See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/351720040

The impact of client use of blockchain technology on audit risk and audit
approach—An exploratory study

Article in International Journal of Auditing · May 2021

DOI: 10.1111/ijau.12238

CITATIONS READS

32 2,065

2 authors, including:

Ravi Seethamraju
The University of Sydney
69 PUBLICATIONS 1,551 CITATIONS

SEE PROFILE

All content following this page was uploaded by Ravi Seethamraju on 27 October 2022.

The user has requested enhancement of the downloaded file.

 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Received: 21 February 2021 Accepted: 9 May 2021
DOI: 10.1111/ijau.12238

ORIGINAL ARTICLE

The impact of client use of blockchain technology on audit risk

and audit approach—An exploratory study

Maria Cadiz Dyball | Ravi Seethamraju

The University of Sydney Business School,

Discipline of Accounting, The University of Blockchain is claimed to disrupt the external audit function by enhancing the
Sydney, Sydney, New South Wales, Australia
reliability of both external and internal audit evidence. This study examined the
Correspondence impact of client use of blockchain technology on audit risk and audit approach. It
Maria Cadiz Dyball, The University of Sydney
referred to the Australian Auditing Standard ASA 315 Identifying and Assessing the
Business School, Discipline of Accounting, The
University of Sydney, Sydney, New South Risks of Material Misstatement and van Buuren et al.'s continuum of audit approaches
Wales, Australia.
to frame semi-structured interviews with 28 blockchain stakeholders including audit
Email: [email protected]
partners. The study found that blockchain clients are perceived to be riskier than
Funding information
other clients and that inherent and control risks are amplified. The audit approach
The University of Sydney Accounting
Foundation is not definitive with two likely approaches: a combination of direct, indirect,
account-level and entity-level evidence and an increase in indirect and entity-level
evidence. This study's findings are useful for audit practitioners, standard setters
and regulators.

KEYWORDS
audit evidence, audit risk, external audit, IT auditing

1 | I N T RO DU CT I O N Blockchain, which allows groups of transactions to be validated, time-

stamped and visible to all the parties, enables parties to transact
Considered a highly innovative business technology (Deloitte, 2016; directly with each other through a single distributed ledger
Ferrer, 2016), blockchain is expected to disrupt the audit function (Murray, 2019) and eliminates the need for centralised transaction
(Richins et al., 2017). Fundamentally an accounting technology processors such as banks or credit card networks. New transactions
(Institute of Chartered Accountants of England and Wales and other information are bundled into ‘blocks’ by individual parties,
[ICAEW], 2017, blockchain could facilitate efficient and accurate verified by the network and then chained in a sequential order to the
transfer of assets and ledgers of financial and nonfinancial informa- previously validated block (Zachariadis et al., 2019). Immutability of
tion. This means that the possibility of real-time audit is high because records, transparency, peer-to-peer transmission, distributed architec-
all transaction data are recorded in up-to-date, immutable and histori- ture and computational logic are the key principles underlying
cal distributed ledgers. Blockchain could spell the end of random sam- blockchain (Murck, 2017).
pling by auditors, enabling them to perform a check on every single There are two types of blockchains—public or permissionless and
transaction (Ernst & Young [EY], 2016). Thus, it promises efficiencies private or permission blockchains. Public blockchains can be accessed
in the conduct of audits (Schmitz & Leoni, 2019). and monitored by everyone in the network and are owned and con-
A blockchain is a decentralised ledger technology where groups trolled by no one (Swan, 2015). Every party has equal rights and privi-
of transactions between multiple parties are recorded, verified and leges with other parties, and everyone has the authority to enter or
securely stored in a chain-like data structure eliminating the need for exit, and transactions can be validated by anyone (Ali et al., 2020). Pri-
costly validation and verification processes by middlemen (Simoyama vate or permissioned blockchains are used either within an organisa-
et al., 2017). In the current system, centralised entities such as banks tion or deployed and used by a consortium of organisations where
maintain their own separate ledger, serve as intermediaries to central- only parties with permission can access them. A private blockchain is
ise the credit risk and reduce counterparty risks for each party. limited to a group of members with an intrinsic configuration that

602 © 2021 John Wiley & Sons Ltd wileyonlinelibrary.com/journal/ijau Int J Audit. 2021;25:602–615.
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
DYBALL AND SEETHAMRAJU 603

defines the participants' role regarding access, write and edit informa- misstatement may exist at the overall financial report level and at the
tion on the blockchain and/or approve admission of new members assertion level for classes of transactions, account balances and dis-
(Liu et al., 2019). Whereas public blockchain is characterised by closures. To assess the potential impact of client use of blockchain
trustlessness and immutability, in private blockchain, a centralised technology on audit risk, the focus here is mainly on risks at the asser-
agency can roll back and reverse transactions if majority of the mem- tion level, which consist of inherent and control risks. Inherent risk
bers choose to (Liu et al., 2019). refers to material misstatements before consideration of internal con-
Client use of blockchain technology could potentially enhance the trols, and control risk deals with misstatements not being prevented
reliability of both external and internal audit evidence (Rozario & or detected and corrected on a timely basis by the entity's internal
Thomas, 2019). Financial information, purchase orders, invoices and control systems. As the Australian Auditing Standard ASA 315 Identify-
Internet of Things (IoT) data can be stored on secure and transparent ing and Assessing the Risks of Material Misstatement states, identifying
blockchain ledgers. Blockchains could increase the efficiency of inherent and control risk requires an understanding of the client and
recording, reconciling and auditing of accounting data. They could its environment, the applicable financial statement framework and the
allow auditors to save costs and time executing tasks and reduce the client's system of internal control. ASA 315 conforms with the Inter-
risk of human errors. These benefits, however, could only be achieved national Standard on Auditing ISA 315 issued by the International
if clients record all their transactions on blockchains (Schmitz & Auditing and Assurance Standards Board.
Leoni, 2019).
This study examined the claims that client use of blockchain tech-
nology will change financial statement audits of accounting firms. In 2.1 | Claims on the impact of the use of blockchain
particular, it examined whether and if so, how client use of blockchain technology on risks at the assertion level
technology will change audit risk and the audit approach to audit
engagements. To address the first research question on impact of 2.1.1 | Assurance of financial statements
blockchain technology on audit risk, the study referred to Australian
Auditing Standard ASA 315 Identifying and Assessing the Risks of Mate- Smith and Castonguay (2020) foresee that engagements to assure
rial Misstatement, which conforms with the International Standard on financial statements will be modified to address the unique features
Auditing ISA 315 issued by the International Auditing and Assurance of blockchain technology. The following Table 1 enumerates Smith
Standards Board. The second research question on the impact of and Castonguay's positive statements on how traditional audits would
blockchain technology on audit approach was framed by van Buuren have to be adjusted.
et al.'s (2014) continuum of audit approaches. The study analysed per- Because auditors will be relying on information recorded on
ceptions of audit risk and audit approach of a range of stakeholders, blockchains, they would need to be confident that the control system
including audit partners from first- and second-tier firms, representa- applied to the blockchain is reliable. Auditors would have to
tives from accounting and blockchain professional bodies and
blockchain developers. T A B L E 1 External auditor responsibilities over blockchain
The study addressed a need for research to identify the effects of technology in financial reporting
blockchain on auditing practice and to reveal the perceptions of and Internal controls audit
responses to this innovation among auditors (Schmitz & Leoni, 2019). • Gain an understanding of the underlying code embedded in each
While there are many claims that blockchain will disrupt financial private blockchain.
statement audits, bringing with it both opportunities and threats, • Test the operating effectiveness of controls surrounding
there is little empirical evidence to demonstrate if indeed, blockchain information posted to the blockchain.
will and if so, how. • Assess the company's policy for evaluating and accepting business
The remainder of the paper has five parts. Section 2 reviews liter- partners.

ature on the impact of blockchain on financial statement audits and • Understand the counterparty risk related to the reliability of
presents the research questions. Section 3 provides the theoretical information posted to the blockchain and its potential to be
inaccurate or corrupted.
frame and Section 4 the method. Section 5 discusses the findings, and
Financial statement audit
Section 6 concludes with a summary of the findings and future
• Perform a cost–benefit analysis, weighing the cost of obtaining
research ideas.
evidence via the blockchain over traditional legacy systems and
audit methods against the benefit from potentially improved
reliability and access to evidence on the blockchain.
2 | L I T E R A T U RE R E V I E W A N D R E S E A R C H • Apply alternative procedures to confirmations by reviewing
QUESTIONS information on the blockchain when confirmations are not
returned.

