Debunking Common Misconceptions About Auditing Digital Assets

When talking with audit professionals, we have noticed a few misconceptions about auditing digital assets that are worth discussing. The most prominent misconceptions relate to proving ownership and confirming transaction details of digital assets (typically cryptocurrencies) as part of a financial statement audit. We have heard the following assumptions that may seem reasonable at the outset, but are not prudent when diving deeper:

1. "The blockchain itself is basically an audit, therefore all transactions are inherently correct and can be used as evidence to confirm financial statement account activity."
2. "Confirming ownership is unnecessary; all the activity is on the blockchain and readily viewable by any party."
3. "Confirming ownership is unnecessary; private keys can be duplicated and hypothetically distributed to multiple parties who can claim ownership of the same funds on their own financial statements. Therefore, confirming ownership of the private keys doesn't consider the potential for nefarious activities and should not be relied upon for audit evidence."
4. "Confirming ownership is impossible. If I have access to the client's private keys, I, along with a bad actor, could steal the keys and related funds. This is too risky a procedure to perform during an audit."

We have heard these reasonings from small CPA firms as well as Big 4 auditors. While no authoritative guidance has been declared by the PCAOB, we would invite auditors to think critically in how to best test digital assets.

Diving deeper into each of these assumptions, here are considerations an auditor may think about when applying this logic to an audit.

• The blockchain itself is basically an audit, therefore all transactions are inherently correct and can be used as evidence to confirm financial statement account activity.

Blockchains, for the most part, contain complete and accurate data. An auditor will have to consider the underlying blockchains, how much hash power secures those blockchains, and what the auditor risk tolerance is.

Blockchain data, however, is only half of the equation. Companies holding crypto assets typically keep records independently on their own accounting software (i.e. Quickbooks, Xero, Intacct). Unless the company utilizes an industry-specific accounting system (such as Ledgible, SoftLedger, Libra or Balanc3) that derives wallet balances and transaction history directly from the blockchain, the auditor will have to reconcile internally kept records with the external blockchain data.

While not terribly difficult, the auditor must understand that reconciling internally held records to the blockchain data is vital in verifying the company accounted for all transactions noted on the public blockchains involving company wallets. If auditors do not perform this procedure, there is a risk that inaccurate transactions or an incomplete set of transactions were recorded on the company books.

• Confirming ownership is unnecessary; all the activity is on the blockchain and readily viewable by any party.

While it is true that all wallet and transaction activity is viewable on the blockchain, this does not mean confirming ownership of the wallets related to the company financial statements is a moot point. A wallet and transaction on the company's records may not actually be owned by them. If no ownership procedures are performed, a company could simply claim a specific wallet address is theirs, point to the blockchain to show the balance, and include unowned assets on their financial statements.

• Confirming ownership is unnecessary; private keys can be duplicated and hypothetically distributed to multiple parties who can claim ownership of the same funds on their own financial statements. Therefore, confirming ownership of the private keys doesn't consider the potential for nefarious activities and should not be relied upon for audit evidence.

The ability to duplicate private keys is by design in blockchain protocols. Duplicating keys is a crucial item when creating the appropriate safeguards to protect your funds. As evidenced by many cases before, maintaining your keys in a centralized environment creates a concentrated point of failure.

However, just because private keys can be duplicated, that does not make them insufficient as audit evidence. In fact, private key verification is most likely the best form of audit evidence available. While it is true that two companies could be sharing a private key, or that a private key could have been compromised and a hacker is waiting patiently to steal funds, the auditor has a few methods to mitigate risks when confirming ownership of wallets during an audit.

• To address fraud considerations, an auditor receives a management representation letter from the pertinent members of the company attesting (among other items):
  • Management has no knowledge of fraud within the company.
  • Management is responsible for systems designed to detect and prevent fraud.

Management representation letters do not catch all fraud, but they do act as a deterrent, placing sole responsibility for the data presented on the members of management, including fraud and related party considerations. In addition to receiving the management representation letter, the auditor exercises professional skepticism at all times during the audit.

(Management also attests to other items that are relevant for Item C regarding internal controls:

1. The management team acknowledges its responsibility for the system of financial controls.
2. Management is responsible for the proper presentation of the financial statements in accordance with the applicable accounting framework.
3. All financial records have been made available to the auditors.
4. Management has disclosed all liens and other encumbrances on its assets.
5. All contingent liabilities have been disclosed.
6. All related parties' transactions have been disclosed.)

If the private keys truly belong to another party, but management is representing ownership on their own financial records, the auditor can perform procedures that may uncover inconsistencies between company books and blockchain data. When reconciling company books to blockchain data, the auditor should inquire about the nature of transactions, along with ensuring all transactions reconcile exactly to the company's internal records. If the wallets are truly owned by a third party, the company books may not reconcile to the data on the blockchain (as the true owner performed their own transactions), and management may not be able to describe relevant details of a transaction (such as external party, reason for tx, etc.)

As part of the audit, management should review the controls in place related to key creation, management, and disposal. If management has documented, designed and well-functioning controls, or follows a standard, such as the CryptoCurrency Security Standard, the auditor can gain comfort that the company's keys have been managed securely and not disseminated to third parties or bad actors.

• Confirming ownership is impossible. If I have access to the client's private keys, I, along with a potential bad actor, could steal the keys and related funds. This is too risky a procedure to perform during an audit.

Exposing private keys at any point is risky. However, the auditor and management can agree to a procedure that mitigates these risks and allows proper verification of ownership. This can include viewing balances on wallet GUIs or obtaining digital signatures. If performed in secure environments, these procedures can be both effective and secure.

As digital assets become mainstays on company financial statements, we invite auditors to think critically about the current necessities and auditing problems at hand. Digital assets will only become more complex with time (non-fungible tokens, tokenized assets, stablecoins), and it is vital that the profession moves quickly in understanding and accounting for this change in technology.