The rapid rise of crypto assets has presented both opportunities and challenges for auditors, with regulators, practitioners, and businesses grappling to establish clear guidelines and procedures.1 Even though there is no shortage of news regarding companies involved in crypto assets, in this article, we highlight regulatory scrutiny as it relates to the auditing of crypto assets, and take a deeper dive into a current hot topic, which is especially challenging for auditors given the unusual nature and complexities of the transactions: the auditing of ownership of crypto assets.

Challenges Facing Auditors

Regulatory Scrutiny

The Public Company Oversight Board (PCAOB) has in recent years been examining the audit files of public companies that transact or hold crypto assets. In its June 2023 publication "Inspection Observations Related to Public Company Audits Involving Crypto Assets" (https://pcaobus.org/documents/crypto-assets-spotlight.pdf), the regulator has identified numerous areas with audit deficiencies related to crypto assets, which included the following:

  • Crypto ownership
  • Fraud and significant unusual transactions (SUTs)
  • Relevance and reliability of information used as audit evidence
  • Revenue recognition in crypto asset transfer
  • Arrangements with mining pool operators

In light of PCAOB historical findings, the increased use of crypto assets by companies, limited regulation, the collapse of crypto exchanges, and unique risks that such assets present to companies, it is not a surprise the PCAOB made clear in June 2023 that the review of digital asset audits will be one of its 2023 inspection priorities.2

The regulator created a "target team" dedicated to reviewing audits of companies' activities associated with digital assets and commented that such reviews would not only focus on inspecting individual audit files, but also assess the audit firms' system of quality control as it relates to digital assets; for example, the regulator noted that target teams will review audit firms' "policies and procedures, including training, consultations, and the development of audit tools and techniques specific to digital assets."3

The PCAOB is not the only regulator focused on crypto assets. The Securities and Exchange Commission (SEC) also announced that one of its 2023 priorities will be the examination of registrants focusing on the offer, sale, recommendation of, or advice regarding trading in crypto assets, including assessing registrants' compliance, disclosure, and risk management practices.4

These regulatory priorities regarding crypto assets are noteworthy because as the PCAOB and SEC increase their inspections and examinations, respectively, there could be an uptick in related enforcement actions, as many enforcement actions commence after significant inspection or examination findings.

Improved Accounting Guidance, but Limited Auditing Guidance

The accounting guidance for crypto assets has evolved recently. In March 2023, the SEC issued Staff Accounting Bulletin (SAB) No. 121, which provides that reporting entities that have an obligation to safeguard crypto assets should record a liability and corresponding asset on their balance sheets at the fair value. This guidance was a welcome improvement from the prior non-authoritative guidance in the American Institute of Certified Public Accountants (AICPA) "Accounting for and Auditing of Digital Assets," which for years has been the best available guidance to practitioners and auditors as they grappled with how to account for crypto assets.

In addition, in September 2023, the Financial Accounting Standards Board (FASB) voted to set a new rule in place on the Accounting for and Disclosure of Crypto Assets that will require entities to account for bitcoin and certain other crypto assets at fair value, which will replace prior guidance of accounting for such assets as indefinite-lived intangibles subject to a periodic assessment for impairment.5,6

Audit Considerations When Auditing Ownership of Crypto Assets

Regulator's Perspectives

The auditing of ownership of crypto assets can be complex and often requires specialized knowledge, and despite the improvements in the accounting guidance for crypto assets, the auditing guidance for these assets is limited. However, the PCAOB, through its periodic Spotlight publications, did provide valuable insights with respect to the auditing of crypto assets.

In its June 2023 Spotlight publication, the regulator observed the following audit deficiencies related to the auditing of crypto assets:

  1. Auditors did not appropriately assess the risk of material misstatement related to the rights and obligations assertion related to crypto assets as they did not obtain sufficient understanding of the related controls over crypto assets.
  2. Auditors did not perform procedures to establish that the company had control over the crypto assets to support the rights and obligations assertion.

What is especially insightful is what the regulator states about what auditors should consider when auditing the ownership of crypto assets. Namely, it suggests that the performance of substantive procedures alone may not be sufficient to audit ownership and that auditors need to identify and test relevant controls. Specifically, per the PCAOB –

"...tests of controls must be performed for each relevant assertion for which substantive procedures alone cannot provide sufficient and appropriate audit evidence. For example, performing substantive procedures to verify that a public company has access to the private keys associated with the public addresses that contain a public company's crypto assets may not provide sufficient evidence that the public company has sole ownership rights over the crypto assets, as access does not necessarily imply ownership. In this instance, testing the design and operating effectiveness of the public company's internal controls over the generation and maintenance of the keys, including segregation of duties related to the key management process may be necessary to obtain sufficient appropriate audit evidence of the public company's ownership of crypto assets." 7

This is an important insight into how the regulator expects auditors to verify the ownership of crypto assets; that auditors may have to identify and test relevant controls to audit this area effectively.

