As the adoption of distributed ledger technology increases,1 crypto assets are more frequently showing up on enterprise balance sheets.2 Some auditors may find this surprising and may not yet understand the implications of the technology.3
ISACA defines distributed ledger technology as a distributed, protected journaling and ledger system.4 This technology can be used for anything from crypto assets (e.g., Bitcoin) to other value-bearing objects (e.g., financial instruments). The technology enables persistent, cryptographically-proof ledgers to record transactions.
Auditing crypto assets requires special technical skills including understanding blockchain transaction logic and data analysis.
Auditors may come across business transactions involving crypto assets acquired by an enterprise when auditing, triggering the auditor to examine whether these assets have been properly recorded and disclosed. Therefore, auditors must learn practical approaches and procedures for auditing crypto assets to manage the audit risk associated with such assets effectively.
Financial Audits
Financial audits are meant to improve the trust level among stakeholders, including shareholders, suppliers, clients, and the government. This is accomplished by the auditor expressing an opinion on whether the financial statements, such as the balance sheet, income statement, and cash flow statement, were prepared in compliance with applicable financial reporting frameworks in all material respects. This conclusion should be based on an audit carried out in conformity with the International Standards on Auditing and pertinent ethical standards as published by the International Auditing and Assurance Standards Board (IAASB).5 The IAASB develops auditing and assurance standards and guidance for all certified public accountants (financial auditors) based on a shared standard-setting process.
Assertion-based audit procedures are a key element of these auditing standards. Assertions are explicit or implicit statements and estimates made by the legal representatives of the entity being audited about the recognition, measurement, presentation, and disclosure of information provided to confirm it complies with applicable accounting standards. Assertions may relate to various types of transactions, account balances, or financial statement information (financial statement items, comments in the notes, management report, or other reporting instruments).
As part of identifying, evaluating, and responding to the risk of material misstatements, auditors use assertions to assess the various types of potential misstatements that may occur.
Auditing Crypto Assets
Audit risk related to acquired crypto assets may exist at each assertion domain concerning account balances and related disclosures. These assertions include existence, rights and obligations, completeness, accuracy, valuation and allocation, classification, and presentation.
Auditing crypto assets requires special technical skills including understanding blockchain transaction logic and data analysis. This is due to the persistence and transparency of the distributed ledger technology, which is the technical foundation for crypto assets.
Consider the example of financial auditors obtaining bank confirmation to verify relevant contractual relationships between an audited entity and a bank. To audit bank deposits and financial instruments, auditors can compare the use of blockchain explorers with the request for bank confirmations as a means of confirmation made by third parties.
Assertion 1: Existence
When a client acquires crypto assets, the assertion claims that the recorded crypto assets exist. This means that if an enterprise’s balance sheet lists these assets, it is the auditor’s responsibility to verify that the assets recorded in the balance sheet exist.
The existence of acquired crypto assets can be verified using blockchain explorers because the blockchain continuously records transactions between network participants that take place on its network. These are free web-based tools for querying account balances on the blockchain. A blockchain is a transparent database that can be accessed using search queries. Blockchain explorers are connected to the underlying ledger database through an interface usually accessible in a user-friendly manner on the web. This process is much quicker than the equivalent process for obtaining conventional bank confirmations.
To make use of blockchain explorers, the auditor needs to gather information concerning the public keys of the client’s wallets and use them as a search key on the blockchain explorer. Inquiries, listings prepared by the entity being audited and formal confirmations made by third parties will provide the required information.
First, the auditor should access the blockchain explorer and enter the client’s wallet address’ public key into the search field of an explorer. Figure 1 shows an example of the client’s wallet view on the blockchain explorer.
Next, a wallet statement can be generated by clicking the button. The user must then select the relevant reporting date (e.g., the financial statement closing date of 31 December 2022) as shown in figure 2.
To serve as a basis for audit procedure proofs and documentation, the queried data can be exported as a PDF file after clicking the button to generate the statement in figure 2. The data relevant to the financial statement is then retrieved from the blockchain and documented in the exported PDF file.
Figure 3 shows the ending balance (amount of bitcoin) held as of 31 December 2022: 0.16418798 BTC.
The wallet statement can be used to assess the holdings’ market value and analyze transactions.
The quoted closing amount can be converted to a national local currency (e.g., the Great British Pound [GBP]) using a service that tracks currency prices (figure 4).
In addition, all transactions affiliated with the searched wallet address are shown. These can be further analyzed and evaluated in the generated PDF for the set search period. If no transactions occurred in the time period, the statement will reflect that (figure 5).
Assertion 2: Rights and Obligations
This assertion claims that the beneficial owner holds or controls the rights to the acquired crypto assets. Assets must be recorded on the balance sheet of the beneficial owner.
Therefore, the auditor must verify to whom the crypto assets belong. The beneficial owner is the owner of the private key and is, by cryptography, the only one who can account for the underlying asset.
Transactions of crypto assets are based on asymmetric cryptography consisting of a public and private key. Unlike the public key, which represents the identity as a pseudonym (similar to a bank account number), the private key serves as proof of authorization for the pseudonym (comparable to a PIN as a password).
The rights and obligations assertion concerning acquired crypto assets can also be efficiently verified using a blockchain explorer.
Crypto assets can be managed on a storage medium called a wallet. The wallet behaves like a custodian bank account where the custodian provides safekeeping and asset servicing for clients. However, in contrast to classic portfolio management, crypto asset investors can use a wallet to dispose of their assets themselves, without the need for intermediaries, if they wish to do so. These wallets are available in different configurations, such as a software or hardware solution, and the communication between wallet and blockchain takes place through the key pair.
