Our four experts, David Byrd (EY), Steven Baum (Marcum), Alexis Tandéo (PwC) and Nicholas Newman (Harris & Trotter LLP) provide insights into how to structure your team to ensure a smooth audit process.

Your people are the bedrock of your success in audits. Having an experienced and knowledgeable team to lead your company through a financial audit is key to attaining audit readiness. This team should understand the key challenges faced by crypto companies in the audit process and be able to implement internal controls that can mitigate the risks of non-compliance and fraud. 

We interviewed four experts at leading audit firms EY, Marcum, PwC, and Harris & Trotter LLP to create a guide on how to structure your team to ensure audit success. Their insights will help any crypto CFO or financial controller understand the risks associated with your company’s personnel and the internal controls you need to put in place to mitigate them.

Auditors seek to understand the personnel structure at your business

Before committing to an audit for a crypto client, auditors seek to understand the structure of personnel within your organization.

Alexis Tandéo, Director - Digital Assets Trusts Services, PwC tells us that the audit firm clarifies two fundamental questions concerning the organization’s personnel whenever they are approached by a potential client:

1. Management and supervision: Is the appropriate level of control implemented by those in charge of managing operations? 
2. Expertise and experience: Does the management team responsible for the day-to-day cryptoasset operations possess a sufficient level of knowledge in this field, especially with regard to the inherent risks? 

With these questions suitably addressed, auditors can begin the assessment of inherent risks and challenges they might face during the audit. If the auditor identifies an excessive number of risks, they might opt not to conduct an audit for your organization.

Inexperience with audit is a significant challenge for crypto enterprises

Auditors need to feel confident that they can work with the individuals who they are collaborating with during the audit process. This can be difficult when dealing with inexperienced finance teams. Lacking people who understand the challenges and risks your business faces is a key hurdle in attaining audit readiness.

However, Harris & Trotter’s Nicholas Newman identifies a skills gap in many crypto organizations:

“Many crypto companies approach us thinking they are audit-ready. As soon as we start examining their records and documents, it becomes clear that they aren’t handling crypto transactions adequately in their financial records. A lot of finance professionals just don’t know how to manage them and don’t adequately record these on-chain transactions. In some instances, they just ignore them. In either case, the financial records aren’t accurate.”

Audits for companies that lack this depth of experience in their finance team are considered higher-risk and auditors might decline to take them on as a client.

Oversight and involvement from your board is needed to ensure good governance

In addition to the finance and accounting team, auditors require active engagement and supervision from a board of directors entrusted with maintaining sound governance practices.

Discrepancies and unpreparedness for audits often arise due to a potential disconnect between founders and finance teams. Here, the board can play a crucial role in supervising financial decisions and ensuring the existence of well-documented policies and procedures. They can often bridge the divide between founders and finance teams, ensuring that financial activity is disclosed correctly and financial risks are managed appropriately.

However, documentation of policies and procedures is not enough. Auditors need to see that you adhere to these policies. Companies that cannot show evidence of good governance with proper policies and processes in place are also considered to be higher-risk audits.

Expected internal controls around your company’s personnel

Maintaining effective internal controls is essential to mitigating the risks associated with the people working at your company. Our four experts suggest the most important 

internal controls you should implement to combat risks including manipulation of financial records, non-compliance, data breaches, and fraud.

Access controls

Ensuring that the correct people have access to your company’s systems and cryptoassets is a necessary step in attaining audit readiness. Companies have to comply with regulations around maintaining the confidentiality and integrity of data. Implementing IT General Controls (ITGC) like access controls mitigates the risks of non-compliance and manipulation of financial records.

For crypto companies, the primary access controls associated with digital asset custody are around company wallets. David Byrd from EY recommends having:

• Robust private key management: ensure that prying eyes can’t get insight into your wallets.
• Backup and recovery process: document the procedure to follow if you lose control of the primary wallet.
• Event of termination procedure: if someone with access to wallets and/or private keys is fired, there needs to be a policy in place that treats this issue.

Disclosure of related party transactions

Auditors scrutinize the transactions between related entities, especially in the crypto space, since on-chain transactions have a higher degree of anonymity, which companies like FTX have exploited in recent times.

Auditors first want to see a clearly defined policy around related party transactions. All related party transactions should be disclosed in financial statements, whether they are considered income, expenses, or incoming loans (from directors or investors). Then auditors need to see authorization of these transactions, with clear segregation of duties between people involved in the approval process.

