audit - Pwim.Net

EY Ops Chain: Bringing Transparency and Accountability to Public Finance Management

Exclusive interview with Jimmy Ong, Ernst & Young: Part 1

Governments utilize enterprise resource planning (ERP) tools to track public finance nowadays, however, how can we ensure the tracking of public funds is transparent and accountable to the general public?

Ernst & Young (EY) has been the leader in using blockchain to track public finance. Its flagship product, EY Ops Chain made its debut in 2017 which has been widely adopted across the areas of public finance and supply chain management. In Apr 2018, EY brought blockchain into its audit business with the EY Blockchain Analyzer, which helps auditors to interrogate the data and perform analysis of transactions, reconcile and identify transaction outliers.

Blockchain.News sat down with Jimmy Ong, EY Asia-Pacific Blockchain Leader to take a deep dive in EY Ops Chain and EY Blockchain Analyzer. In particular, we explore how EY Ops Chain facilitates a more transparent public finance tracking. Ong also shared an interesting use case when EY Ops Chain enables the tracking of blood in Canada.

What would you say is the main impetus behind the formation of the EY blockchain team and when did EY first begin experimenting with the technology?

At EY, we are constantly evaluating and innovating with new technologies to ensure we understand how these solutions can solve real-world problems for our clients. Our mission is to build a better working world and bring digital transformation to the forefront. This includes experimenting with and using emerging technologies – like blockchain – when applicable. We see blockchains as universal business infrastructure that will integrate business ecosystems.

On the website of EY, the immediate quote is that “blockchains will do for networks of enterprises and business ecosystems what enterprise resource planning (ERP) did for the single company”. Could you expand on this core concept for our readers?

EY has a clear vision and strategy for how blockchain is digitalizing and integrating supply chains by knitting together business operations and finance at the ecosystem level. Blockchain does that through tokens and smart contracts.

Blockchains allow for a level of digital collaboration previously thought unfeasible. Using blockchain, we now have a technology-based business infrastructure that enables enterprises to transact between each other using shared business logic and shared business data.

We see blockchain playing a very important role enabling enterprises to complete the purchase-to-pay (P2P) lifecycle – from contracting, ordering, fulfilling, invoicing to handling payments in a more accurate, efficient and more secure manner.

EY OpsChain: Use Cases

Which areas of blockchain applications are the focus of the EY blockchain team? Can you share some examples with us?

At EY, we focus on two blockchain platforms: EY Ops Chain and EY Blockchain Analyzer. EY Ops Chain helps organizations conduct business on private and public blockchains. EY Blockchain Analyzer helps organizations get insights into what happened on the blockchain. We see these two platforms as complementary as the first enables enterprises to conduct business transactions on the blockchain while the latter allows for enterprises to analyze them.

EY OpsChain

Using EY Ops Chain traceability, we have enabled our clients to track numerous assets along the value chain such as wine, chicken, and animal vaccines. Earlier this year, we brought EY Ops Chain traceability to one of the world’s most important services: blood service operations. We worked with the Canadian Blood Services (CBS) to track blood from ‘vein to vein.’

The blood registry had a desire to augment the donor base and utilize emerging tech to optimize the management of Canada’s blood product supply and inventory. Implementing EY Ops Chain traceability would help reinforce the partnership in Canada between donors, hospitals, patients, ministries and CBS employees by bringing them all on one platform.

For tracing blood from ‘vein to vein,’ the solution starts with the donor where the bag of blood is scanned and tagged, monitored along the logistic journey, tracked as it’s processed into additional products including plasma, cells and platelets. Once the blood product is ready for recipient use, the bag is then scanned for the final time closing the loop.

The results were improved transparency and donor engagement, enhanced end-to-end management along with the key process steps from collection, CBS transport, production/testing, storage, hospital transport and storage, leveraging data and technology to support research and seek improved patient outcomes.

EY Blockchain Analyzer

EY Blockchain Analyzer is all about linking the blockchain with enterprise transactions and real-world assets. The platform can integrate with a multitude of sources and provides useful tools to perform blockchain analytics, audits, and tax processes. We use the EY Blockchain Analyzer for our audit engagements where the enterprise has transactions on the public blockchains such as Bitcoin, Bitcoin Cash, Ethereum, Ethereum Classic and Litecoin. EY Blockchain Analyzer helps with transaction monitoring, tax calculation, token and smart contract testing. The technology can also support zero-knowledge proof (ZKP) private transactions and connect with private Ethereum, Quorum, and Hyperledger blockchains.

