Crypto Audit Insider: Internal controls for data completeness and accuracy
Our four experts David Byrd (EY), Steven Baum (Marcum), Alexis Tandéo (PwC) and Nicholas Newman (Harris & Trotter LLP) advise you on the internal controls needed to manage reporting risk.
In an audit, data integrity is crucial. However, without a counterparty to provide a transaction history, obtaining complete and accurate on-chain data to complete your accounting and financial reporting can be challenging. As a result, many crypto companies do not have their bookkeeping in order, meaning that they are not audit-ready.
Gaining a complete dataset that you can use to complete your accounting and financial reporting is one of the first pain points that need to be solved by organizations leveraging digital assets in their journey to audit readiness. Our four experts at leading audit firms EY, Marcum, PwC and Harris & Trotter LLP, explain the challenges of retrieving on-chain data, the risks associated with data integrity that entities utilizing digital assets face, and the internal controls needed to mitigate reporting risks.
Challenges of retrieving accurate and complete on-chain data
Anyone can view the transactions that have been validated on blockchains since they are public ledgers. However, retrieving comprehensive on-chain transaction histories poses a challenge due to the absence of a counterparty responsible for providing them.
Finance teams can use block explorers like Etherscan to access and retrieve on-chain transactions for constructing financial records. However, it's crucial to note that block explorers come with inherent issues, often leading to financial records that are not auditable and accurate.
Primary issues with block explorers include:
- Missing transactions (especially internal transactions related to smart contract execution).
- No transparency to the controls in place to ensure data completeness and accuracy.
- Lack of SOC 1 and SOC 2 reports.
Therefore, reliance on block explorers alone can fail to produce complete and auditable records.
Completeness and accuracy issues with data from exchanges
Some businesses may have crypto financial activity on exchanges such as Coinbase, Kraken and Binance. In this instance, you do have a source of truth since there is a counterparty that can provide a transaction history. Businesses can export transactions that have occurred on these exchanges so that they have records of them.
Sometimes, data pulled from exchanges has missing transactions, resulting in financial records that are incomplete and inaccurate. With only a single source of truth, businesses have to rely on this data. Some exchanges have SOC reports available for auditors to gain insights into their control environment. In the event that these reports are available, auditors can rely on them as well as audit confirmation responses. Where there aren’t SOC reports available, auditors may have questions about the reliability of the data.
Substantive testing for crypto audits causes costs to spiral
Since crypto organizations often have an immature internal control environment, auditors face issues in determining the extent to which risks have been identified and managed during the preparation of financial statements. As the internal control over financial reporting is not mature enough to be relied upon, more substantive testing is required.
With an increase in substantive testing, the audit takes more time and more resources, therefore costing more. Companies need to ensure that the information provided for the audit is as thorough and precise as possible.
Steven Baum from Marcum advises finance departments to consider using a sub-ledger to help produce accurate financial records and reduce the burden of testing for auditors.
“Using sub-ledger software helps to produce accurate financial records. Without it, your company risks not only financial inaccuracies but also prolonged and costly audits. Auditors, unable to confirm data accuracy, are compelled to extensively test each transaction, leading to increased time and expenses."
Just as companies might use a sub-ledger like Cryptio to complete their accounting and financial reporting, auditors might use the sub-ledger to audit clients who have crypto on their balance sheet.
The auditor’s toolkit for checking data integrity
Auditors have several tools at their disposal to test the completeness and accuracy of your financial data. In addition to block explorers and sub-ledgers like Cryptio, auditors might also rely on self-hosted blockchain infrastructure. The data retrieved by auditors can then verify the reliability of an audit client’s financial data.
Alexis Tandéo from PwC outlines how the firm tests the data integrity of crypto audit clients:
"We operate our own nodes or leverage trusted providers to independently validate wallet ownership through key pair validation and ensure transaction integrity by securely extracting blockchain information. This serves as the essential starting point to corroborate evidence, confirming that the transactions and balances recorded by the entity align with the blockchain record, utilizing traditional testing methods."
Expected internal controls for data completeness and accuracy
Inaccurate financial reporting exposes your company to various risks including penalties, fines, legal repercussions, and reputational damage.
However, the challenges around retrieving accurate crypto transaction histories often make it difficult to achieve data integrity. In addition, human error can lead to inaccuracies in your financial records.
The internal controls implemented by businesses leveraging digital assets should address the issue of whether the data can be relied upon for the production of financial statements.
David Byrd of EY recommends that you have a “Reliable Realtime Rearview Mirror” to combat the risks of inaccurate data and human error.
- Reliable: implement data completeness controls to ensure your books are complete and accurate.
- Realtime: have a system in place that enables your team to have a real-time view of your business, so you can react promptly to risks and use these insights in decision-making. Manually finding data on block explorers and pasting them into Excel is a more inefficient process that is also more prone to error.
- Rear View Mirror: you need to keep historical records for all past years. This is especially important for companies considering going public.
While every transaction executed on a blockchain is recorded on its public ledger, retrieving these transactions into a ledger where you can complete financial reporting is a challenge.
When using block explorers or solutions with third-party data providers, there could be missing information, especially with internal transfers. These types of transactions occur most commonly after smart contract execution which allow the contracts to transfer assets, trigger actions and communicate with other contracts.