Authorization and approvals process

To mitigate the risk of accounting fraud, related party transactions should be approved by your company’s board, which follows a well-defined policy that outlines the approvals process. Auditors need to see evidence of your authorization and approvals process in work.

Steven Baum from Marcum provides the following blueprint:

• The business case for transactions should be given in writing.
• The board needs to approve transactions after examining these legal documents.
• In your audit documentation, you should supply the board minutes where transactions have been approved. 

Segregation of duties

Segregation of duties during the authorization and approvals process is an important control to mitigate the risk of fraud and manipulation of financial records. This control ensures that team members who have access to company wallets cannot both initiate and approve transactions. It is crucial to have this internal control in place for wallet management and financial reporting.

Alexis Tandéo from PwC, says “To design effective internal controls, it is essential to establish an appropriate division of responsibilities between those who perform accounting or control procedures and those who supervise these activities. Ideally, transaction processing and related tasks should be organized in such a way that the work of one person is independent of that of another, or serves as a dual control.”

Attaining audit success begins with the structure of your team

Preparing for a crypto audit requires you to assess every aspect of your business for risks and evaluate the most effective ways of mitigating them. Ensuring that you have the requisite skills and knowledge within your team to go through an audit successfully is key. The team involved in the audit process must understand the challenges and risks and be able to proactively implement the necessary internal controls.

The journey to audit readiness also relies on the involvement of a board that can provide good governance practices. The board can oversee the process of implementing and testing your controls which help to maintain the confidentiality, integrity of data, and transparency in financial activities, reducing the risk of non-compliance and fraud.

Next in the series: Expected controls for data completeness and accuracy

About David Byrd, Partner, EY

David is a Partner at EY and the firm’s Blockchain Strategy Leader for Assurance. His role involves guiding asset managers, banks, exchanges, and custodians in achieving their goals within the blockchain and digital asset landscape. Leading EY's Digital Asset Research Center, he oversees teams dedicated to supporting Assurance, Tax, and Consulting initiatives. With an in-depth technical grasp of blockchain technology and custody solutions, David actively contributes to the development of digital asset tools used by EY for audit and audit readiness engagements. Additionally, he communicates with regulators worldwide and prominent industry associations to exchange insights and foster best practices in the realms of accounting, auditing, compliance, and digital asset valuation.

About Steven Baum, Partner, Marcum

Steven is a Certified Public Accountant, Partner at Marcum LLP and serves as the Digital Asset and Blockchain Industry Co-Leader. Steven has close to 15 years of experience working with a wide range of industries, most notably digital assets and technology.  Steve is known for his expertise in assisting businesses with transactional engagements, including IPO's, Token Launches, reverse mergers, Private Placement Offerings, and mergers/acquisitions, but also for his charismatic business acumen.  You can find Steve at many industry conferences, speaking and connecting with industry leaders.  During Steve’s free time, he loves to travel abroad, hike and enjoys boating.  When at home in Hoboken, NJ, Steve enjoys dining and exploring all that the New York City area has to offer with his wife, Kristyn. Steve holds a BS in Accounting from Hofstra University and a Master's in Accountancy from Rutgers University.

About Alexis Tandéo, Director - Digital Assets Trust Services, PwC France

Alexis is a Director at PwC in its Digital Assets Trust Services practice. He provides various services to institutional clients, corporate and startups to help them navigate the challenges of digital asset management. He supports some of the industry’s largest players to implement internal controls that address the risks inherent in crypto businesses. Additionally, he consults on financial reporting compliance requirements for companies in the crypto realm and provides accounting and regulatory reviews. 

About Nicolas Newman, Partner & Head of Digital Assets, Harris & Trotter LLP

Nicholas is a Partner & Head of Digital Assets at Harris & Trotter LLP, leading the firm’s digital assets practice. He works with some of the most prominent entities in the crypto industry including 1inch, Wintermute, and Blockchain.com, supporting them with audit, advisory, accounting, bookkeeping, compliance, and taxation services. With expertise in crypto and audit, he is able to support companies with diverse cases, shape regulatory frameworks and collaborate globally as an independent member of BKR and community-led interest groups like Web3CFO. Nicholas championed Harris & Trotter LLP's innovative Proof of Reserve service powered by Chainlink, ensuring transparency in clients' on-chain and off-chain reserves, bolstering their financial credibility.