Auditing standards require auditors to perform comprehensive risk • Obtain reliable third-party evidence from external parties on a
private blockchain directly from the blockchain.
assessment procedures to identify audit risk, which is a function of
risks of material misstatement and detection. Risk of material Source: Smith & Castonguay, 2020, p. 126.
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
604 DYBALL AND SEETHAMRAJU

understand the code embedded on the blockchain and audit the rules various and external sources of information (e.g., confirmation of bank
and accuracy of the chain on which information is recorded. Indeed, balances), auditors could bypass this step because the full transaction
according to Smith and Castonguay (2020, p.126), ‘each chain would history and supporting evidence would be retained and posted
have to be treated by the auditor as an independent accounting sys- directly on the blockchain. According to Rozario and Thomas (2019),
tem subject to controls testing if it is to be relied upon, multiplying auditors could extract and test full populations of transactions and
the number of reporting systems the auditor must test and under- accounts and advise that auditors shift their focus to the relevance
stand.’ Auditors would need to evaluate user/node access provision- and reliability of direct audit evidence. In contrast, Smith and
ing (grant, modify and remove) with a specific focus on permissioned Castonguay (2020) suggested that auditors streamline the evidence-
blockchains (Sheldon, 2019). According to Sheldon (2019, p.A21), ‘the collection process and shift their attention from substantive testing to
most sensitive component of access considers those with permission risk assessment of the controls on information on the blockchain.
to submit, relay or verify transactions as well as validate new blocks.’ However, be reminded that a primary benefit that could accrue in
Prior to the advent of the use of blockchain technology in busi- the use of a financial system blockchain application relies on the
nesses, Curtis and Turley (2007) commented that audit practitioners decentralisation and distribution of information across a number of
infer from tests of controls on whether there are risks of material mis- external parties participating in the blockchain. This implies a more
statement in the financial accounts. Particularly on clients' information pronounced consideration for external auditors to assess governance
systems (IS) and technologies, auditors recognise that ‘IS may not per- and internal control-related issues than that in traditional audits. Audi-
form as planned, with detrimental effects on the ability of these sys- tors must also consider how the other parties that their clients inter-
tems to generate relevant reliable and timely reporting’ (Bedard act with on the blockchain control and protect their data (Smith &
et al., 2005, p.148). Thus, if the client's controls on IS and technology Castonguay, 2020). In particular, auditors must assess the information
cannot be relied upon, or if testing these systems would be inefficient, technology (IT) governance and controls that exist in and around the
auditors could also end up trusting audit evidence drawn from sub- parties in the blockchain including steering committees and indepen-
stantive tests. While there is in theory an inverse relationship dent attestation of controls (Sheldon, 2019). Where the blockchain
between indirect and entity-level evidence from reliance on control application coexists with legacy systems like ERP systems in organisa-
systems and direct and account-level evidence from substantive test- tions, the interface transmission from upstream systems to the
ing of accounts, Curtis and Turley (2007) found that auditors are gen- blockchain application would also need to be assessed. Thus, the claim
erally more comfortable with direct and account-level evidence from that blockchain could spell the end of random sampling by auditors,
testing the numbers themselves than indirect and entity-level evi- enabling them to perform a check on every single transaction and
dence from inferring from tests of controls. Indirect and entity-level attain real-time audit (EY, 2016; Rozario & Thomas, 2019), is based on
evidence from these tests are viewed as soft evidence. Soft evidence a premise that governance and IT controls surrounding the blockchain
is problematic and not because it does not provide evidence to assure application are robust. The complexity of the blockchain environment
financial statements. Rather, practitioners are anxious about answer- cannot be underestimated. In 2017, Armitage et al. described different
ing to peer reviewers and the courts for the quality of the audit per- industries and different geographical regions having different require-
formed, which is assessed based on documented audit files. ments with many emerging markets not having established gover-
Institutional prescriptions of what a set of audit files should look like nance standards and guidelines (Armitage et al., 2017).
tend to be based on hard (direct and account-level) evidence obtained In summary, client use of blockchain for financial accounting sys-
from substantive tests (Dirsmith et al., 2015). Indeed, Curtis tems could pose both inherent and control risks. The decentralisation
et al. (2016) recently noted that audit standards continue to affirm and distribution of information across a number of external parties
direct audit evidence derived from substantive testing. participating in the blockchain mean that reliance on external
As with traditional audits, a high degree of confidence in the con- parties who submit, relay or verify transactions, and validate informa-
trol of the design and operation of the blockchain could be matched tion on new blocks, could lead to inherent risk. An entity's internal
by a high degree of belief in the completeness and value of transac- control system is interlinked with third parties' governance and con-
tions reported in the financial accounts. For instance, reliable enter- trol systems which surround the nodes in the blockchain thus poten-
prise resource planning (ERP) systems that integrate various units of tially heightening control risk as well. While blockchain offers
an organisation's information system also eliminate the need for unalterable and timestamped documentation of transactions and
reconciliation and adjusting entries among these units (Bae & financial information, this is dependent on the governance and control
Ashcroft, 2004). Nonetheless, Bae and Ashcroft (2004) opined that system protecting the integrity of access to the blockchain by the
auditors might have to do more tests of internal controls for ERP sys- client and external parties.
tems than they otherwise would with traditional systems because
data are electronic and thus (more) susceptible to alteration and falsi-
2.1.2 | Assurance of cryptocurrencies
fication. In contrast with blockchain, the substantive test of transac-
tions would be enhanced by having unalterable and timestamped Client ownership of cryptocurrencies poses unique challenges to audit
documentation from the company being audited and third parties. engagements. According to Vincent and Wilkins (2020), inherent risk
When previously auditors relied on matching documentation from would be high for cryptocurrency assets or transactions that exceed
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
DYBALL AND SEETHAMRAJU 605

materiality levels allocated to account balances. If so, auditors need to T A B L E 2 Factors to understand of an entity to identify and assess
collect indirect and entity-level evidence that reflect an understanding risks of material misstatement per ASA 315

of why clients deal with cryptocurrency transactions, in particular, Factor Particulars

how it is linked to the entities' business strategy. In addition, at the Entity and its environment • Organisational structure,
account level, auditors should consider clients' financial reporting governance, ownership,
assertions including existence, rights and obligations, completeness business model (including the
extent by which the use of IT is
and valuation and accuracy. Because cryptocurrency is a digital asset,
integrated)
determining whether it exists could be challenging. Traditional • Industry, regulatory and other
methods used to inspect inventory may not suffice. Further, the lack external factors
of third-party confirmation of the asset also increases the difficulty in • Measures (internally and
externally) to assess financial
establishing its existence and completeness. Valuation of crypto-
performance.
currency is challenging due to a number of factors such as lack of
Applicable financial accounting
comparable assets. Given previous successful cyberattacks resulting in
framework and accounting
the complete loss of the cryptocurrency (Young, 2019), assessing the policies
robustness of cryptocurrency risk management and internal control Entity's system of internal • Control environment
systems is critical. control • Risk assessment process
Thus, this study's research questions are: • Process to monitor the system
of internal control
• Information system and
RQ1. : How do auditors perceive inherent and control risks of audits
communication, and control
of (a) financial statements on blockchain and activities
(b) cryptocurrencies?
Abbreviation: IT, information technology.

