Critical Audit Matters in Crypto

What are the biggest challenges to verify in the digital asset industry? What are the biggest risks of fraud or material financial misstatements?

Jordan Brewer
Oregon Blockchain Group
10 min read · Jun 7, 2024


What are Digital Assets?

Digital assets are fungible and non-fungible tokens that live on blockchains. They differ from other data on the internet because cryptography and a consensus mechanism make each token's ownership and history verifiable by anyone. Because every unit can be identified, and fungible units are interchangeable with one another, tokens can be treated as assets with markets where they are traded, as well as sent and received between entities or individuals. These digital assets, commonly called cryptocurrencies or NFTs, are controlled through "wallets" that hold a private key. The public key, and the on-chain address derived from it, is computed from the private key; the private key cannot be recovered from the public key. Transactions are authorized by signing them with the private key, so it is critical both to store private keys safely and never to sign a transaction one has not inspected. A failure on either count lets whoever obtains the key, or a signature on a fraudulent transaction, take everything the wallet controls. The three largest digital assets by market capitalization are Bitcoin, Ether and BNB, with market capitalizations of about $1.2 trillion, $357 billion and $91 billion respectively at the time of writing. They are also the native currencies of three prominent networks: Bitcoin, Ethereum and BNB Smart Chain (formerly Binance Smart Chain).

Companies

In considering the audit implications of the digital asset industry, I will discuss the critical audit matters (CAMs) of three different companies that operate in the space. MicroStrategy ($MSTR) is a provider of enterprise analytics and mobility software. The company's main product is the MicroStrategy platform, which allows organizations to analyze data and distribute business insight through reports and interactive dashboards. Additionally, MicroStrategy offers cloud-based services and solutions in areas such as hyperintelligence, mobile productivity, and security for a wide range of industries including finance, healthcare, retail, and government. MicroStrategy has also invested heavily in Bitcoin: its holdings were carried at $3.63 billion, 76% of the company's $4.73 billion in total assets.

Coinbase ($COIN) is a leading cryptocurrency exchange platform that enables users to buy, sell, transfer, and store digital assets securely. Founded in 2012, Coinbase is known for its user-friendly interface, which caters to both novice and experienced cryptocurrency enthusiasts and traders. The company also provides a suite of financial services including institutional-grade custody services and various educational resources to help users understand cryptocurrency markets and technologies.

Marathon Digital ($MARA) is a digital asset technology company that specializes in mining cryptocurrencies. The company operates various mining facilities in the United States and is one of the largest Bitcoin mining companies in North America. Marathon Digital emphasizes sustainable practices by seeking to utilize renewable energy sources and aims to improve the decentralization, security, and transaction verification speed of Bitcoin.

MicroStrategy CAMs

A CAM that stood out in MicroStrategy's 2023 10-K related to digital assets was "Evaluation of audit evidence pertaining to the existence and control of the digital assets", which identified existence and control of the digital assets as a CAM in relation to notes 2g and 4. This was difficult for KPMG to audit because the digital assets are controlled through private keys that are held by third parties in multiple locations. To address this critical audit matter, KPMG evaluated the effectiveness of internal controls, including the control that compares the company's records of digital asset holdings and transactions with the custodian's records. Additionally, KPMG had specialists visit custodian locations to inspect private key generation and storage, and compared the custodial service ledger to the public blockchain. In doing so, KPMG tested existence and control by reconciling three ledgers in two steps: MicroStrategy's records to the custodian's, and the custodian's to the blockchain.
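The two-step, three-ledger reconciliation described above, as an added example that is not KPMG's procedure or MicroStrategy's data: the company's books, the custodian's statement and the unspent outputs pulled from a full node are compared address by address, and each exception is bucketed by the assertion it threatens (existence when something is booked but absent on chain, completeness when something is held or on chain but not booked). Every address, amount and output below is constructed sample data; in practice the chain side comes from the auditor's own node or analytics tool, not from the client.

```python
"""Three-way reconciliation of digital-asset holdings at a balance-sheet date.
Added illustration with constructed data (not MicroStrategy's records);
amounts are in satoshis."""
from collections import defaultdict

# Company's books: custodial addresses it records as controlling, with balances
COMPANY_LEDGER = {
    "bc1qcompany000001": 150_000_000_000,  # 1,500 BTC
    "bc1qcompany000002": 75_000_000_000,
    "bc1qcompany000003": 10_000_000_000,   # booked, but spent on chain before year end
}

# Custodian's statement for the same date, obtained directly from the custodian
CUSTODIAN_STATEMENT = {
    "bc1qcompany000001": 150_000_000_000,
    "bc1qcompany000002": 75_000_000_000,
    "bc1qother00000099": 5_000_000_000,    # custodian attributes this to the company; books are silent
}

# Outputs as pulled from the auditor's own node at the year-end block:
# (txid, vout, address, amount, spent_by_year_end)
CHAIN_OUTPUTS = [
    ("aa01", 0, "bc1qcompany000001", 100_000_000_000, False),
    ("aa02", 1, "bc1qcompany000001", 50_000_000_000, False),
    ("bb01", 0, "bc1qcompany000002", 75_000_000_000, False),
    ("cc01", 0, "bc1qcompany000003", 10_000_000_000, True),
    ("dd01", 0, "bc1qother00000099", 5_000_000_000, False),
]


def chain_balances(outputs):
    """Sum the unspent outputs per address as of the cutoff block."""
    balances = defaultdict(int)
    for _txid, _vout, address, amount, spent in outputs:
        if not spent:
            balances[address] += amount
    return dict(balances)


def reconcile(company, custodian, chain):
    """Compare the three ledgers address by address and bucket exceptions by
    the audit assertion they put at risk. Returns the exceptions plus the
    total that agrees across all three sources."""
    exceptions = {"existence": [], "completeness": [], "mismatch": []}
    agreed_total = 0
    for address in sorted(set(company) | set(custodian) | set(chain)):
        booked = company.get(address, 0)
        held = custodian.get(address, 0)
        onchain = chain.get(address, 0)
        if booked and not onchain:
            exceptions["existence"].append(address)      # on the books, nothing on chain
        elif not booked and (held or onchain):
            exceptions["completeness"].append(address)   # held or on chain, never booked
        elif booked == held == onchain:
            agreed_total += booked
        else:
            exceptions["mismatch"].append((address, booked, held, onchain))
    return exceptions, agreed_total


if __name__ == "__main__":
    found, total = reconcile(COMPANY_LEDGER, CUSTODIAN_STATEMENT, chain_balances(CHAIN_OUTPUTS))
    print(f"agreed across all three sources: {total / 1e8:.8f} BTC")
    for assertion, items in found.items():
        print(assertion, items)
```

Run against the sample data, the booked address whose output was spent before year end is an existence exception, the address the custodian reports but the company never booked is a completeness exception, and only the 2,250 BTC that all three sources agree on is treated as supported. The "spent" flag matters: a balance must be measured at the cutoff block, not at whatever height the node happens to be at when the auditor queries it.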

This CAM, and the way it was addressed, is not a surprise. In a Journal of Accountancy podcast, Kyle Sewell, an auditor at BDO and a member of the AICPA's Digital Assets Working Group, discusses different digital asset auditing implications (Amato). One of his focuses was third-party service organizations involved with digital assets, which may require a SOC 1 or SOC 2 report. A PwC article likewise lists this as a key consideration, mentioning the importance of SOC 2 Type 1 reports (Kajirian). A SOC 1 report covers a service organization's controls relevant to its customers' financial reporting, while a SOC 2 report covers controls against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy); a Type 1 report evaluates the design of those controls at a point in time, whereas a Type 2 report also tests their operating effectiveness over a period (Koch). Sewell drew attention to the implications for custodians of digital assets, which may commingle funds and be responsible for private key storage; the result is that the auditor must gather sufficient information regarding the service organization's internal controls over financial reporting (ICFR). To assist auditors with this process, Sewell points to the recently authored Chapter 4 of the Digital Asset Practice Aid, which focuses on key challenges surrounding system and organization control reports and on whether a SOC report is sufficient for the needs of the audit. The PwC article raises the same point: auditors must consider the controls of a third-party service provider (Kajirian). While this is neither an exhaustive list nor authoritative, it does give some assistance to auditors in the field.

Coinbase CAMs

A CAM for Coinbase in its 2023 10-K related to digital assets is "Customer Crypto Assets, Crypto Assets Held, and USDC — Crypto Assets in Cold Storage — Refer to Notes 2, 9, and 10 to the financial statements". The matter starts by pointing out that private keys to crypto wallets must be safeguarded, and explains that Coinbase holds both its own corporate crypto and customer crypto in cold storage wallets, drawing attention to the importance of keeping Coinbase's and customers' private keys safe. Deloitte identifies cold-storage assets as a CAM because of the difficulty of obtaining evidence about the risk of material misstatement related to the rights and obligations over those assets. Deloitte then provides an extensive list of ways the CAM was addressed, including the following:

- Consulted experts

- Tested controls on physical access, key generation, and segregation of duties

- Tested reconciliation controls of internal books and blockchains

- Tested segregation of corporate crypto and customer crypto

- Tested controls on customer deposits and withdrawals

- Obtained evidence to evaluate balances for segregation between corporate and customer funds

- Used proprietary audit tool to get blockchain evidence on existence of balances

- Obtained evidence that management controls private keys through decoding cryptographic messages or through observing movement of selected assets

Of the three critical audit matters across the three companies, Deloitte's response to the Coinbase CAM was the most extensive. The point that stood out to me was the last one: obtaining evidence that management controls the private keys. This is possible because blockchains use asymmetric (public-key) cryptography. The holder of a private key signs a message chosen by the auditor, and anyone can verify that signature against the wallet's public key, or the address derived from it, without ever seeing the private key; the auditor does not use the private key, and the "decoding" in the CAM is this verification step. Bitcoin and Ethereum both use ECDSA over the secp256k1 curve for account signatures (Bitcoin has additionally supported Schnorr signatures on the same curve since Taproot); hashing is used to derive addresses and to commit to the message being signed, not to prove control. Signature schemes designed for aggregation, such as the BLS signatures used by Ethereum's proof-of-stake validators, serve consensus rather than account control and are not what this audit test relies on.
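The proof-of-control test described above, as an added example that is not Deloitte's tool or Coinbase's code: the auditor issues a fresh challenge, the key holder signs it, and the auditor verifies the signature under the public key the custodian reports for the wallet that holds the balance. The curve arithmetic is secp256k1 ECDSA written out in pure Python so that nothing has to be installed; the wallet record and challenge text are constructed, and the nonce derivation is a simplified, RFC 6979-style scheme rather than the full RFC.

```python
"""Proof-of-control by challenge signature, as an auditor verifies it.
Added illustration (pure-Python secp256k1 ECDSA, no third-party libraries).
Wallet record and challenge are constructed; nonce derivation is a simplified
RFC 6979-style scheme, not the full RFC. Not constant-time: illustration only."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters, shared by Bitcoin and Ethereum account keys
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def on_curve(point):
    """Reject public keys that are not on secp256k1 (invalid-curve inputs)."""
    x, y = point
    return (y * y - (x * x * x + 7)) % P == 0


def pubkey(priv):
    return _mul(priv, G)


def _hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg):
    """ECDSA signature (r, s). Done by whoever holds the key, here the custodian;
    the auditor never sees priv."""
    z = _hash(msg)
    counter = 0
    while True:
        mac = hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big") + bytes([counter]), hashlib.sha256)
        k = int.from_bytes(mac.digest(), "big") % N
        if k:
            r = _mul(k, G)[0] % N
            s = pow(k, -1, N) * (z + r * priv) % N
            if r and s:
                return (r, s)
        counter += 1  # degenerate k, r or s: re-derive (practically never happens)


def verify(pub, msg, sig):
    """ECDSA verification: needs only the public key, the message and (r, s)."""
    r, s = sig
    if not on_curve(pub) or not (0 < r < N and 0 < s < N):
        return False
    z = _hash(msg)
    w = pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def make_challenge(period_end, nonce):
    """Auditor-chosen text; the fresh nonce stops replay of an earlier proof."""
    return f"proof-of-control {period_end} nonce={nonce.hex()}".encode()


def proof_of_control(wallet_record, challenge, sig):
    """Auditor's check: the signature over *this* challenge must verify under the
    public key the custodian reports for the wallet holding the balance."""
    return verify(wallet_record["pubkey"], challenge, sig)


def run_demo():
    priv = secrets.randbelow(N - 1) + 1                           # custodian-side secret (hypothetical)
    record = {"wallet": "cold-wallet-01", "pubkey": pubkey(priv)}  # from the custodian's statement
    challenge = make_challenge("2023-12-31", secrets.token_bytes(16))
    sig = sign(priv, challenge)
    fresh_ok = proof_of_control(record, challenge, sig)
    # Presenting last year's signature against this year's challenge must fail
    replay_ok = proof_of_control(record, make_challenge("2024-12-31", secrets.token_bytes(16)), sig)
    return fresh_ok, replay_ok
```

Two caveats a practitioner should carry into the field. First, the challenge must be chosen by the auditor and contain something fresh, otherwise a signature captured in a prior year (or produced by a key that has since been compromised or rotated) proves nothing about control at the balance-sheet date. Second, ECDSA signatures are malleable: for any valid (r, s), (r, N - s) also verifies, which is why Bitcoin requires the low-s form; the signature bytes therefore should not be used as a unique identifier of the proof. The alternative procedure named in the CAM, observing the movement of a selected asset, is equivalent evidence but costs a real on-chain transaction.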

Marathon Digital CAMs

The first thing that stood out about Marathon was the opinion on internal controls. Marcum expressed "an adverse opinion on the effectiveness of the Company's internal control over financial reporting because of the existence of material weaknesses". However, the audit firm listed only one critical audit matter: revenue recognition. Marathon's revenue comes from providing Bitcoin transaction verification services to transaction requestors and to the Bitcoin network, through a mining pool. Marathon also performs hash calculations for third-party pool operators as one participant among a collective of third-party Bitcoin miners. My interpretation is that Marathon executes transactions through mining, provides verification of transactions when requested, and participates in larger mining pools. The CAM concerned the audit effort required to perform procedures over the completeness and occurrence of recognized revenue. Revenue recognition in Bitcoin mining is challenging because which miner finds each block (roughly every 10 minutes) is probabilistic, and a pool then splits the reward among its participants according to the hashrate each contributed. It can therefore be hard to determine whether Marathon is entitled to a given reward. The auditor must determine which miner received the reward, whether Marathon controls the associated receipt, and whether any of it is owed to a third party, such as the mining pool or its other participants.

To address the CAM, Marcum performed site visits to observe physical controls and mining equipment inventory. Marcum also traced financial performance data to the blockchain to test the occurrence and accuracy of mining revenue, and performed analytical procedures over the completeness and accuracy of revenue recognized. The audit firm independently confirmed with third-party pool operators the contractual terms used to determine mining revenue, the mining rewards earned, and the wallet addresses used for rewards, again to test occurrence and accuracy. Lastly, Marcum confirmed the year-end digital asset balance with the custodians of the company's wallets. This last point could be related to the adverse opinion on internal controls. As discussed for MicroStrategy, SOC 1 or SOC 2 reports may be needed to evaluate internal controls, and the inability to obtain adequate SOC 1 or SOC 2 reports from third-party service providers such as custodians can affect the audit of the company's internal controls.
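Tracing booked mining revenue to the chain, as an added example that is not Marcum's procedure or Marathon's records: each ledger entry is matched to a pool payout transaction on chain, checked against the payout addresses the pool operator confirmed for the company, and tested for period cutoff, while payouts to confirmed addresses that were never booked are flagged for completeness. Entry ids, txids, dates, addresses and amounts are all constructed, and the "confirmed addresses" set stands in for the written confirmation obtained from the pool.

```python
"""Trace mining revenue booked by the company to payout transactions on chain.
Added illustration with constructed data (txids, dates, addresses, amounts
in satoshis); not Marathon's records or Marcum's procedure."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ChainPayout:
    txid: str
    block_time: date
    address: str
    amount: int


# Revenue ledger: (entry_id, txid the company says paid it, amount recognized in FY2023)
LEDGER = [
    ("R-1", "p001", 320_000_000),
    ("R-2", "p002", 310_000_000),
    ("R-3", "p004", 300_000_000),  # confirmed in January 2024: wrong period
    ("R-4", "p999", 280_000_000),  # no such transaction on chain
    ("R-5", "p005", 290_000_000),  # paid to another pool participant, not to the company
]

# Payout transactions from the pool's wallet, pulled from the auditor's own node
CHAIN = [
    ChainPayout("p001", date(2023, 12, 28), "bc1qminer0001", 320_000_000),
    ChainPayout("p002", date(2023, 12, 29), "bc1qminer0001", 310_000_000),
    ChainPayout("p003", date(2023, 12, 30), "bc1qminer0001", 305_000_000),  # never booked
    ChainPayout("p004", date(2024, 1, 2), "bc1qminer0001", 300_000_000),
    ChainPayout("p005", date(2023, 12, 30), "bc1qmember0007", 290_000_000),
]

# Payout addresses the pool operator confirmed in writing as belonging to the company
CONFIRMED_ADDRESSES = {"bc1qminer0001"}
PERIOD = (date(2023, 1, 1), date(2023, 12, 31))


def trace_revenue(ledger, chain, confirmed, period):
    """Return exceptions by assertion and the revenue total supported by chain evidence."""
    start, end = period
    by_txid = {p.txid: p for p in chain}
    ex = {"occurrence": [], "attribution": [], "cutoff": [], "amount": [], "completeness": []}
    supported = 0
    booked_txids = set()
    for entry_id, txid, amount in ledger:
        payout = by_txid.get(txid)
        if payout is None:
            ex["occurrence"].append(entry_id)        # booked, but never happened on chain
            continue
        booked_txids.add(txid)
        problems = []
        if payout.address not in confirmed:
            problems.append("attribution")           # someone else's reward
        if not start <= payout.block_time <= end:
            problems.append("cutoff")                # real, but not this period's revenue
        if payout.amount != amount:
            problems.append("amount")
        for assertion in problems:
            ex[assertion].append(entry_id)
        if not problems:
            supported += amount
    for payout in chain:
        if payout.address in confirmed and start <= payout.block_time <= end and payout.txid not in booked_txids:
            ex["completeness"].append(payout.txid)   # ours and in period, but never booked
    return ex, supported


if __name__ == "__main__":
    exceptions, supported = trace_revenue(LEDGER, CHAIN, CONFIRMED_ADDRESSES, PERIOD)
    print(f"supported revenue: {supported / 1e8:.8f} BTC")
    print(exceptions)
```

The attribution bucket is the one that maps to the fraud risk in this CAM: a payout that exists on chain and falls in the period is still not the company's revenue if the pool paid it to another participant, which is why the address confirmation has to come from the pool operator rather than from the client. In a pool arrangement the amount to test is the payout the company is contractually entitled to, net of the pool's fee, not the block subsidy the pool itself received.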

Where do we see These CAMs Outside the Digital Asset Industry?

CAMs were first required for audits of large accelerated filers with fiscal years ending on or after June 30, 2019, and introduced company-specific language into what had been standardized audit reports. Under PCAOB AS 3101 a CAM is a matter that was communicated, or required to be communicated, to the audit committee, that relates to accounts or disclosures material to the financial statements, and that involved especially challenging, subjective or complex auditor judgment; all three conditions must hold. In the early reporting data, revenue recognition was the most frequent CAM topic, followed by intangible assets (Zhang). Looking at the three CAMs identified above, MicroStrategy's and Coinbase's point to specific disclosures in the financial statements (the materiality condition of AS 3101), and Marathon's is revenue recognition, the most common CAM. The prevalence of revenue recognition as a CAM likely stems from its materiality to the financial statements, industry-specific practices, and the risk of fraud and error (Zhang).

Shell is a company outside the industry with some similar CAMs. One resembling the existence and control of digital assets concerned "Exploration and Evaluation Assets", which relate to proven and unproven reserves. Major considerations for the value of E&E assets were whether a license is expected to be renewed, whether sufficient data exists to indicate that the carrying value is likely to be recovered, and whether commercially viable quantities of resources exist. To address this, the auditors mainly tested controls over write-offs and impairment rather than testing for the existence of the assets. A revenue recognition CAM was cited as "the measurement of unrealized trading gains and losses", and discussed the potential for unauthorized trading activity or deliberate misstatement of Shell's positions. In a similar way, Marathon Digital could have deliberately claimed mining revenue that did not belong to it. To address this, the auditors looked more at the valuation of the positions than at the controls over who could make trades. The question of who could make trades was less of an issue for Coinbase and MicroStrategy because of their extensive private key management procedures (EY).

Accounting Literature Discussion

An Ernst & Young article focused on auditor responsibilities, the first of which is to evaluate the blockchain protocol itself. Whether the blockchain is reliable, or could be manipulated, is an important thing for auditors to keep in mind. Among the points EY raised were whether the blockchain is widely used, whether it is open source, and how many developers are active on it. EY also discussed how risk varies with the asset and with how the client interacts with it. For example, a pegged asset presents different risk from assets without intrinsic value, such as utility tokens and native digital assets like Bitcoin, and for asset-backed tokens auditors must also consider the smart contracts securing the underlying assets. Digital assets typically have a larger number of interested parties, whether holders, developers, or miners. Lastly, EY discusses how auditors must consider whether transactions are executed manually or automatically via smart contracts, which opens the door to hacking, software flaws, or inaccurate oracle data, and notes differing regulation across jurisdictions as something auditors should be aware of (Boillet).

These are good things to consider as an auditor. As a crypto expert, I would agree that private key management and the blockchain itself are the most important considerations for a company transacting with digital assets. Another thing I would have liked to have seen would be a focus. One thing that was interesting to me was that the companies holding digital assets are currently not holding them in any complex derivatives positions "onchain". As companies begin to take more complex derivatives or "DeFi" (decentralized finance) positions such as rate swaps, or even stake their assets, they will need more complex audits. A future consideration for auditors might be smart contract auditors. Companies like Hacken, CertiK, and OpenZeppelin perform audits on smart contracts to make sure there are no bugs or exploitable vulnerabilities. In the future, I expect these companies to require SOC reports or more consideration from auditors regarding their internal controls. Staking assets will also require more in-depth auditor processes, such as SOC reports. I imagine almost all public companies will hire professionals to do their staking, in the same way they hire professional custodians to handle their digital assets and private keys.

Sources:

Amato, Neil. “An Updated Practice Aid and How It Can Assist in Audits of Digital Assets.” Journal of Accountancy, 1 Sept. 2023, www.journalofaccountancy.com/podcast/cpa-news-an-updated-practice-aid-and-how-it-can-assist-in-audits-of-digital-assets.html.

Boillet, Jeanne. “How to Audit the next Generation of Digital Assets.” EY, MIT OpenCourseWare, 30 Jan. 2020, www.ey.com/en_us/insights/assurance/how-to-audit-the-next-generation-of-digital-assets.

“Coinbase 2023 10-K.” SEC.Gov | EDGAR Full Text Search, 15 Feb. 2024, www.sec.gov/edgar/search/#coin-20221231.htm.

EY. “Critical Audit Matters.” Critical Audit Matters Browse, www.auditanalytics.com/0002/critical-audit-matters-browse.php?aofk=478739. Accessed 17 May 2024.

Kajirian, Anna. “Audit and Accounting: Navigating Complexity in a Rapidly Changing Environment.” PwC, www.pwc.com/us/en/services/digital-assets/digital-assets-audit-services.html. Accessed 17 May 2024.

Koch, Kim. “What Is a SOC Report, and Why Is It Important?” What Is a SOC Report? | Moss Adams, 17 May 2021, www.mossadams.com/articles/2021/05/what-is-a-soc-report.

“Marathon Digital 2023 10-K.” SEC.Gov | EDGAR Full Text Search, 28 Feb. 2024, www.sec.gov/edgar/search/#mara-20231231.htm.

“MicroStrategy 2023 10-K.” SEC.Gov | EDGAR Full Text Search, 15 Feb. 2024, www.sec.gov/edgar/search/#mstr-20231231.htm.

Zhang, Jian. “A Summary of Early Critical Audit Matter Reporting.” The CPA Journal, 30 Mar. 2021, www.cpajournal.com/2021/03/31/a-summary-of-early-critical-audit-matter-reporting/.

Jordan Brewer
Oregon Blockchain Group

Director of VC @ Oregon Blockchain Group // prev @ Artemis // investment intern @ Bloccelerate VC // incoming Auditor @ Deloitte