AICPA White Paper Helps Auditors Conducting SOC Engagements for Organizations Using Blockchain

The American Institute of CPAs (AICPA) issued a white paper to help auditors providing SOC for Service Organization (SOC) reports on organizations that have incorporated blockchain into their service delivery systems.

The report is titled Implications of the Use of Blockchain in SOC for Service Organization Examinations and was developed by a working group of the AICPA assurance services executive committee (ASEC). The paper examines the skills and competencies auditors need to perform such engagements, the unique features of blockchain, the risks associated with using blockchain and how the use of blockchain by service organizations may affect their SOC examinations.

“As the use of blockchain increases, it’s likely that more service organizations will decide to use blockchain. Auditors hired to perform their SOC engagements need a deeper understanding of the technology and the risks it presents to the service organization and those who use their services,” Amy Pawlicki, vice president of assurance and advisory innovation for the AICPA, said.

The paper is divided into two parts. Part one presents an overview of blockchain, including a discussion of the different types of blockchain networks and some of their unique features, and also identifies specific risks of using blockchain. Part two presents an overview of relevant professional standards and criteria governing SOC for Service Organization examinations, and also discusses the need for the engagement team to possess knowledge about blockchain and the specialized skills and competencies to perform the engagement, including the use of specialists when appropriate. Part two also describes the unique elements of the auditor’s understanding of a service organization’s system when blockchain is integral to and interfaces with that system, and discusses unique considerations when forming an opinion on the description of a service organization’s system that includes blockchain, the suitability of the design of the controls, and in a type 2 examination, the operating effectiveness of controls.

While this paper specifically addresses SOC 1 and 2 examinations, it also may be helpful to a practitioner performing a SOC for Supply Chain examination. In March 2020, the AICPA unveiled a new supply chain risk management reporting framework to help manufacturers, producers, distribution companies, and their customers and business partners identify, assess and address supply chain risks.

“Service organization management is responsible for identifying and assessing blockchain-related risks, and for designing and implementing effective controls to mitigate those risks to acceptable levels,” Pawlicki said. “When performing a SOC engagement, it’s critical for auditors to understand those risks and controls.”