Skip To Main Content
Two young businesswomen using an interactive whiteboard to analyze data in a modern office
Accounting
Audit

Auditing crypto-assets: The challenges dealing with third-party providers

When trading platforms or custodial wallets are involved, they add complexity to the audit process, experts say

Two young businesswomen using an interactive whiteboard to analyze data in a modern officeAuditors must prepare themselves, addressing any skills gaps prior to accepting clients in the crypto-asset sector (Getty Images/katleho Seisa)

As crypto-assets become more popular globally, governments, regulators, investors and organizations grapple with how to integrate them into existing financial systems and frameworks.

Auditors face unique challenges when evaluating financial statements with crypto-asset balances and transactions, particularly if relationships with third-party service providers, such as trading platforms or custodial wallets, exist. 

It’s a timely issue that CPA Canada, alongside the Auditing and Assurance Standards Board (AASB), are addressing through the Crypto-Asset Auditing Working Group, a collaboration with audit firms and regulators to share perspectives on crypto-assets and Canadian Auditing Standards (CAS). 

Here are four insights outlining challenges auditors face when working in crypto-asset environments using third-party service providers.

1) PREPARING FOR CRYPTO-ASSET AUDITS

Auditors must become familiar with key aspects of the crypto-assets environments their clients are engaged in before an audit process can begin, emphasizes CPA Canada’s report, Viewpoints: Applying Canadian Auditing Standards in the Crypto-Asset Sector

This requires a comprehensive understanding of the user entity (organization) and third-party relationship. Auditors should know specifics, including: what third-party services—be it trading or custodial (safeguarding of crypto-assets), for example—are being used; who controls what activities; and the nature and impact third parties have on financial balances and transactions. 

“It’s especially important for auditors to have an understanding beforehand of the third parties relied upon,” says Kaylynn Pippo, principal, research guidance and support for CPA Canada. “The auditor should anticipate whether they will be able to obtain sufficient evidence to complete the audit and form their opinion on the entity’s financial statements.”

Under current conditions, this is challenging, adds CPA Angelo Giardina, director, thought leadership at the Canadian Public Accountability Board (CPAB). The crypto-asset industry is in its infancy with many third-party service organizations still developing the controls and processes needed to support the objectives of user entities.

“This ecosystem is still trying to find its footing. Many service organizations have not had the operating effectiveness of their internal controls evaluated by auditors,” says Giardina. “There may be risks and gaps in controls and processes that need to be identified and remediated.”

2) UNDERSTANDING SERVICES PROVIDED

Understanding the services a third-party provides to a user entity in a crypto-asset environment is imperative to the auditing process, say experts. 

Services outsourced can range from processing financial transactions, such as crypto-asset trades, record-keeping of transactions and safeguarding of crypto-assets by providing storage and/or acting as custodian. 

“The key concern is that auditors will not do enough audit work if they fail to appropriately treat a third party as a service organization,” says Giardina.

“Essentially, what that means is the auditor’s required work effort differs significantly depending on if the third-party provider is determined to be a service organization or just an external information source.”

Understanding the services used reveals who (the user entity or third party) controls what activities and how this information, necessary for financial reporting, is recorded, be it within the entity’s or the third-party’s system. For example, a custodial trading platform that transacts outside the blockchain or that commingles the entity’s funds with other customers’ crypto holdings, results in the entity relying upon external record-keeping controls at the third party. If adequate internal controls are not in place or information is not accessible to the auditor, the auditor’s ability to issue an unqualified opinion is compromised. 

“When the services provided by the third party form part of the user entity’s information systems relevant to financial reporting,” explains Pippo, “a service organization relationship exists and those controls over safeguarding and record keeping of crypto, for example, would be relevant to the audit.”

3) ASSESSING RISKS AND UNDERSTANDING CONTROLS

If a service organization relationship exists, the auditor must identify and assess risks relevant to the audit and design and perform procedures to respond to those risks. If available, this may be done by obtaining and reviewing a Systems and Organization Controls (SOC) report, which is addressed in the CPA Canada report. 

Ideally, shares Giardina, when an organization is using a service organization, a service auditor (representing the service organization) provides a SOC report on the internal controls of the service organization that are relevant to the user entities’ financial reporting (known as a SOC 1 report). The SOC 1 report is accordingly relevant to the user entities’ auditors.

“Given that a service organization typically performs similar services for multiple user entities, a SOC engagement is a more efficient and effective way of having the service organization’s controls assessed. If a SOC report is not available, the user auditor still needs to get the evidence they need by, for example, contacting the service organization directly, which may not be efficient, practical or even doable,” he says. 

However, Pippo notes, in the current crypto-asset environment, SOC reports are limited in terms of availability and scope. Such reports may not yet exist for many trading platforms or custodians and, even if they do, the auditor still needs to determine whether the SOC report addresses the risks relevant to the audit, she adds. 

“If a SOC report is not available for these crypto custodians and platforms or, if a SOC report is available but does not address all the controls relevant to the audit, this could result in a scope limitation if the auditor can’t get the evidence they need from user entity controls or directly from the service organization,” she says.   

This will shift when more service organizations better document their controls and processes, leading to more detailed SOC reports that auditors can properly scrutinize, explains Jeremy Justin, chief risk officer and vice-president, strategy with CPAB. 

“The process will become easier when you start seeing a much larger number of companies that can provide those assurances to the auditors,” he says. 

4) FILLING AUDITOR SKILL GAPS 

Auditors interested in entering the crypto-asset sphere need the adequate skillset and experience, agree experts.   

In a CPAB report, Auditing in the Crypto-Asset Sector: Inspections Insights, key auditor deficiencies in crypto-asset environments highlighted include audit risks not fully assessed, unreliable information used and insufficient evidence obtained to accurately report on aspects including crypto-asset ownership, activities, etc. 

“Auditors must recognize that these are very challenging audits to deal with, within an evolving regulatory environment,” says Giardina. “Auditors need to critically assess whether they have the knowledge to take on these types of audits and access to appropriate experts and the technological tools needed to perform them.”

This, Justin adds, requires access to education and training opportunities that not only work to fill any skills gap, but also provide the relevant support and expertise unique to the crypto-asset field.

“We’re seeing a lot of auditors supplementing their teams with the right level of expertise and experts,” he says. “It’s really about education, understanding the key risks and challenges, how the blockchain works and how these complicated relationships operate.”

STAY INFORMED ON CRYPTO-ASSETS AND AUDIT

Learn more about how third-party service providers influence a crypto-asset audit with CPA Canada’s Viewpoints: Applying Canadian Auditing Standards in the Crypto-Asset Sector, report. Find out how more about auditing crypto-assets with these additional CPA Canada reports, Auditing crypto-assets: Are tests of controls needed regarding the ownership assertion? and Auditing crypto-assets: Relevance and reliability of information from a blockchain.