Cryptoassets and auditing

While cryptoassets are growing in popularity, there is a lack of specific guidance on dealing with the issues around them, including over-reliance on blockchains, ownership of cryptowallets and even criminal dealing. Auditors will need to ensure best practice, says David Lyford-Tilley.

At a recent meeting of ICAEW’s Technical and Practical Auditing Committee, I hosted a discussion on some of the auditing issues surrounding cryptoassets that firms are now facing. 

The discussion came on the back of an increasing focus on these issues as the asset class has gained in popularity, with more firms following Elon Musk’s Tesla in dipping their toes into the field – albeit with most looking just to take payments, rather than trading more seriously. However, audit procedures in the field are still relatively immature.

Key concerns identified include auditors’ over-reliance on blockchains, exchanges and other online data sources in the sphere to provide information, rather than verifying that information themselves. This is particularly true for pricing data – while there is a bevy of online sources, there is a dearth of transparency about these sources’ controls. There are also concerns that insufficient use is being made of specialist experts in the field, instead relying on auditors’ judgement alone.

There are also auditing issues over exclusive ownership – while checking the contents of a cryptowallet is usually straightforward, there is little to prevent the cryptographic keys to that wallet being shared among several users. While this doesn’t appear to be common in practice, it’s hard or impossible to rule out, perhaps requiring steps as major as moving the entire balance into a newly created account. 

Checking controls around the private keys will be a crucial step, as these effectively are the same as the control of the funds, with no regulator or bank from which to seek recourse should an employee decide to abscond with them.

As in many crypto areas, there is also concern that auditors may inadvertently be adding legitimacy to balances that are the product of criminal dealing or which are being used for money laundering. These reputational issues around cryptoassets have their basis in legitimate concerns, and auditors should approach these balances with caution.

While crypto is growing in popularity, it is still relatively small and rare compared with many of today’s top auditing concerns, and any specific guidance from the Financial Reporting Council is unlikely to be forthcoming. So it will be necessary for auditors to make and maintain their own best practice in the field. Crypto is a rapidly evolving space, and so auditors will need to stay on top of developments and continue to consider the issues for their clients. It’s critical to keep the aims of audit in mind and to properly assess how to test to minimise the risk of undetected material misstatement. 

Crypto 101

Cryptocurrencies started with the original, Bitcoin, in 2009. However, since that first invention, many other competitors have entered the space.

Cryptocurrencies and other cryptoassets typically use a blockchain system to track ownership, which removes the need for any central authority. These systems often, but not always, mean that transactions are open – visible to anyone – but pseudonymous – not identifiable with a real-world actor. 

This makes tracing transactions simple, but proving ownership more challenging.

Economic models vary, but most use calculation-intensive proof-of-stake algorithms to verify transactions and reward those that do the calculations – the so-called miners – with newly minted coins. Most cryptoassets are subject to swinging valuations.

As well as companies that accept cryptoassets as a form of payment, auditors may also need to consider more cryptocentric companies, such as online exchanges, or miners.

About the author

David Lyford-Tilley, Technical Manager, Tech and the Profession, Tech Faculty, ICAEW