Accounting Information Systems Content for Free-Response Part of Final
types of nodes
*full node- program that fully validates transactions and blocks (full ledger) -lightweight node- does not store a full copy of the blockchain, passes its data to full nodes to be processed
section 320
reports on examination of controls at a service organization relevant to user entities' internal control over financial reporting
public blockchain
anyone can read the blockchain ledger and submit new transactions
hash rate
number of nonces tried per second (currently in the trillions)
nonce
the one data input to the block header that miners can change
Bitcoin vs bitcoin
-Bitcoin is the protocol, platform, and software used to run the digital currency bitcoin -bitcoin is a unit of currency
August -> October 2008
-Bitcoin.org was registered -Lehman Brothers filed for Chapter 11, AIG was bailed out, Bank of America bought Merrill Lynch, the US Government established 700 billion for the Troubled Asset Relief Program -Bitcoin whitepaper released on Halloween 2008, written by Satoshi
why blockchain matters to accountants
-accountants are expert record keepers, who keep records of financial transactions in ledgers
mystery of Satoshi Nakamoto
-anonymous creator of bitcoin -identity remains unknown (could be a person, many people, a corporation, a government) -Bitcoin whitepaper demonstrates considerable knowledge across disciplines (cryptography, computer science, economics, psychology, technical writing)
new transactions
-are communicated (broadcasted/propagated/gossiped) amongst nodes -nodes do not receive transactions in the same order, blocks determine order -nodes verify each transaction received for appropriateness
tokens
-are fungible (replaceable) or non-fungible -security token represents an investment -utility token gives access to use the blockchain product or service in the future -asset-backed tokens are tied to an asset in the physical world
Bitcoin vs blockchain
-bitcoin is not blockchain -many blockchains now exist, with a great deal of variation in technical design -Bitcoin's blockchain set the foundation for those that followed
blockchain structures
-centralized has one central intermediary -decentralized has many key intermediaries -distributed has no intermediary; every node can communicate, at least indirectly, with every other node (goal of blockchain)
ethereum
-created by Vitalik Buterin in 2015 -offers a simpler programming language to develop applications that run on a blockchain -native token is ether, a utility token -uses proof of stake and is resistant to ASICs -accounts are either externally owned (store ether) or smart contract (can have code stored with it)
problems that blockchain solves
-direct exchanges of value over the internet -individual parties cannot censor transactions (removes middlemen) -eliminates the double spend problem (the same digital token being spent more than once) -enables creation of scarce digital assets -advances network resiliency
bitcoin as a deflationary currency
-discourages spending due to negative inflation rate (value goes up over time) *conflict- Bitcoin only has value if people use it, but why use it if its value goes up over time?
brief overview of Bitcoin
-each bitcoin can be broken down to eight decimal places -21 million bitcoins are to be released by the year 2140
when using the work of another practitioner, you are responsible for
-engagement complying with professional standards, legal requirements, and firm policies -determining if the practitioner's report is appropriate for the circumstances
types of Bitcoin wallets
-hot storage: internet connection required to access wallet -cold storage: no internet connection required -full node: runs a full node and implements all the functions of the blockchain -lightweight: uses a connection with a series of servers to obtain information
SOC 2 reports
-intended to meet needs of a broad range of users who need control information relevant to security, availability, processing integrity of systems as well as confidentiality and privacy of information -2 types, and use is restricted
SOC 1 reports
-intended to meet needs of entities that use service orgs and the CPAs that audit them in evaluating the effect of the controls on the user entities' financial statements -cover controls that affect financial statements -2 types
SOC 3 reports
-intended to meet needs of users who need assurance about security, availability, processing integrity, confidentiality, or privacy, but don't have the means of using a SOC 2 report -general use, freely distributed
Bitcoin details
-is implemented using blockchain -can process about 7 transactions per second, with new blocks added about every 10 minutes -new bitcoins are released by the protocol in coinbase transactions, which represent rewards granted when new blocks are created
other threats and concerns
-it can be cost prohibitive to maintain a full node or mining operation, which leads to more centralized control -transactions are irreversible and anonymous, which clashes with US banking regulations -blockchain is not an efficient storage mechanism for large files -blockchains are not interoperable
assurance timeline
-limited assurance goes with a review engagement, a conclusion, and negative assurance -reasonable assurance goes with an examination engagement, an opinion, and positive assurance
blockchain
-linear model that is used to store data -the first block is known as the genesis block *book analogy- can be thought of as a book, where the book in its entirety represents the blockchain and each individual page represents a block
Satoshi conspiracies
-many conspiracies of who Satoshi could be (Nick Szabo, Craig Wright, Hal Finney) -many motives to claim to be Satoshi (Satoshi has 1 million bitcoin)
validated transactions
-meet all three criteria -are stored in a full node's memory pool (staging area) -miners take these transactions and work to add/confirm them into blocks
broadcast the winning nonce
-miner that solves the proof of work by finding an appropriate nonce broadcasts that nonce to the nodes -as part of this process, the associated transactions are then added to/confirmed in a new block -hash of the confirmed block then becomes the previous block hash that is included in the header of the subsequent block -miners use this previous block hash when working to confirm the next block
opinions and conclusions
