Blockchain is often described as a technology that eliminates the need for trust. In reality, it changes where trust resides. That distinction matters for executives accountable for governance, risk, and assurance in increasingly decentralised environments.
Since publishing my recent ISACA Journal article on blockchain risk and auditing, the most common question I have been asked is a very practical one: how do you actually apply this in real audits without starting from scratch? The short answer is that I did not abandon existing frameworks. I changed how I interpret them.
Traditional audit and control models were designed for centralised systems, reversible changes, and human decision-making. Blockchain systems operate through immutable records, cryptographic controls, and consensus-based validation. As a result, risk does not disappear. It shifts location. Effective oversight requires executives to understand where control truly lives in these environments. One of the most important changes is recognising that trust is embedded in code and collective agreement rather than in roles or hierarchy. Governance risk now arises from validator concentration, protocol upgrade mechanisms, and off-chain decision-making forums. These elements require the same level of scrutiny as access rights and approval workflows in traditional IT systems.
Smart contracts further raise the stakes. Once deployed, their code is typically immutable: errors cannot be patched in place or rolled back, and remediation is limited to whatever upgrade or pause mechanism was designed in before deployment, which itself becomes a governance control that needs scrutiny. From an executive perspective, this elevates the importance of assurance before deployment. Rigorous testing, independent review, and clear ownership of the smart contract life cycle are no longer technical preferences. They are fundamental risk controls. Consensus mechanisms also demand leadership attention. Whether a platform relies on proof-of-work or proof-of-stake, excessive concentration of validation power (hashing power in the first case, staked value in the second) can undermine resilience and integrity. Executives should expect visibility into validator diversity, governance participation, and monitoring of abnormal network behaviour. Decentralisation that exists only in theory provides little protection in practice.
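The "visibility into validator diversity" called for above can be made concrete with two standard concentration measures: the Nakamoto coefficient (the smallest number of entities whose combined share of validation power exceeds a chosen threshold) and the Herfindahl-Hirschman Index (the sum of squared percentage shares). The script below is an added example written for this article, not code from the original piece or from any blockchain project. The validator set is constructed for illustration, the mapping of validator keys to operating entities is assumed to be available from an off-chain source such as validator disclosures, and the one-third threshold reflects the share at which a BFT-style proof-of-stake network's finality can be stalled (one-half would be the analogous figure for proof-of-work hashrate). The point it makes is the one in the paragraph: a network that looks diverse when counted by validator key can be highly concentrated when counted by who actually operates those keys.

```python
from collections import defaultdict

# Constructed sample data (not taken from any real network): 20 validator keys
# with equal stake, operated by only five entities. The operator mapping is an
# assumption about what off-chain disclosure would provide.
SAMPLE_VALIDATORS = [
    (f"val-{i:02d}", operator, 40.0)
    for i, operator in enumerate(
        ["OperatorA"] * 6 + ["OperatorB"] * 5 + ["OperatorC"] * 4
        + ["OperatorD"] * 3 + ["OperatorE"] * 2,
        start=1,
    )
]

# Share of validation power at which a BFT-style proof-of-stake chain can be
# stalled. Assumed default; use 0.5 for proof-of-work hashrate analysis.
BFT_STALL_THRESHOLD = 1 / 3


def aggregate_stake(validators, by="validator"):
    """Sum stake per validator key, or per operating entity when by='operator'."""
    totals = defaultdict(float)
    for validator_id, operator, stake in validators:
        totals[validator_id if by == "validator" else operator] += stake
    return dict(totals)


def nakamoto_coefficient(totals, threshold):
    """Smallest number of largest entities whose combined stake exceeds threshold * total."""
    total = sum(totals.values())
    cumulative = 0.0
    for count, stake in enumerate(sorted(totals.values(), reverse=True), start=1):
        cumulative += stake
        if cumulative > threshold * total:
            return count
    return len(totals)  # only reached if threshold >= 1


def hhi(totals):
    """Herfindahl-Hirschman Index: sum of squared percentage shares (10000 = monopoly)."""
    total = sum(totals.values())
    return round(sum((100.0 * stake / total) ** 2 for stake in totals.values()), 2)


def concentration_report(validators, threshold=BFT_STALL_THRESHOLD):
    """Compute entity count, Nakamoto coefficient and HHI at both levels of aggregation."""
    report = {}
    for level in ("validator", "operator"):
        totals = aggregate_stake(validators, by=level)
        report[level] = {
            "entities": len(totals),
            "nakamoto": nakamoto_coefficient(totals, threshold),
            "hhi": hhi(totals),
        }
    return report


if __name__ == "__main__":
    for level, metrics in concentration_report(SAMPLE_VALIDATORS).items():
        print(f"{level:>9}: {metrics['entities']:2d} entities, "
              f"Nakamoto coefficient {metrics['nakamoto']}, HHI {metrics['hhi']}")
```

On the constructed data the validator-level view reports 20 entities and a Nakamoto coefficient of 7, while the operator-level view reports 5 entities and a coefficient of 2: two operators acting together could halt finality. An audit programme that only counts validator keys would miss this, which is why the operator mapping, however it is sourced, belongs in the evidence set.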
Immutability, one of blockchain’s defining features, strengthens audit trails but restricts the ability to correct. This requires a deliberate shift toward preventive and compensating controls. Strong reconciliation processes, privacy-preserving techniques, and clear error-handling procedures become essential. When mistakes cannot be reversed, foresight becomes the most valuable control.
Importantly, established frameworks remain relevant. ISO/IEC 27001, COBIT, and NIST continue to provide structure and assurance when applied thoughtfully. Access control becomes key management. Change management becomes governance-approved upgrades. Incident response becomes coordinated action in systems where transactions cannot be undone. Continuity, not reinvention, is what enables effective oversight. Assurance models must evolve alongside the technology. Blockchain systems operate continuously, and oversight should reflect that reality. Periodic audits alone are insufficient. Continuous monitoring of transactions, validator behaviour, and smart contract execution provides earlier signals and stronger executive confidence.
Blockchain does not eliminate risk. It reshapes it. Executives who understand this shift and adapt their governance accordingly are better positioned to realise the benefits of blockchain while maintaining trust, compliance, and resilience.