the AICPA unveiled a new supply chain risk management reporting framework to help manufacturers, producers, distribution companies, and their customers and business partners identify, assess and address supply chain risks. Information on the guide can be found here.

“Service organization management is responsible for identifying and assessing blockchain-related risks, and for designing and implementing effective controls to mitigate those risks to acceptable levels,” explained Pawlicki. “When performing a SOC engagement, it’s critical for auditors to understand those risks and controls.”