RQ2. : How do auditors perceive their approach to audits of

(a) financial statements on blockchain and (b) cryptocurrencies, environments in which clients operate (Knechel, 2007) and improve
based on their assessment of inherent and control risks—will assessment of risks surrounding the validity of assertions and assump-
they rely on indirect and entity-level evidence from testing of tions in the financial statements (van Buuren et al., 2014). It also
controls or direct and account-level evidence from substantive emphasises the availability of an array of audit evidence at the asser-
testing of accounts? tion, account and entity levels (e.g., Peecher et al., 2007). The contin-
uum of audit approaches according to van Buuren et al. (2014) is
shown below:
3 | THEORETICAL FRAMING The audit approaches are determined by the focus of the audit
evidence: nature (direct versus indirect) and level (account versus
A theoretical frame drawn from ASA 315/ISA 315 and van Buuren entity). As auditors rely increasingly more on indirect and entity-level
et al.'s (2014) continuum of audit approaches allowed us to answer evidence, the audit approach shifts from primarily substantive-based
the study's research questions. ASA 315 is an authoritative guideline to a business risk approach. The audit approaches are distinct in terms
that assists auditors in assessing, inter alia, inherent and control risks. of the relative focus on risk assessment, control reliance and substan-
Auditing ‘standards can be conceptualized as normative theories’ tive testing.
(Malsch & Salterio, 2016, p. 5) and as authoritative guidelines that can On pp. 110–111, van Buuren et al. (2014) described the four cat-
be used to examine their usefulness in directing auditors' practices egories of audit approaches. A primarily substantive-based audit
(Griffith et al., 2015). Studies that mobilise auditing/ethical/regulatory approach focuses on identifying and assessing inherent risks and
standards are ‘excellent source for insights into areas where further direct evidence that are directly linked to assertions and drawn from
experimental, archival or analytical modelling research might be fruit- substantive tests. A systems-based audit approach relies on a client's
ful’ (Malsch & Salterio, 2016, p. 15). ASA 315 is used here to frame control systems in evaluating inherent and control risks and focuses
the study's answers to RQ1, how auditors perceive inherent and con- on direct evidence. A business-risk-resulting-in-material-misstatement
trol risks of audits of financial statements on blockchain and approach extends the systems-based approach but involves assessing
cryptocurrencies. audit risks at both the entity and account level with a focus on under-
Table 2 below lists the factors identified in ASA 315 that auditors standing how effectively business processes are managed and on the
need to understand to identify and assess the risks of material misstate- risk of material misstatement. The BRA approach relies on indirect
ment at the financial report and assertion levels of entities they audit. audit evidence obtained from high-level and entity-level business con-
To answer RQ2, this study uses van Buuren et al.'s (2014) model trols and focuses on how the company manages its business model.
of a continuum of audit approaches arising from a consideration of Thus, this continuum of audit approaches denotes the relative impor-
clients' business risks as required by ASA 315/ISA 315. ASA 315/ISA tance of various forms of evidence in audit planning and allows for a
315 was introduced to address the increasingly changing range of approaches.
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
606 DYBALL AND SEETHAMRAJU

Direct evidence is regarded as more objective in nature (Joe

et al., 2011) and more useful if the audit is reviewed by regulatory
bodies (Curtis & Turley, 2007). Direct evidence is more convincing for
some audit assertions, such as existence of assets, than for other
assertions such as valuations of intangible assets where subjectivity is
present. Auditors may see indirect evidence only when they believe
direct evidence is insufficient, or it is costly to collect such evidence.
On balance, BRAs are considered less useful when the audit clients
have poor control environments (Curtis & Turley, 2007).
In adopting van Buuren et al.'s (2014) model of continuum of
audit approaches, we accept that the ‘the convex pattern in Figure 1
does not represent a “frontier” of evidence combinations, but actually
reflects an opportunity set within which any given audit will fall’
(p. 111). Particularly for this study, we anticipate that auditors assur-
ing blockchain enabled financial accounting systems and
cryptocurrencies will be guided by ASA 315/ISA 315 and apply judge-
ment on the optimal audit approach to pursue.

F I G U R E 1 The relation between the focus of evidence and the

4 | METHOD
continuum of audit approaches.
BRA: Business risk audit: Extensive use of the business risk
Accounting research on blockchain and its impact on businesses is assessment as part of the audit evidence collection process, including
embryonic in all aspects of theoretical grounding, method and empiri- assessing risks regarding the business model, as well as key business
cal work (Frizzo-Barker et al., 2020; Schmitz & Leoni, 2019). This processes.
BRMM: Business risk resulting in material misstatements audit
exploratory study answered the research questions identified above
approach: Moderate use of business risk assessment as part of the
using a cross-sectional qualitative field study. It employed semi-
audit evidence collection process, mainly focused towards key
structured interviews because they are effective in securing in-depth business processes.
responses from participants (Palys, 1992; Yin, 2009). Systems-based: This approach focuses on relying on internal control
An interview guide was primarily informed by ASA 315. It systems as essential part of the audit evidence process with a limited
prompted interviewees to provide their views on factors identified in use of business risk assessment.
Substantive-based: This audit approach focuses on substantive testing
Table 2—the entity and its environment, financial accounting frame-
as a principle part of the audit evidence process with limited use of
work and accounting policies and entity's system of internal controls business risk assessment.
and the audit approach. The semi-structured interviews allowed Indirect evidence: Evidence that is indirectly linked to management's
research participants to discuss what they thought were relevant assertions in the financial statements and is to a certain extent
answers to the prompt questions (Kvale, 2007; Qu & Dumay, 2011). circumstantial of nature, for example, a market development
benchmark-analytical procedure regarding the assertion of valuation
When appropriate, there were follow-up questions to explore further
of investments in production facilities.
the points raised by the informants. The study was conducted from
Direct evidence: Evidence that is directly linked to management's
February 2019 to January 2020. assertions in the financial statements, for example, external
The study's informants included a range of stakeholders from confirmation regarding the assertion of existence of debtors.
audit firms, blockchain providers, regulatory bodies and standard set- Account-level: Evidence regarding test of controls and transaction
ters and accounting bodies. Understandably, the informants from the testing at the account level: Balance sheet accounts, profit and loss
accounts and disclosure thereof.
audit firms and accounting bodies had more insights into the financial
Entity-level: Evidence regarding test of controls at the entity level, for
accounting framework, accounting policies and audit approach inter- example, segregation of duties and firm-wide strategic marketing
view questions. Particulars of the 28 participants including their plans to enhance brand-name reputation.
organisational role, years of employment and the length of the inter- Source: van Buuren, Koch, van Nieuw Amerongen &
views are presented in Table 3 below. Wright (2014), p. 110 [Colour figure can be viewed at
wileyonlinelibrary.com]
A purposeful sample of informants was appropriate because they
have either knowledge of, or, experience with blockchain technology
and emerging technology generally and their impact on the conduct
of audits. The study's respondents were the most productive infor- author. Following university-approved ethics protocols, the partici-
mants to answer our research questions (Marshall, 1996). Respon- pants and their employers were assured complete anonymity in the
dents were identified from the authors' network of professional collection and reporting of data in ensuing publications and reports.
relationships and from a blockchain conference attended by the first Sixteen participants were interviewed by both authors, 10 by the first
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
DYBALL AND SEETHAMRAJU 607

