The rapid penetration of Decentralized Finance (DeFi) in the world economy has catalyzed the emergence of FinTech companies across diverse segments such as (A) cryptocurrency mining, (B) digital asset custody, and (C) payment processing. In addition, new services like staking validation, crypto derivatives trading, and stablecoin issuance are gaining significant traction. Consequently, investor interest in these areas is increasing, heightening the necessity for independent auditors to rigorously examine and audit the financial statements of entities operating within this dynamic and expanding ecosystem.
Audits of crypto companies involve unique challenges, including testing complex technology and compliance with regulatory frameworks. This article provides a structured approach to the audit of crypto companies, focusing on key areas like IT general controls (ITGC), IT application controls (ITAC), revenue, and compliance.
CRYPTO COMPANY TYPES
Most cryptocurrency companies can be grouped into three broad categories: blockchain validators, cryptocurrency custodians, and payment processors.
01 Crypto Validators
A cryptocurrency validator is a company that participates in the validation and verification of transactions on a blockchain network. Validators are integral to the security and integrity of decentralized blockchains. In Proof of Work (Mining) they contribute raw computational power, and in Proof of Stake (Staking) they stake their cryptocurrency in restrictive wallets; in both cases the consensus mechanism is used to confirm new blocks on the blockchain ledger. In return for validating blocks and transactions, the company receives a portion of the newly minted cryptocurrency and the transaction fees.
02 Crypto Custodian
A cryptocurrency custodian company ("Custodian") is a company that provides secure storage solutions that allow holders of digital assets to safely hold enormous amounts of cryptocurrency. These companies tend to offer additional services such as staking or the ability to trade cryptocurrencies with other users.
The Custodian can function as an exchange where users can trade cryptocurrencies directly with one another or through an order book system. The exchange itself acts as an intermediary, matching buy and sell orders. These companies earn fees on each transaction performed by the users on their exchange.
03 Crypto Payment Processing
As the use of cryptocurrency for payments grows, crypto payment processors play a vital role in enabling other businesses (i.e., merchants) to accept and manage digital transactions. These companies offer services that enable businesses to accept cryptocurrency payments, either by integrating crypto payment gateways or providing tools for easy conversion of crypto to and from fiat.
Audit Challenges
Given the distinct types of cryptocurrency companies, there are many different and varied audit challenges that may occur. Below is a useful summary for stakeholders of crypto companies to evaluate the adequacy of the auditor involved in the audit of these crypto companies.
Audit Team Competence
For every engagement, the challenge starts with acceptance and continuance. The major challenge is whether the firm has the capabilities and the competence to audit cryptocurrency clients. Cryptocurrency may be equivalent to fiat at the highest level, but the underlying technology and transactions make it quite complex to understand and audit. Several factors need to be considered when determining whether to accept a new audit client and/or continue with an existing one for the upcoming cryptocurrency-related assurance engagement:
- Does the engagement team have the training and experience to perform an audit of a cryptocurrency client from the above specific segments? Each segment of the crypto sector requires different skills and focus areas.
- Does the client's management have the appropriate experience and competence to allow for a proper audit? How can you get high-level comfort prior to accepting the engagement?
- Does the audit team have IT specialists who can lead the tech side of the audit and communicate with the client's IT team on scoping and testing strategies?
- Does the audit team have a legal expert (in-house or external) who can assist in understanding the compliance and regulatory requirements?
INFORMATION TECHNOLOGY GENERAL CONTROLS - ITGC
A key challenge in auditing crypto clients is the technological environment of the entity. This is critical for the audit as cryptocurrency is entirely reliant on technology, coupled with the large volume of transactions and/or a large dependence on other service providers. Accordingly, the precise ITGC scoping of the list of software used in key crypto processes is critical.
The audit should include risk assessment, evaluation/testing of controls on significant risks (such as digital revenue and cryptocurrency assets), and controls over manual entries (from the IT system to the financial statements). It is a rebuttable presumption that substantive audit testing alone will not be an adequate audit procedure for a large volume of transactions.
As the list of software that is in the scope of testing could be unreasonably large, auditors should consider relying on SOC reports (SOC 1 or SOC 2) of those software providers and focusing only on the adequacy of Complementary User Entity Controls (CUECs).
Private Keys
The electronic, intangible nature of cryptocurrency makes it more vulnerable to theft or loss, particularly because private keys can be lost or stolen. The audit should focus on how private keys are handled and secured; assess access and authorization with third-party digital wallets and exchange platforms where private keys are held by another entity; assess the transaction approval process for crypto asset transfers; and compare the transactions recorded on the blockchain with the custodian's systems to check for any discrepancies.
Securities
There are challenges regarding the classification of cryptocurrency as securities, stemming from the evolving regulatory landscape, uncertainty in legal classifications, the inherent complexities of crypto assets, and the lack of clear guidance on how cryptocurrencies should be classified for financial reporting purposes.
Blockchains
To view the cryptocurrency blockchain, auditors will typically use tools called blockchain explorers to review the information recorded on blockchain ledgers. Auditors should perform procedures, such as a background check on these explorers, to ensure they are designed and operate effectively to extract relevant and accurate information from the blockchain.
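The reconciliation described under Private Keys, combined with the explorer reliability check above, can be expressed as a small exception report. This is an added example, not part of the original article; the transaction IDs, wallet names, amounts and the two explorer extracts are constructed sample data, and the finding labels are hypothetical.

```python
from decimal import Decimal

D = Decimal  # exact decimal arithmetic; floats would create false mismatches

# Constructed sample data: txid -> (wallet, amount). Not real transactions.
CUSTODIAN_LEDGER = {
    "tx-a1": ("wallet-1", D("1.50000000")),
    "tx-b2": ("wallet-1", D("0.25000000")),
    "tx-c3": ("wallet-2", D("3.00000000")),
    "tx-e5": ("wallet-2", D("0.10000000")),  # booked, never on-chain
}
EXPLORER_A = {
    "tx-a1": ("wallet-1", D("1.50000000")),
    "tx-b2": ("wallet-1", D("0.20000000")),  # differs from the ledger
    "tx-c3": ("wallet-2", D("3.00000000")),
    "tx-d4": ("wallet-2", D("7.00000000")),  # on-chain, not booked
}
EXPLORER_B = {
    "tx-a1": ("wallet-1", D("1.50000000")),
    "tx-b2": ("wallet-1", D("0.20000000")),
    "tx-c3": ("wallet-2", D("3.10000000")),  # the two explorers disagree
    "tx-d4": ("wallet-2", D("7.00000000")),
}


def reconcile(ledger, explorer_a, explorer_b):
    """Return (txid, finding) exceptions, sorted by txid."""
    findings = []
    for txid in sorted(set(ledger) | set(explorer_a) | set(explorer_b)):
        booked = ledger.get(txid)
        a, b = explorer_a.get(txid), explorer_b.get(txid)
        if a != b:
            # The chain evidence itself is unreliable for this item, so
            # resolve the explorer difference before testing the ledger.
            findings.append((txid, "explorer_disagreement"))
        elif a is None:
            findings.append((txid, "ledger_entry_not_on_chain"))
        elif booked is None:
            findings.append((txid, "on_chain_not_in_ledger"))
        elif booked != a:
            findings.append((txid, "ledger_mismatch"))
    return findings


if __name__ == "__main__":
    for txid, finding in reconcile(CUSTODIAN_LEDGER, EXPLORER_A, EXPLORER_B):
        print(f"{txid}: {finding}")
```

Only items on which both explorer extracts agree are used as evidence against the custodian's ledger; disagreements are reported separately so that an unreliable explorer does not produce a false ledger exception.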
Mining
Cryptocurrency mining on Proof of Work currencies, such as Bitcoin, involves the substantial use of computational power to validate transactions and secure the blockchain networks. The recognition of mining rewards (often issued in cryptocurrencies) will need to be assessed through inventory, intangible assets, and revenue recognition criteria. Most miners join Mining Pools, which further complicates the work required from the auditor to obtain reliance on the allocations received by the participating entity from the Pool.
Staking
In contrast to Proof of Work currencies, Proof of Stake cryptocurrencies, such as Ethereum, involve locking up a certain amount of cryptocurrency to support the operations of a blockchain network in exchange for staking rewards. Auditors should verify the cryptocurrency within the staked wallets and verify the staking rewards received. Auditors should also check for penalties or slashing events that might result in a loss of staked assets to ensure they are properly documented and accounted for.
Processing payments
As in the payment processor industry, auditors need to review how the client records revenue, especially for transaction fees or fiat-crypto conversions, and confirm compliance with the treatment under IFRS 15. Due to the enormous number of transactions, auditors will need to analyze controls over batching and settlement processes and, with respect to fraud detection, monitor transactions for irregular patterns or unauthorized activities. As cryptocurrency prices are volatile, auditors will need to assess the adequacy of real-time conversion mechanisms to minimize exposure risk. Subject to full control reliance on the system, the auditor might consider using Big Data analytical tools to enhance their audit procedures. Finding the needle in a haystack is almost impossible with old-school substantive audit testing.
Agent vs Principal
Critical judgment is required in determining whether the company is the principal or the agent in its revenue transactions, especially between the client's customers. There should be an evaluation of whether revenue is presented on a gross or net basis. For example, does the company control the cryptocurrency before it is transferred to the customer (gross), or does it act as an agent by arranging transactions between users of the exchange or from a supplier (net)? Mining and staking might involve third-party providers (e.g., staking-as-a-service). Auditors should review agreements to determine who controls the asset, including who holds the risk of penalties or slashing.
Impairment of Mining Equipment
As per IAS 36, at the end of each reporting period, an entity is required to assess whether there is any indication that an asset may be impaired.
Cryptocurrency mining equipment is particularly prone to impairment, as the equipment's performance deteriorates faster due to increasing computational power requirements over time, fluctuating energy prices, highly volatile cryptocurrency prices, and technological obsolescence.
Compliance
Regulatory variability and compliance requirements further complicate audits, especially if the entity is operating in multiple jurisdictions. As cryptocurrency is a developing industry, and given the recent scandals in the news, regulators and governments around the world are continually implementing new laws and regulations to crack down on potentially fraudulent or criminal activities.
Auditors should obtain an understanding of the jurisdictions the client operates in and the regulatory requirements to operate in those countries, such as licensing, "Anti-money laundering" and "Know your customer." These will necessitate the involvement of compliance legal experts to properly address and audit the compliance risk.
Conclusion
Competent auditors and quality procedures are required to perform an effective audit of cryptocurrency companies. They will need to stay on top of the complex technological environment within these companies, the challenges in auditing the financial reporting, and the changing regulations surrounding the cryptocurrency industry.
Originally published November 2024