Blockchain risk management audit report, blockchain risk management audit content

Published: 2023-12-16-05:22:00 Source: Internet Bitcoin Basics Block Risk Management


① If blockchain technology is used to audit food safety, what is the goal?

Maintain food safety. Blockchain technology is being applied more deeply in the field of food safety. Its purpose is to effectively provide food safety guarantees, establish complete traceability of food safety issues, help reduce consumer risks, and help food companies promptly recall problematic products in a targeted manner, avoiding the maximum risk at the minimum cost.

② How to strengthen supply chain risk management

Supply chain risk management refers to a series of measures and strategies adopted to deal with various potential risks in the supply chain. Here are some ways to strengthen supply chain risk management:

Build a risk management team: Companies can form a supply chain risk management team that is responsible for identifying, assessing and managing risks in the supply chain. The team should include professionals in different fields, such as experts in procurement, quality, logistics, etc.

Analyze supplier risks: evaluate the reliability and stability of suppliers and establish a supplier risk management mechanism. Through regular supplier surveys, audits, evaluations and monitoring, we can understand the operating status and supply capabilities of suppliers, and discover and deal with supplier problems and risks in a timely manner.

Strengthen inventory management: Set up appropriate inventory reserves in the supply chain to avoid production line stagnation and delivery delays due to supply interruptions. Reasonable inventory management methods can be adopted, such as first-in-first-out, automatic replenishment, etc., to ensure timely replenishment and updating of inventory.

Establish alternative suppliers: Establish a network of alternative suppliers in case of emergencies. When the primary supplier is unable to provide the required products or services, backup suppliers can provide timely assistance and reduce the impact of supply disruptions.

Carry out risk warning and contingency planning: regularly monitor risks in the supply chain and establish corresponding early warning mechanisms. At the same time, contingency plans should be developed to enable rapid response and handling in the event of supply interruptions or other risks, thereby reducing losses and impacts.

In short, strengthening supply chain risk management requires companies to formulate appropriate strategies and measures and implement them on the basis of full participation to ensure the stability and sustainable development of the supply chain.

③ Why Bitcoin and blockchain are favored by the 'Audit Big Four'

It can be said that the world's largest service companies are all promoting blockchain solutions to their customers, offering a cheaper, more effective and faster replacement for existing infrastructure.
Deloitte
A clear example is Deloitte, which is investing heavily in Bitcoin and blockchain technology. Deloitte's in-house team Rubix is focusing on developing blockchain applications, and Deloitte Canada recently installed a Bitcoin ATM in its Toronto office.
Illiana Oris Valiente, co-founder and head of strategy at the Rubix team, explained:
“We think it’s important to show people how to earn Bitcoin as this is an entry point into understanding the wider impact of blockchain.”
Deloitte also explains how blockchain can change industries including healthcare, financial services and infrastructure, and even points rewards programs. This work includes Deloitte's successful proof-of-concept trial of blockchain for transaction reporting in partnership with Bank of Ireland.
Recently, Deloitte and London blockchain startup SETL reached the first blockchain investment plan. About a month ago, Deloitte and SETL announced a collaboration to develop a contactless card that uses blockchain technology for transaction settlement.
PricewaterhouseCoopers (PwC)
PricewaterhouseCoopers (PwC) is also involved in blockchain development, including a partnership with Bitcoin blockchain startup Blockstream. The services giant also has a partnership with New York-based blockchain startup Digital Assets. In March 2016, PricewaterhouseCoopers released a report arguing that blockchain is an "unparalleled" opportunity to achieve a technological leap in the financial services industry.
Ernst & Young (EY)

Meanwhile, the last of the 'Audit Big Four', Ernst & Young (EY), recently entered into a partnership with the famous Bitcoin mining company Bitfury Group to provide blockchain services by leveraging the latter's expertise.
In addition, EY Switzerland has announced that from 2017, they will accept Bitcoin as a payment method for services. This plan demonstrates Ernst & Young’s recognition of Bitcoin, the underlying technology of which is the most powerful public blockchain.
Blockchain technology is not only popular abroad, it is also the darling of the financial community at home. Domestic giants such as LeTV Finance, Ant Financial, Internet, Tencent, Wanda, and China Post are all paying attention to blockchain technology. Puyin Group launched Puyin, a tea-based digital currency based on blockchain technology.

④ Does blockchain have compliance risks?

Yes, the application of blockchain technology may involve compliance risks.
First of all, in some countries and regions, governments or regulatory authorities may take different stances on digital currencies and other assets based on blockchain technology, which creates a certain degree of legal, compliance and policy risk. For example, some countries restrict or prohibit the use of digital currencies and other Bitcoin or blockchain derivatives. Therefore, when choosing the scope of application of blockchain technology, the local legal and regulatory environment needs to be considered.
Secondly, there are trust issues between participants in private chains or alliance chains, and there are also compliance risks in the construction of trust mechanisms. For example, in the financial field, banks or other financial institutions need to consider which trust model to use when using blockchain technology to comply with social ethics and potential legal requirements. For money-related transactions, legal requirements such as anti-money laundering and counter-terrorism must also be met.
In addition, due to the immutable and public nature of blockchain technology, it may inadvertently leak personal privacy, business secrets and other confidential information, causing privacy data leaks and security risks.
Therefore, enterprises and technology companies should carefully assess potential compliance risks and formulate appropriate compliance and security measures, such as complying with legal and regulatory requirements, establishing a sound privacy protection mechanism, and strengthening privacy data protection in multiple dimensions, to ensure the compliance and data security of blockchain technology applications.

⑤ How to detect the risk level of blockchain smart contracts

With the acceleration of digital transformation in Shanghai, blockchain technology has been deeply applied in government affairs, finance, logistics, justice and other fields. This application has produced new business forms and business models, but it has also raised many security issues, so security supervision is particularly important. As one of the important means of supervision, security evaluation has become a focus for many blockchain R&D manufacturers and application companies. This article describes some of our exploration and practice in blockchain compliance security assessment.
1. Blockchain technology evaluation
Blockchain technology evaluation is generally divided into functional testing, performance testing and security evaluation.
1. Functional testing
Functional testing is a test of the basic functions supported by the underlying blockchain system, with the purpose of measuring the capabilities of the underlying blockchain system.
Blockchain functional testing is mainly based on GB/T 25000.10-2016 "System and Software Quality Requirements and Evaluation (SQuaRE) Part 10: System and Software Quality Model", GB/T 25000.51-2016 "System and Software Quality Requirements and Evaluation (SQuaRE) Part 51: Quality Requirements and Testing Details for Ready to Use Software Products (RUSP)" and other standards to verify whether the software under test meets the requirements of relevant test standards.
Blockchain function testing specifically includes networking methods and communication, data storage and transmission, encryption module availability, consensus function and fault tolerance, smart contract function, system management stability, chain stability, privacy protection, interoperability, account and transaction types, private key management solutions, audit management and other modules.
2. Performance testing
Performance testing is a type of test implemented and executed to describe and evaluate the performance-related characteristics of the test object. It is mostly used in project acceptance evaluation to verify whether the established technical indicators have been met.
Blockchain performance testing specifically includes high-concurrency stress test scenarios, peak impact test scenarios, long-term stable operation test scenarios, query test scenarios and other modules.
3. Security Assessment
Blockchain security assessment mainly conducts security testing and evaluation of account data, cryptography mechanisms, consensus mechanisms, smart contracts, etc.
The main basis for blockchain security evaluation is "DB31/T 1331-2021 General Requirements for Blockchain Technology Security". According to actual testing needs, you can also refer to "JR/T 0193-2020 Blockchain Technology Financial Application Assessment Rules", "JR/T 0184-2020 Financial Distributed Ledger Technology Security Specification" and other standards.
Blockchain security assessment specifically includes storage, network, computing, consensus mechanism, cryptography mechanism, timing mechanism, personal information protection, networking mechanism, smart contracts, services and access, etc.
2. Blockchain Compliance Security Assessment
Blockchain compliance security assessment generally includes three categories: "Blockchain Information Service Security Assessment", "Network Security Level Protection Assessment" and "Special Fund Project Acceptance Evaluation".
1. Blockchain information service security assessment
Blockchain information service security assessment is mainly based on the "Blockchain Information Service Management Regulations" issued by the Cyberspace Administration of China on January 10, 2019 (hereinafter referred to as "Regulations") and refer to the national blockchain standard "Blockchain Information Service Security Specification (Draft for Comments)".
The "Regulations" aim to clarify the information security management responsibilities of blockchain information service providers, standardize and promote the healthy development of blockchain technology and related services, avoid blockchain information service security risks, and provide an effective legal basis for the provision, use and management of blockchain information services. Article 9 of the "Regulations" states: Blockchain information service providers that develop and launch new products, new applications, and new functions must report to the national and provincial, autonomous region, and municipality Internet Information Offices for security assessment in accordance with relevant regulations.
The "Blockchain Information Service Security Specification" is a national standard for evaluating the security capabilities of blockchain information services. Its preparation is led by the Institute of Information Engineering of the Chinese Academy of Sciences, with the participation of Zhejiang University, China Electronics Technology Standardization Institute, Shanghai Information Security Evaluation and Certification Center and other units. The "Blockchain Information Service Security Specification" stipulates the security requirements that blockchain information service providers of alliance chains and private chains should meet, including security technical requirements and security assurance requirements as well as corresponding test and evaluation methods, and is suitable for guiding blockchain information service security assessment and blockchain information service security construction. The security technical requirements and assurance requirements framework proposed by the standard are as follows:
Figure 1 Blockchain information service security requirements model
2. Network security level protection evaluation
The main basis for network security level protection evaluation includes "GB/T 22239-2019 Basic Requirements for Network Security Level Protection" and "GB/T 28448-2019 Network Security Level Protection Evaluation Requirements".
As an emerging information technology, the application system built by blockchain is also an object of level protection and needs to be evaluated for level protection in accordance with regulations. The general requirements for level protection security evaluation are applicable to the evaluation of the infrastructure part of the blockchain, but currently there are no blockchain-specific security requirements. Therefore, the expansion requirements for blockchain security evaluation still need to be further explored and studied.
3. Special fund project acceptance evaluation
According to the relevant regulations of the Municipal Economic and Information Technology Commission, information technology special fund projects are required to issue a safety evaluation report during project acceptance. The acceptance evaluation of blockchain application projects will be carried out in accordance with Shanghai’s latest blockchain local standard "DB31/T 1331-2021 General Requirements for Blockchain Technology Security".
3. Exploration and practice of blockchain security assessment
1. Standard preparation
Shanghai Assessment Center actively participates in the preparation of blockchain standards. The blockchain local standard "DB31/T 1331-2021 General Requirements for Blockchain Technology Security" was prepared under the lead of the Shanghai Evaluation Center, with the participation of Suzhou Tongji Blockchain Research Institute Co., Ltd., Shanghai Qiyin Information Technology Co., Ltd., Shanghai Moheng Network Technology Co., Ltd., the First Research Institute of Telecommunications Science and Technology and other units. It was officially released in December 2021 and will be officially implemented on March 1 this year. The blockchain national standard "Blockchain Information Service Security Specification", in whose preparation the Shanghai Assessment Center participated, is in the stage of soliciting opinions.
At the same time, the assessment center also participated in the compilation of primary and intermediate textbooks for blockchain engineering technicians organized by the Ministry of Human Resources and Social Security and led by Tongji University, and was responsible for compiling the chapter "Testing the Blockchain System".
2. Project Practice
In recent years, the Shanghai Assessment Center has conducted a large number of blockchain security assessment practices based on relevant technical standards, including grade protection assessment, information service security assessment, project security assessment, etc. In the evaluation practice, the main security issues discovered are as follows:
Table 1 Main blockchain security issues

| Serial number | Evaluation items | Problem description |
|---|---|---|
| 1 | Consensus Algorithm | The consensus algorithm uses Kafka or Raft consensus and does not support Byzantine fault tolerance or tolerate malicious node behavior. |
| 2 | On-chain data | On-chain sensitive information is not encrypted, and all data on the chain can be accessed through the query interface or blockchain browser. |
| 3 | Cryptographic Algorithm | The random numbers used in the cryptographic algorithm do not meet the randomness requirements of GB/T 32915-2016. |
| 4 | Node Protection | For the alliance chain, security protection measures failed to be configured for the area where the node server is located. |
| 5 | Communication transmission | When communicating between nodes, and between the blockchain and upper-layer applications, no secure information transmission channel has been established. |
| 6 | Consensus Algorithm | The number of nodes deployed in the system is small, and sometimes the number of fault-tolerant nodes required by the consensus algorithm is not even reached. |
| 7 | Smart Contract | The operation of the smart contract is not monitored, and problems that arise during the operation of the smart contract cannot be discovered and dealt with in a timely manner. |
| 8 | Services and Access | Upper-layer applications have access control flaws such as unauthorized access, leading to business confusion and data leakage. |
| 9 | Smart Contract | Smart contract coding is not standardized. When an error occurs in the smart contract, the smart contract freezing function is not provided. |
| 10 | Smart Contract | The running environment of smart contracts is not isolated from the outside, and there is a risk of external attacks. |
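The following added example (not part of the original article or of DB31/T 1331) checks a deployment description against items 1, 2, 5 and 6 of Table 1. The `Deployment` fields and the two sample deployments are hypothetical and constructed for illustration; the node counts use the standard bounds of 2f+1 nodes for Raft (crash faults only) and 3f+1 nodes for PBFT-style Byzantine fault tolerance.

```python
from dataclasses import dataclass

CRASH_ONLY = {"raft"}   # tolerates stopped nodes, not malicious ones
BYZANTINE = {"pbft"}    # tolerates arbitrary (malicious) node behaviour


@dataclass
class Deployment:
    """Hypothetical description of a consortium-chain deployment."""
    name: str
    consensus: str                    # "raft" or "pbft"
    nodes: int                        # consensus nodes actually deployed
    required_faults: int              # faulty nodes the design must survive
    node_tls: bool                    # node-to-node and app-to-chain channels protected
    sensitive_fields_encrypted: bool  # sensitive on-chain fields encrypted


def tolerated_faults(consensus: str, nodes: int) -> tuple[int, int]:
    """Return (crash_faults, byzantine_faults) that `nodes` nodes can tolerate."""
    kind = consensus.lower()
    if nodes < 1:
        raise ValueError("at least one node is required")
    if kind in CRASH_ONLY:
        # Raft needs a majority alive: n >= 2f + 1, and tolerates no Byzantine node.
        return (nodes - 1) // 2, 0
    if kind in BYZANTINE:
        # PBFT needs n >= 3f + 1; a crashed node counts as one of the f faults.
        f = (nodes - 1) // 3
        return f, f
    raise ValueError(f"unsupported consensus: {consensus}")


def min_nodes(consensus: str, faults: int) -> int:
    """Smallest node count that tolerates `faults` faulty nodes."""
    kind = consensus.lower()
    if kind in CRASH_ONLY:
        return 2 * faults + 1
    if kind in BYZANTINE:
        return 3 * faults + 1
    raise ValueError(f"unsupported consensus: {consensus}")


def assess(dep: Deployment) -> list[tuple[int, str]]:
    """Return (Table 1 item number, message) pairs for each issue found."""
    findings = []
    crash, _byz = tolerated_faults(dep.consensus, dep.nodes)
    if dep.consensus.lower() in CRASH_ONLY:
        findings.append((1, "consensus is crash-fault tolerant only; "
                            "a malicious node is not tolerated"))
    if not dep.sensitive_fields_encrypted:
        findings.append((2, "sensitive on-chain fields are stored unencrypted"))
    if not dep.node_tls:
        findings.append((5, "no secure channel between nodes or to upper-layer apps"))
    if crash < dep.required_faults:
        need = min_nodes(dep.consensus, dep.required_faults)
        findings.append((6, f"{dep.nodes} nodes tolerate {crash} fault(s); "
                            f"{need} nodes needed for {dep.required_faults}"))
    return findings


# Constructed sample deployments (not taken from any real assessment).
SAMPLES = [
    Deployment("chain-a", "raft", 2, 1, node_tls=False,
               sensitive_fields_encrypted=False),
    Deployment("chain-b", "pbft", 4, 1, node_tls=True,
               sensitive_fields_encrypted=True),
]

if __name__ == "__main__":
    for dep in SAMPLES:
        issues = assess(dep)
        print(dep.name, "OK" if not issues else "")
        for item, message in issues:
            print(f"  Table 1 item {item}: {message}")
```
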
3. Tool Application
When the evaluation center organized and compiled the "DB31/T 1331-2021 General Requirements for Blockchain Technology Security", it considered the need to connect with the level protection evaluation. The "infrastructure layer" security in DB31/T 1331 is consistent with the relevant level protection requirements for secure physical environment, secure communication network, security area boundary, secure computing environment, security management center, etc., while "protocol layer" security and "extension layer" security reflect more of the security protection requirements unique to the blockchain.
Based on the relevant security requirements of DB31/T 1331, the assessment center is organizing and compiling extended blockchain assessment requirements. The relevant results will be applied to the network security level protection assessment tool "Assessment Expert". By then, evaluation institutions using the "Assessment Expert" software will be able to carry out blockchain security evaluations accurately, in a standardized way and efficiently, discover blockchain security risks, and put forward corresponding rectification suggestions.

⑥ Risk control under the blockchain paradigm: reducing strategic risks, foreseeable risks



Marco Iansiti and Karim Lakhani, "Harvard Business Review" Chinese version, January 2017, the article "The Truth about Blockchain"

Research experience in the field of technological innovation tells us that only by eliminating obstacles in technology, government control, organization and society can the blockchain revolution truly take place. If you don’t know how blockchain will occupy the high ground, it would be a mistake to rush into blockchain innovation.

Systemic risk. Speaking of systemic risks, we have to mention dramatic global economic downturns such as the credit crunch that followed the financial crisis of 2008-2009. For most companies, that is an external event that cannot be predicted or controlled. Global regulators are reshaping the financial world to avoid similar crises, and an important step in their strategy is to enhance the role of central counterparties (CCPs). A CCP is an entity that is inserted between the two parties in a financial transaction. After both parties agree to a transaction, the CCP becomes the seller to every buyer and the buyer to every seller. In this process, the CCP reduces counterparty credit and liquidity risk exposure through netting, reducing the risk the two parties face from direct contact when one party defaults, but the risk remains concentrated in the CCP. The main roles of a CCP are: 1. Manage settlement operation tasks and reduce settlement risks; 2. Through membership approval and the implementation of margins (initial and variation), monitor individual credit risk and provide transparent risk management; 3. Deal with defaulting parties; 4. Monitor systemic risks in the market.

In financial markets managed based on blockchain, many CCP principles may be eliminated. It is conceivable that functions 1 and 2 of CCP will be replaced by smart contracts. DAOs are designed to create a relationship between two parties. Once certain terms embedded in the smart contract are touched, the receivables can be automatically transferred from one party to the other. Functions 3 and 4 of CCP can also be improved by blockchain technology, but it is unlikely to be fully automated because it requires a high degree of directionality and large-scale scene analysis capabilities. Relevant blockchain startups such as Digital Asset Holding and D-Pactum are working with CCP to redesign their technology in the direction of distributed ledgers and smart contracts without changing the role given to CCP by recent laws and regulations. This could develop into fundamental measures to increase the resilience of the financial system. On the distributed ledger, transparent and standardized transaction processes can be designed, and the relationship between capital and margin can occur automatically, thus reducing the risk burden of intermediary managers. By encoding smart contracts signed by each participant, the rules for managing crisis events can be as certain as possible.

Cyber risks. This is the last external risk we will analyze, but not the least. Indeed, a lack of understanding of, or attention to, cyber risks or failures of critical infrastructure such as control systems, energy, transportation, telecommunications and financial infrastructure has the potential to have far-reaching consequences for national economies, multiple economic sectors and global businesses. The responsibility for conducting risk assessments and setting up risk management systems now falls on each business, but their internal practices and processes vary widely, and small businesses with immature risk management systems are more vulnerable to cyberattacks in this context.

Is blockchain a viable solution? No doubt. The development of digital currencies extends the secure use of cryptography and creates a business model with new types of resilience against cyberattacks. A complete system on a distributed ledger could provide a higher level of cybersecurity than a company's standard firewall technology. Because the distributed ledger is automated, and because of the principles of information sharing and the robustness of the consensus protocol, the ledger history is omnipresent and unchangeable. Therefore, in this system, high-tech cyber attacks can be prevented before they occur.

However, at the end of the analysis of external risks, it is worth noting that the emergence of digital currency has created, for the first time, a circulating currency that is not tied to the decisions of national or multinational governments or to any real economy. In reality, the value of digital currency fluctuates greatly, but the direction and timing of its movements differ from the market, so it remains uncorrelated with any particular country's currency or stock market. Therefore, Bitcoin is called "digital gold". Like gold, digital currencies have been used as a safe-haven asset to limit the impact of macroeconomic risks.

In conclusion, before we delve into the amazing utility of blockchain in risk management, it is important to understand that blockchain is not a panacea. It should be viewed as one of many technologies building the next generation of risk management infrastructure.

⑦ Classification of blockchain audit objectives

Under blockchain technology, the traditional audit objectives of authenticity and integrity are no longer important, and need to shift to risk warning and decision support.
First of all, the irreversibility and timestamps of the blockchain can ensure that the data is not modified at will. In the blockchain system, the premise for each transaction to be valid is that the system reaches a consensus on the ownership of digital assets, and once reached, it cannot be modified. Reflected in the audit, after a transaction occurs and is recorded, if you try to modify it, subsequent accounting processing requires all blockchains to be modified, and it will be very difficult to falsify it.
Secondly, under the distributed accounting rules, transaction data is stored in each block, and each block is shared by traders and confirmers. If a block fails or is attacked, other participants on the chain can still operate as usual and keep copies of the books recording complete data, which ensures the integrity of the accounting data.
In the audit work, as long as the transactions are verified for fraud, the authenticity and completeness audit objectives can be quickly achieved. For example, in traditional raw material audits, it is necessary to verify the invoices, inspections and warehousing of the procurement process. Now it is only necessary to verify the authenticity of the invoices and physical objects in the warehousing process, and other links can be omitted. For example, when department A picks materials, other departments will also record the quantity of materials picked by department A. If department A wants to modify its own quantity of materials, it needs to modify the records of all other departments at the same time, which is very difficult. This guarantees the authenticity and completeness of material collection records. Correspondence and verification of accounts receivable, accounts payable, and transactions can also be handled similarly.
In short, due to the non-modifiable and public nature of the blockchain, the correctness and legality of transaction rights and obligations, pricing, deadlines, posting and summary, classification, and disclosure can be effectively guaranteed. The focus of auditing should shift to in-process supervision, risk warning and decision-making support. For example, if certain monitoring and analysis indicators are set in the blockchain audit software, abnormal operating behavior of the audited unit can be discovered at any time to achieve ongoing supervision. Thresholds can be set for key indicators, such as automatic early warning when the bad debt rate of accounts receivable reaches 20%, reminding auditors of problems, changing regular audits to "all-weather" audits, and giving full play to the risk warning function. In addition, blockchain technology has an auxiliary decision-making function due to its large amount of data and data processing capabilities. During the audit process, blockchain data analysis capabilities can be used to trace the recovery of accounts receivable and bad debts, and to propose targeted improvement suggestions.

⑧ Investment value and security of blockchain

Investment value of blockchain

Blockchain is considered to be the most disruptive technological innovation since the invention of the Internet. Blockchain combines cryptography, economics, game theory and computing. It has the characteristics of irreversible transactions and irreversible data, and has commercial value in many fields. Its applied research has expanded to fields such as finance, energy, logistics, education, culture and social services.

Blockchain technology will create opportunities for the development of new generation information technologies such as cloud computing, big data, Internet of Things, artificial intelligence, etc., and can comprehensively promote the upgrading of information technology and realize the leapfrog development of the information industry.

Blockchain security

Privacy protection: cryptography ensures that even if unauthorized persons can access the data, they cannot parse it.

The resulting business features include trustworthiness: blockchain can provide a naturally viable distributed ledger platform without the need for additional third-party intermediaries;

Enhanced security: Blockchain technology is conducive to safe and reliable audit management and account settlement, reducing the possibility of crime and various risks.

⑨ How to apply blockchain technology and what role it can play

Take buying a house as an example: Buying a house is a complex transaction process, and the participants include sellers, buyers, intermediary companies, housing authorities, banks, appraisal companies, tax bureaus, etc. Throughout the transaction process, all participants must record their own ledgers separately. Checking these ledgers is a very time-consuming and laborious task, and the verification cost is very high. That's why the entire process of buying a home now takes an average of two months.

In addition to being time-consuming and labor-intensive, since there is very little information that can be verified by a single participant, there is a risk of being "cheated at both ends" by the intermediary company, or "sold for more than one house". However, blockchain provides a solution: integrating all participants' ledgers into a trustworthy and non-tamperable digital ledger, which can be queried by all participants. In this way, every aspect of the home buying process is clearly visible, and everyone can conduct transactions with less time and effort.

Bitcoin is the first application of blockchain technology. Without the operation and management of any centralized organization, Bitcoin has maintained stable operation for many years without any problems. Through this case, everyone saw the potential of blockchain technology.

In order to prevent single points of failure and systemic risks, the current financial industry requires strict supervision and layer-by-layer audits to control risks, which also results in high internal costs. The traditional cross-border settlement method is through intermediaries like SWIFT, so the settlement speed is very slow. However, Bitcoin has been running perfectly for many years without the operation of a centralized institution. It can not only realize settlement and clearing in real time, but there has also not been a single accounting error.

According to a report released by Santander, Spain’s largest bank, if all banks around the world use blockchain technology internally around 2020, they will save approximately US$20 billion in costs per year. Such data is enough to illustrate the huge changes and breakthroughs that "blockchain" has brought to the traditional financial field.