TABLE 3 Informants' organizational role, years of experience and length of interviews

Role Experience (years) Length of interview (min)

a
1 Executive leader of an accounting body (A ) 25 96
2 Executive leader of an accounting body (B) 34 57
3 Auditor and blockchain developer 16 92b
4 Blockchain developer 15
5 Blockchain user and lawyer 14 57
6 Manager in a user organisation 24 75
7 Executive leader of a blockchain association 25 49
8 Blockchain developer 20 53
9 Manager in a user organisation 20 60
10 Senior partner in a second-tier accounting firm (1)c 28 49
11 Blockchain developer 15 25
12 Blockchain developer 16 48
13 Senior partner in a first-tier accounting firm (2) 37 52
14 Partner in a first-tier accounting firm (3) 16 75
15 Manager in an accounting body (B) 13 70
16 Senior partner in a first-tier accounting firm (4) 32 67
17 Senior partner in a second-tier accounting firm (1) 31 65
18 Partner in a first-tier accounting firm (2) 15 52b
19 Senior partner in a first-tier accounting firm (2) 35
20 Partner in a second-tier accounting firm (1) 20 30
21 Partner in a first-tier accounting firm (3) 23 53
22 Blockchain developer 15 46b
23 Auditor and technology developer 18
24 Technology developer 26 82
25 Executive leader in an accounting body (C) 35 56
26 Partner in a first-tier accounting firm (4) 20 80b
27 Partner in a first-tier accounting firm (4) 20
28 Manager in a first-tier accounting firm (4) 5
Average 22
a
There were three accounting bodies (A, B and C) represented.
b
Group interview.
c
There were four first- and second-tier firms (1, 2, 3 and 4) represented.

author and two by the second author. The interviews went from that the informants assigned to them (Yin, 2009). After the data col-
30 min to about 100 min. The informants agreed for the interviews to lection, the authors independently coded all the interview transcripts
be audio-recorded and professionally transcribed. The transcriptions according to the factors identified in Table 2 and van Buuren
were returned to the participants for validation and confirmation as et al.'s (2014) focus of audit evidence and continuum of audit
accurate records of the interviews. There was one transcript that was approaches. The results of the coding were compared. There was a
returned with minor amendments. broad agreement with each other's coding of themes, and in two
The data collection and analysis were interwoven in an iterative instances, when there were differences, further discussion helped to
cycle of ‘interview-analyse-refine-interview’ (Miles & arrive at a consensus.
Huberman, 1991). Each interview was followed by a debrief and note-
taking by the authors, which allowed them to identify patterns,
themes and the range of perceptions by the participants, which were 5 | FI ND I NG S
later compared with the content of subsequent interviews. When
interviews were conducted by one author, both authors continued There are two main parts to the findings—perceptions of inherent and
with the debriefs and data analysis. These steps were helpful to control risks of audits of financial statements on blockchain
understand the phenomena being examined through the meanings and cryptocurrencies (RQ1) and of the audit approach to these
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
608 DYBALL AND SEETHAMRAJU

engagements (RQ2). The first part is framed by ASA 315, which to market, some pigs are pumped up with hormones
requires auditors to understand the client and its environment, the and they look just as good and shiny as the others. So,
applicable financial statement framework and the client's system of what we wanted to provide for the pig farmers was a
internal control. The study's findings will be discussed accordingly, tool that they could essentially create a digital version
starting from the research participants' perceptions of risks associated of that asset that could be trusted as a way of proving
with clients using blockchain technology and the environment in out the value.
which they operate, followed by perceptions of the applicable finan-
cial statement framework and the systems of internal control. This … blockchain as a way of keeping that digital record up
first part will conclude with an assessment on the impact of these fac- to date and time-stamping each edition, which might
tors on perceived inherent and control risks. be a photo of the pig eating sweet potatoes, a vaccina-
The second part of this section analyses the research participants' tion record, anything else, just using a really simple tag
views on the audit approach to clients using blockchain technology. in the pig's ear to identify which pig you are talking
This analysis will be guided by van Buuren et al.'s (2004) continuum of about and then a pretty easy mobile application that
audit approaches, which are determined by the nature and level was built by Switch Maven and it all links back to the
of audit evidence required in an engagement. one digital record.

The auditors interviewed for this study professed that they

5.1 | Perceptions of inherent and control risks (would) ask a slew of questions to evaluate business risk arising from
a blockchain client's business model:
5.1.1 | Entities using blockchain technology
How well do they do it? Are they speculating? Do they
Clients adopting new technology are viewed as inherently risky by really have a business plan? Do they have the right
the study's informants. Clients adopting blockchain were identified people that are in place that are going to make the
as riskier than others because of blockchain's connection with and right decisions? (Interviewee 10).
origin in its development from the cryptocurrency bitcoin. Particu-
larly on audit engagements, there is a perception of heightened Indeed, audit firms appear to be risk-averse themselves, prefer-
risk because audit firms seem to lack expertise and capacity ring to obtain engagements with clients with robust business models.
to assure cryptocurrencies and other blockchain applications Coupled with the lack of blockchain skills in audit teams (Interviewee
including financial accounting systems. Hence overall, entities 18), audit firms have hitherto engaged with a small number of clients
using blockchain technology or trading in cryptocurrencies are using blockchain technology:
considered high-risk clients. Interviewee 18 articulated these
observations: There are certain business models we are comfortable
with. One business model that historically demon-
You know you are having an audit client that purports strated a healthy cash flow, so exchanges, funds, cus-
to be trading in that currency, do they know what they todians, things where we can see there's a need in the
are talking about? Should we do the audit because we market, there's a client-base and there's a healthy cash
do not take on every audit, we decide whether we can flow coming in (Interviewee 27).
do it. So, do they have, do we have the expertise to do
the audit, these are the sort of questions that we have There's been many more clients that we have not
to grapple with because it is new. decided to work with due to an assessment of their
background experience and skill set in this area or the
In seeking to understand a (potential) blockchain client's business potential even reputational risk of what they do
model, it was revealed that the use of blockchain technology in busi- (Interviewee 18).
ness processes could dramatically change a client's business model. To
illustrate, Interviewee 12 described a case where inventory could be I mean we were approached to audit a blockchain or a
digitally traced through the production process using blockchain tech- bitcoin miner. No way. It's too risky. The technology,
nology when previously this was not done: the proof that you own it … (Interviewee 21).

Pig farmers are producing a very valuable asset … that The expressed views indicate that entities' longevity is a consider-
asset is more or less valuable depending on how the ation and that the cash position, a market demand and the capabilities
pig is treated, whether it's washed, fed sweet potatoes, of staff and management are indicative of a sound business model. As
vaccinated, whatever else. But there's no way of prov- Interviewee 21 iterated, clients using blockchain technology are, over-
ing out that information at the moment. When they go all, viewed as high risk.
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
DYBALL AND SEETHAMRAJU 609

However, specifically on blockchain technology itself, this study how can you guarantee that there's integrity there? So
found evidence to support positive statements about the benefits of in bitcoin, everyone is incentivised to maintain the
blockchain to clients (e.g., EY, 2016; Rozario & Thomas, 2019), which integrity because, guess what, the incentive is in
could mitigate inherent risk. bitcoin, when you win a block, you have got paid
in bitcoin, and as a result, the built-in economic incen-
tive secures the network. You take that out, you have
5.1.2 | The perceived risk of the use of blockchain nothing to secure the network, except for the word of
technology the people managing it (Interviewee 9).

