Oversight of Crypto Auditing: Asking the PCAOB to Go Out of Bounds

Dan Goelzer
The Audit Blog

--

By Dan Goelzer

On January 25, Senators Elizabeth Warren and Ron Wyden wrote to PCAOB Chair Erica Williams raising serious questions about the work of accounting firms that have issued reports on companies engaged in the cryptocurrency industry. They point, for example, to FTX CEO Sam Bankman-Fried’s public assertions that FTX’s U.S. affiliate had “passed its US GAAP audit” performed by two PCAOB-registered accounting firms and to “proof-of-reserves” reports regarding custody of crypto assets reviewed by PCAOB-registered firms. The Senators cite public statements suggesting that some of the accounting firms involved lacked independence and assert that the activities of these firms “tarnish the credibility of the PCAOB and undermine confidence in the PCAOB-registered auditors.” The thrust of the letter is that the PCAOB should review the crypto work of these accounting firms and possibly take action against them.

Chair Williams has previously publicly stated that FTX’s audits are outside the PCAOB’s jurisdiction, since FTX was not a public company. Senators Warren and Wyden reject this contention:

“But this statement does not appear to be consistent with PCAOB Rule 3100, which states that ‘a registered public accounting firm and its associated persons shall comply with all applicable auditing and related professional practice standards,’ or PCAOB Rule 3200, which states that ‘in connection with the preparation or issuance of any audit report, a registered public accounting firm and its associated persons shall comply with all applicable auditing standards adopted by the Board.’ This rule is clearly not restricted solely to public companies.”

They contend that the PCAOB’s jurisdiction over auditors of SEC-registered securities broker-dealers provides a source of authority over auditors that issue reports on companies involved in the crypto industry:

“Moreover, some of these crypto firms arguably should fall within the PCAOB’s jurisdiction given the SEC’s position that companies performing broker-dealer functions in the crypto market should be registered as broker dealers. Regardless, the PCAOB must act to maintain its rigorous standards for audit firms.” (emphasis in original)

The letter concludes with this pointed question: “Will you commit to using your inspection authority to evaluate and publicly report on auditors that provided services for any crypto company acting as a broker dealer, even if the firm was not registered as such with the SEC?”

The work that some PCAOB-registered accounting firms have performed for clients in the cryptocurrency industry may well have been, at best, questionable and possibly in violation of the standards of the American Institute of Certified Public Accountants that apply to private company audits. But that does not give the PCAOB jurisdiction over their conduct. If Congress wants the Board to become involved in policing audit and other reports that accounting firms provide to crypto participants, it will have to amend the law to give it that power. Alternatively, if the SEC believes these crypto companies should register as broker-dealers (and permits them to do so), their auditors’ work will then fall within the PCAOB’s jurisdiction. Until then, it is pointless to criticize the PCAOB for failing to involve itself in the crypto space.

The origin of the PCAOB puts the scope of its authority in perspective. Congress created the PCAOB in the Sarbanes-Oxley Act (“SOX”). That legislation passed Congress almost unanimously in July 2002 in the wake of a series of well-publicized public company audited financial reporting failures, culminating in the collapse of Enron. Auditing had, for many decades, been essentially a self-regulated profession. Congress concluded that, as far as the audits of public companies like Enron were concerned, quasi-governmental oversight in the form of the new PCAOB should replace self-regulation.

As enacted in 2002, SOX required that both public company financial statement auditors and the auditors of certain reports that securities broker-dealers must file with the SEC register with the PCAOB. Congress neglected, however, to authorize the PCAOB to inspect or set standards for the work of broker-dealer auditors. The 2010 Dodd-Frank Act, passed in the aftermath of the Madoff scandal, corrected that oversight. Dodd-Frank gave the PCAOB the same authority over accounting firms that issue reports that broker-dealers file with the SEC as it has over firms that audit public company financial statements.

As this brief history makes clear, Congress did not create the PCAOB to oversee auditing generally or even to regulate all activities of PCAOB-registered accounting firms. Aspects of accounting firms’ practices that do not relate to the preparation of audit reports that public companies and broker-dealers are required to file with the SEC were simply not on Congress’s radar.

The possibility remains, as Senators Warren and Wyden seem to argue, that, whatever Congress’s reasons for creating the Board, the PCAOB does in fact have the power to oversee crypto auditing. Their letter points specifically to PCAOB Rules 3100 and 3200, but a closer reading of those rules, and the statutes on which they rest, does not support that notion.

As a threshold matter, it is important to bear in mind that the Board’s rules can’t provide it with any broader authority than does the legislation under which the Board operates. SOX and the Dodd-Frank Act, not the Board’s rules, determine the scope of its power. But whether one focuses on the statutes or on the Board’s rules, the PCAOB lacks authority over accounting firm crypto auditing.

