Armanino White Paper

Real-Time Attest Reporting

by Noah Buxton, Jeremy Nau
November 06, 2019
Use of information technology to obtain audit evidence in real time, apply substantive testing to audit evidence, and issue real-time, independent accountants’ attest opinions on demand.

1. Abstract

Current third-party assurance mechanisms, such as financial statement audits and controls assurance reporting, are often misaligned with the needs of users. There are myriad examples where audit reporting could better serve the needs of management, intended users of audit reporting, and a given marketplace in general if the assurance could be provided more frequently and at lower administrative cost, and made more widely available.

In our daily lives as consumers, we have come to expect levels of transparency and confirmation which are real-time, highly available and trustworthy. The proliferation of mobile banking applications, financial technology products, online commerce, and emerging digital assets use cases are applications where technology has been leveraged to provide more B2C and C2C transparency, and more trust, all in a highly available or real-time way.

In many ways, traditional audit mechanisms need to catch up, while maintaining the stringent technical and professional standards at the very foundation of the CPA auditor’s trusted role.

Public blockchains and digital assets have provided a disruptive force to traditional notions of trust and transparency (removing the middleman). However, public applications of this powerful technology through blockchain-based business models necessarily maintain some level of centralization and thus the need for third-party assurance solutions. Similarly, for private and hybrid applications of blockchain and distributed ledger technology (DLT), full decentralization is not preferred, or even possible. Thus, such applications, whether by design or by default, are less than sufficiently decentralized[1] and the need for third-party assurance solutions is alive and well.

Asset-backed stablecoins minted on public blockchains present a unique use case for assurance. Users of stablecoins, whether organizations or individual retail users, must place trust in the blockchain-enabled token generation and management, as well as the more opaque asset backing that supports the token value and redeemability. What has emerged in the asset-backed stablecoin space is a demand for third-party, independent attestations over asset backing or collateral supporting a given token. While periodic monthly reporting supports user trust in the given stablecoin, it does not offer a high degree of transparency, and it is not highly available or real-time due to prohibitive monetary and administrative costs.

Asset-backed stablecoins present a perfect use case for a real-time audit given their relative simplicity. However, they are not the only use case.

In the following pages we review the problems in attest to be solved and the background needed to understand the key issues, and we present our solutions.

2. Problem Statements

Static reporting may not meet the needs of users, and may not offer transformational levels of trust and transparency, because it is (1) made available infrequently, (2) backward-looking and (3) not widely available.

Blockchain use cases present new and emerging needs for third-party assurance. In fact, some blockchain use cases would seem to necessitate a vehicle for independent assurance, which is more continuous and made available in real time.

Asset-backed tokens present one such use case, where trust and transparency require assurance over off-chain data such as fiat currency backing, securities, real property, net asset value, etc.

Specifically, centralized asset-backed stablecoins offer the paradigm-shifting benefits of low-cost, low-friction, borderless, immediate, and immutable transfer of value, combined with trust in redeemable and stable fiat asset backing.[2] However, this equation necessarily relies on adequate asset backing to support redeemability, which is confidential data of the stablecoin issuer and preserved off-chain by financial institution partners.

As more aggregate value is transferred and recorded across public, permissioned, and hybrid blockchain networks, there will be an increased need for third-party assurance for both financial accounting/reporting and internal controls, as well as real-time assurance over off-chain data.

3. Background

In May 2019, Armanino launched the first-ever real-time confirmation dashboard for stablecoin issuers (TrustExplorer 1.0). The development of this technology was a key first step in providing real-time assurance; however, the system could not support real-time reporting and automated audit report generation.

In developing TrustExplorer’s second iteration (TrustExplorer 2.0), we made core tech and feature updates to support real-time reporting; developed an internal control environment to ensure data integrity, system security and availability; and, perhaps most importantly, we developed a methodology (including people, process and technology) to ensure real-time reporting is accomplished in compliance with attest standards.

3.1 What is real-time attest?

Real-time attest is the process whereby an independent accountant collects sufficient audit evidence, and performs substantive procedures, with the aid of an information technology, in order to issue on-demand audit reporting to intended users while meeting obligations under the then-prevailing audit standards and professional ethics requirements.[3] In this white paper, we use the term “real-time audit” interchangeably with real-time attest; however, it is important to note that as the future application of real-time assurance technologies proliferates, many such solutions will not be audits that meet U.S. or internationally recognized attest standards.

3.1.1 How real-time attest and “continuous audit” relate

Real-time attest is not “continuous audit,” although they are related in many ways. The accounting industry publications and media have used the term “continuous audit” for some time now. One practitioner, writing for the Journal of Accountancy, framed continuous audit this way:

Internal auditing’s testing of controls is based on risk and often performed months after business activities have occurred. The testing is based on a sampling approach and includes reviews of policies, procedures, approvals, and reconciliations. Today, it is recognized that this approach affords internal auditors with a narrow scope of evaluation and is sometimes too late to be of real value to business performance or regulatory compliance. Continuous auditing is a method used to perform control and risk assessments automatically on a more frequent basis.[4]

In a white paper almost as old as Bitcoin, audit firm Deloitte LLP offered their perspective on continuous audit and monitoring,[5] which aligns with other scholarly articles on the topic: Continuous audit is a method of internal audit and monitoring of internal controls over financial accounting, reporting and other key business processes and cycles.

Therefore, real-time attest is not “continuous audit” as it is known in accounting circles today. Real-time attest is the process of an independent accountant rendering an opinion on subject matter in an on-demand and highly available manner, almost necessarily by collecting audit evidence in real time.

We think it is clear that technology can be, and has been, applied by management and by external auditors in order to get coverage over more voluminous transactions, or more complex transactions; however, creating highly available audit reporting where the “as of date” and the “report date” are the same has heretofore been unachievable.[6]

In this white paper, we outline how we conceptualized and deployed the world’s first real-time attest system, TrustExplorer. In the following pages we share insight into the recipe for success and some of the most important ingredients, and also a perspective about how the technology and methods apply to other use cases.

3.1.2 Types of attest reporting

First, it is helpful to clarify what “audit” and “attest” mean. For CPA readers, the terms and their associated professional standards are clear. However, audit is a term often used, but not well understood. The first key distinction to be made is “internal audit” vs. “external audit”: Internal audit is performed by the business itself, and external audit is conducted by a licensed and independent party that performs audit procedures under a defined audit standard. In this paper, the focus is on independent external audit. When speaking about the varieties of external audit or attest in the quiver of a U.S. CPA, there are just three types.[7]

  • Agreed-upon procedures (AUPs) – An AUP is a standard a company or client outlines when it hires an external party to perform an audit on a specific test or business process. The procedures, which are called audit standards, are designed and agreed upon by the entity conducting the audit, as well as any appropriate third parties.
  • Reviews – A review is an attest engagement designed to provide a moderate level of assurance, where the objective is to accumulate sufficient evidence to restrict attestation risk to a moderate level. To accomplish this, the types of procedures performed are generally limited to inquiries and analytical procedures (rather than also including search and verification procedures). (See AT101.55.)
  • Examinations – In an attest engagement designed to provide a high level of assurance (referred to as an examination), the practitioner’s objective is to accumulate sufficient evidence to restrict attestation risk to a level that is, in the practitioner’s professional judgment, appropriately low for the high level of assurance that may be imparted by his or her report. In such an engagement, a practitioner should select from all available procedures — that is, procedures that assess inherent and control risk and restrict detection risk — any combination that can restrict attestation risk to such an appropriately low level. (See AT101.54.)

Therefore, the highest (and, in most cases, most valuable) form of independent audit assurance is an examination opinion. Agreed-upon procedures and review engagements are perhaps not ripe for disruption by real-time attest technology because much of the value comes from the independent judgment of (human) auditors. Examination engagements, while still very much requiring the independent judgment of auditors, are a much more ready use case for real-time audit because auditors can craft both substantive tests and tests of controls using automated software tools. In the case of TrustExplorer 2.0, the real-time audit opinions available are examination opinions offering the intended users of the reports the highest available assurance offered by a public accounting firm.

3.1.3 Subject matter

In applying each of the three attest standards, a CPA will focus their inquiry, inspection, confirmation, validation and other procedures they define on a specified subject matter. Some of those subjects include:

  • Financial statement audits – An analysis of the fairness of the information contained within an entity’s financial statements.
  • Internal controls audits (SOC and/or ICOFR) – An examination of a service organization’s internal control over financial reporting relevant to the customer’s financials (System and Organization Controls, or SOC), or an organization’s internal control over financial reporting for the company’s own financial reporting (ICOFR, SOX 404).
  • Information systems audit – A review of the controls over software development, data processing, and access to computer systems.
  • Compliance audits – An examination of the policies and procedures of an entity or department, to see if it is in compliance with internal or regulatory standards.
  • Construction audits – An analysis of the costs incurred for a specific construction project.
  • Investigative audit – An investigation of a specific area or individual when there is a suspicion of inappropriate or fraudulent activity. The intent is to locate and remedy control breaches, as well as to collect evidence in case charges are to be brought against someone.
  • Operational audit – A detailed analysis of the goals, planning processes, procedures, and results of the operations of a business.
  • Tax audit – This is an analysis of the tax returns submitted by an individual or business entity, to see if the tax information and any resulting income tax payment is valid.

A very recent form of subject matter over which auditors have been asked to opine is asset-backed stablecoins. Armanino has completed multiple cycles of ongoing static attest reporting for large-market-cap stablecoin issuers.

3.2 Stablecoins

These digital assets are used for trading on exchanges and for peer-to-peer payment, and in more novel future use cases such as automated payment of dividends in security token offering (STO) models.

While there has not been a clear ruling on the classification of stablecoins as securities or non-securities under the U.S. Securities and Exchange Act of 1933, most industry experts agree that asset-backed stablecoins, specifically coins such as the U.S. dollar-backed TrueUSD (TUSD), likely do not meet the definition of an investment contract security interest laid out in Howey. (See Securities and Exchange Commission v. Howey Co. No. 843. Argued May 2, 1946.)[8]

As of the publication date of this paper, the top six asset-backed stablecoins are Tether, TrueUSD, USDC, Paxos, GUSD and DAI. The first five are U.S. dollar-backed stablecoins, whereas DAI is a crypto-collateralized stablecoin (we will set this aside for now). The value of these tokens fluctuates by fractions of a percent daily based on supply and demand; however, all the listed coins publicly commit to 1:1 redeemability for U.S. dollars.[9]

The top six asset-backed stablecoins have a total market capitalization in excess of $4 billion as of the publication of this white paper. For a nice resource on stablecoin prices and market caps, see the Messari Stablecoin Index.[10]

3.3 Prevailing means of assurance in blockchain ecosystems

Over the past five years, the current ecosystem of public blockchain projects, software-as-a-service providers, exchanges, custodians, wallet providers and others has come to rely on traditional mechanisms of financial, controls and security assurance. Current regulatory regimes for money service businesses require state licensure, which in many cases requires the submission and review of audited financial statements and an independent accountant’s opinion regarding internal control over financial reporting (ICOFR) and/or IT and security controls. Thus, a number of key categories have emerged:

  • Financial statement audits – Examination opinions issued by CPAs.
  • ICOFR audits – Typically examination opinions covering design and effective operation of internal controls.
  • System and Organization Controls audits (SOC 1 & SOC 2) – Examination opinions under the Statement on Standards for Attest Engagements No. 18 (SSAE18).
  • Periodic audit/attest opinions over other subject matter (AT-C 205) – Examination opinions that can cover subject matter such as asset backing for a stablecoin, escrow account balances, and other matters.
  • Crypto-specific controls standards – There are emerging standards such as the CryptoCurrency Security Standard (CCSS) that will likely rely on qualified auditors, and perhaps attest standards for issuing of opinions on compliance.
  • Agreed-upon procedures (AUPs) – Independent accountants’ reports on specific procedures performed have been used in both stablecoin asset-backing scenarios and other niche use cases. One very interesting use of AUPs has been gaining independent review of cold storage wallet generation and private key material life cycles at high-volume custodial exchanges.

3.4 TrustExplorer 1.0

The initial genesis for TrustExplorer was a client’s interest in obtaining assurance solutions that could differentiate them in the marketplace and provide a higher level of trust to their users. In response, Armanino designed the TrustExplorer system. TrustExplorer 1.0 was designed to be a dashboard and not an examination (AT-C 205) or attest solution.

3.4.1 Dashboard — what users see

The purpose of the TrustExplorer dashboard is to give a real-time look at the TrueUSD token balance (or, in the future, that of many other tokens) per the Ethereum Blockchain, and at the dollars held in escrow at trust companies and used to collateralize the stablecoin.

TrustExplorer simply shows two balances in the form of bar graphs. On the left side is the balance of the tokens issued on the Ethereum Blockchain. In order to derive this bar graph, Armanino hosts and controls a full Ethereum node. A microservice within the application, called an explorer, extracts new and existing blockchain data, translates it to a readable format and writes that data to a database. The application layer of the dashboard can then query the database to populate the left side of the dashboard with the total circulating supply of ERC-20 tokens. Blocks are added to the Ethereum Blockchain every 10 to 20 seconds; therefore, TrustExplorer parses and indexes blockchain data every 15 seconds to ensure that the most updated wallet balances and total circulating supply numbers can be presented.

On the right side of the dashboard, the total balance of dollars “backing” or collateralizing the stablecoin is presented. Dollar balances are derived via REST API directly from the database of accounts held at the trust companies. API calls are made every 30 seconds; the response (account balance) is written to the Armanino TrustExplorer database. As multiple trust companies are used, these balances are summed to an omnibus balance by the application and presented.

As Ethereum (geth) nodes have proven to be more temperamental than anticipated, the TrustExplorer architecture runs multiple nodes with load-balanced queries. Similarly, API gateways require maintenance and monitoring to ensure their effective and consistent operation; TrustExplorer uses a number of monitoring controls to support seamless operations.
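
The two feeds described in this section can be gated before any figure is shown or reported; the following is an added example (not Armanino's TrustExplorer code) that refuses to issue unless a quorum of fresh node readings agree on supply at one block, every expected trust-company balance is fresh, the summed escrow covers supply, and no halt flag is set. The freshness limits, two-node quorum, 18-decimal token, backing criterion, and all names and sample readings are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed tolerances (not from the paper): two missed polls of each feed.
MAX_SUPPLY_AGE_S = 30    # explorer indexes chain data every 15 s
MAX_ESCROW_AGE_S = 60    # trust-company API is polled every 30 s
TOKEN_DECIMALS = 18      # assumed ERC-20 decimals for the token
MIN_AGREEING_NODES = 2   # assumed quorum among self-hosted nodes


@dataclass(frozen=True)
class NodeReading:
    node: str
    block: int
    supply: int          # total supply in token base units (integer)
    fetched_at: float    # unix seconds


@dataclass(frozen=True)
class EscrowReading:
    custodian: str
    usd_cents: int       # integer cents, avoids float rounding
    fetched_at: float


def agreed_supply(nodes, now):
    """Return ((block, supply), None) on quorum, else (None, reason)."""
    by_block = {}
    for n in nodes:
        if now - n.fetched_at <= MAX_SUPPLY_AGE_S:   # drop stale readings
            by_block.setdefault(n.block, []).append(n.supply)
    quorum = [b for b, s in by_block.items() if len(s) >= MIN_AGREEING_NODES]
    if not quorum:
        return None, "no block confirmed by enough fresh node readings"
    block = max(quorum)                  # newest block seen by a quorum
    if len(set(by_block[block])) != 1:   # same block must give same supply
        return None, f"nodes disagree on supply at block {block}"
    return (block, by_block[block][0]), None


def omnibus_cents(escrows, expected, now):
    """Sum the latest balance per custodian; fail on missing or stale feeds."""
    latest = {}
    for e in escrows:
        prev = latest.get(e.custodian)
        if prev is None or e.fetched_at > prev.fetched_at:
            latest[e.custodian] = e
    problems = []
    for name in sorted(expected):
        if name not in latest:
            problems.append(f"no balance from {name}")
        elif now - latest[name].fetched_at > MAX_ESCROW_AGE_S:
            problems.append(f"stale balance from {name}")
    if problems:
        return None, problems
    return sum(latest[name].usd_cents for name in expected), []


def evaluate(nodes, escrows, expected, now, halted=False):
    """Decide whether a report may be issued; collect every blocking reason."""
    reasons = ["issuance halted by ripcord"] if halted else []
    chain, why = agreed_supply(nodes, now)
    if why:
        reasons.append(why)
    total, problems = omnibus_cents(escrows, expected, now)
    reasons.extend(problems)
    if chain and total is not None:
        collateral = total * 10 ** (TOKEN_DECIMALS - 2)  # cents -> base units
        if collateral < chain[1]:
            reasons.append("escrow balance below circulating supply")
    return {"issue": not reasons, "reasons": reasons,
            "block": chain[0] if chain else None}


# Constructed sample readings (not real data): 1,000,000 tokens, $1,000,000.
NOW = 1_700_000_000.0
EXPECTED = {"trust-1", "trust-2"}
NODES = [
    NodeReading("node-a", 100, 10**24, NOW - 5),
    NodeReading("node-b", 100, 10**24, NOW - 10),
    NodeReading("node-c", 101, 10**24 + 5, NOW - 2),  # ahead, no quorum yet
]
ESCROWS = [
    EscrowReading("trust-1", 60_000_000, NOW - 20),
    EscrowReading("trust-2", 40_000_000, NOW - 25),
]

if __name__ == "__main__":
    print(evaluate(NODES, ESCROWS, EXPECTED, NOW))
    stale = [ESCROWS[0], EscrowReading("trust-2", 40_000_000, NOW - 120)]
    print(evaluate(NODES, stale, EXPECTED, NOW))
```

A stale or missing custodian feed is reported as such rather than folded into the sum, so an outage is not mistaken for a collateral shortfall and an old balance cannot prop up the total.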

3.5 Standards are evolving

Armanino believes that the nature of blockchain technology, as well as the specific and unique scenario presented by asset-backed stablecoins, presents the perfect opportunity for a real-time attest solution. As the 2019 exposure draft of the Statement on Auditing Standards (SAS) “Audit Evidence” clarifies:

A55. Some electronic information (for example, records maintained on a blockchain) is available on a continuous basis during the audit. In such cases, auditors may develop procedures using automated tools and techniques, such as audit data analytics or artificial intelligence, to obtain information about transactions on a real-time basis.

And with that, the door has opened to real-time attest.

4. Solution

4.1 Embracing change

The audit profession must evolve and embrace proven technologies to enable the collection of more audit evidence, issue audit reporting more frequently, and make such reporting more widely available. Part of Armanino’s ability to achieve the first real-time attest report is that we have embraced this need for change by empowering our people to experiment with new technology and by investing in ideas with potential.

4.2 A golden opportunity

Time and time again, we have seen that key innovations are often about timing and a little bit of luck. Armanino is a service business; we design and deliver solutions for clients. Therefore, clients are a necessary component of any Armanino innovation. The same is true here.

The combination of a transparent blockchain technology to query token balances, the use of real-time connections to financial institutions for asset balances, and the support for such a real-time solution in the emerging audit standards all supported this move. However, we also needed a client that would partner with us in this experiment. TrustToken provided the perfect partner: a forward-thinking team, a core focus on transparency and compliance, and an enthusiasm to try something new.

This was a golden opportunity that allowed Armanino to develop and deploy the TrustExplorer technology.

4.3 Working within the standards, not against them

One key feature of the story of real-time attest is that Armanino sought to develop a real-time attest solution that met the current audit and professional standards, not one in contravention of those important standards.

4.3.1 Relevant attest standards for asset-backed stablecoin reporting

The AICPA Statement on Standards for Attest Engagements (SSAE No. 18) and the clarified section, AT-C 105,[15] “Concepts Common to All Attestation Engagements,” apply to stablecoin audit engagements. AT-C 105 also applies to myriad other private company examination engagements in the blockchain and crypto sphere. The examination vehicle used to perform Armanino’s real-time attestation engagement through the TrustExplorer platform is governed by SSAE No. 18 and AT-C 205, “Examination Engagements.”[16]

Per AT-C 105, an examination engagement is:

... an attestation engagement in which the practitioner obtains reasonable assurance by obtaining sufficient appropriate evidence about the measurement or evaluation of subject matter against criteria in order to be able to draw reasonable conclusions on which to base the practitioner’s opinion about whether the subject matter is in accordance with (or based on) the criteria or the assertion is fairly stated, in all material respects.

AT-C 205 is currently the industry standard for performing periodic escrow balance confirmations and is the preferred vehicle for evaluating management’s assertions relating to the subject matter of escrowed dollars and outstanding token balances held and/or represented on blockchains.

Per section AT-C 205.01,

... the requirements and guidance in this section [AT-C 205] supplement the requirements and guidance in section 105, Concepts Common to All Attestation Engagements.

Therefore, Armanino conducted a detailed analysis and documentation of considerations for how the real-time nature of report issuance through TrustExplorer fits with the standards, both AT-C 105 and AT-C 205. Additionally, as AT-C 105.02 states:

When performing an attestation engagement, the practitioner should comply with: this section; sections 205, 210, or 215, as applicable; and any subject-matter AT-C section relevant to the engagement when the AT-C section is in effect and the circumstances addressed by the AT-C section exist.

To fulfill this requirement, we also analyzed the applicability of any subject-matter AT-C section as relevant to the engagement when the circumstances suggest. In addition, we examined and documented our analysis of how the real-time nature of the engagement and issuance of audit reports impacts how we as practitioners comply with AICPA’s Code of Professional Conduct, specifically Section 0.300, “Principles of Professional Conduct.”

In summary, Armanino analyzed and documented how we can meet audit standards and professional duties in a real-time audit scenario.

  • SSAE No. 18: Statement on Standards for Attest Engagements
  • AT-C Section 105: Concepts Common to All Attestation Engagements
  • AT-C Section 205: Examination Engagements
  • Code of Professional Conduct, Section 0.300, Principles of Professional Conduct

4.4 Key areas of consideration

In analyzing the impact of attest and professional standards on the issuance of examination reports in real time, we encountered many areas in which a move from static reporting periods to real-time reporting presented significant challenges. Below are a few of the top examples.

  • Audit risk assessment and designing and performing adequate substantive procedures.
  • Exercising proper supervision, review and approval of the audit engagement.
  • Building on existing internal processes to ensure preservation of audit evidence, procedures and review.
  • Collecting management’s representations.
  • Assessing management’s assertions.
  • Designing and building an environment of internal control, as well as testing management’s controls, such that risk of material misstatement can be reduced to acceptably low levels.
  • Applying risk assessment and tests of controls to subservice providers and key vendors.

For most of the seven top considerations listed above, Armanino designed features, controls and monitoring into our TrustExplorer platform’s Admin Portal to address an audit standard or requirement. In this regard, we have been able to leverage technology to solve many of the issues presented in the move from static to real-time reporting. In addition, many of the features of the Admin Portal are also extended to our clients, allowing them the opportunity to interact with key documents, view database records, monitor API connections, and even pull the “ripcord” (temporarily halting the issuance of new reports) if they come to know of a condition or event that would impact their representation, assertions or terms of engagement.

As we look to apply our lessons learned to other existing and emerging use cases for real-time audit, we plan to provide more detail on each of these key areas. We see the application of real-time audit being very broad and look forward to contributing to the public research domain that will make assurance highly available to intended users and the public, reduce the administrative costs and burden on clients, and increase trust and transparency in the assurance mechanisms themselves.

4.5 Jumping in the pool

Another critical area of consideration for audit firms that wish to service client needs in the space, perhaps even through real-time reporting in the future, is being a participant in the network. Yes, we recommend auditors obtain firsthand experience by holding and transacting in a digital asset of their choice, and also experimenting with wallet structures and self-custody. Perhaps more important is that audit organizations operate nodes on different blockchain networks, or license access to a “Trusted Node as a Service” and/or Hosted Explorer and learn to read and parse data from them directly.[17]

For TrustExplorer, we leveraged experience gained in running Bitcoin and Ethereum nodes for financial audit purposes to host nodes in our TrustExplorer tech stack. This is a key architectural and control feature of TrustExplorer: It does not rely on third-party data or blockchain API services. Rather, we run multiple nodes in our cloud infrastructure environment and load-balance queries to those nodes.

4.6 The state of traditional assurance in a blockchain world

Armanino has worked with every type of client in the blockchain ecosystem, from individual high-net-worth investors to the largest global exchanges. The past five years on this path have been incredibly instructive. While the power of trustless and decentralized networks cannot be overstated, it is also true that even transactions secured and made trusted by cryptographic consensus mechanisms often have an off-chain component, which is not “trustless.”

Asset-backed stablecoins are another perfect example, where one side of an economic transaction can be highly secure and trustless, while the trust in the backing and redeemability of the stablecoin itself relies on more traditional mechanisms of trust and transparency.

Overall, we believe the role of CPAs is further solidified in times of technological disruption because CPAs and auditors can provide vital mechanisms of trust as anchors in the sea of change.

5. Conclusion

Blockchain technology was born from a unique and powerful combination of existing technologies. Similarly, real-time attest was born from a combination of existing technologies and methods to form something new. Real-time attest is a way of issuing reports, but also a methodology of its own that can, with careful consideration, be applied to myriad use cases.


1 “Sufficient decentralization” is a term that was used by the Securities and Exchange Commission’s William Hinman in a June 14, 2018, speech regarding treatment of digital assets as regulated securities. It is used in a slightly different context here to refer to cases in which third-party assurance remains relevant to considerations of trust in, and transparency of, data.
2 For more on stablecoins, see The State of Stablecoins 2019: Hype vs. Reality in the Race for Stable, Global, Digital Money:
3 We did not derive this definition from an outside source; rather, this definition reflects the application of the technology to the real-world use case specified in this white paper.
4 “A framework for continuous auditing: Why companies don’t need to spend big money,” by Josh Shilts, CPA/CFF, CGMA, March 1, 2017:
6 Take a typical financial audit scenario where a fiscal year ends on December 31 (the “as of” date), and the audited financials are made available three months later, on March 31 (the “report date”).
7 See AT Section 101.01 — “Attest Engagements.”
8 When Valerie Szczepanik (Associate Director of the Division of Corporation Finance and Senior Advisor for Digital Assets and Innovation at the SEC) discussed stablecoins at the SXSW conference in March 2019, she hinted that non-asset-backed stablecoins, or those that rely on a supply-and-demand mechanism to keep their prices stable, “might be getting into the land of securities” because, according to her, if buyers are promised that somebody else will be holding or guaranteeing a profit or controlling the price, the token could be a security. However, she did not make these same conclusions for asset-backed stablecoins like TUSD, the asset currently covered by the TrustExplorer platform.
9 Note that by Tether’s own admission they are not 1:1 backed (see Tether Lawyer Admits Stablecoin Now 74% Backed by Cash and Equivalents). The company is processing redemptions on their redemption page.
12 ERC-20 is the protocol name for one prevalent type of token that can be issued on the Ethereum Blockchain. ERC-20s have features that allow them to act as programmable money in conjunction with smart contracts (programs) running on the Ethereum Blockchain.
13 A RESTful API is an application program interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data. This technology is widely relied upon across banking and fin-tech, and is highly reliable and auditable. REST technology is generally preferred to the more robust Simple Object Access Protocol (SOAP) technology because REST leverages less bandwidth, making it more suitable for internet usage.
14 If issued as final, this proposed SAS will supersede SAS No. 122, Statements on Auditing Standards: Clarification and Recodification, as amended, Section 500, “Audit Evidence” (AU-C Section 500).
17 The “Trusted Node as a Service” (TNaaS) is another Armanino first in the blockchain space. See our other public writings on this topic for more. In short, TNaaS services have been made available to leading projects and auditors in order to support trusted access to blockchain data, with a layer of traditional assurance mechanisms and reporting.
