Administrative Audit Considerations for Smart Contracts
In the last blog we discussed what smart contracts are and how they interact with other components on a blockchain network. This blog will focus on how one should go about auditing smart contracts. Specifically, we will focus on administrative audit considerations.
To start, it is important to state that smart contract auditing is not:
A review of accounting or financial controls.
Compliance checking or testing.
Instead, the smart contract auditing process must focus on evaluating the key safeguards and controls of the smart contract. In other words, the high-level audit process is as follows:
1. Understand the underlying blockchain technology, the application and the logic of the smart contract. You cannot effectively audit something that you do not understand.
2. Identify the risks and what you can possibly implement to mitigate them, or reduce their impact, to an acceptable level.
What we do is achieve and monitor compliance effectively, and we assess the effectiveness of the control systems and rules.
Accordingly, IT auditing is about identifying risk and the appropriate controls to mitigate that risk to an acceptable level.
Zero Friction has been active in working with industry partners and clients on their blockchain audit strategies. Our team played a key role in defining the Blockchain Preparation Audit Program with ISACA and, more recently, played a key role in authoring the generic blockchain reference model and the blockchain security considerations for the ISACA Blockchain Framework and Guidance.
In our Smart Contract Audit Review process, Zero Friction reviews smart contracts on three specific areas:
Administrative (the focus of today's blog)
Operational
Technical
Administrative: Audit Considerations for Buyer and Seller
In this first portion of the review, we focus on the risks among the participants. Specifically, we want to know:
Who are the participants? Are there only two parties, or are there other parties involved? Each additional party adds to the complexity of the smart contract and its settlement.
Are the participants financially stable, viable, experienced and knowledgeable in the proposed transactions?
Is there appropriate disclosure or disclaimer or statement of possible risk from usage of the smart contract?
What is the likelihood that the participants will commit fraud, engage in misconduct or manipulate the smart contract? Are there track records or past performances that would indicate otherwise?
Are there any conflicts of interest? Specifically, in a two-party transaction (e.g., as buyer and seller), can the seller also participate in the contract as a buyer?
Are both parties able to deliver on their promises/commitments as stated by the smart contract?
Administrative: Audit Considerations from External Factors
Smart contracts can also be influenced by other external risks. Depending on the application of the smart contract, we may also need to consider:
Regulators
Herstatt (settlement) risk
Privacy
Platform behaviors such as Development/Ongoing Support, Security issues, Speed of transactions, Cost of transactions, Scalability, etc.
Regulators may validate, or conversely invalidate, the business model that the smart contracts rely on. Herstatt risk deals with the risk relating to settlement of a time- or value-sensitive transaction. If the application involves cryptocurrencies, changes to cryptocurrency prices are significant; daily swings of -20 to 30% are not uncommon. The longer the wait to settle the transaction, the greater the risk to all participants.
Proper handling of participants' privacy should be considered to meet the regulatory requirements of GDPR and CCPA. Our recommendation is that PII should be maintained off-chain.
The blockchain platform has dependencies such as the community of developers, ongoing support, historical security issues, etc. As a collective, these may significantly impact the survivability of the blockchain. Technical design risks such as transaction time, scalability of transactions, ledger rollbacks, etc. must also be reviewed.
Administrative: Audit Considerations for the Smart Contract
The last portion that we examine is the smart contract itself. Specifically, we focus on the following:
Does the contract actually represent the promises of the smart contract?
Is there clear agreement addressing non-operational issues such as force majeure or liabilities?
Is there an escrow, and how is it to be handled?
Has a security audit been performed on the production code base? Who performed the review, and what are their qualifications? Were identified vulnerabilities addressed and validated?
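As an added illustration (not code from Zero Friction or from the original post), the following hypothetical Solidity escrow shows how three of the administrative questions above, distinct participants (the conflict-of-interest question), settlement timing (the Herstatt-style exposure from a long wait to settle), and escrow handling, turn into concrete controls an auditor can confirm in code rather than take on trust. The contract name, function names and the deadline mechanism are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical two-party escrow used to illustrate what an auditor looks for:
/// - buyer and seller must be distinct addresses (no self-dealing)
/// - a settlement deadline after which the buyer can reclaim funds (limits settlement risk)
/// - one explicit release path, controllable only by the buyer
contract TwoPartyEscrow {
    address public immutable buyer;
    address public immutable seller;
    uint256 public immutable deadline;   // unix time after which the buyer may reclaim
    bool public settled;

    event Released(address indexed to, uint256 amount);
    event Refunded(address indexed to, uint256 amount);

    constructor(address _seller, uint256 settlementWindow) payable {
        require(_seller != address(0), "seller required");
        // Conflict-of-interest control: the funding party cannot also be the seller.
        require(_seller != msg.sender, "buyer and seller must differ");
        require(msg.value > 0, "escrow must be funded");
        buyer = msg.sender;
        seller = _seller;
        // Settlement-risk control: the escrow cannot stay open indefinitely.
        deadline = block.timestamp + settlementWindow;
    }

    /// Buyer confirms delivery; the escrowed value goes to the seller.
    function release() external {
        require(msg.sender == buyer, "only buyer");
        require(!settled, "already settled");
        settled = true;                       // state change before the external call
        uint256 amount = address(this).balance;
        (bool ok, ) = seller.call{value: amount}("");
        require(ok, "transfer failed");
        emit Released(seller, amount);
    }

    /// If the seller has not delivered by the deadline, the buyer reclaims the funds.
    function refund() external {
        require(msg.sender == buyer, "only buyer");
        require(!settled, "already settled");
        require(block.timestamp > deadline, "deadline not reached");
        settled = true;
        uint256 amount = address(this).balance;
        (bool ok, ) = buyer.call{value: amount}("");
        require(ok, "transfer failed");
        emit Refunded(buyer, amount);
    }
}
```

When reviewing a contract like this, the auditor's administrative questions map to specific lines: the `_seller != msg.sender` check answers whether the seller can also act as buyer, the `deadline` answers how long participants are exposed before settlement, and the two paths out of escrow (release to seller, refund to buyer) answer how the escrow is handled and who controls it.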
In the next blog, we will examine the details behind Operational Audit Considerations of a smart contract.