Skip To Main Content
A digital bitcoin moving very quickly, while passing thru a column of binary numbers

Auditing crypto-assets

CPA Canada and the Canadian Auditing and Assurance Standards Board (AASB) have collaborated with regulators, auditors and individuals in the crypto-asset industry to explore auditing approaches to respond to the risks in this evolving industry.

In general, crypto-assets and blockchain technology are exciting and innovative new technologies, but they are also complex, requiring a comprehensive combination of financial and technical knowledge to prepare and audit their financial reporting.

CPA Canada has been developing thought leadership and guidance on blockchain and crypto-assets since as early as 2016. From first discussing blockchain’s impact on financial reporting to its potential impact on audit and assurance, we then focused on crypto-assets and provided accounting guidance for both IFRS and ASPE and the audit implications.

In July 2018 we published Audit Considerations Related to Cryptocurrency Assets and Transactions and CPAB published Auditing in the Crypto-Asset Sector in December 2018. Since then, we and the AASB have established a working group with auditors and representatives from CPAB and provincial practice inspection to explore different auditing approaches to respond to the risks in this evolving industry. There are many topics to explore – from client acceptance and continuance considerations to audit approaches to respond to the identified risks.

Should all auditors accept all crypto-asset audit clients?

Not all companies that report crypto-assets are the same. For some, their business model is built around crypto-assets, and they therefore have material balances. For others, such as retailers that have started accepting payment in crypto-assets, it’s ancillary. Different business models present different audit challenges. What’s more, management of any entity is responsible for establishing and maintaining internal controls for effective operations, reliable financial reporting and compliance with applicable laws and regulations.

These are the preconditions that all auditors need to determine are present before accepting an audit engagement. No company should assume it is entitled to an audit without having prepared the groundwork to ensure the external auditors can successfully perform an audit that satisfies auditing standards requirements and meets regulatory and market expectations.

When a company reports crypto-assets in its financial statements, the engagement acceptance process can be complex. For auditors, there are key decisions to be made, such as:

  • some auditors may choose not to audit an entity with material crypto-asset transactions or holdings because they determine that they won't be able to obtain sufficiently appropriate audit evidence based on the entity's governance, controls and/or processes i.e. the audit preconditions are not present,
  • auditors may determine that they don't have the necessary competence, capabilities or resources to respond to the risks related to this evolving technology; or
  • auditors may have other concerns, such as the reputation, attitude or integrity of the entity's management.

What are CPA Canada and the AASB doing to help?

The working group mentioned above has assembled a list of topics for discussion that are unique to audits of companies that transact with or hold crypto-assets.

We have had further conversations about some of the more fundamental issues relating to the performance of these audits and will publish the results of these discussions shortly. The first three topics being discussed are:

1. The relevance and reliability of information obtained from a blockchain to be used as audit evidence

With over 2,000 crypto-assets available, there is variability in their features and the architecture of their underlying blockchain. Information obtained from a public blockchain may be a key source of information for an auditor. As such, its reliability is critical. The reliability of that information may be influenced by (a) the source of the information itself, i.e. the underlying blockchain, and (b) the appropriateness of technological resources, including IT applications used by the auditor to obtain the information (e.g. a block explorer). The group is discussing which blockchain characteristics may impact the reliability of information and what the auditor may need to consider when assessing the reliability of information obtained from a blockchain.

2. Determining the audit approach when obtaining sufficient appropriate audit evidence over the ownership assertion

The auditing standards note that in some situations, only by performing tests of controls may the auditor achieve an effective response to the assessed risk of material misstatement for a particular assertion. For self-custodied crypto-assets, the group is discussing the factors the auditor may need to consider in determining whether tests of controls are necessary to obtain sufficient appropriate audit evidence over the ownership of a crypto-asset.

3. The risks and/or controls that need to be considered regarding a custodian holding a material balance of an entity's crypto-assets

For custodied assets, the group is discussing which custodian controls are relevant to the entity’s financial reporting and how the auditor can obtain assurance over the operating effectiveness of those controls – either through obtaining an SOC 1 or 2 report, or alternative procedures.

Keep the conversation going

What audit issues have you faced when auditing entities with material crypto-asset transactions or balances? What approaches to auditing crypto-assets have you had success with? We want to hear from you. Post a comment below or email me directly.


The views and opinions expressed in this article are those of the author and do not necessarily reflect that of CPA Canada.