Auditing digital assets: The purpose remains the same, but the approach should be different
As digital assets are becoming prevalent in financial statements, the industry faces unique challenges and risks on how to audit this new asset class.
The auditing of any asset, whether it’s traditional or digital, has the objective of allowing the auditor to decide whether the financial statements are in compliance with an applicable financial reporting framework. Gaining sufficient audit evidence and verifying whether the asset exists, who the owner is and what its value is depends on two things:
- Availability of data
- Ensuring that obtained data are valid and accurate
Changing the way auditing works
Blockchain is expected to have a significant impact on the way transactions are initiated, processed, authorised, recorded and reported. The technology has several valuable traits that can change and improve the way auditors execute engagements, including the following:
- Blockchain contains a public history of transactions and provides an immutable proof that the transaction occurred. This makes the verification process faster and more cost-effective for auditors (assuming the source is trustworthy) than a typical database.
- With multiple parties sharing a ledger in private networks, auditing on an industry level becomes accessible since there are no differences in the books.
- Blockchain enables almost real-time settlement of transactions, which makes it possible to perform an audit whenever it’s required, instead of months or even years after the fact. In turn, regulators can take real-time action and prevent rather than punish.
So, if all transactions are captured in an immutable ledger and available on demand and in real time, what’s left for an auditor to audit? A lot, actually.
A record of transaction is not enough
Blockchain is auditable by design. The transactions performed on the ledger are permanently recorded across the nodes and cryptographically protected so they can’t be modified or replaced. After every transaction occurs, it gets a timestamped proof of what happened, when and how. And thanks to the immutable nature of the ledger, a verified history of the transactions can be obtained for auditing purposes at any time.
However, while in practice auditors can access certain data from a blockchain-based system, they often require more information than the record of transaction to complete a thorough audit.
The sad truth is that a blockchain-based record of transactions provides enough data for just one aspect of auditing. Recording a transaction on a blockchain doesn’t alleviate the risk that the transaction is unauthorised, fraudulent, illegal, linked to an off-chain side agreement or even inaccurately classified due to human input error. Auditors can have trouble verifying who the actual owner behind the transaction is, who the other counterparties participating in the transaction are, or the legal nature of those transactions. In other words, a record of transactions is not enough.
Digital assets are mostly designed to be pseudonymous, concealing an account holder’s real identity behind an alphanumeric code. This alphanumeric code is known as the private key and is used to prove ownership of currency or validation of a bank balance.
The challenge lies in ensuring that the keys in fact belong to the client and don’t simply represent access to an account. In a blockchain ecosystem, access to the private key doesn’t necessarily imply ownership. In addition, there is always the possibility that a client hasn’t reported all keys in their possession, or has shared them with other parties.
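The usual way an auditor tests that a client controls the key behind an address is a signed challenge: the auditor supplies a fresh nonce and a statement of purpose, the custodian signs it with the private key, and the auditor checks the signature against the public key and the address derived from it. The program below is an added illustration, not RIDDLE&CODE’s code; it uses Go’s standard-library P-256 curve and a plain SHA-256 address derivation as stand-ins for the curve and address format of any real network, and the `Challenge`, `Respond` and `VerifyControl` names are its own. What it demonstrates is also the limit the text describes: a passing check proves control of the key at the time of the challenge, not legal ownership, and says nothing about keys the client did not declare.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NewKey generates a key pair for the custodian (P-256 here as a constructed
// stand-in for secp256k1; the protocol is the same).
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Address derives a pseudonymous address as the hex SHA-256 of the raw X||Y
// coordinates. Real networks use their own derivation and encoding; this is a
// constructed stand-in that keeps the one property we need: address <- public key.
func Address(pub *ecdsa.PublicKey) string {
	raw := make([]byte, 64)
	pub.X.FillBytes(raw[:32])
	pub.Y.FillBytes(raw[32:])
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:])
}

// Challenge is the statement the auditor asks the custodian to sign. The auditor
// chooses the nonce, so a signature produced for an earlier engagement cannot be
// replayed, and the text names the address and purpose so the signature cannot be
// passed off later as consent to a transaction.
type Challenge struct {
	Address string
	Nonce   string
	Purpose string
}

// Digest is the message actually signed: a hash over the fields with separators.
func (c Challenge) Digest() []byte {
	h := sha256.Sum256([]byte("audit-challenge|" + c.Address + "|" + c.Nonce + "|" + c.Purpose))
	return h[:]
}

// NewNonce is the auditor's random, single-use nonce.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Respond is the custodian side: sign the digest with the key behind the address.
func Respond(priv *ecdsa.PrivateKey, c Challenge) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, c.Digest())
}

// VerifyControl is the auditor side. A true result shows that the responder held
// the private key for c.Address when the nonce was issued. It says nothing about
// legal ownership, about other keys the client holds, or about whether the key
// is shared with a third party.
func VerifyControl(pub *ecdsa.PublicKey, c Challenge, sig []byte) bool {
	if Address(pub) != c.Address {
		return false // presented key does not correspond to the address under audit
	}
	return ecdsa.VerifyASN1(pub, c.Digest(), sig)
}

func main() {
	priv, _ := NewKey()
	nonce, _ := NewNonce()
	c := Challenge{Address: Address(&priv.PublicKey), Nonce: nonce, Purpose: "FY existence test"}
	sig, _ := Respond(priv, c)
	fmt.Println("control of", c.Address[:16]+"...:", VerifyControl(&priv.PublicKey, c, sig))
	stale := c
	stale.Nonce = "nonce-from-last-year"
	fmt.Println("replay with old nonce:", VerifyControl(&priv.PublicKey, stale, sig))
}
```

In practice the auditor keeps the nonce and the signed response as audit evidence, and repeats the exercise for every address the client asserts, since a signature over one address says nothing about the others.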
To verify the identity of the sender, custodians, such as exchanges, often have KYC (know-your-customer) procedures in place. And although KYC procedures are capable of identifying the sender, they don’t confirm the identity on the other end — the receiver. Instead, an exchange has to expect that the opposite exchange has the same procedures in place, which unfortunately isn’t always the case.
We can’t rely solely on blockchain
Once ownership has been proven, the auditor has to rely on the blockchain to verify the existence of a digital asset. Evaluating the existence of a digital asset requires relying on a blockchain protocol upon which the asset resides. Most of the digital assets use transparent public blockchains, where anyone can read and track the recorded transaction with the help of an address number.
Blockchain protocols are intended to make blockchains resilient to tampering. However, we shouldn’t simply assume that all protocols are effective and that the information recorded on them can be trusted. The extent to which we can rely on a protocol will depend on factors such as the consensus mechanism, the robustness of its cryptography, the controls around the blockchain, the external parties contributing to transactions and the reliability of their processes.
Another challenge remains in determining how to rely on transactions that aren’t on the protocol. For instance, many crypto exchanges have a practice of pooling their clients’ assets and addresses in centralised wallets. When this happens, a crypto exchange reflects transactions between buyers and sellers of the same asset in its records but not on the blockchain ledger. Instead, the transactions are occurring on a secondary system (i.e., “off chain”).
The secondary system is usually not blockchain-based but a database that is updated every time a transaction occurs, assigning assets from a central wallet to a specific customer. With transactions departing from a centralised wallet, there is no audit trail available, which makes it hard to verify the entity’s transactions by relying on the blockchain record. Therefore, exchanges need to have additional systems in place to perform thorough auditing.
One potential solution to this issue is to have segregated accounts in place. With segregated accounts, balances are publicly viewable and auditable “on chain,” and every customer has its own wallet with transactions recorded on the blockchain. The audit trail becomes more trustworthy, reliable and enriched.
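The difference between the two models shows up in what the auditor can actually reconcile. Under pooled wallets, the only on-chain test available is whether the custodian’s total holdings per asset cover the total it owes according to its internal database; individual customer movements never touch the chain. Under segregated accounts, each customer’s internal balance can be matched against that customer’s own address. The program below is an added example with constructed figures, not RIDDLE&CODE’s reconciliation code; the `Liability`, `OnChain` and `Mismatch` types and the sample addresses are its own.

```go
package main

import "fmt"

// Liability is one row of the custodian's internal (off-chain) ledger: what a
// customer is owed, in the asset's smallest unit. All figures here are constructed.
type Liability struct {
	Customer string
	Asset    string
	Amount   int64
}

// OnChain is a balance the auditor reads from the public ledger for one address.
type OnChain struct {
	Address string
	Asset   string
	Balance int64
}

// Mismatch reports a customer whose internal balance is not what the chain shows.
type Mismatch struct {
	Customer, Asset   string
	Internal, OnChain int64
}

// ReconcilePooled is all the chain can offer under the pooled model: sum what the
// internal ledger says is owed per asset, sum what the pooled addresses hold, and
// report any shortfall. Individual customer transactions are not visible on chain,
// so they cannot be tested this way.
func ReconcilePooled(liabs []Liability, chain []OnChain, pool map[string]bool) map[string]int64 {
	owed, held := map[string]int64{}, map[string]int64{}
	for _, l := range liabs {
		owed[l.Asset] += l.Amount
	}
	for _, o := range chain {
		if pool[o.Address] {
			held[o.Asset] += o.Balance
		}
	}
	short := map[string]int64{}
	for asset, amt := range owed {
		short[asset] = 0
		if d := amt - held[asset]; d > 0 {
			short[asset] = d
		}
	}
	return short
}

// ReconcileSegregated compares each customer's internal balance with the balance of
// that customer's own address. A customer with no address mapping is reported too,
// since there is nothing on chain to support that balance.
func ReconcileSegregated(liabs []Liability, chain []OnChain, addrOf map[string]string) []Mismatch {
	bal := map[string]int64{}
	for _, o := range chain {
		bal[o.Address+"|"+o.Asset] = o.Balance
	}
	var out []Mismatch
	for _, l := range liabs {
		addr, ok := addrOf[l.Customer]
		var seen int64
		if ok {
			seen = bal[addr+"|"+l.Asset]
		}
		if !ok || seen != l.Amount {
			out = append(out, Mismatch{l.Customer, l.Asset, l.Amount, seen})
		}
	}
	return out
}

// Constructed sample data: an internal ledger, a pooled-wallet view of the chain,
// and a segregated-account view of the chain.
func SampleLiabilities() []Liability {
	return []Liability{{"alice", "BTC", 150}, {"bob", "BTC", 250}, {"carol", "ETH", 1000}}
}

func SamplePooled() ([]OnChain, map[string]bool) {
	return []OnChain{{"pool-btc-1", "BTC", 300}, {"pool-btc-2", "BTC", 100}, {"pool-eth", "ETH", 900}},
		map[string]bool{"pool-btc-1": true, "pool-btc-2": true, "pool-eth": true}
}

func SampleSegregated() ([]OnChain, map[string]string) {
	return []OnChain{{"addr-alice", "BTC", 150}, {"addr-bob", "BTC", 200}, {"addr-carol", "ETH", 1000}},
		map[string]string{"alice": "addr-alice", "bob": "addr-bob", "carol": "addr-carol"}
}

func main() {
	chain, pool := SamplePooled()
	fmt.Println("pooled shortfall per asset:", ReconcilePooled(SampleLiabilities(), chain, pool))
	chain, addrOf := SampleSegregated()
	fmt.Println("segregated mismatches:", ReconcileSegregated(SampleLiabilities(), chain, addrOf))
}
```

With the sample data the pooled check reports that ETH is 100 units short while BTC is fully covered, but it cannot say which customer the shortfall belongs to; the segregated check points at bob’s address directly.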
Determining the legal nature of a transaction requires a holistic approach
Due to their pseudonymous nature, digital assets are often subject to illicit use. According to the “Crypto crime report” published by the blockchain analysis firm Chainalysis, $2.8 billion in Bitcoin were traced from criminal entities to exchanges in 2019 alone.
Digital assets allow criminal actors to buy and sell illicit goods and services, ranging from weapons to people, narcotics, child pornography and organs, and to finance terrorism. In 2016, ITMC (The Ibn Taymiyya Media Center) became the first terrorist organisation to launch a public crowdfunding donation campaign using digital assets. The campaign, named Jahezona, was launched with the goal of financing weapons purchases.
Regulatory frameworks, such as know-your-customer (KYC) and anti-money-laundering (AML) policies and the “travel rule,” address the challenges of money laundering and terrorism financing. However, different jurisdictions have different regulatory and accounting approaches, and we’re still lacking a regulatory framework on a global scale.
Moreover, the lack of an exact taxonomy, with no single definition possible, leaves auditors struggling to classify digital assets and raises questions. Should the asset be audited as a store of value, a financial instrument, an investment tool or something completely different?
RIDDLE&CODE’s Digital Asset Custody — drawing more conclusions and answering more questions
Digital asset custodians must provide a number of audit statements in order to satisfy auditors and their customers. With that in mind, RIDDLE&CODE’s Digital Asset Custody uses an auditing system that:
- Stores data necessary for auditing within a single system;
- Collects more data than, for instance, the Bitcoin blockchain network;
- Uses a tamper-proof blockchain to record these data; and
- Provides human-readable exporting documents and direct access to auditors.
Our system relies on the R3C ledger, which is designed to be completely GDPR compliant and shares access to the relevant data in compliance with privacy requirements. The ledger itself only contains arbitrary data hashes as part of transactions signed off by public-private key pairs. This means that the data itself is not stored on the R3C. Instead, it is possible to associate a piece of data with a storage identifier without giving access to the highly sensitive private keys.
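The hash-on-ledger, data-off-ledger pattern described above works as a commitment: the ledger record names a storage identifier and a hash, the custodian keeps the data under its own access controls, and an auditor who is granted access recomputes the hash and compares it with the record. The program below is an added example of that pattern, not RIDDLE&CODE’s implementation and not the R3C transaction format, which it does not reproduce; the `Record`, `OffChainStore`, `Publish` and `Audit` names are its own, and the per-item salt is this example’s addition so that low-entropy data such as a name or account number cannot be recovered from a public hash by guessing. It also shows the two ways the check can fail: the off-chain data has been altered, or it has been erased, which leaves the ledger entry intact but unverifiable.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is what reaches the ledger: a storage identifier and a commitment to the
// data, never the data itself. Constructed stand-in for a ledger transaction.
type Record struct {
	StorageID string
	Commit    string // hex SHA-256 over salt || data
}

// Item is one off-chain object the custodian keeps under access control. The salt
// is this example's own addition: without it, a hash of predictable data could be
// matched by trying candidate values.
type Item struct {
	Salt, Data []byte
}

// OffChainStore is the custodian's private store keyed by storage identifier.
type OffChainStore map[string]Item

// Commit computes the value recorded on the ledger.
func Commit(salt, data []byte) string {
	h := sha256.New()
	h.Write(salt)
	h.Write(data)
	return hex.EncodeToString(h.Sum(nil))
}

// Publish stores data off-chain under id and returns the record for the ledger.
func Publish(store OffChainStore, id string, data []byte) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	store[id] = Item{Salt: salt, Data: append([]byte(nil), data...)}
	return Record{StorageID: id, Commit: Commit(salt, data)}, nil
}

// Audit is the auditor's check once the custodian grants access to the store: the
// data behind the identifier must hash to the commitment on the ledger. Erased
// data (for instance after a GDPR request) cannot be verified and needs a separate
// explanation from the custodian; altered data is detected by the hash mismatch.
func Audit(store OffChainStore, r Record) error {
	it, ok := store[r.StorageID]
	if !ok {
		return errors.New("no off-chain data for " + r.StorageID + ": commitment cannot be verified")
	}
	if Commit(it.Salt, it.Data) != r.Commit {
		return errors.New("off-chain data for " + r.StorageID + " does not match ledger commitment")
	}
	return nil
}

func main() {
	store := OffChainStore{}
	// Constructed sample document; the content is illustrative only.
	rec, _ := Publish(store, "doc-0001", []byte("transfer 1.5 BTC to customer A-17 under agreement 42"))
	fmt.Println("fresh record:", Audit(store, rec))
	it := store[rec.StorageID]
	it.Data = []byte("transfer 15 BTC to customer A-17 under agreement 42")
	store[rec.StorageID] = it
	fmt.Println("after tampering:", Audit(store, rec))
	delete(store, rec.StorageID)
	fmt.Println("after erasure:", Audit(store, rec))
}
```

The ledger signature over each record (omitted here) is what ties the commitment to the custodian’s key; the hash alone only tells the auditor whether the data shown today is the data that was committed to then.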
In comparison to traditional audits, thorough audits of digital assets may seem complex. Auditing in a blockchain environment carries unique challenges that need to be addressed not only by auditors but by all participants in the ecosystem. It requires thoughtful examination of the basic considerations within traditional audit frameworks while, at the same time, developing new guidelines and practices. With the right approach, technology and infrastructure, a thorough audit of digital assets is completely achievable.