Audit Considerations For Digital Assets

Dhru Patel
Oregon Blockchain Group
Apr 23, 2024

The proliferation of digital assets in the financial world has created new opportunities in the emerging marketplace. Due to their relatively new form, digital assets represent a new paradigm in risk management. In this paper, I explore the risk considerations for digital assets as balance sheet items. Risks associated with digital assets could lead to systematic and financial impacts on consumers and the overall economy; this effect is tenfold when dealing with digital assets in an operational capacity. To dilute some of these complexities, this paper will focus on the risk considerations of digital assets as a capital reserve and will assess holding digital assets to strengthen balance sheet positions. Therefore, this paper will not focus on high-volume transactions of digital assets within an organization.

Risk Considerations

Digital assets refer to a digital store of value or medium of exchange stored on the blockchain and verified cryptographically. The Federal Reserve Board in Washington published a discussion of the financial stability implications of digital assets in 2022 [5]. The board concludes that the digital asset ecosystem is prone to the buildup of financial vulnerabilities, and that novel risks associated with these new technologies exacerbate those vulnerabilities. These vulnerabilities are cause for caution, as professional standards state “the objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error” [4].

For the purpose of holding digital assets on the balance sheet, the reporting entity would not have to worry about transaction volume monitoring or the intricacies of DeFi. The entity will only be buying and holding the assets, so it is most concerned with key management, custody of the assets, and the measurement of fair value. The CFTC has outlined 14 digital asset risks to keep in mind when assessing the risk of digital assets; the most important for our purposes are Commingled customer assets, Lost or stolen private keys, New and Novel/High volatility, and Run Risk. Deloitte has also published a digital asset risk assessment framework outlining 10 key risk areas to consider [2]. Combining both of these sources, our areas of risk, with their focus on digital asset holdings, are the following:

  1. Commingled customer assets; (Deloitte) Anti-money laundering, Conflict of interest, Account reconciliation
  2. New and Novel/High volatility; (Deloitte) Quality of market surveillance, Complexities with forked or airdrop, Compliance with applicable laws
  3. Run Risk; (Deloitte) Solvency, Market manipulation, Fraud
  4. Lost or stolen private key; (Deloitte) Security breach

Looking further, the AICPA published a report on accounting and auditing for digital assets in which it outlines some key areas for understanding the entity’s process of controls. Of these, the most important for balance sheet items are digital asset safeguarding, digital asset valuation, and digital assets held by third parties [3, 56]. To both simplify and generalize the areas of assessment, the most important considerations for balance sheet items seem to be key management, custody of assets, and asset valuation.

Key Management

Many digital asset blockchains, including the largest blockchains such as Bitcoin and Ethereum, rely on public and private keys to access digital assets [3]. Possession of the private key, or the “seed” inputs, is required to access the digital assets held and to transfer digital assets from one address to another. Thus, maintaining the security of private keys is essential to mitigate the risk of misappropriation or loss of funds [3]. Misuse of these keys, or a lack of security around them, can leave companies vulnerable to phishing, hacking, or social media attacks, which are common ways private keys are stolen [1]. Therefore, access at each stage of the key-generation process should be monitored to verify that each person’s duties are compatible with their responsibilities. To do so, there are some internal strategies that can be used for proper key generation, use, storage, backup, and protection.

Physical security: Although digital assets are virtual in nature and do not exist in a physical sense, private keys may be generated and stored on a physical device [4, pg 57]. Controls over the entity’s ability to hold, copy, or transmit private keys should be considered in maintaining physical security.

Encryption or “Sharding” private keys: For additional security, an entity may separate its private keys into multiple components, which is known as sharding [4, pg 58]. These “shards” can be distributed to various physical or virtual locations and maintained under the control of different individuals for better internal controls.

Multi-signature addresses: Some entities may also rely on multi-signature wallets or addresses to require a consensus of multiple parties to initiate transactions. Multi-sig wallets are similar to sharding, except that instead of needing to collect one private key, a malicious actor would need to gain access to multiple private keys in order to transfer or move funds.

For a large entity, the management of keys & custody may be a cumbersome and complex task to keep track of. For those reasons, third parties can be used for key management and custody or storage of digital assets.