There is recognition of the benefits of reducing audit risk when clients The concern with access and integrity of controls and governance
adopt blockchain technology alongside the added risk. The first set of could obviate the benefits of elimination of duplication of work and
comments highlights the perception of a reduction of audit risk by the immutability of information, which will impact on perceived inherent
study's participants from eliminating duplication of work and and control risks.
the immutability of information, which are lacking in legacy systems:

I remember systems where you had a file and the com- 5.1.3 | The environment and an applicable
pany, through two or three people working at a file and financial accounting framework
there would be different versions of the same file. The-
re's replication taking place right at different times and The reference to potential lack of integrity of the blockchain network
then you'd have mismatches as well and conflicts that's may be reflective of the environment of entities using blockchain. A
taking place and that would be problematic because lack of regulation and standards and an absence of government guide-
what version am I really looking at? I understand that lines and policies on preferred blockchain technology options
cannot happen in blockchain (Interviewee 17). heighten the audit risk. Consider the following comments:
On accounting standards,
Well, how do you know that your IT department did not
change those records? Well I cannot tell. Whereas if it's on Personally, I know that trying to use bitcoin with XXX
a blockchain and it's public and it's transparent, they can say bank, they won't even talk to you about it, they won't
that was the record, it was recorded at that time and no even transfer money into bitcoin. From their point of
one has been able to change it ever since (Interviewee 7). view, it's just a complete no-go zone. But on the other
hand, there are clients that will accept payment by –
Nonetheless, there is also a view that inherent and control risks you can do BPAY, you can do this, you can do that,
could increase. Countering the comments by Interviewees 17 and and you can do bitcoin. So, for those teams out there,
7 above are perceptions of issues relating to access to they'll potentially come into my area and say how do
(Sheldon, 2019) and governance of the blockchain network. we account for bitcoin. I run the financial instruments
topic team actually and so I'm like, ‘No, it's not really a
Just because a transaction is recorded on a blockchain financial instrument. It's an intangible. Go and talk to
does not necessarily mean it's the truth – you can skew the intangible team.’ Intangible team is like, ‘Oh, no it's
the results in some form. Even the blockchain access, really a financial thing. Go and talk to these guys.’ But
I think there's identity cards which you can hack at the moment, the accounting standards do not really
into. So where are the access points of these data, handle it as a currency. But the accounting standards
how these data can ultimately feed into the system do not handle gold as a currency and most people think
that we are supposed to be very confident about the of gold as a currency (Interviewee 16).
data that's coming from? We know that we can keep
running a report out of SAP if something does not line It was clear from our interviewees that standards on how to
up and we can keep doing reconciliations and do our account for cryptoassets were viewed as important (cf. Vincent &
own tests of the data and reconcile make sure that Wilkins, 2020):
everything adds up. With blockchain, obviously, there's
more amounts of data that we have to be able to There are tax implications, obviously. Again, if you are
understand (Interviewee 15). holding your cryptoassets, you need valuations and
what the tax treatments are, the tax law itself is not
Who manages the blockchain, who's running it? And if clear. I think there are management accounting issues,
there are other people running it, if they do not have and then it gets – whether it's accounting, I do not
an incentive to maintain the integrity of the system, know, but it's financial skill set (Interviewee 7).
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
610 DYBALL AND SEETHAMRAJU

Thinking of the implications of setting accounting standards for know currently and a new technology and make sure it
cryptoassets, there was a view that these standards would need to be still works without completely removing the benefits
built into the accounting software and blockchain applications so that of that technology? I think, if you wanted to be
common issues such as definitions, formatting and classifications are permissionless, does that really work? (Interviewee 26).
averted and to reduce audit risk.
So, the blockchain is the next much more complex ver-
As of today, APIs (application programming interfaces) are sion of ledgers which transact data. Identity platforms
available - they are trying to connect to different sources transact identity data. Financial platforms transact finan-
and, again, it is doing a wonderful job to put everything at cial data. So, which regulatory framework do you apply
one place, but when we talk about using blockchain to to a technology that can handle multiple at the same
put everything using one immutable system. Some part time? Very difficult – it's the complexity (Interviewee 6).
of the auditing work is going to be made efficient; abso-
lutely. For example, latest accounting standard or any Further, there was a perception that it could be necessary to have
accounting standard that was implemented last year, you standards and/or guidelines on data, models, controls and governance.
rely on people to actually meet that accounting standard.
You will then have an auditor who will come and verify, So, there's technical standards, there's data standards,
‘Yes, this company has met the latest accounting stan- there's governance standards – all very important.
dard that was introduced last year.’ If it was already built How are you governing this? How are you as anybody
into the system, huge time saver for that accountant or – some organisation creates a new blockchain, how are
management accountant who's using reports and less you going to govern the changes to that data model?
work for auditor as well. (Interviewee 23). How do you govern the changes to the data? … how
the different blockchain protocols interoperate really
Understandably, the absence of an applicable accounting stan- down in the ones and zeros – important. And there a
dard has resulted in lack of uniformity in reporting of crypto curren- bunch of industry standards, right? (Interviewee 5).
cies in financial reports:
Although standards are useful, Interviewee 8 pointed out that
We've seen divergent practice in Australia because we they are not always a requirement for blockchain technology to
audited one company and another company that was develop and be adopted by clients. Nonetheless, the lack of consen-
audited by a different firm that also wanted to list. I do sus on accounting and technology standards could increase inherent
not know if they ended up listing, but their accounting and control risks. The lack of uniformity in reporting cryptocurrency
was fair value but through equity. Ours was say value assets compromises comparability across entities' financial reports
through profit and loss. Because we see that was their including the assets or profits recognised. The lack of consensus on
business, so we thought that those gains and losses, technical standards could also adversely impact the interoperability of
whatever they made on those Bitcoin should actually blockchain applications. This means that business partners may not be
be reflected on the profit and loss, but there is not an able to fluidly access each other's systems to complete and validate
accounting standard that specifically says that's the data transactions. This scenario potentially stymies the promise of
answer. The other firm went with the intangible stan- real-time audit and substantive tests on 100% of the transactions.
dard and the intangible standard says as long as it's What might the implications of the lack of standards on tests of enti-
traded, you can fair value but that has to go through ties' systems of internal controls be?
equity. So, I think there's still some global debate on
what is it (Interviewee 14).
5.1.4 | Entity's system of internal control
However, as Interviewee 10 reminded, there may be individuals
and entities that may not report their cryptocurrencies because they are While auditors routinely seek to understand their clients' systems of
immaterial to their total assets. This suggests that inherent risk is also internal control, there is a view that a notion of reliance on a client's
dependent on the significance of crypto assets relative to total assets. internal controls might be more pronounced for audit engagements in
On technology standards, there was also a view of risk arising a blockchain environment. Consider the following comment:
from technology standards that may need to be different across
industries and jurisdictions because of industry, national and interna- Unlike a lot of traditional businesses, you cannot just
tional demands and requirements. do a substantive audit with this. It's a lot more compli-
ance, a lot more controls-based, and especially from
There's some guidance there but it's not definite, it's going concern perspective, if you look at things like
not constant globally, so how do you build of what you security and those aspects, you would not want it to
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
DYBALL AND SEETHAMRAJU 611