EY OpsChain: Public Finance Manager

In Oct 2019, EY has launched the OpsChain Public Finance Manager (PFM) in tracking public funds. Can you share with us the pilot testing result in Toronto?

EY Ops Chain Public Finance Manager helps governments allocate taxpayers more effectively. The solution’s aim is to drive transparency, eliminate reconciliation and enhance the decision-making ability of governments for the financial management of public funds. EY first implemented our solution for the City of Toronto and it is now being piloted worldwide. The city’s financial management transformation efforts lead to the blockchain-based solution for better managing reconciliations and interdivisional fund transfers between different agencies.

Results are being measured on an ongoing basis but early signs point to a more accurate availability of reporting measures for management decision-making. Decision-making authority has a consolidated view of funds along the chain in real-time. Administrators now have synchronized transactional and reporting data across participants. The product has reduced administrative costs and allowed for the reallocation of resources to high-value-add activities.

It is claimed that the PFM can track government fund movement through different state agencies, which also means different state agencies need to share their own data to the blockchain for transparency. What are the challenges to gather public fund data from different state agencies?

Governments, municipalities, and the many agencies related perform the essential public services to empower the communities of which they serve. That being said, the IT landscape and digital maturity of authorities can differ drastically among them.

Our solution makes it easy to integrate with a wide range of ERP and other financial reporting systems to help alleviate the siloed and out-of-sync data problems that plaque most governments and enterprises alike.

"The Wars to Come," Blockchain – A Game Changer for Auditors

Every industrial revolution was driven by different automation. The “Steam Engine” began the “First Industrial Revolution”, Previous industrial revolutions were driven by “Factory Machines and Fossil Fuels”. Whereas, the on-going automation revolution is based on “Data-Driven Artificial Intelligence” (AI) and “Blockchain Technology”.

If “data is the fuel “of the Fourth Industrial Revolution, “blockchain will be the engine” driving it forward. Both of them have a positive relationship because blockchain distributed ledger nature allows for safe and secure storage of data. Working together not only will advance their own adoption & implementation but will shape the next Industrial Revolution.

“Blockchain is a decentralized ledger of transactions across a peer-to-peer network that cannot be changed, tampered with, or lost due to blockchain’s decentralized and distributed nature. The blocks in a Blockchain consist of digital information (“block”) stored in a public database (“chain”).

Blockchain technology was first introduced as the core technology behind digital currency bitcoin, but it has now evolved far beyond bitcoin and has the potential to transform and disrupt a multitude of industries, from financial services to the public sector to healthcare.

Among various use cases are payment processing, online voting, executing contracts, signing documents digitally, creating verifiable audit trails and registering digital assets.

Blockchain Impact on Accounting & Auditing World

Blockchain-based world would create new requirements for audits with new risks. A blockchain ledger would provide an assurance baseline that eliminates the need for traditional auditing entirely as blockchains, by definition, create up-to-date immutable, historical records.

This technology has the potential to impacts all record-keeping processes, including the way transactions are initiated, processed, authorized, recorded and reported. All information is recorded in real-time which is immutable and it brings transparency in financial reporting and accounting process with certainty over the provenance (origin) of those transactions.

Distributed ledgers working together with artificial intelligence can automate a range of processes, from payments through to foreign exchange trades and the filing of tax returns.

“Auditors will need the skills and capabilities to review blockchains as they are created.”

Blockchain Feature- Immutability & Transparency

In Blockchain immutable accounting records are created. Manipulating transaction entries to falsify or eliminate them is practically impossible. Since all the information is stored as a block and every block is associated with others, anyone trying to change one block needs to alter the associated blocks which becomes a daunting task for the hacker.

Auditors spent a lot of time in the verification of the transactions trail to ensure there is sufficient evidence and information is transparent. The use of Blockchain will save time that traditionally goes in manual auditing & detailed analysis. That time can be utilized in formulating more strategic work & delivering future business value.

Blockchain Feature- Real-Time

Gone are those days when auditors had to wait for it for the end of the year or month to carry out the audit.