-opinion is expressed in an examination engagement, conclusion is expressed in a review engagement -both relate to whether the subject matter is in accordance with the criteria and fairly stated
address
-participation in Bitcoin begins by establishing an address that can be sent bitcoins -steps to derive an address: cryptographic seed (random information collected to create a private key) -> private key (password) -> public key (anyone can see) -> blockchain address
acceptance of a change in the terms of the engagement
-practitioner can only agree to a change in terms if reasonable justification exists -if there is reasonable justification, practitioner should issue a report on the changed engagement that does not reference the original engagement, the procedures performed, or scope limitations
examination engagement
-practitioner obtains reasonable assurance (high, not absolute) by obtaining sufficient appropriate evidence on which to base their opinion -same level of assurance as needed for a financial statement audit
agreed-upon procedures engagement
-practitioner performs procedures and reports the findings, without providing an opinion or conclusion -parties agree upon and are responsible for the sufficiency of these procedures
engagement documentation
-prepared on a timely basis, final file assembled no later than 60 days after the report release date -practitioner shouldn't discard documentation, and if they amend it they have to document the reasons for the amendment and when and by whom it was made
Bitcoin blockchain
is public and permissionless (anyone can read the ledger and write transactions)
features of blockchain (book analogy)
-provides a linear record of something, allows you to go back and view the ledger at a specific point in time -made up of individual blocks of data, and these blocks have size limitations -blocks must remain in a specific order -blocks can only be added to the end of the blockchain, never removed (append only)
ledger
-provides a record of bitcoin transactions, which is shared, replicated, and distributed -is append only, verified, and agreed-upon -submitted transactions must be verified, and there is consensus on the data added via blocks
engagement partner assuming responsibility for the work of another practitioner
-required to communicate clearly with the other practitioner and evaluate the adequacy of their work -involvement is affected by your understanding of the other practitioner and degree to which they are subject to common quality control policies
cryptocurrency exchanges
-similar to how a stock exchange functions -creates a place for buyers and sellers to be matched, providing a level of anonymity for the parties involved -maintains custody of cash and cryptocurrencies used in the exchanges
initial coin offering
-somewhat similar to how companies might raise funds using an IPO -typically begins with a white paper outlining the new blockchain and its cryptoasset -many scams exist and ICOs are not yet well regulated, so buyer beware
attestation engagement
-types are examination, review, or agreed-upon procedures engagement -performed under AT-C standards and related to subject matter that is the responsibility of another party
is blockchain necessary? EY 5 point test
1) are there multiple parties in the ecosystem? 2) is establishing trust between all parties an issue? 3) is it critical to have a tamper proof, permanent record of transactions? 4) are we securing the ownership or management of a finite resource? 5) does the ecosystem benefit from improved transparency?
why 21 million bitcoins are to be released by 2140?
21 million bitcoins * 100 thousand parts per bitcoin = 21 trillion -21 trillion dollars is the same as the global money supply when Bitcoin was created (objective to become a global currency)
hashing transaction data
data from individual transactions are hashed, then hashes are hashed together until all transactions are used to create a single root hash which becomes part of the data represented in the block header -hash for one block is included in part of the hash for the next block
permissionless blockchain
anyone can write transactions to the blockchain
high fee
makes it more appealing for miners to include your transaction in the next confirmed block -earnings are also used to incentivize miners to use their computational power to support the blockchain rather than working to defraud it
Bitcoin wallet
bitcoins are not actually stored in the wallet; the wallet stores the keys that give you access to your funds
how could Satoshi's identity be proven
by accessing Satoshi's wallet and releasing bitcoin
examples of reasonable justification for requesting a change in the engagement
changes in circumstances affecting the requirements of the responsible party, or a misunderstanding of the nature of the original engagement
examples of changes that cannot be considered reasonable
changes relating to incorrect, incomplete, or unsatisfactory information
cryptography
code writing; used extensively in private and public keys to send and receive cryptoassets, in hashing transactions, and in hashing block header data to solve the proof of work and link blocks
section 105
concepts common to all attestation engagements
peer to peer network
distributed system of nodes with equal rights
leadership responsibilities for quality in attestation engagements
engagement partner should take responsibility for appropriateness of procedures, compliance with standards, accordance to firm policies, documentation being maintained, appropriate consultation
section 205
examination engagements
timing of blockchain's emergence
financial crisis of 2008 caused upside-down mortgages due to the burst of the housing bubble (mortgage is greater than house's value), complex financial instruments that passed risk through to the public, bailout of major banks using taxpayer money -result is low trust in financial institutions and the federal government
SOC 1 report type 2
focus on the suitability of the design and operating effectiveness of controls throughout a specified period
SOC 1 report type 1
focus on the suitability of the design of the controls as of a specified date
merkle tree
hashes all the transactions, reduces the amount of data needed to represent transactions
mining tools
have evolved to achieve a higher hash rate and thus a higher likelihood of confirming the block and earning its rewards and fees -early tools, central processing units and graphics processing units, were originally designed for gaming -application-specific integrated circuits are the most evolved tools, designed specifically for mining bitcoin
