In 2017, cryptocurrencies and other blockchain projects experienced exponential rises in value. In 2018, trading prices for the top cryptocurrencies corrected downward (some would say "bottomed out"). (See Figure 1.)
However, initial coin offerings (ICOs) and startup projects abounded, almost doubling in number versus the prior year. (See Figure 2.) Venture capital and retail investor funds have continued to pour into the space, which has now gained the attention of institutional investors. With fewer viable projects (i.e. those with a demonstrated use case and a strong development team to monetize their crypto solutions) and with investor demand chasing returns, the decline in the market has moderated.
Figure 1: Global Market Cap, May 31, 2017, to December 2018
Figure 2: Summary of Initial Coin Offerings by Year
With the explosion of companies venturing into the world of cryptocurrencies in the last few years, auditors are being called on to apply their skills, and the attest standards, to new and unfamiliar scenarios. In applying current accounting and auditing standards in this emerging and evolving space, auditors are faced with new challenges, including: understanding the environment of internal controls and risks unique to blockchains; understanding the underlying technologies, including internally developed platforms to support blockchain transactions; and developing appropriate audit procedures over digital asset transactions and balances.
The scoping and execution challenges now extend beyond "crypto-native" companies and projects, such as exchanges and miners, to non-crypto-native organizations holding crypto, investing in crypto, or transacting in crypto. Crypto asset balances are finding their way to more balance sheets. In a few years, auditing cryptocurrency transactions and balances will be part of most auditors' toolkits. For now, it remains the domain of those with specific technical knowledge and tools.
Over the past five years, Armanino has developed and applied audit procedures to a wide variety of use cases, from the world's leading virtual currency exchange to small startup projects, and many in between. The purpose of the following guide is twofold:
A major takeaway is that companies with a balance sheet or income statement containing digital assets cannot all be treated equally. In fact, the level of risk, as well as the execution and delivery efforts of the auditor, can increase or decrease significantly depending on the considerations discussed below.
Financial Statement Accounts
Segregated vs. Commingled Accounts
On vs. Off Balance Sheet
Audit Impact. As with all audits, gaining a general understanding of the m importance. When a company holds digital assets, there is an added complexity It is key to understand the breakdown of accounts that are composed of or currencies and wallets making up these accounts. Similar procedures should be held off balance sheet. Another key insight from the financial statements is determining materiality and scoping from an account perspective. Once audit considerations and scoping mechanisms are applied, auditors will have a general outline for scope. However, until the underlying blockchains, wallets and third-party custodians (see sections 2-4) are noted, the full scoping picture will not be apparent.
MANAGEMENT INSIGHT: If possible, segregate financial statement accounts by currency and use case. Along with simplifying internal accounting processes, segregated accounts disperse risk among the financial statement accounts. Segregated accounts also ease the auditing process for both external auditors and a company's internal finance team (as the finance team will be providing the related supporting documentation).
Network Currency vs. dApp Token vs. Other
Blockchain Security
Audit Impact. From an auditor's perspective, it is key to understand the underlying blockchains that the crypto assets are native to. Along with gaining comfort over the network security considerations of each blockchain, the auditor will use the list of in-scope blockchains to determine what type of node explorers or external tools will be needed.
MANAGEMENT INSIGHT: Building "on top" of (or acquiring digital currencies or tokens built "on top" of) blockchains is advised. During an audit, the benefits of this are twofold. Network security is typically greater (hash rates and network participants/nodes), and the data and tools available are much more robust. If tools are unavailable for smaller blockchains to verify transactions or ownership, the auditor may have to qualify the audit opinion.
Hierarchical Deterministic (HD) vs. "Just a Bunch of Keys" (JBOK)
Single-Signature vs. Multi-Signature & Multifactor Authentication (MFA)
Single-Use vs. Multi-Use
Key Storage and Transaction Broadcast
Audit Impact. Along with general considerations of volume, wallet structure will most likely have the largest impact on the scope of the digital assets audit. HD wallets will be easier to manage than an assortment of JBOK (independently generated) wallets. The number of key signers (multi-sig) also tends to increase the time needed to perform audit procedures. In general, the easier the digital assets are to transfer (e.g., single signature, hot wallets), the easier it will be to perform the audit procedures. However, this trade-off for ease of use is accompanied by an increase in security risk. The auditor should also understand the tools used by the company to create the keys, as well as the process to sign and broadcast transactions. Depending on the complexity of the wallet schema, the auditor should be prepared to use node explorers, QR code technologies and various client software.
MANAGEMENT INSIGHT: As security is of utmost importance, the company should not take measures detrimental to security for the sake of an "easier" audit. However, management can ensure a smooth audit by documenting policies and procedures related to key creation and transaction signing/broadcasting. Management should also be willing to prove ownership of wallets, either via sending funds or digital signatures. Management should also keep all keys for any wallets that held crypto assets for three or more years!
If a company's operations will support the use of HD wallets, they significantly reduce the number of procedures performed by an auditor to ensure proper ownership of those wallets.
And a note on standard security measures: Following the Cryptocurrency Security Standard (https://cryptoconsortium.org/standards/CCSS) is always highly encouraged; however, most items outlined by the C4 fall outside the standard financial statement audit scoping considerations.
Access
Confirmation & Custody
Audit Impact. The auditor will need to ensure that access to the exchange account (and underlying wallets), as well as transaction data, is sufficient and appropriate to perform audit procedures. If the exchange account is no longer accessible, the auditor should be assured a balance confirmation (comparable to a bank confirmation) is attainable.
MANAGEMENT INSIGHT: Keep access passwords and 2FA for the associated exchange accounts, even if no longer in use. Historical data may be needed from these accounts during an audit. Developing relationships with reputable exchanges that may be able to provide historical account balance confirmations is an added safety net.
Transaction
Wallets
Audit Impact. The number of wallets and transactions can have a significant impact on the scope of an audit. The auditor should ask about the overall volume of the operation, in conjunction with other significant items (e.g., wallets, blockchains).
MANAGEMENT INSIGHT: In terms of audit preparation, management typically does not have much control over operational aspects that affect the audit scope. However, management should be aware that increases in wallet number and structure, transaction volume, in-scope blockchains, and reporting mechanisms have a material and varying effect on audit scope.
Customized Accounting Systems vs. Third-Party Solutions
Report Data and Reliability
Audit Impact. The availability of clean, accurate and sufficient data is key to validating transaction histories. Often, companies dealing in digital assets create internally developed custom software to fit their needs. The auditor should understand how these systems derive and compile data (e.g., from internally hosted platforms, or even hosted nodes) and examine the underlying logic. The availability of transaction and wallet identifiers (i.e., public addresses and transaction IDs) from the data downloads is also important when reconciling transaction histories. Basis and transaction tracking are also key for tax purposes. Auditors relying on reporting from homegrown software tools and databases will need to place increased emphasis on IT general controls, specifically change management and privileged logical access.
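The reconciliation described above can be sketched as follows. This is an added example, not part of the original white paper or any tool it names: it matches a ledger export against independently obtained on-chain records by transaction ID and address, and the record layout, wallet inventory and sample values are all constructed for illustration.

```python
from collections import namedtuple

# One wallet movement: amounts are signed integers in base units (e.g. satoshis)
Move = namedtuple("Move", "txid address amount")

def reconcile(ledger, chain, wallets):
    """Match the ledger export to independently pulled on-chain records by
    (transaction ID, address) and return a sorted list of (txid, finding)."""
    findings, book = [], {}
    for row in ledger:
        key = (row.txid, row.address)
        if key in book:
            findings.append((row.txid, "duplicate ledger row"))
        book[key] = row.amount
        if row.address not in wallets:
            findings.append((row.txid, "address not in wallet inventory"))
    onchain = {(m.txid, m.address): m.amount for m in chain}
    for (txid, addr), amount in onchain.items():
        if (txid, addr) not in book:
            if addr in wallets:  # completeness: activity the ledger never recorded
                findings.append((txid, "on chain but not in ledger"))
        elif book[(txid, addr)] != amount:  # accuracy
            findings.append((txid, "amount differs from chain"))
    for (txid, addr) in book:  # existence: ledger rows with no on-chain support
        if (txid, addr) not in onchain:
            findings.append((txid, "in ledger but not on chain"))
    return sorted(findings)

# Constructed sample data; txids and addresses are placeholders, not real values
WALLETS = {"addr-A", "addr-B"}
LEDGER = [
    Move("tx01", "addr-A", 50_000),
    Move("tx02", "addr-B", -20_000),
    Move("tx03", "addr-A", 10_000),   # recorded with the wrong amount
    Move("tx04", "addr-C", 5_000),    # address missing from inventory
    Move("tx05", "addr-B", 7_000),    # no on-chain support
]
CHAIN = [
    Move("tx01", "addr-A", 50_000),
    Move("tx02", "addr-B", -20_000),
    Move("tx03", "addr-A", 12_000),
    Move("tx04", "addr-C", 5_000),
    Move("tx06", "addr-A", 900),      # unrecorded receipt
    Move("tx07", "addr-Z", 1),        # unrelated third-party activity
]
```

Calling `reconcile(LEDGER, CHAIN, WALLETS)` returns one finding each for tx03 through tx06; an export that lacks transaction IDs or public addresses cannot be matched this way at all.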
MANAGEMENT INSIGHT: Management should determine the most effective method for their company to track digital assets. Management may opt to develop in-house reporting tools. If so, management should document policies and standard operating procedures to govern logical access and change management, as well as preserve evidence of management's testing of the functionality and underlying report logic.
Management may also opt to use a third-party crypto accounting tool. Some of the ones we have seen in the field include Ledgible, Libra, SoftLedger, Balanc3 and Blox. Each tool has pros and cons that management should weigh against organizational objectives.
Ask the financial statement auditor to provide you a set of illustrative IT general controls that management can review against existing internal policies and procedures. Armanino works closely with clients to ensure that the requirements for internal controls are clearly defined. While the chosen auditor cannot implement these controls for you, they should spend the time to share best practices and examples with you to facilitate management's success in implementing controls.
As shown by the considerations above, each audit that includes digital assets is unique, with its own set of dynamics and challenges. Management and potential auditors should engage in transparent discussions regarding the audit environment to ensure a distinct audit scope and delineated audit plan.
Audit Impact. The auditor should be prepared to encounter brand-new situations for which clear guidance by the AICPA and other governing bodies is not yet available. As always, the auditor should use his or her best professional judgment. Part of that judgment includes gaining a sufficient understanding of the underlying technologies involved in the audit before accepting or continuing an audit engagement. Experience transacting in digital assets, researching from authoritative sources in the space, and a general interest are the building blocks for developing expertise. Certifications such as the Certified Bitcoin Professional (CBP) designation, which indicate a certain level of subject matter competence, are also available to audit professionals.
MANAGEMENT INSIGHT: The inherently technical nature of digital assets raises the difficulty of engaging competent auditors. The audit team's knowledge of and familiarity with the crypto space can dramatically decrease the time and effort needed to perform procedures for both management and the external auditors. While more auditors are expanding their knowledge in this space, UTXOs, HD wallets and asymmetric cryptography are still not in the typical audit plan.
To ensure a smooth audit, management can use some of the pointers above. Generally, these include documenting policies and procedures for processes surrounding digital assets (and all processes, for that matter), keeping all wallet keys and exchange information for seven or more years, employing HD wallets where appropriate and ensuring robust reporting mechanisms.
Note: This white paper focuses on the scoping considerations related to digital assets stored on public blockchains, and it does not necessarily include all potential technical accounting considerations (e.g., classification, exchange rates, disclosures). This white paper does not cover considerations for traditional audit cycles, impacts of information technology and application controls, regulatory and legal considerations, or security controls and measures.
March 06, 2019