Auditors of Crypto Assets Struggle to Satisfy PCAOB

Aug. 8, 2023

The audit regulator wants much more proof than a blockchain ledger to verify the existence and ownership of cryptocurrencies and other digital assets.

If a company owns an asset, it should be able to prove ownership to a financial auditor. Simple, right? Not in the world of cryptocurrencies and other crypto assets.

Several crypto-focused audit guidance pronouncements, inspection observations, and practice aid documents from the Public Company Accounting Oversight Board (PCAOB), the Canadian Public Accountability Board (CPAB), and the AICPA were published in the past year.

But will they help auditors struggling with fundamental issues such as establishing the existence and ownership of digital assets to the level of certainty the PCAOB wants?

The proof of a digital asset’s ownership on the blockchain — a string of alphanumeric characters or possession of a private key — is not sufficient and appropriate audit evidence to support a financial statement entry.

“The benefits of the anonymity in the blockchain are [to the] detriment of the auditors achieving their goals in the audit,” Jackson Johnson, president of Johnson Global Accountancy, told CFO.

Johnson, a former PCAOB staffer who advises midsize audit firms on audit quality issues, works with firms when the PCAOB or the Securities and Exchange Commission (SEC) investigate their audits of companies with cryptocurrency assets and revenue.

Given the lack of transparency in cryptocurrency transactions and the lack of governance mechanisms in the oversight of crypto asset activities, U.S. regulators are concerned about the possibility of fraud, market manipulation, theft of assets, illicit finance, and more, according to a PCAOB staff spotlight publication released in June.

The PCAOB is also hyper-aware of a potential repeat of bankruptcies and potential fraud by crypto market participants since the bankruptcy of the trading platform FTX, which may have lost as much as $8.7 billion in customers’ funds, exposing “the structural vulnerability of some business models involving crypto assets,” said the PCAOB.

Impossible Expectations
To be clear, crypto asset audits are not the crypto “assurance” or “proof of reserves” endorsements some crypto platforms tout as evidence of their holdings. Those are non-audit arrangements that, according to SEC Chief Accountant Paul Munter, “are neither as rigorous nor as comprehensive as a financial statement audit and may not provide any reasonable assurance to investors.”

“Honestly, I’ll tell you, the audit teams don’t have the answers that the regulator is looking for right now.”

The PCAOB’s purview is financial statement audits, and the level of rigor and proof the PCAOB wants for crypto-assets, is exponentially higher. One example is the recommendation that auditors test the design and operating effectiveness of the public company’s internal controls over the generation and maintenance of the private keys that control access to crypto assets.

Another, from CPAB’s advisories on crypto assets, recommends auditors engage blockchain and cryptography specialists to evaluate the reliability of blockchain ledgers on which assets are held.

The CPAB also states that in some cases, auditors will also need to evaluate and test the relevant controls of the custodian holding the client’s crypto assets to ensure records and balances are complete and accurate and to establish if the client’s crypto assets are commingled with those of other customers.

The auditor sees the assets in the wallet, prints it out, and puts it in the work papers. But, Jackson said, the PCAOB’s questioning goes something like this:

PCAOB staff: Who owns that wallet?

Auditor: The company does.

PCAOB: How do you know that?

Auditor: Well, I got the credentials from the CFO.

PCAOB: How do you know it’s not the CFO’s wallet? How do you know that these assets are in the company’s name and not an individual’s? What are the controls around the custody of the record-keeping of those credentials? Who else in the company has access to those credentials? Are they secured?

“Honestly, I’ll tell you, the audit teams don’t have the answers that the regulator is looking for right now,” Johnson said. “Regulators are setting an expectation that isn’t possible, so far, for the auditor to achieve. The auditors are doing the best that they can with the limited guidance that’s there.” In the end, there are limitations on audit evidence, Johnson said.

Engaging Investors
The carefulness with which the Big Four approach the selection of audit clients that hold crypto assets, or are in the crypto business, underscores the uncertainty. “They’re being much more risk averse from a client acceptance perspective,” said Johnson. The auditing problems are more acute for mid-market and smaller audits firms because “they’re the ones that are doing most of these audits,” said Johnson.

Those mid-market firms don’t get inspected annually by the PCAOB and they have neither the time nor the resources to get their voices heard, said Johnson.

The path to a solution for all auditors, says Johnson, is a multi-stakeholder approach, bringing to the table the PCAOB, auditors, academics, and investors. Johnson said this could be done through the investor advocacy group of the PCAOB.

Auditors could describe their challenges, but perhaps more importantly, auditing firms and the PCAOB could probe investors on what information they value when assessing crypto assets and businesses. Said Johnson: “Regulators are not satisfied, but I haven’t seen a discussion where the investors are weighing in on the expectation gap.”

[CFO]