In blockchain all the information is recorded on “Real-Time” i.e it is time-stamped. By the use of blockchain technology, it is now possible to perform an audit whenever it is required improving the pace of financial reporting and auditing.

A blockchain-based ledger lays out the entire history of related transactions, updated in real-time and visible to all parties involved — creating a clear, auditable record that is virtually impossible to falsify or destroy, promising to radically improve the fight against challenges like fraud and money laundering.
Malcolm J. Murray, Fellow and VP, Gartner

With access to unalterable audit evidence, the auditor could have real-time data access via read-only nodes on blockchains. Blockchain combined with artificial intelligence could transform the way in which fraud investigations and forensic accounting are undertaken.

The real-time systems would highlight and investigate anomalies and unusual transaction patterns as they emerge. It cannot eliminate fraud completely; however, it may help identify fraud in real-time.

Blockchain Challenges “New world of digital risk”

Blockchain-based world would create new requirements for audit with new risks. While block chain’s design brings transparency, immutability and security in the transactions, but still the occurrence of frauds cannot be eradicated. The Blockchain environment is still susceptible to various technology risks.

The auditors will need to audit whether the distributed ledger systems are working correctly.
Professor Nigel Smart, University of Bristol

In Blockchain the data is validated by a majority of other users on the system. If the majority of the users on the distributed ledger become corrupt, it is possible to break the chain.

The DAO–HACK

Blockchain can also be vulnerable to programming mistakes, for instance in June 2016, Swiss-based DAO – actually called “The DAO” lost virtual currency when a hacker found a loophole in the coding that allowed him to drain funds from The DAO. In the first few hours of the attack, 3.6 million ETH were stolen, the equivalent of $70 million at the time. Once the hacker had done the damage he intended, he withdrew the attack.

The DAO was a digital decentralized autonomous organization and a form of investor-directed venture capital fund. It launched in April 2016 after a crowdfunding campaign. The DAO had an objective to provide a new decentralized business model for organizing both commercial and non-profit enterprises.

The DAO’s hack was not due to a problem inherent on the Ethereum blockchain; it came from a coding loophole exploited by an intelligent hacker. Had the code been written correctly, the hack could have been avoided

There is currently no standard way to validate blockchain-based business processes and the related control environment.

The reality is that no system is flawless – not even blockchain.

Assess the Reliability of the Blockchain Consensus Protocol

Auditor needs to understand and assess the reliability of the consensus protocol for the specific blockchain taking into risk consideration of whether the protocol could be manipulated.

Evaluate Management’s Accounting policies for Digital Assets

Auditor will also need to evaluate management’s accounting policies for digital assets and liabilities, which are currently not directly addressed in international financial reporting standards or in the U.S. generally accepted accounting principles.

Auditors will always be needed to design the appropriate audit strategies in complex systems making decisions about what level of audit is required, how data should be captured, and the type of audit analytics that should be applied.

No way to Reverse Transactions

In a case, if a user accidentally or deliberately transfers an amount (in the form of digital currency) to the wrong or unauthorized address (recipient) account, then there’s currently no way to reverse the transaction.

To avoid such situations, Auditors are therefore required to assess whether effective automated controls General information technology controls (GITCs) related to the blockchain environment are in place to validate transactions before they are executed.

Impossible to recover the Account if Private key is lost

If in any case, a user loses his private key (e.g. through a software or hardware malfunction), then the user loses his access to his virtual currency account. All his amounts will remain inaccessible forever and cannot be recovered easily.

Auditors need to review effective disaster recovery procedures are in place and verify whether controls that address the risks associated with blockchain can be relied upon.

No Reporting Authority

If an entity experiences a phishing attack, there is no central authority to report any incident since in blockchain there is no central administration. This situation can also translate into a risk of fraud.

When faced with such risk, Auditors will be expected to determine whether internal controls to prevent and detect phishing attacks are indeed operating effectively.

Top Auditing Firms have Undertaken Blockchain Audit Initiative

An auditor will need to stay abreast of recent developments in this space to consider how to tailor audit procedures to take advantage of blockchain benefits as well as address incremental risks.

