In September 2019, the Commission for Auditing of EXPERTsuisse ‒ the professional association of Swiss certified experts on auditing, taxes and fiduciary ‒ published Q&A guidance on the audit of cryptocurrencies.
It was developed by auditors of six major audit firms with specific knowledge and experience in cryptocurrencies and distributed ledger technology. The guidance is based on an exemplary case and focuses on Bitcoin, because the possible conditions and circumstances vary widely depending on the token, its origin and how companies handle their holdings. It covers the consideration of the internal control system and procedures to obtain audit evidence about the relevant assertions in the financial statements.
The Q&A stresses the importance of an effective internal control system pertaining to the handling of the private keys. Where the entity manages its own wallets, the controls have to cover the whole life cycle of the private keys in order to ensure the entity’s exclusive control over them. The controls should inhibit unauthorized access to the private keys as well as to recovery seeds. Adequate measures can include, for example, entitlement management with multisignature solutions for the authorization of transactions and the consideration of necessary redundancies. Companies with cryptocurrency holdings ought to consider not only operational controls but also accounting-related controls during the year and in the process of financial statement preparation, such as the process of tracking transactions accurately and completely together with a proper valuation. The Q&A presents several aspects and control designs for controls related to cryptocurrency holdings. Audit clients should be aware that an inadequate internal control system in this context might result in higher audit fees due to additional audit procedures and increased risk, or even in a disclaimer of opinion.
As part of the audit, an entity will have to demonstrate the existence of its cryptocurrency holdings. This relates particularly to the control over private keys. Two ways of providing evidence are micro transactions and message signing ("sign message"). The suitability and execution of these procedures depend on the circumstances and timing of the audit. The Q&A elaborates on the necessary steps and considerations of the procedures.
For the auditor it is important to take into account the degree of reliance that can be placed on different sources when verifying transactions or determining balances of public key addresses on the blockchain. The information can be accessed directly or via providers. Even though the Bitcoin blockchain is public, query errors or incorrect displays might lead to inconclusive or insufficient evidence.
The type and extent of audit procedures depend on numerous aspects and will vary from client to client. Relevant factors include the type of token being held, its origin, the underlying DLT characteristics, whether the company manages the private keys on its own or uses external storage services, the effectiveness of the internal control system and processes, and the timing of the audit, to mention just a few. The auditor has to choose his or her audit approach for each client individually, but the recently issued Q&A provides orientation on an exemplary base case which can be adapted accordingly and helps to foster crypto activities in Switzerland.
The Q&A is available for members of EXPERTsuisse at https://www.expertsuisse.ch/q-and-a in German, French and English.
Author: Heiko Petry (Board Member Working Group Tax / Accounting / Structuring and Audit Senior Audit KPMG AG)