Auditing Blockchains

by Ronald Chichester, Esq.

Presented at the ISACA One-Day Conference
December 4, 2017
Houston, Texas


I am a lawyer

But I'm not your lawyer

If this were legal advice, it would be followed by a bill

Auditing Blockchains

Audit a What?

A Blockchain

A blockchain is a decentralized list of records (called blocks), which are linked and secured using cryptography (to form a chain).

Blockchains are used in:

Cryptocurrencies like Bitcoin

Corporate Ledgers

E-Commerce (both B2B and B2C)

State Laws are Changing

e.g. Delaware SB 69 allows companies to:

  • use cryptocurrencies in e-commerce
  • use blockchains for, e.g., a general ledger
  • have shares of company stock sold/recorded on a blockchain

Corporations Are Adopting


No Bank Delays


Continuous Audit

What is there to audit?

The integrity of the blockchain

The transactions on the blockchain

The procedures that use the blockchain

Implementation of the Blockchain

  • Blockchains are implemented in software on a network
  • You will have to audit the network AND the source code AND the compilation of that source code AND the invocation mechanism of the executable code
  • You will need to be familiar with TCP/IP, routing, etc.

Implementation of the Blockchain

  • You will also need to be familiar with popular blockchain languages (C++, JavaScript and Python)
  • You will need to know how software is compiled and executed on a server that is connected to the network
  • Yes, this means that you will have to go through every line of code.  Are you ready for that?

Transactions of the Blockchain

Blockchains record transactions, not balances.

The Transaction Process

  1. Origination (creation)
  2. Signature (authorization)
  3. Broadcast (to the network)
  4. Validation (by a node)
  5. Propagation (to the other nodes)
  6. Verification (by a mining node)
  7. Confirmation

Anatomy of a record

Example: Cryptocurrency

Someone wants to send bitcoin to someone else

Example: Cryptocurrency

Both the sender and the receiver have a respective address

An address could look like: 1L75eRMgeCwAxEjD1oWXjLgud9jxwxm34u

You can look at an address online at a site like

Information about a bitcoin address

How is anything kept private?

The answer is cryptographic keys

typically held in a wallet

Example: Cryptocurrency

So someone with access to the balance at
wants to send money to someone else who has an address at

But wait!

If you don't want to send all of your bitcoin, then you need a change address

... like 1DFMzaJWsGCGCTwbeM4Kw4LxHsMnuodqqN

which you control with a cryptographic key

So now we have...

1L75eRMgeCwAxEjD1oWXjLgud9jxwxm34u (0 Btc)
1N6syVXHuQ7h6nikuQADi1MBXX2thdBRv (0.5 Btc)
1DFMzaJWsGCGCTwbeM4Kw4LxHsMnuodqqN (0.4998 Btc)

Note: Usually each change address is new/unique which complicates tracking.


Ultimately, the transaction has three pieces:

  1. An input (the originating address)
  2. An amount (in this case, in bitcoin)
  3. A receiving address
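To make the three pieces concrete, here is an added example (not code from the presentation, and not how Bitcoin serializes transactions) that assembles a transaction from inputs, amounts and receiving addresses and then audits the arithmetic. It uses the three addresses from the slides; the slides do not state the sender's starting balance or the fee, so 1 BTC in and a 0.0002 BTC fee are assumed, which is what makes the change come out to the 0.4998 BTC shown. Amounts are kept as whole satoshis (1 BTC = 100,000,000 satoshi) so that the audit does no floating-point arithmetic.

```python
import hashlib
import json

SATOSHI = 100_000_000  # 1 BTC = 100,000,000 satoshi; integers avoid float rounding in audits

def btc_to_sat(amount):
    """Convert a decimal BTC string such as '0.4998' to whole satoshis."""
    whole, _, frac = amount.partition(".")
    return int(whole or "0") * SATOSHI + int((frac + "00000000")[:8])

def sat_to_btc(sats):
    """Format satoshis as an 8-decimal BTC string."""
    return f"{sats // SATOSHI}.{sats % SATOSHI:08d}"

def build_transaction(inputs, payments, change_address, fee):
    """inputs: [(originating address, satoshis)], payments: [(receiving address, satoshis)].
    Whatever is not paid out or left as fee goes back to the change address,
    which the sender must control with a key of their own."""
    total_in = sum(sats for _, sats in inputs)
    total_pay = sum(sats for _, sats in payments)
    change = total_in - total_pay - fee
    if change < 0:
        raise ValueError("inputs do not cover payments plus fee")
    outputs = list(payments)
    if change > 0:
        outputs.append((change_address, change))
    tx = {"inputs": inputs, "outputs": outputs}
    # Toy transaction id: double SHA-256 over canonical JSON (Bitcoin double-hashes
    # a binary serialization; the JSON form here is an assumption for readability)
    serialized = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    tx["txid"] = hashlib.sha256(hashlib.sha256(serialized).digest()).hexdigest()
    return tx

def audit_transaction(tx):
    """The checks an auditor can make from the statement alone: outputs never exceed
    inputs, and the gap between them is the fee paid to the miner. Which output is
    'change' is not recorded anywhere; it must be tied to the sender's keys by other evidence."""
    total_in = sum(sats for _, sats in tx["inputs"])
    total_out = sum(sats for _, sats in tx["outputs"])
    return {
        "inputs_cover_outputs": total_out <= total_in,
        "implied_fee_btc": sat_to_btc(total_in - total_out),
        "output_addresses": [addr for addr, _ in tx["outputs"]],
    }

# Addresses from the slides; balance and fee are constructed assumptions
SENDER = "1L75eRMgeCwAxEjD1oWXjLgud9jxwxm34u"
RECEIVER = "1N6syVXHuQ7h6nikuQADi1MBXX2thdBRv"
CHANGE = "1DFMzaJWsGCGCTwbeM4Kw4LxHsMnuodqqN"

def demo():
    tx = build_transaction(
        inputs=[(SENDER, btc_to_sat("1.0"))],          # assumed starting balance
        payments=[(RECEIVER, btc_to_sat("0.5"))],       # amount from the slide
        change_address=CHANGE,
        fee=btc_to_sat("0.0002"),                       # assumed fee
    )
    return tx, audit_transaction(tx)

if __name__ == "__main__":
    tx, report = demo()
    for addr, sats in tx["outputs"]:
        print(addr, sat_to_btc(sats))
    print(report)
```

The audit report reflects the point made later in the deck about block explorers: the statement itself carries the input, the amounts and the receiving addresses, and nothing else. The fee is derived, and the label "change" on the second output is an inference, which is exactly why a fresh change address per transaction complicates tracking.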

A typical bitcoin transaction


There is software that simplifies the review of a transaction

That software is called a Block Explorer

There are lots of block explorers

An example of a block explorer is

Notez Bien!  Some of the block explorers give more information than others... but anything more than what was in the core statement is guesswork.

Procedures related to the Blockchain

This part is pretty straightforward, traditional auditing.

Who can add a transaction to the blockchain.

How transaction statements are sent to or received from the blockchain.


Ronald Chichester