Three key challenges when auditing crypto assets
Given the complexity, speed of innovation, and the absence of official authoritative accounting guidance, it can be hard to audit crypto assets. Andre Sterley, Digital Asset Leader at SAPRO, provides insights into the three key challenges.
The market for crypto assets has evolved significantly over the past few years, expanding to a market capitalization of more than $3 trillion (at its peak in Nov 2021).
The continued expansion introduced new assets and technologies, offering several benefits and opportunities, and attracting the global attention of retail investors, financial institutions, central banks and regulators.
Auditors and accountants need to stay abreast of developments, and the implications of those developments and update their approach accordingly.
Given the novelty of this emerging asset class and speed of innovation in the world of crypto, definitions, risk assessments, and potential procedures all need to be regularly updated and evaluated.
Here are three of the most common challenges auditors face in crypto asset engagements.
1. The competence challenge
The first challenge when auditing crypto asset transactions that are material to the financial statements is that of competence – of the firm, the engagement team, and the client.
Key insights from regulators such as the Public Company Accounting Oversight Board (PCAOB) in the US and the Canadian Public Accountability Board (CPAB), reveal that auditors often do not have an adequate understanding of the audit risks involved when they designed their audit approaches. At a client level too, auditors are not properly evaluating management’s understanding of crypto-related risks.
Client acceptance and continuance decisions must be based on careful consideration of not only the respective industry and the firms’ depth of crypto knowledge, but perhaps most importantly, how the specific client uses crypto assets.
A “plain vanilla” crypto fund, for example, may trade only the top 10 most liquid crypto assets, on the most trusted, regulated, and reputable crypto exchanges.
Another “not so plain vanilla” fund may be involved in various decentralized finance (DeFi) activities, such as lending/borrowing, staking, derivatives and perhaps even hold some non-fungible tokens (NFTs).
As you can imagine, the latter fund will require an audit team with a different level of crypto expertise to perform an effective risk assessment and, audit response.
Over the years I have found that the public accounting firms that have lowered the risk related to the aforementioned competency challenges and are leading out in serving crypto clients have excelled in three key areas:
- they have developed and regularly update their own digital asset audit methodology
- they have prioritized ongoing digital asset training
- they are focused on digital asset recruiting
All industries evolve and require ongoing professional development but given the speed at which the crypto world moves, it is imperative to prioritize ongoing training in-house. This is especially important considering how hard it is to find CAs, CPAs, and qualified auditors that have an in-depth understanding of the collection of technologies surrounding the world of crypto and blockchain.
2. The custody challenge
Crypto has come a long way since the Bitcoin Whitepaper was authored in 2008. From perishable paper wallets, essentially a piece of paper with a private and public key printed on it, to bank-grade qualified custodians. Even US banks are now allowed to be crypto custody providers.
There are three main ways a client may provide for custody of their crypto assets. Often it is a mix of all three. Each custody solution will influence the risk, nature, extent, and practicality of the audit procedures to be performed.
The client takes control of their digital assets generally without relying on any third party. They control the private keys used to sign transactions and spend funds. With self-custody the client also takes on all the risks related to controlling and safeguarding the keys.
A well-defined crypto custody policy: Among the key best practices that should be part of that custody policy is that of access: having three login identifiers, including two-factor authentication (2FA). However, many of the operating companies in this sector are either start-ups or early-stage businesses, that often lack documented internal control processes and evidence of the operating effectiveness of key internal controls.
With key man risk, for example, you may find that three senior employees have full access to the private keys of the company. An internal control recommendation could be that none of the three has full access; rather, two of the three cryptographic signatures be required to authorize withdrawals.
Storage: When it comes to storage, they may be using a vendor with data centres concentrated in one geographic area which poses business continuity risks. Also critical is to evaluate private key access controls. Private keys should be stored in a location which is access-controlled, fire and water-resistant, electromagnetic pulse resistant and encrypted.
