Auditing and Crypto: Testing Ownership

Do repost and rate:

How can you test/prove "ownership" when it comes to cryptocurrencies?

CPA procedures on Crypto balances

The world of business and banking institutions have developed, over many years, systems where an organization can say they have "Cash in Bank" and a financial auditor - the folks who provide an auditor's report with the company's financial statement that says, "In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of XYZ Corporation ... " - can work with the client to send a "confirmation" (a standardized form or, increasingly, an electronic trigger for the bank to confirm (or provide details or deny) the request for information. Part of that arrangement is understanding when balances are being held on behalf of others, such as a lawyer holding their clients' funds. Note that "confirmation" in audit-speak is different than confirmation in blockchain-speak.

But what about Crypto?

Custodians

An "advantage" to NYKNYC?

We highly encourage those with material amounts of crypto to manage their own assets, which means they should manage their own keys and ownership.

If the money is with a custodian, are Binance, Kraken, COINBASE or other exchanges equipped to respond to an auditor's request on behalf of their client? Yes ... to some extent. Here is what each has to say, and the limitations for their ability to comply:

Coinbase: https://help.coinbase.com/en/custody/managing-your-account/updating-account-users/authorized-signatory-and-auditor-list

Kraken: https://support.kraken.com/hc/en-us/articles/360047704472-Auditor-cooperation

Binance: no such guidance easily found

While there are hybrid situations, where amounts are held by custodians but the holder has access to keys, these are not common.

Non custodial

Non custodial environments are more challenging. Most of the checklists suggest having the enterprise sign something with their "private key" to prove ownership of the amount at the related address. There are many challenges here:

  • If you follow the guidance of Satoshi from the Bitcoin whitepaper, you have used a different key for every transaction. A look at one of my teaching Bitcoin wallets will show many transactions - the wallet tracks it all for me. A system that can pull all of the active addresses from the wallet so the auditor can have a list and start checking whether I hold the private keys would be a bit of a pain.
  • While having access to the private key is vitally important, it doesn't "prove" anything legally. I have heard the story of five brothers, each with their own businesses. They have separate auditors, separate banks. They each want to borrow money from the bank and use crypto as collateral. By sharing a private key, they can put together 50,000 each, put 250,000 into crypto, and then go to their bankers individually using the shared key as proof that they hold - individually - 250,000, not 50,000. Yes, one could try to take the entire 250,000 from the rest of the family, but through this collusion, they each made 50,000 look like 250,000 (or 1,250,000 in borrowing power).

This is something that at least some of the profession understands. Here is what the Canadian Public Accountability Board has to say:

"The procedures above may be useful to verify an entity’s access to the private key and control over the related assets. However, an entity’s access to a private key should not be interpreted by auditors to mean that the entity has ownership rights to the related crypto-asset. This is because there is a risk that an entity could share the alphanumeric sequence of a private key with others such that multiple entities or individuals could assert ownership rights over the same crypto-asset."

Guidance

The audit profession is trying to put together documents to help, but has a way to go. Here are some key documents:

AICPA

Accounting for and Auditing Digital Assets

CPA Canada:

VIEWPOINTS: Applying Canadian Auditing Standards (CASs) in the Crypto-Asset Sector AUDITING CRYPTO-ASSETS: DO YOU NEED TO TEST CONTROLS WHEN OBTAINING AUDIT EVIDENCE TO SUPPORT THE RIGHTS (OWNERSHIP) ASSERTION? 

VIEWPOINTS: Applying Canadian Auditing Standards (CASs) in the Crypto-Asset Sector AUDITING CRYPTO-ASSETS: RELEVANCE AND RELIABILITY

OF THE INFORMATION OBTAINED FROM A BLOCKCHAIN TO BE USED AS AUDIT EVIDENCE

How can you help make auditors ready for blockchain and blockchain ready for auditors?

 https://www.publish0x.com

Regulation and Society adoption

Ждем новостей

Нет новых страниц

Следующая новость

All content provided by the site, hyperlinks, related applications, forums, blogs, social networks and other information is taken from third-party sources and is intended for reference only. We make no warranties with respect to our content, including but not limited to accuracy and timeliness. No part of the content we provide is financial advice, legal advice or any other form of advice intended for any of your personal purpose. Any use of our content is entirely at your own risk. You should conduct your own research, review, analysis and verification of our content before relying on them. Trading is a very risky activity that can lead to large losses, so consult your financial Advisor before making any decision. No content on our site is a public offer or invitation to action.

This resource may contain 18+materials

© 2016-2024