The collapse of FTX and the subsequent arrest of its founder and former Chief Executive Sam Bankman-Fried has generated plenty of headlines in recent weeks. But the fallout from FTX is likely to have longer-term consequences. It has cast a light over the financial crime risk within the crypto sector, and the challenges of providing audit and assurance of crypto firms.

Cryptocurrency business models pose a unique set of challenges for audit and assurance, predominantly stemming from the nature of crypto assets themselves, which can be hard to verify. Proving ownership can also be tricky; custody arrangements can differ greatly and the complexity of cryptographic keys raise questions around who actually controls an asset. 

The price of certain crypto assets, particularly cryptocurrencies, can also be extremely volatile. Ownership may provide the holder with some benefit – eg as a medium of exchange in some transactions – but generally there is no intrinsic value to the assets, nor are they backed by more conventional financial assets or a fiat currency. The price is driven by speculation and anticipation akin to tulip bulbs in 17th century Amsterdam. This makes auditing the assets’ value very difficult.

Views on how to account for crypto are also diverging internationally. The Financial Accounting Standards Board (FASB) recently announced a move towards fair value accounting, where in the recent past IAS 2: Inventories and IAS 38: Intangibles have been the predominant standards applied. It means that auditors must rely on the interpretations of their firms or advisory decisions by international accounting policy setters.

Without a coherent regulatory and legal framework to deal with the specific features and characteristics of the crypto assets, there is an expectation gap in respect of how these firms are run and what is expected of them. For example, how customer assets and funds are ring-fenced or protected by crypto-exchange. The absence of capital and liquidity requirements coupled with poor risk management also heighten risks in respect of firm resilience. 

There can be limited visibility into the structure and ownership of crypto businesses. A number of firms have large global footprints and complex operating structures. This raises audit risks around governance and decision-making; ownership, control and location of assets; and an increased susceptibility to fraud. The risks are heightened if parts of the business are sited in jurisdictions that lack strong legal and regulatory frameworks. Indeed, the crypto firm may well be in such jurisdictions to avoid any scrutiny of – or control over – its activities. 

Part of the issue with crypto firms is the lack of sufficient internal controls.

“Firms often suffer from very immature internal control environments, which create issues for auditors when they are trying to ascertain to what extent key risks to the preparation of financial information have been identified and appropriately managed,” says Reuben Wales, ICAEW’s Head of Financial Services. “Systems and controls that govern how expenditure, investment and extension of credit are approved are a further concern. It increases risks when it comes to misappropriation of assets, fraud or decisions that lead to significant risks to the firm’s assumptions around going concern.”

There may be limited visibility to the internal workings of the businesses and auditors may not have access to the information/documentation required to complete audits, which makes it more likely that audit firms – particularly larger ones – won’t accept the work. This might mean that smaller audit firms, who may not have the resources to audit complex technology and IT systems, end up taking the work.

Customer safeguarding

ICAEW wants to see a coherent framework for recognition, valuation and disclosure in respect of crypto assets, Wales explains. In the past auditors have been able to overcome complexities in other asset classes within financial services but this has only been through policy and standard setters working closely together to determine the most appropriate treatment.

Further steps also need to be taken in the regulatory space to ensure that we have rules that safeguard customer assets and funds and that firms are clear on the systems and controls that are needed to do so.

“As these firms are closer to parts of the market with increased volatility and are more likely to be subject to run-type dynamics, we would also welcome a robust prudential framework that ensures capital and liquidity and commensurate risk management is at a level where these firms are able to exit markets without widespread disruption,” Wales says.

Wales believes that auditors need to assess how effective their existing internal audit methodologies are in the context of crypto assets, specifically around the audit evidence that determines custody, ownership, control and existence. They should also invest in training to ensure they understand crypto assets, both existing and emerging. Crypto firms themselves must also implement good governance and control environments in line with their size and complexity.

“Through the combination of these actions, the inherent risks to audit posed by crypto firms are lowered,” says Wales. “The ability and willingness of auditors to engage with these firms and provide evidenced-based opinions is greatly increased.”