For financial auditing purposes, the power of disposal over a wallet must be proven to the auditor because only the beneficial owner of the private key must comply with accounting rules regarding the underlying asset. The auditor, on the other hand, must verify who has the actual power of disposal over the crypto assets. For example, a scenario to be distinguished is a custody-trustee relationship.
To determine the power of disposal, evidence can be obtained by a technical process using a cryptographic message signed by the wallet. The auditor may also inspect the client’s wallet disposal.
Due to manipulation risk, the auditor should analyze the wallet transaction log and clarify suspicious transactions, in particular the ones carried out around the financial cut-off date. This may occur when the enterprise’s financial situation is over- or understated, affecting the enterprise’s value.
Assertion 3: Completeness
This assertion claims that all acquired crypto assets that should have been recorded were recorded and all related disclosures that should have been included in the financial statements were included. In other words, it is the auditor’s responsibility to verify that all disclosures are included in the balance sheet.
The completeness assertion concerning acquired crypto assets can also be efficiently verified using a blockchain explorer.
The auditor must collect all relevant (contractual) relationships between the client and crypto exchanges and custodians because such relationships are indicators for business transactions. Applicable accounting standards such as US Generally Accepted Accounting Principles (GAAP) and International Financial Reporting Standards (IFRS) may require records of these transactions to be kept for a certain amount of time (it varies based on national regulations and authorities). To gather the information in question, the auditor needs to inquire about all affiliated public keys and check the acquired crypto assets on a blockchain explorer, as noted in assertion 1. Performing transactional data analysis helps auditors verify whether the disclosed crypto assets are plausible and exclude the possibility of missing transactions as business events that must be recorded.
Assertion 4: Accuracy, Valuation and Allocation
This assertion claims that acquired crypto assets have been included in the financial statements at the appropriate amounts, any resulting valuation or allocation adjustments have been appropriately recorded, and related disclosures have been appropriately measured and described. In other words, auditors are responsible for verifying that the recorded assets are disclosed with their proper values on the balance sheet.
By using a blockchain explorer, the auditor can search for the client’s public keys to obtain evidence regarding all relevant valuation parameters depending on applicable accounting rules.
Consider the example in assertion 1: The market value of the holdings as of the reporting date in GBP is obtained by multiplying the holdings by the price as of the reporting date. In this example, on 31 December 2022, the client’s wallet had 0.16418798 BTC, as shown in figure 3. If the balance sheet is recorded in GBP, this amount needs to be converted by multiplying it with the closing price of 13,677.88 GBP/BTC, as shown in figure 3, which then determines the market value as of 31 December 2022.
Assertion 5: Classification and Presentation
The last assertion claims that acquired crypto assets have been recorded in the proper accounts. The balance sheet contains different asset classes; therefore, the auditor must verify that each asset is disclosed under the correct classification on the balance sheet.
By providing retrievable transaction records in a real-time manner, distributed ledger technology enables the possibility of continuously auditing transactional data.
As determined by national accounting rules, acquired crypto assets are regularly classified as assets. In Germany, for example, different balance sheet items can be applicable depending on the nature of the crypto asset. Therefore, the auditor must have sufficient knowledge about the fundamentals of crypto assets.
Conclusion
By providing retrievable transaction records in a real-time manner, distributed ledger technology enables the possibility of continuously auditing transactional data.
To audit bank deposits and financial instruments, auditors can compare using a blockchain explorer with obtaining bank confirmations in the traditional way. Key takeaways from the comparison include:
- The assertions concerning existence, rights and obligations, completeness, and valuation aspects of acquired crypto assets can be efficiently verified using a blockchain explorer.
- Blockchain datasets are tamper-free as they derive from the implemented code logic. Typically, these datasets are publicly retrievable and continually archived.
- Bank holdings and crypto assets both have limitations due to their susceptibility to deception. To inflate its balance sheet by capital lending initiatives, the client could borrow crypto assets just before the cut-off date to feign the number of crypto assets to be audited. From an audit perspective, this can be countered through the use of data analytics techniques and a blockchain explorer to analyze transactions.
Blockchains are transparent and often open-accessible ledgers that enable auditors to retrieve independent information, providing audit evidence. With the necessary knowledge and appropriate tools, it is possible to effectively audit crypto assets.
Endnotes
1 Chainalysis, “The 2023 Global Crypto Adoption Index: Central and Southern Asia Are Leading the Way in Grassroots Crypto Adoption,” 12 September 2023, http://www.chainalysis.com/blog/2023-global-crypto-adoption-index/
2 Barber, J.; et al.; “FASB Adopts Changes to Accounting and Disclosure Standards for Digital Assets,” Lexology, 26 September 2023, http://www.lexology.com/library/detail.aspx?g=adc59b81-eb83-4b6c-9efc-f8ad8b0ef2ec
3 American Institute of Certified Public Accountants, “Blockchain Technology and Its Potential Impact on the Audit and Assurance Profession,” http://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/blockchain-impact-on-auditing
4 ISACA®, “Glossary,” http://a9ir.tdwang.net/resources/glossary
5 International Auditing and Assurance Standards Board (IAASB), http://www.iaasb.org/standards-pronouncements
KILIAN TRAUTMANN | CISA, CCAK, CCSK
Works as an IT senior audit expert in the financial industry. His articles address issues at the intersection of IT, compliance, and auditing and have been published in various internationally renowned journals. He is engaged in the digital trust working group affiliated with the ISACA® Germany chapter.