Written by: Christopher A. Harney
In the past decade, the field of crypto has surged in advancements and popularity—leaving regulators scrambling to keep up with its rapid expansion. Cryptoassets (and transactions involving cryptoassets) are beginning to appear on issuer financial statements, creating a new scenario for auditors to encounter. As a result, auditors need to identify and assess the risks of material misstatement to these financial statements, and also begin to design and perform appropriate audit procedures that are responsive to these specific risks.
The Public Company Accounting Oversight Board (PCAOB) has recognized the lack of clarity and direction provided in this sector, and recently released specific guidance detailing proper procedures for auditors to follow during an audit involving cryptoassets. Although the PCAOB exclusively oversees the audits of publicly traded companies, given the lack of other guidance in this area, you can be sure all auditors will be considering this guidance carefully on all audits involving crypto. So as a digital asset owner, what can you expect from these audits, and how can you prepare to allow for a smooth, simple audit?
If you’re a company that holds any material amount of digital assets and are looking to engage your first audit firm, these are the PCAOB guidance points that you need to know.
Information for Auditors: Responsibilities Under PCAOB
Under the new guidance, the PCAOB recommends that audit firms:
1. Undertake only engagements that the firm can reasonably expect to be completed with professional competence. Quality performance of these engagements’ requires certain specialized skill, knowledge, and competence relating to cryptoassets.
For owners and issuers of digital assets, the experience of your prospective auditor in this field should be a major consideration. There are some critical things you need to look for in an auditor to determine which firm could bring the expertise needed to reliably and accurately analyze your specific crypto needs. In order to choose correctly, ask the firm:
- What’s the level of experience the engagement team has with cryptoassets?
- Who would be your main point of contact at the firm in relation to crypto-related questions?
Once you’ve verified the knowledge of the firm and chosen a course, you can begin to inquire about the types of requests or information that will be needed to support the audit.
2. Appropriately consider the risks associated with providing professional services in the particular circumstances. For example, due to the anonymous nature of cryptoassets, it may be more difficult to recognize when an asset or transaction involves fraud, related parties, or illegal actions.
To prepare, you should understand how your prospective auditor views your company from a risk perspective. Inquire about how the firm views risk in the crypto industry with questions such as:
- Are there specific areas of this industry in which the firm is unable to accept clients?
- What type of client acceptance process should you expect to go through?
- Do they have other clients like you?
3. Determine whether specialized skill or knowledge is needed for the audit, because the engagement team may require it in various crypto-related areas (i.e. cryptography, distributed ledger technology, valuation, regulations, or crypto-related transactions).
From the partner to the staff person, you need to understand who’s going to be working on your engagement and ensure you’re comfortable with the expertise they’ll bring to the table. Ask for professional profiles of the auditors you’ll be working directly with, and ask pointed questions to determine their knowledge base specifically related to crypto.
4. Obtain an understanding of the issuer and its environment (focusing on the issuer’s involvement and transactions involving cryptoassets to effectively identify and assess risk). Determine the types of potential misstatements, as well as the magnitude of each as a result of these types of crypto-related transactions.
As someone who’s an expert in your specific crypto field, you’re probably going to be a step or two ahead of your auditor in terms of technological know-how. Because of this, you should be prepared to do a deep dive into the nuances of your digital assets, their associated risks, and their objectives with your auditor so they can design appropriate audit procedures.
5. Obtain an understanding of the issuer’s objectives, strategies, and related business risks that might reasonably be expected to result in risks of material misstatement. The risk of error and non-compliance could be higher if the issuer’s personnel are not familiar with digital assets.
Also be prepared to educate your auditor on the specifics of your crypto objectives, their accounting implications, the level of crypto expertise in your company, and your level of knowledge surrounding the regulatory guidelines established for cryptoassets. Your auditors may want to know:
- Which individuals generally deal in crypto-related transactions within your company
- The level of experience those individuals have with cryptoassets
- How long your company has been involved with crypto assets and in what capacities
6. Obtain a sufficient understanding of the issuer’s internal control over financial reporting (including its information systems relevant to financial reporting) to identify the types of potential misstatement, asses the factors that affect the risks of material misstatement, and design audit procedures accordingly.
There are new internal processes and controls in crypto companies that are extremely difficult to maneuver. Determining ownership of an asset isn’t as simple as it is in the securities and commodities realm. The documentation around ownership and authentication in the crypto environment is vastly different, and there isn’t a stable infrastructure built around crypto to easily decipher these risks. The same issues lie in transactions with securities and commodities, but with crypto, the challenges are hard to resolve and much more ambiguous.
Your auditors are going to have a lot of questions about this, and you’re going to have to get them comfortable with these issues. Ask your auditor how they’ve dealt with these issues in the past to garner a better look at if they’re the right choice for your company.
Be prepared to answer:
- What’s the process surrounding the authorization, initiation, processing, and recording of cryptoasset transactions (including who’s involved, programs utilized, vendors utilized, etc.)?
- What are the processes surrounding the verification of digital asset data and the mitigation of illegal activities?
7. In identifying fraud risks, the discussion amongst the key engagement team members should include focus on the potential for material misstatement due to fraud, as well as management override of controls. This could result in misuse of holdings of cryptoassets and related party transactions.
During an audit involving digital assets, auditors will have significant fraud concerns. There’s built-in anonymity around crypto, so auditors will most likely be wary of your businesses’ compliance with regulations such as anti-money laundering (AML) or know your customer (KYC). There will also be heightened concern about, and focus on, possible related party transactions generally. Your business should be ready to allay those concerns by providing accounts of procedures implemented to remain compliant.
The new PCAOB guidance serves as a preliminary roadmap for auditors to follow in their efforts to navigate the uncharted territory of crypto. By understanding the upcoming processes that your auditors will conduct, you’ll be able to proactively prepare to guarantee a smoother audit.