EY has recently announced the launch of its “Blockchain Analyzer tool” to help audit teams assemble an organization’s entire transaction data from multiple blockchain ledgers. It also supports testing of multiple cryptocurrencies managed or traded by exchanges and asset managers.

PwC has also launched”Blockchain Validation Software”, which combines risk & control framework with continuous auditing software. It will test for anomalies in real-time.

The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, is developing voluntary guidelines for companies to strengthen their oversight of blockchain-technology projects. The guidance is expected to be released in the first quarter of 2020.

Blockchain technology has the potential to upend Audit, Assurance and Control functions —Auditors need to stay attuned to emerging use cases — As Role and skillsets of Auditors will change as new Blockchain-based techniques and procedures emerges.

Get ready for “The Wars to Come”

Fantom Collaborates With Dedaub To Automatically Detect Smart Contract Bugs With Watchdog

In the latest announcement from the scalable layer 1 platform, Fantom announced its collaboration with Dedaub to leverage its automated system called Watchdog to look for smart contract bugs in the Fantom ecosystem.

Watchdog is an automated system developed due to Fantom’s partnership with security firm Dedaub. Using an automated, continuous auditing system, Watchdog can automatically analyze selected smart contracts from the Fantom Network for buggy code that could become the root cause of security attacks.

According to Fantom foundation in the announcement, Watchdog will particularly focus on attacks afflicting decentralized finance (DeFi) apps.

“We’re incredibly excited to bring a new level of safety and security to the ecosystem with Watchdog. Developers require access to cost-effective, efficient, and trustworthy smart contract auditing tools. Watchdog delivers just that and will set a new standard for security,” said Michael Kong, chief executive officer at Fantom Foundation.

Furthermore, Fantom stated in the announcement that if a vulnerability is detected in any of the Fantom ecosystem, security firm Dedaub will alert the project, and assist them in analyzing the risks involved and support the project team in fixing the vulnerability in time.

The scalable layer 1 platform added that although new threats can arise as protocols evolve, making a completed audit outdated. As a result, Watchdog supplements manual audits with automated vulnerability detection services that are continuously updated to address newly discovered exploits.

Speaking of partnerships, web3 domain provider Unstoppable Domains recently partnered with Fantom network to allow Fantom users to benefit from simplified crypto transactions, user verification, and identity ownership.

Fantom CEO Michael Kong noted: “Unstoppable Domains has been at the forefront of decentralized domains for years, and is a pioneer in the Web3 space. We are thrilled to work alongside Unstoppable Domains to bring these domain names to the Fantom Network, and to further simplify the movement of digital assets for our users.”

Euler Finance suffers $197M DeFi hack

Euler Finance, a DeFi lending protocol, suffered a flash loan attack on March 13, resulting in the biggest hack of crypto in 2023 so far. The lending protocol lost nearly $197 million in the attack, impacting more than 11 other DeFi protocols as well. Euler Finance disabled the vulnerable etoken module and vulnerable donation function to block deposits.

On March 14, Euler Finance updated its users on the situation and notified them of the disabled features. The firm stated that it works with various security groups to perform audits of its protocol, and the vulnerable code was reviewed and approved during an outside audit. However, the vulnerability remained on-chain for eight months until it was exploited, despite a $1 million bug bounty in place.

Sherlock, an audit group that has worked with Euler Finance in the past, verified the root cause of the exploit and helped Euler submit a claim. The audit protocol later voted on the claim for $4.5 million, which passed, and later executed a $3.3 million payout on March 14.

In its analysis report, the audit group noted a significant factor for the exploit: a missing health check in “donateToReserves,” a new function added in EIP-14. However, the protocol stressed that the attack was still technically possible even before EIP-14.

Sherlock noted that the Euler audit by WatchPug in July 2022 missed the critical vulnerability that eventually led to the exploit in March 2023. Euler has also reached out to leading on-chain analytic and blockchain security firms, such as TRM Labs, Chainalysis, and the broader ETH security community, in a bid to help them with the investigation and recover the funds.

Euler Finance has notified that they are also trying to contact those responsible for the attack in order to learn more about the issue and possibly negotiate a bounty to recover the stolen funds. The incident highlights the need for regular audits of DeFi protocols to detect vulnerabilities and prevent hacks. As DeFi continues to grow and attract more users, security and reliability will become even more critical for the industry’s success.