What to consider when auditing cryptocurrencies: ICEAW
Nov 27, 2024
ICAEW’s Digital Assets Working Party has produced a publication for auditors that highlights the common risks to be considered in the audit of cryptocurrencies.
Crypto is a Greek word meaning ‘hidden’ or ‘secret’, Alexis Nicolaou, Partner and Head of Blockchain at Grant Thornton Cyprus, explains: “However, blockchain can provide much better visibility into crypto activities.”
Nicolaou is a member of the ICAEW Digital Assets Working Party’s (DAWP) Audit and Assurance workstream that worked on Considerations for auditing cryptocurrency, which offers auditors some critical questions and considerations when auditing cryptocurrencies, including common risks. It specifically covers entities that:
hold (either directly, or indirectly through a custodian), and/or trade cryptocurrencies;
provide cryptocurrency exchange services; or
are exposed to cryptocurrencies indirectly – for example, by holding cryptocurrency related exchange-traded funds (ETFs).
The cross-faculty DAWP was created in early 2023 to respond to developments in the digital assets space, including the fall of FTX. The working party’s audit and assurance workstream developed the publication in September 2024 to share knowledge and experiences. “We wanted to share common practices and challenges in the audit of cryptocurrencies, to both educate and prompt further conversations on the topic,” says Esther Mallowah, Head of Tech Policy at ICAEW.
With American accounting bodies getting ahead of the curve when it comes to auditing cryptocurrencies, the time was right for ICAEW to develop the publication for its members, says Nicolaou. He suggests that auditors need to consider whether to engage with clients in the crypto space.
Crypto capable
“What are the factors that you need to take account of when assessing the firm’s own capabilities for onboarding such a client? That is the starting point. Do you have enough knowledge in-house to actually be able to offer such a service?”
Auditing cryptocurrencies does require a change of mindset, says Matt Hayes, Risk Assurance Senior Manager at PwC Hong Kong and another contributor to the guidance. “If you look at financial institutions and how we’ve audited those in the past, there’s generally been a reliable source of third-party evidence. There are many people within the transaction chain that you can source your audit evidence on, particularly around their existence and ownership. Whereas when it comes to auditing a crypto balance, a lot of that then falls away through the technology.”
Auditors need more of an agile mindset, he explains. Auditors really need to understand how the technology operates and how it differs from standard financial products, he says. “It’s incumbent on us as auditors to be able to find solutions to technological advancements.”
Some elements of the audit around a cryptocurrency are not much different from your typical audit, Hayes says. It is a sector that is moving towards institutionalisation, with new regulatory regimes being developed. “All the major financial hubs are looking to implement some sort of regulation in this area, which helps auditors get comfortable that there may be mitigations to the risk of fraud, unlike in the past.”
A different mindset
Until that regulatory framework is in place, audit firms should be vigilant when considering whether to engage with a cryptocurrency client, says Nicolaou. “Assess the integrity and overall business strategy of the client.”
It will be different to the sort of things that auditors are used to, he says. It can potentially remove tools and practices that auditors rely on when it comes to auditing a particular balance. “It is very different and if you don’t have that understanding, you will struggle to effectively audit a crypto balance.”
For example, auditors need to understand the custody model for the cryptocurrency they are auditing. The client might be using a third-party custodian that looks after the assets on their behalf. In which case, the auditor can rely on reporting from that custodian. They might also be self-custodians, or using a hybrid model, with a technology platform that acts as custodian that the client looks after.
“Those are the three big custody models that we see at the moment. But it’s also a very fast-moving area,” says Hayes.
Some things stay the same
Nicolaou adds that it’s not a million miles away from auditing financial services companies. Questions around how they generate income, how they secure the product, their systems, communication and interactions with clients are the same, he says. “Translate all that into the crypto world, the digital assets world, and it’s exactly the same. You’ve got the security system that you need to assess. You’ve got the dealings with the clients that you need to review.”
Auditors need to assess how the company makes its income and how it is operating, says Nicolaou. “There are more complicated products coming on to the market continuously, so understanding the product and the process through which that product is being put on the market, from a security perspective, a product perspective, etc, it’s very important for the auditor to have that know-how, and ensure that the management has a good knowledge of how they actually go about doing their business.”
Expert advice
The publication is designed to share knowledge about cryptocurrency audit, though Nicolaou says that he is not expecting smaller audit firms to have in-house knowledge of auditing cryptocurrencies. “We expect they will need to call in some experts to deal with these audits, as they would with any other company with a product they have less experience with.”
Auditors shouldn’t be scared of developing the expertise to take on board clients with a crypto balance, says Hayes. “I think we probably do everyone a bit of a disservice if we don’t take the time to understand it.”
[Author: ICAEW Insights]