Commingled Funds/Third-Party Risk

The CFTC outlines risks of anti-money laundering with commingled funds. Some third-party custodians may hold the assets of many entities and put the assets into one fund. Being able to distinguish which assets belong to which customer at a custodian is important for making sure the platform doesn’t use balance sheet items for its own operations and potentially lose the funds. The state of New York has outlined ‘guidance on custodial structures for customer protection in the event of insolvency’. According to this report, “Customer virtual currency should be maintained in either (i) separate on-chain wallets and internal ledger accounts for each customer under that customer’s name or (ii) one or more omnibus on-chain wallets and internal ledger accounts that contain only virtual currency of customers held under the virtual currency entities custodian’s name as agent or trustee for the benefit of those customers” [6, section i]. The AICPA report echoes much of the same information, adding that audit procedures to test digital asset ownership by obtaining signed messages may require interaction with the custodian. The report also outlines questions and considerations for an auditor to take up with custodians under ‘Recognition of digital assets when an entity uses a third-party hosted wallet service’ [4, pg 9]. Knowing which assets the entity holds or controls is also important for one of the most complicated aspects of digital assets: valuation.

Valuations

Valuations are probably the trickiest and still most heavily debated aspect of digital assets. According to the Federal Reserve on the stability of these assets, ‘High correlation among crypto-assets and low explanatory power of valuation measures suggest a large role for risk appetite in driving the prices of these assets’ [5, valuation pressures]. Furthermore, in an interview with Ryan Leopold, capital markets assurance leader at PwC, Mr. Leopold reflects that the regulatory standards do not yet capture all crypto offerings. Current valuation methods presented by the FASB & U.S. Accounting Standard Board are exploring fair value accounting for crypto assets. Under the International Financial Reporting Standards (IFRS), however, issuers can measure intangible assets at cost and assess for impairment, which is recorded in P&L. If the issuer wants to remeasure the asset at any increase, it must go through other comprehensive income (OCI) and not P&L [3].

To see how these controls work in real companies, I reviewed disclosures from one of the most prominent holders of digital assets on its balance sheet: MicroStrategy.

Real Example — MicroStrategy

MicroStrategy has two key disclosures that outline the internal controls we are looking for: “Custody of our Bitcoin” & “Risks Related to Our Bitcoin Acquisition Strategy and Holdings” [7]. According to the custody disclosure, “private keys that control our bitcoin will be held offline or “cold” storage” [7]. The disclosure also mentions that the company uses a third-party custodian to hold its funds; however, the company has a due diligence process in which it evaluates whether the service can monitor the safekeeping of its bitcoin. The disclosure further mentions that its custodians are regulated by the New York Department of Financial Services, and states that they follow the Guidance on Custodial Structures for Customer Protection in the Event of Insolvency mentioned earlier [7]. Under the acquisition disclosure, the company mentions that it uses the FASB standard, records its digital assets (Bitcoin) at fair value, and does regular impairment assessments on the asset. The company also mentions that it has a valuation allowance of around $500 million, which is attributed to a deferred tax asset on its bitcoin, something it does not plan to recognize.

MicroStrategy still outlines in its ‘Forward-Looking Information And Risk Factor Summary’ that changes in regulation can still affect its recorded holdings, and that it is still at risk of potential security breaches from third parties [7, pg 3]. However, this paper has highlighted some of the current regulations out there, the conversations happening within the field, and real-world examples of them being used. Digital assets are a relatively new asset class that is constantly evolving and offers new, nuanced risks. It is important for accountants to have at least a basic understanding of the controls and regulations in place in order to know how to deal with these assets as the industry and their use mature. Hopefully, this paper has at least provided a starting point for some of the key risk areas accountants should consider and how to properly assess a company’s internal controls over digital assets so that they may make a more informed decision in the future.

Sources:

[1] 14 Digital Asset Risks to Remember

www.cftc.gov/sites/default/files/2022-09/DigitalAssetRisks.pdf

[2] Digital Asset Risk Assessment: A New Paradigm in Risk Management

https://www2.deloitte.com/content/dam/Deloitte/us/Documents/Advisory/us-digital-assets-risk-assessment-whitepaper.pdf

[3] Audit considerations for digital assets can be extremely complex

https://www.cpacanada.ca/news/accounting/the-profession/auditing-digital-assets

[4] Accounting for and auditing of digital assets

https://assets.ctfassets.net/rb9cdnjh59cm/6JH8bZPckXFc3TD7Mifb6e/3ee2c4fa4a40e30edd84399e63825926/92317096-2206-465060-urgent-digital-assets-practice-aid-final.pdf

[5] The Financial Stability Implications of Digital Assets

https://www.federalreserve.gov/econres/feds/files/2022058pap.pdf

[6] Guidance on Custodial Structures for Customer Protection in the Event of Insolvency

https://www.dfs.ny.gov/industry_guidance/industry_letters/il20230123_guidance_custodial_structures

[7] Form 10-K, MicroStrategy

https://assets.contentstack.io/v3/assets/bltb564490bc5201f31/bltec4aceab0f81f620/65396518478249f11cd021d2/form-10-K_02-16-2023.pdf