As a result of the missing information, the data used for accounting and financial reporting is inaccurate. To mitigate the risk of misstatement in financial records, crypto finance teams should ensure that the data retrieved matches what is recorded on the blockchain’s ledger.
Companies can carry out balance discrepancy checks to ensure that their on-chain data is accurate and complete. In this process, the balances that are recorded on the company balance sheet are compared with the balances displayed on-chain. If there are no discrepancies then the data can be considered complete. If there are discrepancies, teams need to investigate where the discrepancies stem from and rectify them as best as possible.
Reconciliation controls are essential for companies to ensure their data is accurate and correct and to mitigate the risk of fraud and manipulation of financial records.
Some companies operating in the crypto industry record transactions that occur off-chain in their internal database. For example, exchanges record trades, revenue, and fees within their database. Companies need to compare the records they keep internally to a second set of records to ensure they are correct and in agreement. To ensure auditable books, these companies need to reconcile their off-chain transactions with their on-chain holdings.
Reconciliation controls go beyond just checking balances since finance teams need to check that all transactions have been labelled and mapped correctly during this process. These reconciliation controls allow finance teams to investigate discrepancies on a more granular level.
For businesses that have an omnibus wallet, such as exchanges or any custodial product, Nicholas Newman from Harris & Trotter LLP recommends conducting balance checks at monthly intervals to ensure transaction reconciliation:
“It’s best practice to perform this balance discrepancy check monthly to ensure that the data within your internal database matches the on-chain balances of your company omnibus wallet. As auditors, we would conduct a balance discrepancy check by looking at two different sources for the on-chain data, such as Cryptio and Etherscan.”
The pillar of trust: Upholding data integrity in audits
Data integrity poses a significant hurdle to finance teams in their journey to audit readiness. Retrieving accurate and complete on-chain transaction histories can be challenging, increasing the risk of inaccurate financial statements. The challenges around achieving data accuracy contribute to a more complex audit process.
With immature internal control environments, auditors often carry out substantive testing during crypto audits. The heightened testing involved in crypto audits amplifies costs and prolongs the audit. Leveraging sub-ledger software, such as Cryptio, can alleviate this burden, streamlining the audit process and enhancing accuracy in financial records.
Additionally, internal controls play a pivotal role in ensuring data completeness and accuracy, with balance checks and reconciliation controls emerging as crucial practices.
Coming next month: Internal controls for treasury operations, custody and payments
About David Byrd, Partner, EY
David is a Partner at EY and the firm’s Blockchain Strategy Leader for Assurance. His role involves guiding asset managers, banks, exchanges, and custodians in achieving their goals within the blockchain and digital asset landscape. Leading EY's Digital Asset Research Center, he oversees teams dedicated to supporting Assurance, Tax, and Consulting initiatives. With an in-depth technical grasp of blockchain technology and custody solutions, David actively contributes to the development of digital asset tools used by EY for audit and audit readiness engagements. Additionally, he communicates with regulators worldwide and prominent industry associations to exchange insights and foster best practices in the realms of accounting, auditing, compliance, and digital asset valuation.
About Steven Baum, Partner, Marcum
Steven is a Certified Public Accountant, Partner at Marcum LLP and serves as the Digital Asset and Blockchain Industry Co-Leader. Steven has close to 15 years of experience working with a wide range of industries, most notably digital assets and technology. Steve is known for his expertise in assisting businesses with transactional engagements, including IPO's, Token Launches, reverse mergers, Private Placement Offerings, and mergers/acquisitions, but also for his charismatic business acumen. You can find Steve at many industry conferences, speaking and connecting with industry leaders. Steve holds a BS in Accounting from Hofstra University and a Master's in Accountancy from Rutgers University.
About Alexis Tandéo, Director - Digital Assets Trust Services, PwC
Alexis is a Director at PwC in its Digital Assets Trust Services practice. He provides various services to institutional clients, corporations and startups to help them navigate the challenges of digital asset management. He supports some of the industry’s largest players to implement internal controls that address the risks inherent in crypto businesses. Additionally, he consults on financial reporting compliance requirements for companies in the crypto realm and provides accounting and regulatory reviews.
About Nicholas Newman, Partner, Harris & Trotter LLP
Nicholas is a Partner & Head of Digital Assets at Harris & Trotter LLP, leading the firm’s digital assets practice. He works with some of the most prominent entities in the crypto industry including 1inch, Wintermute, and Blockchain.com, supporting them with audit, advisory, accounting, bookkeeping, compliance, and taxation services. With expertise in crypto and audit, he is able to support companies with diverse cases, shape regulatory frameworks and collaborate globally as an independent member of BKR and community-led interest groups like Web3CFO. Nicholas championed Harris & Trotter LLP's innovative Proof of Reserve service powered by Chainlink, ensuring transparency in clients' on-chain and off-chain reserves, bolstering their financial credibility.
Table of contents
- Challenges of retrieving accurate on-chain data
- Completeness issues with data from exchanges
- Substantive testing causes costs to spiral
- The auditor’s toolkit for checking data integrity
- Expected internal controls for data completeness and accuracy
- The pillar of trust: Upholding data integrity in audits