One example of an ideal solution is a fireproof safe with air-gapped laptops (i.e. incapable of connecting wirelessly or physically with other computers or network devices) that are stored inside a faraday bag and sealed in a dry bag.
Backup and recovery processes: Should disaster strike, or key holders are compromised, data backup and recovery processes should be in place to ensure the organization can still access private keys and seed phrases (a unique sequence of words to regenerate private keys) in these events.
Compromise: A key compromise policy ensures that the management team knows what steps to take if keys have potentially been compromised to minimize disruption and potential losses. Without a well-defined policy, incorrect actions may be taken unintentionally, and losses/disruptions extended.
Grant and revoke policy: A well-documented policy for granting and revoking access to crypto keys or seeds ensures privilege-restricted access, and determines how keys are generated and deleted, and how assets are transferred when required.
II. Custody on a crypto exchange
Should clients store their crypto assets on a crypto exchange, a vendor due diligence should be conducted as part of the acceptance and continuance process.
Some of the key points that should be covered as part of the due diligence process include, the regulatory status of the exchange, insurance details, KYC/AML risks, control environment (e.g. SOC report), reputation (e.g. hacks), how long it’s been in operation and audit reports (e.g. proof of reserves).
Another key challenge for auditors in dealing with crypto exchanges relate to application programming interfaces (APIs). Auditors want to be able to independently source and aggregate transaction data directly from the various exchanges that the client may be trading on.
The challenge is that ‘read-only’ APIs are not always as well maintained as ‘write-only’ APIs, which may result in an incomplete population of data, for example. Accessing historical data for the period under audit may also be difficult, as some exchange APIs may only provide for a limited time frame, three months for example. The best practice to overcome this is to setup an ongoing API connection and for the auditor to regularly (e.g., monthly) download all transaction data.
III. Crypto custodians
Unlike the early days of crypto, we now have regulated, licensed, insured, and audited crypto asset custodians. This makes the audit procedures relatively painless, by requesting a direct confirmation like that of the common bank confirmation, for example.
3. The accounting challenge
Historically, in the US, GAAP standards required most crypto assets to be accounted for as indefinite-lived intangible assets unless special industry guidance was applicable, such as an investment company accounting for a crypto fund where you can account for it at fair value. Under IFRS, the situation has been similar, although there may be an appropriate classification of inventory if the crypto assets are held in the ordinary course of business.
The call for fair value
Perhaps the biggest and most prevalent issue has been the call for fair value accounting when it comes to crypto assets. MicroStrategy is perhaps the most public example of a company that’s been saddled with the indefinite-lived intangible assets model to account for its billions in US dollars of Bitcoin at cost less accumulated impairment. Only downward adjustments are allowed; upward movements are ignored.
Consequently there has been an increasingly overwhelming amount of feedback from public accounting and industry incumbents calling for fair value accounting and digital asset-specific authoritative accounting guidance.
From standard-setting bodies like the FASB and the IASB, one of the arguments has been that crypto is not yet pervasive, especially among operating companies. A case that has evidently become harder to defend each year. Finally, in May this year, the FASB added crypto to its technical standards-setting agenda.
Additionally, on October 12, 2022 the FASB has decided that companies that hold crypto (within the scope of their project) should:
- Measure crypto assets at fair value, using the guidance in Topic 820, Fair Value Measurement.
- Recognize increases and decreases in fair value in comprehensive income each reporting period.
- Recognize certain costs incurred to acquire crypto assets, such as commissions, as an expense (unless the entity follows specialized industry measurement guidance that requires otherwise).
Undoubtedly, a decision which will be very well received by the industry and may encourage companies to hold crypto on their balance sheet.
The FASB board also noted that they will consider presentation, disclosure, and transition at a future meeting.
Blockchain is fundamentally an accounting technology, so if any profession should be paying close attention, it’s the accounting profession.
The rise and adoption of digital assets and the dearth of experienced accounting, audit and tax practitioners in this area, presents incredible business and career development opportunities for those brave enough to not only learn about, but embrace this new wave of disruptive technology.