Importance of Internal Controls

Given the importance of the design of internal controls over the ownership of crypto assets, auditors need to perform robust risk assessment procedures including understanding the design of controls in place over control of crypto assets. These procedures are required on all audits, under both PCAOB and AICPA standards; however, they are especially important when evaluating controls over crypto ownership in light of PCAOB's position.

However, the custody of crypto assets and establishing ownership and related controls can be particularly challenging, especially when multiple parties have access to digital wallets, and when it is not clear whether others, in addition to the company, could gain access to the company's wallets containing crypto assets. Such complexities make the evaluation of controls over ownership of crypto assets more challenging than traditional financial assets. The establishment of carefully designed safeguards and controls, at the outset when access and wallets are established, is critical.

Auditors can consider the following when evaluating the design of the company's controls over ownership of crypto assets:

  • How are crypto assets custodied at the company (exchange account, third party custodian, non-custodial wallet/self-custody)?
  • Does the company use a third party to custody crypto assets for the company? What are the terms and conditions for those relationships? Does the custodian have a completed System and Organization Controls (SOC) report that the auditor can obtain and evaluate?
  • What are the procedures to access and execute crypto asset transactions?
  • What controls are in place to safeguard the wallets/accounts that hold crypto assets?
  • How does the company know and monitor who is able to access the wallets/accounts?
  • How do the controls address the risk that others may have improperly obtained private keys to gain access to wallets?
  • How can the company change the design of wallet access controls if the current design is inadequate in addressing the relevant risks?
  • What if the company's controls over custody/ownership are inadequate – is it still possible to perform substantive audit procedures to address the relevant risks?

As auditors consider these questions (among others) during their assessment of a client's design of controls over ownership of crypto assets, they should evaluate whether any insufficient design of controls or lack of controls, represents potential control deficiencies and whether they could rise to a level of significant deficiencies or material weaknesses.

Auditors can also consider these questions as they (1) perform root cause analyses for any audit deficiencies that may have been identified by the PCAOB or others in this area and (2) develop tailored remedial actions to help prevent similar future deficiencies.

Audit firms should assess whether they have sufficient expertise and capabilities to serve crypto clients with due professional care and might determine whether it is appropriate to obtain assistance from outside advisors.8 Similarly, before accepting crypto clients, auditors should ask whether the company is "audit ready," including assessing whether management has the appropriate experience and capabilities to design and implement effective internal controls. Some companies might find they need assistance from outside service providers to enhance their capabilities when designing processes and controls over crypto assets.

Recap

To adequately audit the ownership of crypto assets, auditors might be required to identify and sufficiently test the company's controls, and the performance of substantive procedures alone may not be sufficient. Appropriate testing of controls requires unique expertise given the unusual nature and complexities of the transactions.

How Ankura Can Help

The Ankura Audit Advisory group has expertise in helping audit firms of all sizes improve audit quality, enhance their system of quality control (or quality management), and navigate through the PCAOB inspection process and SEC and PCAOB enforcement actions. Ankura's Audit Advisory group, in collaboration with Ankura's digital asset experts, teamed up to help auditors improve audit quality on audits involving crypto assets. Learn more here.

Footnotes

1. For purposes of this article, and consistent with Staff Accounting Bulletin 121, the term "crypto asset" refers to a digital asset that is issued and/or transferred using distributed ledger or blockchain technology using cryptographic techniques.

2. In PCAOB SPOTLIGHT "Inspection Observations Related to Public Company Audits Involving Crypto Assets", p. 4, the PCAOB stated "We will continue to focus on identifying public companies that have material crypto asset holdings and/or significant activity related to crypto assets, placing emphasis on relevant focus areas and assertions related to the existence, occurrence, valuation, rights and obligations, and presentation and disclosure of crypto assets."

3. PCAOB SPOTLIGHT "Staff Priorities for 2023 Inspections", p. 8

4. SEC Press Release, "SEC Division of Examination Announced 2023 Priorities".

5. The rule is set to go into effect for 2025 annual reports for calendar-year public and private companies, which can adopt the changes early. The FASB expects to formally issue the standard by year-end.

6. Please refer to Ankura insight article "Current State of Affairs: Financial Reporting and Regulation of Crypto Assets" at https://angle.ankura.com/post/102iekm/current-state-of-affairs-financial-reporting-and-regulation-of-crypto-assets for more information on the crypto accounting guidance developments.

7. PCAOB SPOTLIGHT "Inspection Observations Related to Public Company Audits Involving Crypto Assets", p. 6.

8. Please refer to Ankura insight article Common PCAOB Inspection Findings and Actions Firms Can Take to Improve Audit Quality and Reduce the Risk of Regulatory Enforcement Actions, Paul Naberezny (ankura.com)for additional information regarding the importance of appropriate technical competence and industry experience as part of a firm's acceptance and continuance process.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.