be like, ‘Yeah, they've got no security controls,’ but we name associated with it because no one can see if they
are able to substantiate year-end balance but the next are holding on to that bitcoin. Now, think about it, if
day, someone hacked them and it was all gone; so the- I'm relying on those produced documents from a com-
re's those aspects. pany based on some statement that I could also gener-
But if you think about from a cryptocurrency perspec- ate, then yes, whatever information you provided is
tive, if it's an exchange we know how to audit a normal true and correct. How can you actually do that? My
exchange but what is different, so what do we need to understanding, you'd have to be a miner or a part of
add, what's the different control there, how could they the network to be able to verify whatever claims are
be designing a control to mitigate a risk in a different made (Interviewee 23).
way and how we make sure we are comfortable with
that, so we have got lots of that work that's done and To answer RQ1, on auditors' perceptions of inherent and control
then we used that when we do an audit. So that's where risks of audits of (a) financial statements on blockchain and
it's different to a traditional audit (Interviewee 26). (b) cryptocurrencies, the study identified three distinctive aspects of
blockchain technology that could impact on these risks. First, its bene-
However, it is not a clear-cut case for reliance on tests of con- fits of confirmation and reliability of data rely on a network of external
trols. Recognising that blockchain applications involve a network of partners in a blockchain platform. The environment in which
parties, a focus on clients' internal control systems may be too narrow blockchain platforms operate, however, lacks technical, data and gov-
and result in underestimating inherent and control risks and indeed ernance standards. These observations have adverse implications for
detection risk: both inherent and control risks because there is perceived uncertainty
in the integrity of blockchain platforms. Secondly, there is not a finan-
I think IT system a lot of times is more around financial cial accounting framework for cryptocurrencies. Hence, there is varia-
reporting. I think now you'll need to focus more on the tion in reporting of cryptoassets. The implication for inherent risk is
whole IT architecture because that really will impact therefore not known, increasing the uncertainty around audit engage-
on financial reporting. So, a lot of times, you'll look at ments with blockchain clients. Thirdly, the seeming lack of ability of
the general ledger and you are not as worried about auditors to assure financial information and assets on blockchain plat-
the subsystems that feed into the general ledger forms either through tests of controls or substantive testing increases
because you are looking at reconciliation at a particular audit risk generally and, in particular, detection risk.
point in time. Now, it's all just one ecosystem of trans-
actions (Interviewee 10).
5.2 | Perceptions of audit approach to blockchain
The network nature of blockchain applications poses a further clients
challenge to the ability of audit teams to identify and test controls in a
blockchain environment (Smith & Castonguay, 2020). Recall too an This section analyses participants' views on the audit approach to cli-
earlier comment (Interviewee 18) that audit firms may not yet have ents using blockchain technology using van Buuren et al.'s (2004) con-
adequate capability to navigate through blockchain applications. tinuum of audit approaches. The analysis is tied to insights from
Section 5.1 on perceived inherent and control risks of audit engage-
So, when you are auditing, you are trying to work out ments with blockchain clients.
how fraud can happen? So supposedly my thing is Interviewee 26's comment below captures a prevailing view among
blockchain is what it is and what it cannot be – and it's the study's participants on a lack of understanding of cryptoassets and
truth and everything. I'm sceptical. So, we would need blockchain applications by users of financial reports. This situation makes
to understand how it can be manipulated or mis- audit engagements with blockchain clients particularly challenging:
represented so that the financial information that it
drives – how can directors or management misrepre- So, people do not understand how Bitcoin works or
sent it in their financials? I think once we have done blockchain works, then it's very difficult to explain to
that, maybe, we will change the approach to risk map- them how you are getting comfort over existence and
ping and risk assessment (Interviewee 20). rights and obligations and how you are taking that to
the different assertions (Interviewee 26).
There is a suggestion that risk mapping and assessment might
require auditors to be a miner in the blockchain node. This will allow them Auditors perform substantive procedures or tests of controls as a
to verify controls and indeed by implication, transactions and assets. result of risk assessment procedures. They may perform these proce-
dures concurrent with risk assessment procedures when it is efficient
If I'm not a miner, if I'm not in that node, yes, I will have to do so (ASA 315). Among our participants, there are two views on
my unique identifier that I have to share. There's no how audit engagements with blockchain clients might be like:
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
612 DYBALL AND SEETHAMRAJU

Not that different … So, a traditional audit may be Accessing data on the blockchain platform is anticipated to require
based on controls and based on sample sizes from a auditors have user/node access with permission to verify transactions
substantive perspective. The evolution of an audit pro- (Sheldon, 2019; Smith & Castonguay, 2020). There appears to be con-
cess is already moving towards more information and sensus on this position among the study's participants:
more data (Interviewee 18).
There are still many ways we could audit them but one
I think the audit approach to them would be very of them might evolve into becoming part of that pro-
control-based, very IT-based. I do not think there's cess, being inside that ledger system, being one of the
going to be as much –select the sample and do sub- – you can call them nodes or whatever the terminology
stantive ticking and bashing of things. I think it's going you want to use, but one of the verifiers of the actual
to move to control-based, which theoretically should ledger itself (Interviewee 18).
speed up the audit once you understand the control
environment (Interviewee 10). If we really want to audit these blockchains we need to
be part of the blockchain. So, we need to be an active
The view expressed by Interview 18 indicates that, overall, the participant on the blockchain. So, when I come to you
heightened inherent and control risks with blockchain audit engage- and say, ‘What's the number in your account?’ I do not
ments would result in both indirect and entity-level audit evidence and need to ask you for – I just need to know your account
direct and account-level evidence. Note that this view suggests an and then I'll look at it myself (Interviewee 28).
institutional expectation of a range of audit evidence that counters Cur-
tis and Turley's (2007) earlier findings that auditors are more at ease So, we need to be in it; we cannot really work around
with providing more direct and account-level evidence in audit files. It things, but we need to be in it, potentially
also questions the observation by Curtis et al. (2016) (cf. Dirsmith et al., (Interviewee 20).
2015) that auditing standards enshrine a preference for direct and
account-level audit evidence. The reference to ‘more information and This manner of obtaining audit evidence is tightly linked to the
more data’ coupled with an observation in Section 5.1.1 that the inherent and control risks around ownership of assets and integrity of
study's auditors would also assess business risk by asking blockchain transactions on blockchain platforms. Interviewee 14 described this
clients a slew of questions on their business models indicates that the scepticism in regard to cryptocurrencies as follows:
audit approach would include elements of the whole continuum of
approaches described by van Buuren et al. (2014). You tell me that you have got a Bitcoin address, you give
A second and different view is that there will be a shift towards more me the Bitcoin address, I can look it up, I can see what
indirect and entity-level evidence and less direct and account-level evi- the transactions are. But how do I know it's yours? how
dence. The audit approach described here, taking into account observa- do I know it's not yours? how do I know it's not that per-
tions in Section 5.1.1, indicates an amalgam of a system-based, business son's and you are pretending? (Interviewee 14).
risk resulting in material misstatements (BRMM) and a BRA approach.
Specifically on tests of control systems, Interviewee 20 described It is useful to restate a comment presented in Section 5.1.4 by
the process as follows: Interviewee 26 that suggests that there could be an increase in indi-
rect and entity-level evidence while not totally discounting direct and
So, it's the algorithm and the accuracy of the data account-level evidence in audit engagements with blockchain clients:
going in, so who's checking? From an audit perspective,
we would be wanting to see the accuracy because It's a lot more compliance, a lot more controls-based,
obviously what goes in determines what comes out, and especially from going concern perspective, if you
which then goes into the financials. So, whatever is in look at things like security and those aspects,
the financials, we have got to try and give comfort to you would not want it to be like, ‘Yeah, they've got no
the users that it's accurate, complete, so we have security controls,’ but we are able to substantiate
to actually test (Interviewee 20). year-end balance but the next day, someone hacked
them and it was all gone; so there's those aspects.
On substantive procedures, there is a view that auditors accessing
client's data through an electronic financial accounting system is Indeed, the lure to collect direct and account-level evidence
normal practice, which could be extended to blockchain applications: seems strong for auditors because it is possible for auditors to have
access to information on the blockchain. This is particularly useful
I've done data analytics, it's all about getting all your with high-risk transactions and accounts because blockchain theoreti-
client's data and using live data to do the test, so it's cally allows 100% sampling, comprehensive, efficient real-time analy-
not that big a step from there (Interviewee 19). sis and confirmation of transactions and account balances:
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
DYBALL AND SEETHAMRAJU 613

