Auditor’s responses to assessed risks in audits of entities that hold crypto-assets
Our recent publication, Audit Considerations Related to Cryptocurrency Assets and Transactions, focused on considerations when identifying and assessing audit risks for entities that hold and transact cryptocurrencies.
However, due to limited experience auditing these types of assets, there isn’t a typical audit approach or much guidance – in Canada or globally – to help auditors respond to the assessed risks. We at CPA Canada want to help by starting a conversation here on the areas that have attracted the most attention since we issued our publication.
Understanding the blockchain underlying a specific crypto-asset
With more than 1,900 crypto-assets currently in circulation, each with its own blockchain, a fundamental question for auditors is understanding the relevant blockchain and the implications for the audit. Each blockchain is governed by its own set of rules, including cryptographic protocols and consensus mechanisms. Processing times before transactions are recorded on a blockchain also vary. Obtaining an understanding of the entity and its environment can include understanding the unique characteristics of the blockchain supporting the crypto-assets held by the entity.
Obtaining this understanding requires expertise in this new and fast-changing crypto-asset ecosystem. Do you and other members of the engagement team possess the appropriate expertise to understand the relevant risks and develop an appropriate audit response? Auditors may need to use the work of an expert in the relevant cryptographic protocols to understand and respond to the risks. In these circumstances, how might your considerations for assessing the competence of such experts be impacted by the complexity of the crypto-asset space?
Crypto-exchanges and custodians
The Canadian Public Accountability Board (CPAB) issued a call to auditors to “establish sound crypto-asset practices early on to deliver audit quality in this new frontier” in the August 2018 CPAB Express. This is indeed a new frontier for the audit profession. Auditors are accustomed to a world in which the identities of the parties to a financial transaction are known. Trusted intermediaries, including financial institutions, payment networks and regulatory authorities, act together to protect the integrity of those transactions.
When an entity holds crypto-assets, odds are those assets were obtained at one of the 200-plus centralized crypto-exchanges available worldwide. Generally, crypto-exchanges execute trades on behalf of clients by retaining custody of the private keys that control the assets; they act as brokers and custodians for their clients. In contrast to the intermediaries in the traditional securities industry, crypto-exchanges remain largely unregulated and the effectiveness of their internal control systems has yet to be meaningfully scrutinized.
The Wall Street Journal reported in July 2018 that hacking-related losses from digital currency platforms since 2011 totalled US $1.63 billion. This creates challenges when auditing whether crypto-assets held in custody by a crypto-exchange exist at year end.
Certain crypto-exchanges engage in the practice of commingling their clients’ assets in exchange-hosted wallets. When crypto-assets are commingled, a crypto-exchange reflects transactions between buyers and sellers in its own records but no movement is recorded on the applicable blockchain (i.e., off-chain transactions). When this has occurred, auditors are not able to verify a client’s transactions solely by referring to the blockchain. Even without the commingling of assets, finding a reliable way to read transactions off a blockchain may be difficult.
Hacking of exchanges and off-chain transactions are just two examples of risks that exist in the crypto-asset market.
Are traditional audit approaches sufficient?
Traditionally, auditors have used audit procedures such as inspection and external confirmation to obtain audit evidence. But relying solely on such traditional procedures may not work when auditing crypto-assets. For example, auditors often obtain a service auditor’s report on the effectiveness of internal controls at a service organization. However, such a report often does not exist for controls at a crypto-exchange. What alternative procedures can be performed?
Another example is the external confirmations obtained from intermediaries, such as a regulated bank, as evidence of a client’s holdings and transactions. But what value can be attached to confirmations received from intermediaries that operate in the crypto-asset ecosystem?
As you can see, there is more to say about this topic than we could fit in this blog – stay tuned for future publications.
Keep the conversation going
What are your primary concerns with auditing crypto-assets? What approaches are you exploring to obtain sufficient appropriate audit evidence? We want to hear from you. Post a comment below or email me directly.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CPA Canada.