New guidance on auditing crypto-assets

CPA Canada and the Auditing and Assurance Standards Board (AASB) Working Group on Auditing Crypto-Assets has published two Viewpoints with guidance for auditors. Learn about issues to consider and how to tackle when auditing crypto-assets.

Due to the unique risks and complexities of crypto-assets and the underlying blockchain technology, auditors are considering additional factors before accepting clients with material crypto-asset transactions or balances. The engagement partner needs to determine whether the engagement team has the appropriate skills and consider management's understanding of crypto-asset risks and internal controls in place to mitigate those risks. In some cases, it may not be possible to audit crypto-assets without relying on the effective operation of relevant controls.

CPA Canada members raised issues where no best practices had yet been identified to approach the audit of crypto-asset transactions and balance.

CPA Canada response and guidance

CPA Canada and AASB staff established a Crypto-Asset Auditing Working Group with practitioners and representatives from audit regulators to discuss the issues raised in more depth. Based on the discussions of this working group, we recently released two Viewpoints papers covering the following topics:

Determining whether to take a controls approach to obtain audit evidence regarding the ownership rights of crypto-assets

As highlighted in our July 2018 publication Audit Considerations Related to Cryptocurrency Assets and Transactions, addressing ownership risk is difficult because of the pseudo-anonymous nature of the transacting parties. For example, for entities with complex business processes and systems who report a large number of transactions in crypto-assets, addressing ownership risk may only be possible through testing the operation of internal controls. This Viewpoint publication outlines several factors for the auditor to consider when making this determination, keeping in mind that each client and situation is unique and requires crypto-asset subject-matter expertise and professional judgment.

Assessing the reliability of information obtained from a blockchain, when that information is being used as audit evidence

Crypto-asset are not physical assets and they only exist on a blockchain; the audit procedures performed will typically involve using information from the related blockchain. For this reason, auditors need to consider the reliability of the blockchain from which the information is derived, and any IT applications, such as block explorers, used to obtain or view the relevant information. Not all blockchains are created equal and the generalization that transactions recorded on a blockchain are tamperproof may not always be the case. It's important that the auditor is not relying on information from a blockchain without first understanding and appropriately responding to (in the context of their audit) the risks that could result in inaccurate or incomplete information on a given blockchain.

What's next for the working group?

We are currently developing a paper on the risks that may be relevant to an audit if the audited entity's asset are held by a third party, such as a crypto-asset custodian or trading platform. In a traditional financial statement audit using a more traditional third-party service organization, there would typically be a System and Organization Controls (SOC) report available for the auditor to use as part of its audit evidence. However, service organizations in the crypto-asset sector may not have a SOC report and further, appropriate internal controls may not yet be established at the service organization. This is a concern not only for auditors and the entities using the service organizations but also for the Canadian Securities Administrators (CSA) and the Investment Industry Regulatory Organization of Canada (IIROC), who proposed establishing a framework that provides regulatory clarity to trading platforms and may address some of these unique risks.

If a SOC report is unavailable, is it possible for an auditor to test the relevant third-party controls directly at the service organization? Are there other compensating controls at the audited entity the auditor could perform procedures over?

Keep the conversation going

Are you or your firm struggling with the issues discussed above? What other concerns do you have with auditing crypto-assets? Have crypto-assets entities in Canada (and related third parties) established appropriate internal controls over financial reporting? We want to hear from you.

Post a comment below or email me directly.

Conversations about Audit Quality is designed to create an exchange of ideas on global audit quality developments and issues and their impact in Canada.

Disclaimer

The views and opinions expressed in this article are those of the author and do not necessarily reflect that of CPA Canada.

About the Author

Taryn Abate, CPA, CA, CPA (IL)

Director, Audit and Assurance, CPA Canada