subject matter of an attestation engagement
historical/prospective performance, physical characteristics, historical events, analyses, systems and processes (internal controls) and behavior -can be at a point in time or for a period of time
51% attack problem
if 51% of the nodes (and the majority of miners' hashing power) work together, previously recorded transactions can be changed which allows the fraudster to double spend cryptocurrency -can combat this with high hash rate and geographically distributed nodes and miners
fraudulent transactions
if a node tries to introduce a fraudulent transaction, the nonce produced from the proof of work will not work for the other nodes -there will be consensus across the chain that the fraudulent transaction is not valid
overpowering a blockchain
if there are more dishonest nodes than honest nodes, and if they control the majority of the hashing power on the blockchain, there is a possibility that the blockchain can be rewritten
forking
if there is not consensus amongst nodes about which new block is valid or whether changes to the protocol should be accepted, the blockchain might fork -soft fork is backward compatible, hard fork is not backward compatible
cryptocurrency
includes bitcoins, altcoins, and stablecoins
encryption
it is a misconception that data stored on blockchains are encrypted -public blockchain ledgers are grounded in the idea of transparency (anyone can view)
proof of stake mining
a single node is selected to be responsible for adding the next block, which is more environmentally friendly
sections of SOC 1 and 2 reports
management's assertion on controls, service auditor's report on controls, description of the system, service auditor's tests of controls, other information provided by the service org
hashing block header data
mathematical puzzle which requires the resulting hash to begin with a pre-specified number of zeros -the current difficulty determines this requirement
incentive to find the nonce
miner that finds a correct nonce receives a block reward (newly issued bitcoins) and fees offered by included transactions (specified by the transaction initiator)
proof of work mining
miners repeatedly apply a different nonce to the block header data until they generate a hash that begins with at least a certain number of zeros -uses a lot of electricity
multisig approach
multiple private keys required to release funds
SOC 2 Trust Services Criteria
reports on controls relevant to security, availability, processing integrity, confidentiality, or privacy
SOC 1 ICFR
reports on controls relevant to user entities' internal controls over financial reporting
using the work of another practitioner
obtain an understanding of whether the other practitioner is independent and compliant, understand their professional competence, communicate clearly about their findings, be involved in their work, determine whether to refer to them
hash collisions
occur when two different pieces of digital content produce the same hash, which is undesirable
private blockchain
only authorized parties can read the blockchain ledger and submit new transactions
permissioned
only authorized users can write transactions to the blockchain
SOC 2 reports play an important role in
oversight of organization, vendor management programs, internal corporate governance, risk management processes, regulatory oversight
difficulty
periodically adjusts so that blocks are created approximately every 10 minutes, and is adjusted every two weeks or 2,016 blocks based on current hash rate
review engagement
practitioner obtains limited assurance by obtaining sufficient appropriate evidence in order to express a conclusion
mining
process of adding transactions to blocks, which then become a part of the permanent blockchain ledger -miners hash the inputs to a block and compete to solve a puzzle that will allow the block to be added to the blockchain
types of blockchain
public and permissioned is less common, private and permissionless is not realistic, private and permissioned is for enterprise users
use of SOC 1 reports
restricted to management of service org, user entities, and user auditors
block reward halving
reward issued in the coinbase transaction is cut in half, which occurs every 4 years or 210,000 blocks -current block reward is 6.25 bitcoin every 10 minutes
hashing
running digital content through an algorithm to produce a fixed-length string of letters and numbers to uniquely represent the content -the same content will always produce the same hash if run through the same algorithm -any changes to the content will result in a completely different hash -cannot recreate the original content from the hash
Dapp
series of smart contracts used to build a decentralized application
smart contracts
short computer programs on Ethereum which encode rules of an agreement and act like an automated escrow service, and once triggered, they are irreversible
SOC 3 Trust Services Criteria for General Use Report
simplified version of SOC 2 that can be read by anyone
sharding approach
single private key with multiple parts required to release funds
forks in Bitcoin
there have been forks in Bitcoin, and the hard forks have resulted in new altcoins (Bitcoin Cash, Bitcoin Gold)
SOC 2 reports are unique because
they detail the service auditor's tests of internal controls at a service org
difference between traditional accounting and blockchain
traditional accounting relies on double entry rules to balance the transactions of a single entity, whereas blockchain allows the balance of transactions among all entities using a shared ledger
key relationships
user entity -> service org -> subservice org -> service org -> service auditor -> internal auditor -> service auditor -> service org -> completed SOC report
DAO
uses a series of dapps to build a decentralized autonomous organization, which is a corporation that runs completely autonomously based on programmed logic
Bitcoin hash
uses the 64-character SHA-256 hash, regardless of the size of the data file being hashed
criteria for verifying new transactions
whether the sender has sufficient funds, whether the transaction is signed, and whether funds are directed to an existing address
peer to peer version of electronic cash
would allow online payments to be sent directly from one party to another without going through a financial institution (no government interference)