With the rapid rise and adoption of digital assets and cryptocurrencies, the accounting and auditing landscape faces new challenges. Digital assets, which include cryptocurrencies such as bitcoin, ethereum and other blockchain-based tokens, present unique considerations for auditors due to their novel nature and the complexities involved in their transactions.
In terms of financial reporting requirements, cryptocurrencies do not meet the definition of cash or a financial asset under IFRS Standards, so digital assets should be accounted for as intangible assets under IAS 38, Intangible Assets. If the digital assets are held for sale, they could be classified as inventory under IAS 2, Inventories.
Public blockchain transactions are transparent and can be traced using explorers
When it comes to auditing, several risks relating to digital assets and cryptocurrencies need to be assessed, including client acceptance and continuance; related-party transactions; the use of a service organisations; and risks affecting multiple assertions, most notably those concerning existence, valuation and ownership (ie rights).
Risk of existence
Auditors must verify the authenticity and completeness of digital assets holdings to establish whether those reported on the balance sheet actually exist. Given the virtual nature of these assets, this can pose unique challenges.
In terms of blockchain verification, public blockchain transactions are transparent and can be traced using blockchain explorers. Auditors can verify transactions and balances against the blockchain ledger, but will need to consider the relevance and reliability of information obtained from a blockchain explorer.
When it comes to verifying cold storage or hardware or software wallets, physical inspection and access verification will be required. Multi-signature wallets add further complexity, as they require multiple keys for transaction authorisation.
Auditors must determine that the valuation methods used are appropriate and reflect fair value
In addition, many companies offer various types of custodial solutions, which present unique audit considerations. Some solutions will include digital assets in commingled accounts, while others will provide segregated solutions.
Valuation risk
Digital assets are highly volatile, with their market values subject to significant fluctuation. Auditors must determine that the valuation methods used are appropriate and reflect fair value.
For example, auditors will need to check multiple cryptocurrency exchanges to determine the fair value at the reporting date; the chosen exchange rate should reflect an active and orderly market. They should also implement procedures to evaluate the client’s choice of principal market, especially when a client uses a ‘pricing aggregator’ for valuation; such entities do not provide a price at which transactions may be made because they are not a market or exchange.
Determining ownership can be complex due to the anonymity of blockchain transactions
For digital assets classified as intangible assets and carried at cost less impairment, impairment testing is critical. Unless carried at fair value, auditors must evaluate whether declines in market value are temporary or indicative of a permanent impairment.
Risk of ownership
Determining ownership of digital assets can be complex due to the anonymity and pseudonymity features of blockchain transactions. Auditors need to establish whether the entity claiming ownership has legal rights to the digital assets, as well as considering the timing of procedures to provide appropriate audit evidence.
For example, auditors should review legal documents and agreements to verify ownership claims. This includes agreements with custodians and counterparties.
They also need to verify if the ownership of digital assets is tied to control over private keys, ensuring that the entity has exclusive control over keys associated with the reported digital assets, or whether a receivable with a third party exists instead. Obtaining independent confirmations from third parties, such as custodians or service providers, can help verify ownership and control over digital assets.
Entities should have strong custody arrangements, including secure storage solutions
Internal controls
Effective internal controls and robust governance frameworks are vital to managing risks associated with digital assets. Auditors should evaluate the entity’s internal control environment. This includes custody and safekeeping.
Entities should have strong custody arrangements, including secure storage solutions and access controls for private keys. If the custodian has a SOC 1 or ISAE 3402 Type II engagement performed, the auditor should request a copy and assess the controls at the service organisation as part of documenting, design and implementation of controls of the entity (including the user-entity controls documented in the service organisation report).
In addition, procedures for authorising and recording digital asset transactions must be clearly defined and consistently applied.
Cybersecurity
Cybersecurity is a critical concern when auditing digital assets. The risk of hacking, fraud and cyberattacks means auditors need to assess the entity’s cybersecurity measures, including network security (measures to protect against unauthorised access, malware and phishing attacks); incident response (protocols for detecting and responding to security breaches); and the security measures employed by third-party service providers, such as exchanges and custodians.
Auditing digital assets and cryptocurrencies requires a comprehensive understanding of the unique risks and challenges. Auditors must remain vigilant in verifying existence, ensuring accurate valuation and confirming ownership. As the landscape of the digital asset ecosystem continues to evolve, so too must the methodologies and approaches employed by auditors.
