Cryptocurrencies are some of the most frequently encountered crypto assets and this publication focuses on the audit of entities that hold (directly or through a custodian) and/or trade them, provide cryptocurrency exchange services, or are exposed to them indirectly, for example by holding related exchange-traded funds (ETFs).
Due to their unique nature, cryptocurrencies can present novel challenges for auditors. Whilst risks such as valuation and existence that auditors may already be familiar with apply to cryptocurrencies, the underlying blockchain technology and its distinctive characteristics affect the nature of those risks and the type of evidence that can be gathered.
The publication is not a comprehensive guide but aims to introduce key concepts, ethical considerations, and common risks associated with auditing cryptocurrencies.
Ethical considerations
Ethical considerations are crucial in any audit. Auditors keep in mind relevant ethical considerations, including those defined in the Financial Reporting Council (FRC)’s Ethical Standard and the International Ethics Standards Board for Accountants’ Code of Ethics (IESBA Code). The five fundamental principles are:
- integrity;
- objectivity;
- professional competence and due care;
- confidentiality; and
- professional behaviour.
Professional competence is particularly important when accepting and conducting an audit of an entity involved in the fast-evolving world of cryptocurrencies because such assets can be difficult to account for and audit. They also require knowledge of technical concepts such as blockchains.
Objectivity may also be a challenge if the audit firm is engaged to perform any non-audit cryptocurrency-related work, such as valuation work, in addition to the financial statement audit. A self-review threat arises if auditors intend to use that work when forming a judgment relevant to the audit engagement.
The identification of ethical risks and relevant mitigations is commonly achieved through a firm's quality management processes and is the responsibility of the firm’s ethics partner.
Risk assessment
Auditors aim to understand the entity’s IT and business environments including its cryptocurrency strategy, operations, internal controls, and its role in the cryptocurrency ecosystem. Enquiries auditors may make of management to better understand the entity and its environment include:
- the entity’s motive for holding and transacting in cryptocurrencies;
- the types of assets held, acquisition methods, and safeguarding controls;
- use of third-party custodians and their control systems;
- types of wallets used and management controls for wallet access and key generation;
- nature, frequency, volume, and value of cryptocurrency transactions; and
- reflection of on- and off-chain transactions in the entity’s books and records.
Entity’s risk assessment
It is necessary for management to be able to identify the unique risks posed by cryptocurrencies, including the entity’s susceptibility to fraud and accounting for related party relationships and transactions. Management should also implement appropriate processes and controls to prevent, detect and mitigate such risks.
Enquiries auditors may make of management and other relevant parties to better understand the entity’s risk assessment process include, but are not limited to processes relating to:
- identifying and mitigating risks related to cryptocurrencies;
- ensuring due diligence and anti-money laundering checks are performed on counterparties;
- compliance with legal and regulatory frameworks;
- identifying new risks from changes in laws, regulations, and blockchain technology;
- identifying related-party transactions on the blockchain; and
- monitoring the effectiveness of relevant third parties’ internal controls.
Another consideration when assessing the robustness of management’s risk assessment process is that technical competence in cryptocurrency technologies does not imply equal competence in financial reporting: management may understand blockchains well and still lack the skills to account for and report on the assets appropriately.
Wider Processes and Controls
Auditors understand the entity’s processes and controls related to cryptocurrency transactions, focusing on:
- authorisation of transactions and counterparty identification;
- monitoring cryptocurrency transactions on the blockchain;
- assessing the reliability of blockchain records and extraction strategies; and
- determining appropriate classification, size, and cut-off for transactions.
The decentralised nature of blockchain means that cryptocurrency transactions are not restricted to normal business hours and can vary in the time they take to be confirmed. A transaction broadcast before the period end may only be included in a block after it, so cut-off is assessed against the time of block confirmation rather than the time the entity initiated the transaction. Careful consideration of potential cut-off issues is warranted.
Management enquiries to aid auditors’ knowledge may consist of the following.
- Reliability and integrity: How the entity ensures the reliability, integrity, and availability of blockchain information.
- Accuracy in reconciliations: Methods used by management to confirm accuracy in cryptocurrency reconciliations.
- Controls for data completeness and accuracy: Controls in place to ensure the completeness and accuracy of data used in reconciliations.
- Recording transactions: How cryptocurrency transactions and balances are recorded in the entity’s books.
- Third-party information: Verification of information acquired from third parties when transactions are not processed on a blockchain.
- Public addresses control: Volume of public addresses controlled by the entity and the dispersion of cryptocurrency balances among those addresses.
- Transaction authorisation: Validation that each transaction is authorised by an appropriate individual.
- Security breaches: Detection of security breaches that could compromise the entity’s keys.
- Data extraction tools: Tools used to extract transactions and balances from relevant blockchains.
- Blockchain reliability: Consideration of the reliability of each blockchain and the chosen data-extraction tools.
- Point-in-time balance: Challenges in determining a point-in-time balance, especially with privacy coins.
- Related-party transactions: Identification of related-party transactions on the blockchain, as clarified by ISA (UK) 550 Related Parties.
Safeguarding
Ownership and control of private keys are crucial for confirming cryptocurrency ownership. Methods of safeguarding private keys can include multi-signature addresses, encryption, key generation security, and physical security of key storage facilities. Auditors also consider management’s assessment of fraud risks, including misappropriation of cryptocurrencies and undisclosed related-party transactions.
Relevant information for auditors to consider includes the initial key-generation process, backups, who can access the keys to perform transactions, and segregation of duties.
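The publication refers to private keys being held as shards, and to auditors reviewing key-generation scripts to determine the number of keys or shards generated, without specifying how the sharding is done. The following is an added illustration, not code from ICAEW or from any custodian, of one common scheme for this: Shamir secret sharing over a prime field, where any threshold-sized group of shards reconstructs the key and a smaller group reveals nothing about it. The field prime, the `rng` hook, the fingerprint step and the ceremony rehearsal are this example's own design choices.

```python
import hashlib
import secrets
from itertools import combinations

# Field for the polynomial arithmetic. 2**521 - 1 is a Mersenne prime, so any
# 256-bit private key (or a larger seed) fits as a single field element.
# Assumption of this example; the publication does not prescribe a scheme.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares, rng=secrets.randbelow):
    """Split `secret` into `shares` points on a random polynomial of degree threshold-1.

    Any `threshold` points reconstruct the secret; fewer are consistent with every
    possible secret. `rng(n)` must return a uniform integer in [0, n); the default
    uses the CSPRNG-backed `secrets` module, and the hook exists so a rehearsal
    can be made deterministic.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial through `shares` and return its value at x = 0.

    Called with fewer than `threshold` shares it still returns a value, just not
    the secret; that is why a rehearsal must check the result against a fingerprint.
    """
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate shares")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def fingerprint(secret):
    """SHA-256 of the secret, which can be recorded in the ceremony documentation
    and later used to confirm a reconstruction without exposing the key itself."""
    nbytes = (PRIME.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(nbytes, "big")).hexdigest()


def check_ceremony(secret, threshold, n_shares):
    """Rehearse a sharding ceremony: split, then confirm that every quorum of
    `threshold` shards reproduces the recorded fingerprint and no smaller group does."""
    fp = fingerprint(secret)
    shards = split_secret(secret, threshold, n_shares)
    for quorum in combinations(shards, threshold):
        if fingerprint(recover_secret(list(quorum))) != fp:
            return False
    for short in combinations(shards, threshold - 1):
        if fingerprint(recover_secret(list(short))) == fp:
            return False
    return True


if __name__ == "__main__":
    key = secrets.randbits(256)   # stand-in for a freshly generated private key
    print("fingerprint:", fingerprint(key))
    print("3-of-5 ceremony consistent:", check_ceremony(key, 3, 5))
```

Two points matter for the audit of such a scheme. The rehearsal only shows that the shards are consistent with one another; whether the shards were generated on a clean machine, distributed to the intended custodians and not retained anywhere else is what observing the ceremony and reviewing its documentation is for. And reconstruction reassembles the whole key in one place, so a spending process built on Shamir shards has a single point of compromise at signing time, which multi-signature addresses and threshold-signing schemes are designed to avoid.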
Cryptocurrencies held on behalf of clients
Entities holding cryptocurrencies for clients need processes to:
- track client balances separately from their own;
- onboard new clients;
- authorise and monitor transactions; and
- ensure sufficient cryptocurrencies are held to meet client obligations.
Cryptocurrencies held via third parties
Auditors understand how entities using third-party custodians ensure these custodians have appropriate controls. In obtaining an understanding of controls implemented by the entity over third parties, auditors may consider the entity’s processes for:
- initiating and authorising transactions with third parties;
- recording and reconciling transactions in the entity’s records;
- validating third-party control over cryptocurrencies, especially when commingled; and
- monitoring the effectiveness of third-party controls, including the third-party’s controls for conducting risk assessments of clients.
This risk assessment process helps auditors identify and address potential material misstatements in the financial statements of entities involved in the cryptocurrency ecosystem.
Specific risks
Here we explore in further detail some of the common risks related to cryptocurrencies.
Onboarding
In making a client acceptance decision, the following factors are considered:
Risk management - Risks are considered both when onboarding new entities, and for existing audit clients that have become holders of cryptocurrency. They are also considered for entities – whether existing clients or new – that are dealing with cryptocurrencies without 'touching' them, for example, through net settling in cash.
Auditor competencies and skillsets – The audit firm considers whether it has the necessary experience and internal structures, and whether its engagement teams have the competence and capabilities to understand blockchain technology, and assess risks of material misstatement. This includes knowledge of cryptocurrencies, the entity’s use of them and the relevant IT systems.
Management’s competence and responsibility - Auditors assess whether the entity’s management has the skills to maintain adequate controls and records and can prepare financial statements. This is crucial due to the complexity of blockchain technology and the unique risks associated with cryptocurrencies.
Management’s integrity and ethical values - Auditors consider the integrity and ethical values of management, especially given the potential for cryptocurrencies to facilitate criminal activities, including financing terrorism and money laundering. This includes assessing management’s reputation and background, the nature of the entity’s operation and its compliance with laws and regulations, including Anti Money Laundering (AML) and Know Your Client (KYC).
Valuation risks
The focus here is on companies that report under International Financial Reporting Standards (IFRS) and where cryptocurrencies are measured at fair value through profit and loss.
Auditing the fair value of a cryptocurrency can be challenging, as identifying its principal market, verifying the accuracy of pricing data and determining an arm’s length market price for related party transactions may not be straightforward.
The following risks are considered by auditors.
- Inappropriate initial, and/or subsequent, measurement bases selected by the entity.
- Fair value of cryptocurrencies with observable inputs is inappropriately determined.
- Fair value of cryptocurrencies using significant unobservable inputs, including model-based and alternative approaches, is inappropriately determined.
Cryptocurrencies held as intangibles are subject to impairment requirements. Auditors may evaluate the entity’s impairment analysis to validate accurate tracking of carrying values. This includes understanding the entity’s policies for monitoring the application of impairment triggers and the approach to tracking the carrying value of cryptocurrencies.
Ownership and Control
Blockchain technology’s pseudonymity can make it challenging to obtain audit evidence for sole ownership and control of digital wallets. The blockchain ledger provides the public addresses of the transacting parties and the value exchanged, but an address is not tied to an identity, so the ledger alone may not identify the counterparty or establish who holds the private keys for an address.
Certain blockchain operations can also obviate the need for third-party intermediaries for the execution of transactions, limiting the information available to prove ownership.
Auditors are usually present to observe key and wallet generation ceremonies and then conclude on the operating effectiveness of key management lifecycle controls from wallet inception to the end of the audit period.
They understand the number of private keys, who has access, and the controls over key management by performing the following non-exhaustive list of procedures.
- Review of documentation: for key generation and management during the audit period, and for any control testing procedures performed to conclude on their operating effectiveness.
- Review of key generation scripts and software: to determine the number of keys (or shards thereof) generated.
- Review of reconciliations and reconciliation controls: to determine whether breaks are effectively investigated and resolved.
- Review of blockchain transactions: for evidence that a third party may be using the wallet to transact.
- Review of confirmations and ISAE 3402 or US-style SOC reports: for third-party custodians, to assess the sufficiency of the procedures performed by service auditors over the custodian and its control environment. A Type 1 report covers the design of controls at a point in time; evidence that controls operated effectively throughout the period comes from a Type 2 report, so the report type, the period it covers and any gap to the entity’s year end need to be considered.
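The reconciliation, cut-off and transaction-review procedures described in Wider Processes and Controls and in the list above, applied to constructed data as an added example; this is not code from the ICAEW publication or from any audit firm. It assumes that transfers have been extracted from a node or explorer with the timestamp of their confirming block, that the controlled addresses, ledger entries and book balances are as constructed inline, and it ignores network fees and UTXO change outputs; all addresses and transaction ids are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal

UTC = timezone.utc


@dataclass(frozen=True)
class Transfer:
    """One on-chain transfer as extracted from a node or explorer."""
    txid: str
    block_time: datetime   # timestamp of the confirming block, not of the ledger entry
    sender: str
    receiver: str
    amount: Decimal        # network fees are ignored in this illustration


# Constructed sample data (not taken from the publication).
CONTROLLED = {"addr_A", "addr_B", "addr_C"}      # addresses management asserts it controls
PERIOD_END = datetime(2023, 12, 31, 23, 59, 59, tzinfo=UTC)

ON_CHAIN = [
    Transfer("tx1", datetime(2023, 12, 1, 10, 0, tzinfo=UTC), "ext_1", "addr_A", Decimal("10")),
    Transfer("tx2", datetime(2023, 12, 15, 9, 0, tzinfo=UTC), "addr_A", "addr_B", Decimal("4")),
    # confirmed two minutes before period end: belongs in the period
    Transfer("tx3", datetime(2023, 12, 31, 23, 58, tzinfo=UTC), "ext_2", "addr_C", Decimal("2.5")),
    # initiated before but confirmed after period end: belongs in the next period
    Transfer("tx4", datetime(2024, 1, 1, 0, 3, tzinfo=UTC), "addr_B", "ext_3", Decimal("1")),
    # outflow at 02:00 that never reached the entity's books
    Transfer("tx5", datetime(2023, 12, 20, 2, 0, tzinfo=UTC), "addr_C", "ext_9", Decimal("0.5")),
]

# The entity's books: which txids were recorded in the period, and the
# balances it reports at period end.
LEDGER_TXIDS = {"tx1", "tx2", "tx3", "tx4"}
BOOK_BALANCES = {"addr_A": Decimal("6"), "addr_B": Decimal("3"), "addr_C": Decimal("2.5")}


def point_in_time_balances(transfers, controlled, as_of):
    """Balance of each controlled address built from transfers confirmed at or before as_of."""
    balances = {addr: Decimal("0") for addr in controlled}
    for t in transfers:
        if t.block_time > as_of:
            continue
        if t.sender in balances:
            balances[t.sender] -= t.amount
        if t.receiver in balances:
            balances[t.receiver] += t.amount
    return balances


def reconcile(on_chain, book):
    """Return (address, on_chain_balance, book_balance) for every address where they differ."""
    breaks = []
    for addr in sorted(set(on_chain) | set(book)):
        chain_bal = on_chain.get(addr, Decimal("0"))
        book_bal = book.get(addr, Decimal("0"))
        if chain_bal != book_bal:
            breaks.append((addr, chain_bal, book_bal))
    return breaks


def cutoff_exceptions(transfers, ledger_txids, as_of):
    """Txids the books include in the period although the confirming block is after as_of."""
    return [t.txid for t in transfers if t.txid in ledger_txids and t.block_time > as_of]


def unrecorded_outflows(transfers, controlled, ledger_txids, as_of):
    """Outflows from controlled addresses that are absent from the books. These are
    the items to investigate for unauthorised or third-party use of the keys."""
    return [t.txid for t in transfers
            if t.sender in controlled and t.txid not in ledger_txids and t.block_time <= as_of]


def concentration(balances):
    """Share of the total balance held in the single largest address."""
    total = sum(balances.values())
    return max(balances.values()) / total if total else Decimal("0")


if __name__ == "__main__":
    chain = point_in_time_balances(ON_CHAIN, CONTROLLED, PERIOD_END)
    print("on-chain at period end:", chain)
    print("breaks:", reconcile(chain, BOOK_BALANCES))
    print("cut-off exceptions:", cutoff_exceptions(ON_CHAIN, LEDGER_TXIDS, PERIOD_END))
    print("unrecorded outflows:", unrecorded_outflows(ON_CHAIN, CONTROLLED, LEDGER_TXIDS, PERIOD_END))
    print("largest-address share:", concentration(chain))
```

On the constructed data the two breaks have different explanations, which is the point of keeping the procedures separate: the break on addr_B is a cut-off error (tx4 was deducted in the books although it only confirmed after the period end), while the break on addr_C is an outflow, tx5, that the books never recorded and that would be followed up as possible third-party use of the wallet. On a real engagement the same logic needs the chain's own accounting model (fees, change outputs on UTXO chains, internal transfers on smart-contract chains), and it cannot be applied at all where a privacy coin hides amounts or addresses.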
Risks around accuracy of data
Verifying the accuracy of data in the audit of cryptocurrencies is challenging due to the complexities of blockchain technology and the integration of data into financial systems. Auditors understand the following:
- IT General Controls (ITGCs): around nodes connected to the blockchain, other relevant systems and the wider IT environment.
- Accuracy and reliability of blockchain explorers: Public blockchain explorers have generally not been independently tested to validate completeness and accuracy of data. Some independently tested blockchain explorer services are available at a cost.
When extracting data from a blockchain, auditors can run their own nodes on the blockchain or use third-party nodes. To decide, auditors may carefully consider the following factors.
Running the Auditors' Own Node
Benefits: More reliability due to direct data extraction from the blockchain, also ensuring data privacy and autonomy.
Challenges: High data storage and bandwidth requirements, high maintenance, high costs such as electricity as well as potential independence issues.
Using Third-party Infrastructure Nodes
Benefits: Simplified node management, scalability, cost-effectiveness, and availability of support and maintenance services.
Challenges: Reliance on third-party providers, centralization risks, privacy and security concerns, as well as limited customization options.
Next Steps
ICAEW’s future work on digital assets will focus on facilitating debate and building understanding of the impact of blockchain and digital assets on the profession. This includes collaborating with various stakeholders, such as accountants, regulators, policymakers, educators, technologists, and service providers.