When talking with audit professionals, we have noticed a few misconceptions about auditing digital assets that are worth discussing. The most prominent misconceptions relate to proving ownership and confirming transaction details of digital assets (typically cryptocurrencies) as part of a financial statement audit. We have heard the following assumptions that may seem reasonable at the outset, but are not prudent when diving deeper:
We have heard this reasoning from small CPA firms as well as Big 4 auditors. While the PCAOB has not issued authoritative guidance, we would invite auditors to think critically about how best to test digital assets.
Looking more closely at each of these assumptions, here are considerations for an auditor who applies this logic to an audit.
Blockchains, for the most part, contain complete and accurate data. An auditor will still have to consider which blockchains are involved, how much hash power secures each of them (and therefore how hard its transaction history is to rewrite), and what the auditor's risk tolerance is.
Blockchain data, however, is only half of the equation. Companies holding crypto assets typically keep records independently in their own accounting software (e.g. QuickBooks, Xero, Intacct). Unless the company uses an industry-specific accounting system (such as Ledgible, SoftLedger, Libra or Balanc3) that derives wallet balances and transaction history directly from the blockchain, the auditor will have to reconcile the internally kept records with the external blockchain data.
While this reconciliation is not terribly difficult, the auditor must understand that it is vital: reconciling internally held records to the blockchain data verifies that the company accounted for every transaction on the public blockchains that involves a company wallet. If auditors do not perform this procedure, there is a risk that inaccurate transactions, or an incomplete set of transactions, were recorded on the company's books.
While it is true that all wallet and transaction activity is viewable on the blockchain, this does not make confirming ownership of the wallets related to the company's financial statements a moot point. A wallet or transaction appearing in the company's records may not actually belong to the company. If no ownership procedures are performed, a company could simply claim that a specific wallet address is theirs, point to the blockchain to show its balance, and include assets it does not own on its financial statements.
The ability to duplicate private keys is by design in blockchain protocols. Keeping copies of keys is a crucial part of the safeguards that protect your funds: as many past cases have shown, maintaining your keys in a single centralized environment creates a concentrated point of failure.
However, just because private keys can be duplicated, that does not make them insufficient as audit evidence. In fact, private key verification is most likely the best form of audit evidence available. While it is true that two companies could be sharing a private key, or that a private key could have been compromised and a hacker is waiting patiently to steal funds, the auditor has a few methods to mitigate risks when confirming ownership of wallets during an audit.
Management representation letters do not catch all fraud, but they do act as a deterrent, placing sole responsibility for the data presented on the members of management, including fraud and related party considerations. In addition to receiving the management representation letter, the auditor exercises professional skepticism at all times during the audit.
(Management also attests to other items that are relevant for Item C regarding internal controls:
If the private keys truly belong to another party, but management is representing ownership on its own financial records, the auditor can perform procedures that may uncover inconsistencies between the company's books and the blockchain data. When reconciling the books to blockchain data, the auditor should inquire about the nature of each transaction, and ensure all transactions reconcile exactly to the company's internal records. If the wallets are truly owned by a third party, the company's books may not reconcile to the data on the blockchain (as the true owner performed their own transactions), and management may not be able to describe relevant details of a transaction (such as the external party, the reason for the transaction, etc.).
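The reconciliation described above, and in the earlier discussion of comparing internally kept records with blockchain data, is mechanical enough to script. The following is an added example written for this page, not code from the original article or from any of the accounting systems it names. It assumes the auditor has already extracted, per company wallet, the net effect of each on-chain transaction (from a node or a block explorer) and exported the company's ledger lines; both data sets below are constructed samples. Each kind of reconciling item maps to one of the risks the text raises: an on-chain transaction absent from the books (incomplete books, or someone else transacting from the wallet), a booked transaction that never appears on chain, an amount that differs (for instance a network fee that was not recorded), and a transaction management cannot explain.

```go
package main

import (
	"fmt"
	"sort"
)

// BookEntry is one line of the company's internal ledger for a crypto wallet.
// Amounts are in the asset's smallest unit; inflows positive, outflows negative.
type BookEntry struct {
	TxID   string
	Wallet string
	Amount int64
	Memo   string // management's description of the transaction
}

// ChainTx is the same transaction as observed on the public blockchain
// (net effect on the company wallet, already extracted from a node or explorer).
type ChainTx struct {
	TxID   string
	Wallet string
	Amount int64
}

// Finding is one reconciling item the auditor must follow up on.
type Finding struct {
	Kind   string // one of the constants below
	TxID   string
	Wallet string
	Detail string
}

const (
	MissingFromBooks = "missing_from_books" // on chain, not in the ledger: incomplete books, or a third party transacts from this wallet
	NotOnChain       = "not_on_chain"       // in the ledger, never confirmed on chain: inaccurate books
	AmountMismatch   = "amount_mismatch"    // both sides exist but disagree (e.g. fee not recorded)
	NoExplanation    = "no_explanation"     // reconciles, but management has not described the transaction
)

func key(txid, wallet string) string { return wallet + "/" + txid }

// Reconcile compares the ledger with the chain data wallet-by-wallet and
// transaction-by-transaction, returning every discrepancy sorted by wallet and tx id.
func Reconcile(books []BookEntry, chain []ChainTx) []Finding {
	byBook := make(map[string]BookEntry, len(books))
	for _, b := range books {
		byBook[key(b.TxID, b.Wallet)] = b
	}
	var out []Finding
	seen := make(map[string]bool)
	for _, c := range chain {
		k := key(c.TxID, c.Wallet)
		seen[k] = true
		b, ok := byBook[k]
		switch {
		case !ok:
			out = append(out, Finding{MissingFromBooks, c.TxID, c.Wallet, fmt.Sprintf("chain amount %d", c.Amount)})
		case b.Amount != c.Amount:
			out = append(out, Finding{AmountMismatch, c.TxID, c.Wallet, fmt.Sprintf("books %d vs chain %d", b.Amount, c.Amount)})
		case b.Memo == "":
			out = append(out, Finding{NoExplanation, c.TxID, c.Wallet, "inquire of management about the nature of this transaction"})
		}
	}
	for _, b := range books {
		if !seen[key(b.TxID, b.Wallet)] {
			out = append(out, Finding{NotOnChain, b.TxID, b.Wallet, fmt.Sprintf("book amount %d", b.Amount)})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Wallet != out[j].Wallet {
			return out[i].Wallet < out[j].Wallet
		}
		return out[i].TxID < out[j].TxID
	})
	return out
}

// SampleBooks and SampleChain are constructed data, not real wallets or transactions.
func SampleBooks() []BookEntry {
	return []BookEntry{
		{"tx-a1", "wallet-1", 500000, "customer payment, invoice 1042"},
		{"tx-b2", "wallet-1", -120000, "vendor payment"}, // chain shows -125000: network fee not booked
		{"tx-c3", "wallet-2", 250000, ""},                // on chain, but management gave no explanation
		{"tx-e5", "wallet-2", 90000, "mining reward"},    // never appears on chain
	}
}

func SampleChain() []ChainTx {
	return []ChainTx{
		{"tx-a1", "wallet-1", 500000},
		{"tx-b2", "wallet-1", -125000},
		{"tx-c3", "wallet-2", 250000},
		{"tx-d4", "wallet-2", -75000}, // outflow absent from the books: who spent from wallet-2?
	}
}

func main() {
	for _, f := range Reconcile(SampleBooks(), SampleChain()) {
		fmt.Printf("%-20s %s %s: %s\n", f.Kind, f.Wallet, f.TxID, f.Detail)
	}
}
```

Run on the sample data this reports four items: the fee discrepancy on tx-b2, the unexplained tx-c3, the unbooked outflow tx-d4, and the phantom tx-e5. An outflow that nobody at the company can account for is exactly the pattern the text describes for a wallet that is really controlled by someone else, so such findings feed directly into the ownership inquiries rather than being cleared as bookkeeping noise.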
As part of the audit, management should review the controls in place related to key creation, management, and disposal. If management has documented, designed and well-functioning controls, or follows a standard, such as the CryptoCurrency Security Standard, the auditor can gain comfort that the company's keys have been managed securely and not disseminated to third parties or bad actors.
Exposing private keys at any point is risky. However, the auditor and management can agree on a procedure that mitigates these risks while still allowing proper verification of ownership. This can include viewing balances in wallet GUIs or obtaining digital signatures over a message the auditor supplies. If performed in secure environments, these procedures can be both effective and secure.
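The signature procedure mentioned above is worth seeing end to end, because its value as evidence depends on details the text only implies: the auditor chooses the message, the message is unique to this engagement and date, the private key never leaves the company's signing environment, and the auditor checks not just that the signature verifies but that the signing key corresponds to the address carried on the books. The example below is added here and is not from the original article or any wallet software. It assumes Ed25519 from Go's standard library and a simplified address derivation (a truncated SHA-256 of the public key); real chains use their own curve, hashing and encoding, but the shape of the check is the same. All names, keys and dates are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AddressOf derives an address from a public key. Assumption: a simplified stand-in
// (SHA-256 of the key, truncated). Real chains use their own hash and encoding, but the
// principle holds: the address is a function of the public key alone, so a valid signature
// from that key demonstrates control of the matching private key.
func AddressOf(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return "addr-" + hex.EncodeToString(h[:10])
}

// Challenge builds the message the auditor asks the company to sign. Binding it to the
// auditor, the engagement, the balance-sheet date and a fresh random nonce means a
// signature produced for any other purpose, for another auditor, or in a prior year
// cannot be replayed as evidence in this audit.
func Challenge(auditor, engagement string, asOf time.Time, nonce []byte) []byte {
	return []byte(fmt.Sprintf("ownership-proof|%s|%s|%s|%s",
		auditor, engagement, asOf.UTC().Format("2006-01-02"), hex.EncodeToString(nonce)))
}

// NewNonce returns 16 random bytes; the auditor generates it and records it in the workpapers.
func NewNonce() ([]byte, error) {
	n := make([]byte, 16)
	_, err := rand.Read(n)
	return n, err
}

// ProveControl is the company-side step, run inside its secure signing environment.
// Only the public key and the signature leave that environment; the private key never does.
func ProveControl(priv ed25519.PrivateKey, challenge []byte) (ed25519.PublicKey, []byte) {
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, challenge)
}

// VerifyControl is the auditor-side step: the signature must verify over the exact challenge
// the auditor issued, and the public key must map to the address on the company's books.
func VerifyControl(claimedAddr string, pub ed25519.PublicKey, challenge, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("public key has the wrong length")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify over the auditor's challenge")
	}
	if got := AddressOf(pub); got != claimedAddr {
		return fmt.Errorf("key controls %s, not the address on the books (%s)", got, claimedAddr)
	}
	return nil
}

func main() {
	// Constructed walk-through; in practice the company's key pair already exists.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	nonce, err := NewNonce()
	if err != nil {
		panic(err)
	}
	asOf := time.Date(2023, 12, 31, 0, 0, 0, 0, time.UTC)
	ch := Challenge("Example Audit LLP", "FY2023 financial statement audit", asOf, nonce)
	p, sig := ProveControl(priv, ch)
	fmt.Println("address on books:", AddressOf(pub))
	fmt.Println("verification:", VerifyControl(AddressOf(pub), p, ch, sig)) // <nil> means control demonstrated
}
```

The two negative checks that matter in practice are the ones the test below exercises: a signature over a different or older challenge is rejected, as is a perfectly valid signature from a key that does not derive to the claimed address. Both correspond to the risks the text lists for duplicated or shared keys, and neither requires the auditor to ever see the private key.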
As digital assets become mainstays of company financial statements, we invite auditors to think critically about the current necessities and the auditing problems at hand. Digital assets will only become more complex with time (non-fungible tokens, tokenized assets, stablecoins), and it is vital that the profession moves quickly in understanding and accounting for this change in technology.