May 6, 2020
Debunking Common Misconceptions About Auditing Digital Assets
Posted by Jeremy Nau
When talking with audit professionals and CPAs, we have noticed a few misconceptions about auditing digital assets that are worth discussing. The most prominent misunderstandings relate to proving ownership of digital assets and confirming transaction details as part of a financial statement audit. We have heard the following assumptions that seem reasonable, but don’t hold up to scrutiny:
- “The blockchain itself is basically an audit. Therefore, all transactions are inherently correct and can be used as evidence to confirm financial statement account activity.”
- “Confirming ownership is unnecessary; all the activity is on the blockchain and readily viewable by any party.”
- “Confirming ownership is unnecessary; private keys can be duplicated and potentially distributed to multiple parties who can claim ownership of the same funds on their financial statements. Therefore, confirming ownership of the private keys should not be relied upon for audit evidence.”
- “Confirming ownership is impossible. If I have access to the client’s private keys, I, along with a bad actor, could steal the keys and related funds. Therefore, ownership confirmation is too risky of a procedure to perform during an audit.”
We have heard these reasons from small CPA firms as well as Big 4 auditors. While the PCAOB has issued no authoritative guidance, we would invite auditors to think critically about how best to test digital assets.
Diving deeper into each of these assumptions, here are considerations an auditor may think about when applying this logic during an audit.
- The blockchain itself is basically an audit. Therefore, all transactions are inherently correct and can be used as evidence to confirm financial statement account activity.
Blockchains, for the most part, contain complete and accurate data. An auditor will have to consider the underlying blockchains, how much hash power secures those blockchains, and what the auditor's risk tolerance is.
Blockchain data, however, is only half of the equation. Companies holding crypto assets typically maintain records in their accounting software (e.g., QuickBooks, Xero, Intacct). Unless the company uses an industry-specific accounting system (such as Ledgible, SoftLedger, Lukka or Blox) that derives wallet balances and transaction history directly from the blockchain, the auditor will have to reconcile internally kept records with external blockchain data.
Reconciling internal records to the blockchain is not terribly difficult, but the auditor must understand that this procedure is what verifies the company accounted for every transaction on the public blockchains involving company wallets. If auditors do not perform it, there is a risk that inaccurate transactions, or an incomplete set of transactions, were recorded on the company books.
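As an added example (not code from the original post), the reconciliation described above expressed as a small Go program. The transaction IDs, wallet addresses and amounts are constructed for illustration; in practice the chain side would be pulled from a node or block explorer for each wallet management asserts it owns. The program flags the three exception types an auditor cares about: on-chain activity missing from the books, booked transactions with no on-chain counterpart, and amount mismatches.

```go
package main

import (
	"fmt"
	"sort"
)

// Txn is one transfer as it appears either in the company's books or on
// the public chain. Amounts are integer base units (satoshis, wei, ...)
// so comparison is exact; no floating point is involved.
type Txn struct {
	ID     string // transaction hash
	Wallet string // company wallet address involved
	Amount int64  // signed: positive = inflow, negative = outflow
}

// Discrepancy is one reconciliation exception for the auditor to follow up.
type Discrepancy struct {
	Kind  string // "missing_from_books", "not_on_chain" or "amount_mismatch"
	ID    string
	Book  int64
	Chain int64
}

// Reconcile compares the books against chain data for the wallets
// management asserts it owns. Chain transactions touching other wallets
// are ignored: they are somebody else's activity, not an exception.
func Reconcile(books, chain []Txn, ownedWallets []string) []Discrepancy {
	owned := map[string]bool{}
	for _, w := range ownedWallets {
		owned[w] = true
	}
	bookByID := map[string]Txn{}
	for _, t := range books {
		bookByID[t.ID] = t
	}
	chainByID := map[string]Txn{}
	for _, t := range chain {
		if owned[t.Wallet] {
			chainByID[t.ID] = t
		}
	}

	var out []Discrepancy
	// Completeness: everything on chain for our wallets must be booked.
	for id, c := range chainByID {
		b, ok := bookByID[id]
		switch {
		case !ok:
			out = append(out, Discrepancy{"missing_from_books", id, 0, c.Amount})
		case b.Amount != c.Amount:
			out = append(out, Discrepancy{"amount_mismatch", id, b.Amount, c.Amount})
		}
	}
	// Existence/accuracy: everything booked must actually be on chain.
	for id, b := range bookByID {
		if _, ok := chainByID[id]; !ok {
			out = append(out, Discrepancy{"not_on_chain", id, b.Amount, 0})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

// Constructed sample data for this example; none of it is real.
func SampleWallets() []string { return []string{"wallet_A", "wallet_B"} }

func SampleBooks() []Txn {
	return []Txn{
		{"tx1", "wallet_A", 1000},
		{"tx2", "wallet_A", -250},
		{"tx4", "wallet_A", -1000}, // chain says -100: keying error or something else?
		{"tx6", "wallet_B", 300},   // nothing on chain with this hash
	}
}

func SampleChain() []Txn {
	return []Txn{
		{"tx1", "wallet_A", 1000},
		{"tx2", "wallet_A", -250},
		{"tx3", "wallet_B", 500}, // received on chain but never booked
		{"tx4", "wallet_A", -100},
		{"tx5", "wallet_Z", 999}, // not a company wallet: ignored
	}
}

func main() {
	for _, d := range Reconcile(SampleBooks(), SampleChain(), SampleWallets()) {
		fmt.Printf("%-19s %s books=%d chain=%d\n", d.Kind, d.ID, d.Book, d.Chain)
	}
}
```

Each exception maps to a different audit question: a transaction missing from the books is a completeness problem, a booked transaction absent from the chain is an existence problem, and an amount mismatch is an accuracy problem. The list of owned wallets is an input here precisely because it is what the ownership procedures in the rest of this post establish.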
- Confirming ownership is unnecessary; all the activity is on the blockchain and readily viewable by any party.
While it is true that all wallet and transaction activity is viewable on the blockchain, this does not mean confirming ownership of the wallets is a moot point. A company may not actually own a wallet that is on the company’s records, and a transaction may not actually involve them. If no ownership procedures are performed, a company could simply claim a specific wallet address is theirs, point to the blockchain to show the balance and include unowned assets on their financial statements.
- Confirming ownership is unnecessary; private keys can be duplicated and distributed to multiple parties who can claim ownership of the same funds on their financial statements. Therefore, confirming ownership of the private keys should not be relied upon for audit evidence.
The ability to duplicate private keys is by design. Duplicating (or backing up) keys is crucial to safeguard assets from loss or theft. As evidenced by many cases before, maintaining your keys in a centralized environment creates a concentrated point of failure.
Just because private keys can be duplicated does not make them insufficient as audit evidence. In fact, private key verification is one of the best forms of audit evidence available. While it is true that two companies could be sharing a private key, or that a hacker compromised a private key and is waiting patiently to steal funds, the auditor has a few methods to mitigate these risks when confirming ownership of wallets during an audit.
To address fraud considerations, an auditor receives a management representation letter from the pertinent members of the auditee attesting that (among other items):
- Management has no knowledge of fraud within the company.
- Management is responsible for systems designed to detect and prevent fraud.
Management representation letters do not catch all fraud. Still, they do act as a deterrent, placing sole responsibility for the data presented on the members of management, including fraud and related party considerations. In addition to receiving the management representation letter, the auditor always exercises professional skepticism during the audit.*
If the private keys genuinely belong to another party, but management is representing ownership on their financial records, the auditor can perform procedures that may uncover inconsistencies between company books and blockchain data. When reconciling company books to the blockchain, the auditor should inquire about the nature of transactions, along with ensuring transactions reconcile to the company’s internal records. If a third party truly owns the wallets, the company books may not reconcile to the data on the blockchain (as the true owner initiated their own transactions), and management may not be able to describe relevant details of a transaction (such as the external party, the reason for the transaction, etc.).
As part of auditing digital assets, management should review the controls in place related to key creation, management and disposal. If management has documented and designed well-functioning controls or follows a standard, such as the CryptoCurrency Security Standard, the auditor can gain comfort that the company’s keys have been managed securely and not disseminated to third parties or bad actors.
- Confirming ownership is impossible. If I have access to the client’s private keys, I, along with a potential bad actor, could steal the keys and related funds. Confirming ownership is too risky a procedure to perform during an audit.
Exposing private keys at any point is risky. However, the auditor and management can agree to a procedure that mitigates these risks and allows proper verification of ownership. This can include viewing balances on wallet GUIs or obtaining digital signatures. If performed in secure environments, these procedures can be both effective and secure.
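The digital-signature procedure mentioned above, as an added example that is not part of the original post. It uses Go's standard ed25519 package as a stand-in for whichever signature scheme the wallet's chain actually uses, and derives a constructed address from the public key; the challenge format, the engagement name and the nonce are all assumptions. What it demonstrates is that management can prove control of a key without the private key ever leaving its own signing environment, and that a signature over an auditor-chosen, dated, nonce-bearing message cannot be reused from an earlier engagement or by a different key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AddressOf derives a constructed wallet identifier from a public key
// (hex of SHA-256 over the key bytes). Real chains use their own address
// encodings; the only property needed here is that the address commits
// to the public key, so a verified signature ties back to the address.
func AddressOf(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// NewChallenge builds the auditor's message. It names the engagement, the
// wallet under test, the as-of date and a random nonce, so a signature
// produced for one engagement cannot be replayed for another.
func NewChallenge(engagement, address string, asOf time.Time, nonce []byte) string {
	return fmt.Sprintf("audit-ownership-proof|%s|%s|%s|%s",
		engagement, address, asOf.Format("2006-01-02"), hex.EncodeToString(nonce))
}

// RandomNonce is chosen by the auditor, never by the auditee.
func RandomNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Sign is the step management performs inside its own secure signing
// environment (hardware wallet, air-gapped machine, etc.). The auditor
// receives only the resulting signature, never the private key.
func Sign(priv ed25519.PrivateKey, challenge string) []byte {
	return ed25519.Sign(priv, []byte(challenge))
}

// VerifyOwnership is the auditor's check: the public key must correspond
// to the address on the company's records, and the signature must verify
// under that key over exactly the challenge the auditor issued.
func VerifyOwnership(address string, pub ed25519.PublicKey, challenge string, sig []byte) bool {
	if AddressOf(pub) != address {
		return false
	}
	return ed25519.Verify(pub, []byte(challenge), sig)
}

func main() {
	// Management side: a key pair standing in for the wallet's signing key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	addr := AddressOf(pub)

	// Auditor side: issue a fresh, dated challenge for this engagement.
	asOf := time.Date(2020, 5, 6, 0, 0, 0, 0, time.UTC)
	challenge := NewChallenge("FY2019-audit", addr, asOf, RandomNonce())

	// Management signs; auditor verifies.
	sig := Sign(priv, challenge)
	fmt.Println("fresh challenge verifies:", VerifyOwnership(addr, pub, challenge, sig))

	// A signature from a prior engagement (different nonce) does not carry over.
	stale := NewChallenge("FY2019-audit", addr, asOf, RandomNonce())
	fmt.Println("replayed signature verifies:", VerifyOwnership(addr, pub, stale, sig))
}
```

The reconciliation and the signature check complement each other: the signature shows that someone in the company controls the key today, while the inquiry and reconciliation procedures described earlier address the case where the key is controlled but shared with a third party. Obtaining the signature in the auditor's presence, over a message the auditor composed, is what keeps the procedure both effective and free of any need to expose the private key.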
As digital assets, and auditing digital assets, become more and more popular on company financial statements, we invite auditors to think critically about the current necessities and auditing problems at hand. Digital assets will only become more complex with time (central-bank digital currencies, tokenized assets, stablecoins), and it is vital that the profession moves quickly in understanding and accounting for these changes in technology.
*Management also attests to other items that are relevant for Item C regarding internal controls:
- The management team acknowledges its responsibility for the system of financial controls.
- Management is responsible for the proper presentation of the financial statements in accordance with the applicable accounting framework.
- All financial records have been made available to the auditors.
- Management has disclosed all liens and other encumbrances on its assets.
- All contingent liabilities have been disclosed.
- All related parties’ transactions have been disclosed.
Jeremy is a manager in Armanino’s Blockchain practice, with more than 4 years of experience performing compliance, internal and blockchain-technical audits. He has experience leading and participating in cryptocurrency/blockchain engagements for exchanges, crypto-startups, and stablecoins. Jeremy authors Armanino’s blockchain audit memos, and he has helped develop proprietary procedures to test digital assets for reliance during an audit.
A Certified Blockchain Professional and member of the Cryptocurrency Certification Consortium, Jeremy is also a Certified Public Accountant (CPA) and Certified Management Accountant (CMA). He holds a Bachelor of Business Administration, Accounting from California State University, Chico.