It is helpful to start with the second rule the Senators cite, PCAOB Rule 3200. As noted above, Rule 3200 states: “In connection with the preparation or issuance of any audit report, a registered public accounting firm and its associated persons shall comply with all applicable auditing standards adopted by the Board and approved by the SEC * * *.” The key to understanding the scope of Rule 3200 is the introductory phrase “In connection with the preparation or issuance of any audit report”. “Audit report” is defined in SOX, as amended by the Dodd-Frank Act, to mean a document, report, notice, or other record “prepared following an audit performed for purposes of compliance by an issuer, broker, or dealer with the requirements of the securities laws * * *.” PCAOB Rule 1001(a)(vii) incorporates this definition into the Board’s rules.

Audit reports on the financial statements of private companies, like FTX, and auditor reviews of proof of reserves statements issued by crypto market custodians are not “prepared following an audit performed for purposes of compliance with the requirements of the securities laws” and therefore are not within Rule 3200. In that regard, they are unlike the financial statement audit reports that public companies must file with the SEC under the Securities Exchange Act or the audit reports on financial statements and other documents that registered broker-dealers must file under that Act.

The contention that a company should be registered with the SEC as a broker-dealer does not add anything to the analysis. Although the issue remains unsettled, the SEC takes the position that most crypto assets are securities and therefore that entities that act as cryptocurrency brokers or dealers should be registered. But nothing in the securities laws requires unregistered broker-dealers to make any type of compliance filings, audited or otherwise, with the Commission. If an entity is operating as a securities broker-dealer without registering with the SEC, it is violating the law and subject to SEC enforcement action. But it does not follow that its auditor is subject to PCAOB oversight. Of course, if and when the entity does register as a broker-dealer, it would then be required to make audited filings with the Commission — and those audits would be within the PCAOB’s authority.

The other PCAOB rule cited in the Warren-Wyden letter, Rule 3100, has the same scope as Rule 3200. Rule 3100 provides: “A registered public accounting firm and its associated persons shall comply with all applicable auditing and related professional practice standards.” But this mandate does not apply to any and all assignments that a registered accounting firm happens to undertake, such as an audit of a crypto exchange. Congress carefully limited the phrase “applicable auditing and related professional practice standards” to the standards used by registered firms in the preparation of “audit reports”. And, as already discussed, “audit reports” includes only reports that must be prepared to comply with the securities laws. (The appendix to this post explains in more detail the limited scope of the Board’s authority over professional standards.)

* * *

So far, Congress has not seen fit to adopt a regulatory framework for the cryptocurrency industry. If and when it does, consideration should be given to audit requirements for professional crypto market participants and to the need to subject the accounting firms that issue their audit reports to PCAOB oversight. Similarly, the SEC has not seen fit to develop a mechanism for companies that deal in cryptocurrency to register as securities broker-dealers. Until either of those things occurs, crypto firm auditors will not be subject to PCAOB oversight. Implying that the PCAOB is derelict in failing to police the activities of these accounting firms unfairly “tarnish[es] the credibility of the PCAOB” — in the words of Senators Warren and Wyden — by suggesting that it should act on a problem that is beyond its authority.

Appendix — PCAOB authority to establish and enforce “auditing and related professional practice standards”

PCAOB Rule 1001(a)(viii) — which is based on Section 110(5)(B) of SOX — defines “auditing and related professional practice standards” to mean “the auditing standards, related attestation standards, quality control standards, ethical standards, and independence standards * * * and any other professional standards, that are established or adopted by the Board under Section 103 of the Act.” SOX Section 103, in turn, provides that:

“The Board shall, by rule, establish * * * such auditing and related attestation standards, such quality control standards, such ethics standards, and such independence standards to be used by registered public accounting firms in the preparation and issuance of audit reports, as required by this Act or the rules of the Commission, or as may be necessary or appropriate in the public interest or for the protection of investors.” (emphasis added)

Accordingly, the PCAOB’s authority to adopt professional standards, and the obligation of registered firms to follow those standards, is limited to the context of preparing and issuing “audit reports”. The phrase “audit report”, in turn, includes only “a document, report, notice, or other record * * * prepared following an audit performed for purposes of compliance by an issuer, broker, or dealer with the requirements of the securities laws.” See discussion above. The inclusion at the end of Section 103 of the phrase “or as may be necessary or appropriate in the public interest or for the protection of investors” is not a license for the Board to roam into other areas of accounting firm practice; it simply means that, in addition to standards explicitly required by the Act or the SEC’s rules, the PCAOB can adopt additional standards related to the preparation of audit reports if it thinks it is necessary or appropriate to do so.

In short, the PCAOB’s authority over the professional standards used by registered accounting firms, and its authority to require compliance with those standards, is limited to engagements related to audits performed to meet the requirements of the federal securities laws.


Dan Goelzer is a retired Baker McKenzie partner. He was a PCAOB member from 2002 to 2012 and SEC General Counsel from 1983 to 1990. He is a former SASB member.