You're doing 100 percent auditing, sampling the one assessment of the impact of risks at the assertion level on the focus
you think is high risk. Does not matter if it is under five of audit evidence and audit approach for blockchain entities.
bucks or million dollars, but it got picked up. So, you This study found that there is a general perception that
now have all parties confirm that particular transaction blockchain clients are riskier than other clients and that the inherent
is real, is genuine. So, that can be used as an evidence and control risks are amplified in audit engagements with blockchain
(Interviewee 3). entities. These perceptions are primarily tied to the fact that there is
no consensus on accounting and technical standards on blockchain
You can go to more real-time auditing, because theo- applications. The lack of consensus undermines the benefits from the
retically the books close, they can close at any point in use of blockchain platforms such as integrity and validation of data on
time (Interviewee 10). these platforms. Further, this study revealed that audit firms are yet
to develop the capability to assure blockchain transactions, which
To answer RQ2 on auditors' perceptions of the audit approach to impacts on detection risk. However, the impact of the identified
audits of (a) financial statements on blockchain and inherent and control risks on the audit approach is not definitive as
(b) cryptocurrencies, this study found two views—(1) an amalgam of there are two distinct views. The first view is an approach that results
the four audit approaches described by van Buuren et al. (2014) and in the use of direct, indirect, account-level and entity-level evidence.
(2) an approach that resembles a systems-based or BRMM approach. The second view relies more on indirect and entity-level evidence.
The first view suggests that both direct and account-level evidence This exploratory study's findings, insights and limitations identify
and indirect and entity-level evidence will be required in audits with areas for future research. The two views on the audit approach for
blockchain clients. The second view is a noticeable shift to relying blockchain clients reflect consideration of the elements of audit risk,
more on indirect and entity-level evidence, which translates to an control reliance and substantive testing in audit engagements. Each
audit approach that resembles either a systems-based or BRMM approach is theoretically distinctive in terms of the relative focus on
approach. A systems-based approach focuses on relying on internal each element (van Buuren et al., 2014). The exploratory nature of this
control systems as essential part of the audit evidence process with a study was able to identify that there could be a shift in the relative
limited use of business risk assessment. A BRMM approach on the emphasis on these elements. However, this finding requires further
other hand moderately uses business risk assessment as part of examination through case studies of audit engagements with
the audit evidence collection process but mainly focused towards key blockchain clients or experimental studies. The fact that blockchain is
business processes. The second view on an audit approach recognises a platform for a network of parties confirmed that an entity's system
that the benefits to audit engagements from clients using blockchain of internal controls is permeable to governance controls of the net-
technology are largely dependent on the control and governance sys- work of parties on the blockchain. Thus, van Buuren et al.'s (2014)
tems of the blockchain network (Sheldon, 2019; Smith & continuum of audit approaches that includes a spectrum of account-
Castonguay, 2020), which as yet are characterised by a lack of con- level and entity-level audit evidence may need to be adjusted to
sensus on accounting and technical standards. accommodate network-level evidence. This proposition could be
examined further through interviews with relevant stakeholders
including audit practitioners, standard-setting bodies and regulators.
6 | C O N CL U S I O N
AC KNOW LEDG EME NT
While there are claims that client use of blockchain technology will This study was funded by The University of Sydney Accounting Foun-
change how audits are conducted (Rozario & Thomas, 2019; Schmitz & dation through its 2018 Engaged Research Scheme.
Leoni, 2019; Smith & Castonguay, 2020), there is hitherto scant publi-
shed academic research on whether audit practitioners agree with CONFLIC T OF INT ER E ST
these statements, and if so, why and how. To address this gap in the Both authors declare that they have no conflict of interest.
academic literature, this study referred to ASA 315 and van Buuren
et al.'s (2014) continuum of audit approaches to explore stakeholder DATA AVAILABILITY STAT EMEN T
perceptions on the impact of client use of blockchain technology on The research data that support the study's findings are not shared. The
risks at the assertion level and the approach to audit engagements. data are not publicly available due to privacy and ethical restrictions.
Framing the study with ASA 315 allowed an exploration of percep-
tions of inherent and control risks, through an analysis of how ET HICS APPROVAL STATEMENT
blockchain technology has impacted entities' business models, All procedures performed in our study involving human participants
whether there are a financial accounting framework and accounting were in accordance with the ethical standards of The University of
policies relating to cryptocurrencies, which are by-products of this Sydney (Project number: 2018/689.
technology and the kinds of control systems required to ensure that
transactions on a blockchain are reliable. Mobilising van Buuren OR CID
et al.'s (2014) continuum of audit approaches facilitated an Maria Cadiz Dyball https://orcid.org/0000-0001-6196-0142
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
614 DYBALL AND SEETHAMRAJU

RE FE R ENC E S blockchain. Current Issues in Auditing, 13(2), A19–A29. https://doi.org/

