AUDIT PROGRAM NARRATIVE

BLOCKCHAIN PREPARATION AUDIT PROGRAM

CONTENTS
Blockchain Preparation Audit Program
  Audit Subject
  Audit Objectives
  Audit Scope
  Business Impact and Risk
  Minimum Audit Skills
  Testing Steps
Acknowledgments

© 2019 ISACA. All Rights Reserved.



ABSTRACT
As an emerging technology, blockchain promises great benefit but also entails new risk.
Many enterprises lack personnel with the requisite skills to assess the risk and
recommend adequate safeguards to mitigate it. It is critical—especially during this early
phase of the technology—to understand the risk associated with blockchain and consider
the high-level controls that address it. The Blockchain Preparation Audit Program is
intended to meet these goals.


Blockchain Preparation Audit Program

Blockchain still lacks a published, uniform and broadly recognized auditing standard. Enterprises that adopt the technology should identify and develop key policies, procedures and controls to mitigate its risk and streamline processes.

Audit Subject

Blockchain is the distributed ledger technology underlying the world’s first decentralized cryptocurrency, Bitcoin. It has quickly become one of the most promising technological advancements in recent times. Blockchain has the potential to transform a variety of key industries that are ubiquitous in modern life: finance, healthcare, manufacturing and real estate, to name only a few.

Blockchain eliminates the dependency on a central, trusted authority for approving transactions; instead, a consensus protocol establishes agreement on the state of the ledger among multiple, decentralized participants in the market. Its potential benefits include:
• Transparency
• Cost reduction
• Enhanced speed

However, as with any new technology, there are often drawbacks; blockchain is still not fully mature, and caution must be exercised when deploying it at an enterprise level—its risk can easily be misunderstood or overlooked.

Accordingly, ISACA developed this audit program as an initial framework within which enterprises can better manage a blockchain implementation. The Blockchain Preparation Audit Program worksheet is provided as a separate Excel® file.

Audit Objectives

The Blockchain Preparation Audit Program will:
• Provide management with an assessment of the blockchain technology control environment, indicating whether it is adequately designed and operationally effective
• Identify blockchain risk that could result in reputational and/or material financial impact
• Provide management with a holistic perspective on blockchain technology that considers both technical and nontechnical factors

Audit Scope

The Blockchain Preparation Audit Program is built on the following six categories:
• Preimplementation
• Governance
• Development
• Security
• Transactions
• Consensus

The auditor performing the review should determine the scope of organizational functions, systems and assets to be tested.

Business Impact and Risk

Blockchain must be carefully considered, properly deployed and effectively managed; it is not practical for all enterprises, and management must ensure that its use supports business objectives. Blockchain commonly entails risk and business consequences including:
• Use cases that are impractical and/or misaligned with strategic objectives
• Poor implementation or deployment that results in wasted resources and a solution that does not function properly
• Gaps in security, including vulnerable source code, weak endpoints and theft/loss of sensitive data such as wallet private keys
• Vendors that cannot scale effectively to support blockchain at enterprise level
• Substantial impact to customers and regulatory consequences (including fines) when deployment is faulty

Minimum Audit Skills


The IT audit professional must have an understanding of
security, controls and technology processes. The auditor
should also possess adequate functional and business
knowledge to determine alignment with business strategy.
Individuals performing this audit should verify that they
have performed the required research to comprehend the
nature of blockchain technology and its associated risk.

Testing Steps
Audit steps have been developed for each category and
subprocess to evaluate the effectiveness of the
enterprise’s controls. Refer to the Blockchain Preparation
Audit Program Excel spreadsheet for full documentation.

In combination with the audit program, practitioners may conduct interviews with key stakeholders in business and technology groups to assess the use, deployment and management of blockchain. Consider the following questions:

• Was a business case assessment created for the use of blockchain? What were some notable practical use cases?
• What type of blockchain (permissioned vs. permissionless) is the organization using and why?
• How are blockchain wallet private keys managed? Is there an identified custody approach?
• Were vendors selected to support blockchain? How were they selected?
• Does management adequately understand blockchain? Are they providing effective oversight?
• How does the enterprise manage regulatory risk for blockchain?
• Does the enterprise have qualified blockchain developers? If not, how will the enterprise acquire the requisite development expertise?



Acknowledgments

ISACA would like to recognize:

Lead Developer
Varun Ebenezer, Vice President & Senior Audit Manager, USA

Expert Reviewers
Nana B. Amonoo-Neizer, CISA, CISM, USA
Dr. T. Chithralekha, India
Andrew Clark, USA
Keatron Evans, CEH, CISSP, ISSMP, USA
Tuan Phan, CISSP, PMP, Security+, USA
B. Ganapathi Subramaniam, CISA, CISM, CIPP/E, CIPM, CIPT, United Kingdom

ISACA Board of Directors
Rob Clyde, Chair, CISM, Clyde Consulting LLC, USA
Brennan Baybeck, Vice-Chair, CISA, CRISC, CISM, CISSP, Oracle Corporation, USA
Tracey Dedrick, Former Chief Risk Officer with Hudson City Bancorp, USA
Leonard Ong, CISA, CRISC, CISM, CGEIT, COBIT 5 Implementer and Assessor, CFE, CIPM, CIPT, CISSP, CITBCM, CPP, CSSLP, GCFA, GCIA, GCIH, GSNA, ISSMP-ISSAP, PMP, Merck & Co., Inc., Singapore
R.V. Raghu, CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India
Gabriela Reynaga, CISA, CRISC, COBIT 5 Foundation, GRCP, Holistics GRC, Mexico
Gregory Touhill, CISM, CISSP, Cyxtera Federal Group, USA
Ted Wolff, CISA, Vanguard, Inc., USA
Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, CIA, CRMA, EGIT | Enterprise Governance of IT (Pty) Ltd, South Africa
Theresa Grafenstine, ISACA Board Chair, 2017-2018, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA, Deloitte & Touche LLP, USA
Chris K. Dimitriadis, Ph.D., ISACA Board Chair, 2015-2017, CISA, CRISC, CISM, INTRALOT, Greece


About ISACA

Now in its 50th-anniversary year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by information and technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its 460,000 engaged professionals—including its 140,000 members—in information and cybersecurity, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 220 chapters worldwide and offices in both the United States and China.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

DISCLAIMER

ISACA has designed and created Blockchain Preparation Audit Program (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS

© 2019 ISACA. All rights reserved.

Provide Feedback: www.isaca.org/blockchain-preparation
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAHQ
Instagram: www.instagram.com/isacanews/

Blockchain Preparation Audit Program
ISBN 978-1-60420-800-9