Ali, O., Ally, M., Clutterbuck, P., & Dwivedi, Y. (2020). The state of play of 10.2308/ciia-52540
blockchain technology in the financial services sector: A systematic lit- Malsch, B., & Salterio, S. E. (2016). Doing good field research: Assessing
erature review. International Journal of Information Management, 54, the quality of audit field research. Auditing: A Journal of Practice & The-
102199. https://doi.org/10.1016/j.ijinfomgt.2020.102199 ory, 35(1), 1–22. https://doi.org/10.2308/ajpt-51170
Armitage, S., HJou, W., Sarkar, S., & Talaulicar, T. (2017). Corporate gover- Marshall, M. N. (1996). Sampling for qualitative research. Family Practice,
nance challenges in emerging economies. Corporate Governance Inter- 13(6), 522–525. https://doi.org/10.1093/fampra/13.6.522
national Review, 25, 148–154. https://doi.org/10.1111/corg.12209 Miles, M. B., & Huberman, A. M. (1991). Qualitative data analysis: A source-
Bae, B. & Ashcroft, P. (2004). Implementation of ERP systems: Accounting book of new methods (Second ed.). Sage Publications.
and auditing implications. https://www.researchgate.net/publication/ Murck, P. (2017). Who controls the blockchain? Harvard Business Review,
228948897. Accessed 10.12.2020. April 19. https://hbr.org/2017/04/who-controls-the-blockchain
Bedard, J. C., Graham, L., & Jackson, C. (2005). Information systems risk Accessed 16.01.2021
and audit planning. International Journal of Auditing, 9(2), 147–163. Murray, M. (2019). Tutorial: A descriptive introduction to the blockchain.
https://doi.org/10.1111/j.1099-1123.2005.00267.x Communications of the Association for Information Systems, 45(paper
Curtis, E., Humphrey, C., & Turley, W. S. (2016). Standards of innovation in 25), 464–487. https://doi.org/10.17705/1CAIS.04525
auditing. Auditing: A Journal of Practice & Theory, 35(3), 75–98. https:// Palys, T. S. (1992). Research decisions: Quantitative and qualitative perspec-
doi.org/10.2308/ajpt-51462 tives. Harcourt Brace Jovanovich Canada Inc.
Curtis, E., & Turley, S. (2007). The business risk audit—A longitudinal case Peecher, M. E., Schwartz, R., & Solomon, I. (2007). It's all about audit qual-
study of an audit engagement. Accounting, Organizations and Society, ity: Perspectives on strategic systems auditing. Accounting, Organiza-
32(4–5), 439–461. https://doi.org/10.1016/j.aos.2006.09.004 tions and Society, 32(4–5), 463–485. https://doi.org/10.1016/j.aos.
Deloitte, LPP (2016). Blockchain: Enigma, Paradox, Opportunity. https:// 2006.09.001
www2.deloitte.com/content/dam/Deloitte/nl/Documents/financial- Qu, S. Q., & Dumay, J. (2011). The qualitative research interview. Qualita-
services/deloitte-nl-fsi-blockchain-engima-paradox-opportunity- tive Research in Accounting & Management, 8(3), 238–264. https://doi.
report.pdf. Accessed 3.05.2018. org/10.1108/11766091111162070
Dirsmith, M. W., Covaleski, M. A., & Samuel, S. (2015). On being profes- Richins, G., Stapleton, A., Stratopoulos, T. C., & Wong, C. (2017). Big data
sional in the 21st century: An empirically-informed essay. Auditing: A analytics: Opportunity or threat to the accounting profession? Journal
Journal of Practice & Theory, 34(2), 167–200. https://doi.org/10.2308/ of Information Systems, 31(3), 63–79. https://doi.org/10.2308/isys-
ajpt-50698 51805
Ernst & Young (EY). (2016). Building Blocks of the Future. http://www.ey. Rozario, A. M., & Thomas, C. (2019). Reengineering the audit with
com/gl/en/services/assurance/ey-reporting-building-blocks-of-the- blockchain and smart contracts. Journal of Emerging Technologies in
future?utm_source=Reporting%3A%20Related%20insights%26utm_ Accounting, 16(1), 21–35. https://doi.org/10.2308/jeta-52432
campaign=Reporting%3A%20September%202016%26utm_medium= Schmitz, J., & Leoni, G. (2019). Accounting and auditing at the time of
ey.com%26utm_term=Building%20blocks%20of%20the% blockchain technology: A research agenda. Australian Accounting
20future#item3. Accessed 03.05.2018. Review, 29(2), 331–342. https://doi.org/10.1111/auar.12286
Ferrer, E.C. (2016). The Blockchain: A New Framework for Robotic Swarm Sheldon, M. D. (2019). A primer for information technology general control
system. https://arxiv.org/pdf/1608.00695v1.pdf accessed considerations on a private and permissioned blockchain audit. Current
01.08.2019. Issues in Auditing, 13(1), A15–A29. https://doi.org/10.2308/ciia-
Frizzo-Barker, J., Chow-White, P. A., Adams, P. R., Mentanko, J., & 52356
Ha, D. (2020). Blockchain as a disruptive technology for business: Simoyama, F., Grigg, I., Bueno, R. L. P., & Oliveira, L. C. D. (2017). Triple
A systematic review. International Journal of Information Manage- entry ledgers with blockchain for auditing. International Journal of
ment, 51(102029), 1–14. https://doi.org/10.1016/j.ijinfomgt.2019. Auditing Technology, 3(3), 163–183.https:///doi.org/10.1504/
10.014 IJAUDIT.2017.086741 Accessed 28.09.2020
Griffith, E. E., Hammersley, J. S., & Kadous, K. (2015). Audits of complex Smith, S. S., & Castonguay, J. J. (2020). Blockchain and accounting gover-
estimates as verification of management numbers: How institutional nance: Emerging issues and considerations for accounting and assur-
pressures shape practice. Contemporary Accounting Research, 32(3), ance professionals. Journal of Emerging Technologies in Accounting,
833–863. https://doi.org/10.1111/1911-3846.12104 17(1), 119–131. https://doi.org/10.2308/jeta-52686
Institute of Chartered Accountants of England and Wales (ICAEW). (2017), Swan, M. (2015). Blockchain: Blueprint for a new economy. O'Reilly.
Blockchain and the Future of Accountancy. https://www.icaew. van Buuren, J., Koch, C., van Nieuw Amerongen, N., & Wright, A. M.
com/-/media/corporate/files/technical/information-technology/ (2014). The use of business risk audit perspectives by non-big 4 audit
technology/blockchain-and-the-future-of-accountancy.ashx Accessed firms. Auditing: A Journal of Practice & Theory, 33(3), 105–128. https://
03.05.2018. doi.org/10.2308/ajpt-50760
Joe, J., Wright, A., & Wright, S. (2011). The impact of changes in the Vincent, N. E., & Wilkins, A. M. (2020). Challenges when auditing
reporting environment and client and misstatement characteristics on cryptocurrencies. Current Issues in Auditing, 14(1), A46–A48. https://
the disposition of proposed audit adjustments. Auditing: A Journal of doi.org/10.2308/ciia-52675
Practice & Theory, 30(2), 103–124. https://doi.org/10.2308/ajpt- Yin, R. (2009). Case study research: Design and methods (4th ed.). Sage.
50007 Young, J. (2019). Round-up of crypto exchange hacks so far in 2019: How
Knechel, W. R. (2007). Business risk audit: Origins, obstacles and opportu- can they be stopped? https://cointelegraph.com/news/round-up-of-
nities. Accounting, Organizations and Society, 32(4–5), 383–408. crypto-exchanges-hack-so-far-in-2019-how-can-it-be-stopped.
https://doi.org/10.1016/j.aos.2006.09.005 Accessed 15.01.2021.
Kvale, S. (2007). Doing interviews. Sage. https://doi.org/10.4135/ Zachariadis, M., Hileman, G., & Scott, S. V. (2019). Governance and
9781849208963 control in distributed ledgers: Understanding the challenges facing
Liu, M., Wu, K., & Xu, J. J. (2019). How will blockchain technology impact blockchain technology in financial services. Information & Organiza-
auditing and accounting: Permissionless versus permissioned tion, 29(2), 105–117. https://doi.org/10.1016/j.infoandorg.2019.
03.001
 10991123, 2021, 2, Downloaded from https://onlinelibrary.wiley.com/doi/10.1111/ijau.12238 by University Of Sydney, Wiley Online Library on [26/10/2022]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
DYBALL AND SEETHAMRAJU 615

AUTHOR BIOGRAPHI ES
multi-disciplinary and industry relevant, exploring the evolving
relationships between IT-enabled innovations and performance.
Maria Cadiz Dyball is an associate professor in the Discipline of His research has been published at Information Systems Frontiers,
Accounting at The University of Sydney. Maria's research is in the Australian Accounting Review, Business Process Management
areas of accounting professionalization and management controls. Journal, Engineering Management Journal, Assessment and Evalua-
Her research has been published at leading journals such as tion in Higher Education and Management Review.
Accounting, Auditing and Accountability Journal, Accounting &
Finance, Asia-Pacific Journal of Management, Corporate Governance:
An International Review, Critical Perspectives on Accounting,
Financial Accountability & Management and Journal of Business How to cite this article: Dyball, M. C., Seethamraju, R.. The
Ethics. impact of client use of blockchain technology on audit risk and
audit approach—An exploratory study. Int J Audit. 2021;25:
Ravi Seethamraju is an associate professor in the Discipline of
602–615. https://doi.org/10.1111/ijau.12238
Accounting at The University of Sydney. Ravi's research is

View publication stats