Crypto Audit Insider: Internal controls for treasury operations, custody and payments
Our four experts David Byrd (EY), Steven Baum (Marcum), Alexis Tandéo (PwC), and Nicholas Newman (Harris & Trotter LLP) advise you on the internal controls you need to implement as a business with crypto financial activity to mitigate risks associated with wallet management, custody and payments.
Treasury functions have expanded significantly within businesses utilizing digital assets. With broader access to company wallets, finance teams have to establish effective internal controls to mitigate the risks associated with access to and control of assets.
Our four experts from industry leaders EY, Marcum, PwC, and Harris & Trotter LLP divulge key practices to help finance leaders ensure their treasury operations have the appropriate internal controls to ensure that assets remain under company control.
Establishing the reliability of blockchains
Audit firms generally conduct risk assessments on blockchains to determine their reliability. However, companies leveraging digital assets should do their own due diligence and satisfy themselves that the blockchains they use are reliable enough for business purposes.
Steven Baum from Marcum recommends asking the following questions to begin a risk assessment of a blockchain:
- Are there reliable block explorers for the chain?
- Are there various data sources where you can confirm transactions and investigate the reliability of the ecosystem?
- Has there ever been a 51% attack on the chain?
Data sources that finance teams can check to assess reliability include:
- Block explorers for the chain being used.
- Whether a foundation with funds exists to promote the growth and maintenance of the ecosystem.
- The number of ecosystem participants (e.g., companies building on the chain, number of developers).
Understanding smart contract risks
Deploying smart contracts on a blockchain involves risks such as:
- Coding errors and bugs.
- Security vulnerabilities.
- Inaccurate or compromised external data feeds (oracles).
- Privacy concerns.
- Scalability issues.
Alexis Tandéo of PwC recommends implementing documented controls to ensure that the code has been tested before it is deployed to the blockchain.
"The finance team must ensure that the key smart contracts for its operations have been coded and reviewed according to standard controls either by internal teams or external independent auditors with the necessary expertise: technical, cybersecurity, legal, etc."
Ascertaining true ownership and control of assets
Finance teams need to answer an important question before going to audit: can their assets be taken away from them?
David Byrd from EY highlights the risks that businesses face around establishing true ownership and control of assets:
"Superuser access and token functionalities like burning, freezing, or transferring assets can threaten control. Businesses need to monitor these risks, along with checking OFAC blacklists, to ensure true ownership and control."
Finance teams need to investigate with sufficient granularity to satisfy their auditors’ concerns around ownership of assets.
Greater access to wallets is an issue
At companies operating in the digital assets landscape, access to company wallets is not restricted to finance teams; it extends to the engineering, IT, and data teams as well.
On-chain businesses use blockchains not only as their financial rails but also to build products. As a result, tech teams need access to wallets to perform testing and deploy smart contracts, among other technical functions. Because more people hold access at these companies, the risk of fraud and of key compromise increases.
Thorough documentation around which users have access to which wallets is essential for auditors to verify ownership and control of wallets. Companies need to therefore provide auditors with an up-to-date list of the wallets under their ownership and who has access to each of these wallets.
Importance of a wallet management policy
For firms with crypto financial activity, having a wallet management policy is essential.
Nicholas Newman of Harris & Trotter LLP suggests that businesses with on-chain operations outline the following steps in their wallet management policy:
- The purpose of the wallet and how it is used.
- The backup procedures in the event a wallet needs to be recovered.
- How seed phrases, private keys, and passwords are stored and kept secure.
- Custody arrangements.
- The people who can access the wallet and are approved to sign transactions.
The policy sets out how the business manages the risks around physical access to, and the security of, its wallets and assets.
Internal controls for treasury operations and custody
Because auditors will question whether a company truly owns and controls its digital assets, robust internal controls must be instituted for treasury operations and custody that demonstrably safeguard ownership and restrict control to designated, authorized users.
Implementing IT general controls (ITGCs) specifically for wallets is crucial to mitigating these risks. These ITGCs address key risk areas, including:
- Physical access control: Restricting physical access to hardware wallets, private keys, and seed-phrase backups.
- Transaction authorization: Implementing multi-signature or other approval workflows for transaction initiation.
- Fraud detection: Employing anomaly detection and monitoring systems to flag suspicious activity.
- Data security: Encrypting sensitive data and securing backups to prevent unauthorized access or manipulation.
Inventory check of wallets
While secure wallet management is vital for audit readiness, ensuring complete disclosure of all company-owned assets across all wallets in financial statements is equally crucial.
To accurately capture all transactions for financial reporting, conducting regular and thorough inventory checks of company wallets is paramount. This helps avoid omissions and discrepancies during audits.
Auditors may employ a technique called "mind mapping" to visualize the interconnectedness of wallets provided by the client. This allows them to trace transactions comprehensively and potentially identify missed assets or chains.
To proactively mitigate such oversight, companies with on-chain activity should mirror the auditor's approach by pre-emptively mapping their wallets. This self-audit can help identify any missing chains or assets before formal audit procedures begin, saving time and ensuring complete disclosure.
Reconciliation controls let a business detect whether unauthorized transactions have been executed from company wallets. Without them, a company may not notice its digital asset holdings being drained until the funds are gone.
Reconciliation controls, including regular matching of on-chain transactions against the internal ledger and anomaly detection, surface unauthorized activity soon after it occurs. Run frequently, they identify unauthorized transactions and misstatements in a timely manner and limit the damage these issues can cause.
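As an added example (not code from the page or from any of the firms quoted), here is the transaction-matching half of such a control in Go. It takes the transfers a block explorer or node reports for the company's wallets and the finance team's own ledger of approved transfers, both constructed here as sample data with placeholder addresses and hashes, and produces the exceptions a control owner would investigate: outflows with no ledger entry, payments to addresses outside the approved payee list, amount mismatches, receipts nobody booked, and ledger entries with no on-chain counterpart. The wallet list, payee allowlist, and finding categories are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Transfer is one on-chain token movement as a block explorer or node reports it.
// Amount is in the token's smallest unit (6 decimals for USDC) to avoid floats.
type Transfer struct {
	TxHash, Token, From, To string
	Amount                  int64
}

// LedgerEntry is the finance team's own record of an approved, booked transfer.
type LedgerEntry struct {
	TxHash, Token string
	Amount        int64
}

// Finding is one reconciliation exception for the control owner to investigate.
type Finding struct {
	Kind, TxHash, Detail string
}

// addrSet builds a case-insensitive address set (hex addresses may be checksummed).
func addrSet(addrs []string) map[string]bool {
	m := make(map[string]bool, len(addrs))
	for _, a := range addrs {
		m[strings.ToLower(a)] = true
	}
	return m
}

// Reconcile compares every on-chain transfer touching a company wallet with the
// internal ledger. Outflows must be booked, match in token and amount, and go to
// an allowlisted payee or another company wallet; inflows must be booked
// (completeness); ledger entries with no on-chain counterpart are flagged too.
func Reconcile(wallets, payees []string, chain []Transfer, ledger []LedgerEntry) []Finding {
	ours, allowed := addrSet(wallets), addrSet(payees)
	byHash := make(map[string]LedgerEntry, len(ledger))
	for _, e := range ledger {
		byHash[strings.ToLower(e.TxHash)] = e
	}
	onChain := map[string]bool{}
	var findings []Finding
	for _, t := range chain {
		from, to := strings.ToLower(t.From), strings.ToLower(t.To)
		if !ours[from] && !ours[to] {
			continue // neither side is a company wallet: explorer noise
		}
		h := strings.ToLower(t.TxHash)
		onChain[h] = true
		e, booked := byHash[h]
		var kind, detail string
		switch {
		case ours[from] && !booked:
			kind, detail = "UNAUTHORIZED_OUTFLOW", fmt.Sprintf("%d %s sent from %s to %s with no ledger entry", t.Amount, t.Token, t.From, t.To)
		case ours[from] && !allowed[to] && !ours[to]:
			kind, detail = "PAYEE_NOT_ALLOWLISTED", fmt.Sprintf("booked, but %s is not an approved payee", t.To)
		case booked && (e.Amount != t.Amount || !strings.EqualFold(e.Token, t.Token)):
			kind, detail = "AMOUNT_MISMATCH", fmt.Sprintf("ledger %d %s vs chain %d %s", e.Amount, e.Token, t.Amount, t.Token)
		case !ours[from] && !booked:
			kind, detail = "UNRECORDED_INFLOW", fmt.Sprintf("%d %s received from %s is missing from the ledger", t.Amount, t.Token, t.From)
		default:
			continue // matched
		}
		findings = append(findings, Finding{kind, t.TxHash, detail})
	}
	for _, e := range ledger {
		if !onChain[strings.ToLower(e.TxHash)] {
			findings = append(findings, Finding{"LEDGER_WITHOUT_CHAIN", e.TxHash, "booked transfer never appeared on-chain"})
		}
	}
	return findings
}

// SampleFindings runs the control over constructed sample data; the addresses
// and transaction hashes are placeholders, not real on-chain identifiers.
func SampleFindings() []Finding {
	treasury := "0xAAAA000000000000000000000000000000000001"
	ops := "0xbbbb000000000000000000000000000000000002"
	vendor := "0xCCCC000000000000000000000000000000000003"
	chain := []Transfer{
		{"0xt1", "USDC", treasury, vendor, 1_000_000_000},                                                          // approved vendor payment
		{"0xt2", "USDC", treasury, strings.ToUpper(ops), 500_000_000},                                              // internal sweep, different case
		{"0xt3", "USDC", ops, "0xDDDD000000000000000000000000000000000004", 250_000_000},                            // nobody approved this
		{"0xt4", "USDC", "0xEEEE000000000000000000000000000000000005", treasury, 3_000_000_000},                     // receipt never booked
		{"0xt5", "USDC", treasury, vendor, 1_000_000_000},                                                          // booked at the wrong amount
		{"0xt7", "ETH", "0xFFFF000000000000000000000000000000000006", "0x9999000000000000000000000000000000000007", 1}, // unrelated
	}
	ledger := []LedgerEntry{
		{"0xT1", "USDC", 1_000_000_000},
		{"0xT2", "USDC", 500_000_000},
		{"0xT5", "USDC", 100_000_000},
		{"0xT6", "USDC", 42_000_000}, // booked, but never landed on-chain
	}
	return Reconcile([]string{treasury, ops}, []string{vendor}, chain, ledger)
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("%-22s %s  %s\n", f.Kind, f.TxHash, f.Detail)
	}
}
```

Two design points matter in practice: amounts are integers in the token's smallest unit, because floating-point comparison would produce spurious mismatches, and every address and hash is lower-cased before comparison, because explorers and ledgers disagree on checksummed casing. The `UNRECORDED_INFLOW` category exists for completeness of the financial statements rather than for theft detection; both are what the auditor is looking for.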
While custody arrangements may vary, thorough documentation of custody procedures is essential for every company. This safeguards assets and paves the way for smooth regulatory audits.
Companies choosing self-custody with a hardware wallet must demonstrate two crucial aspects:
1) Exclusive ownership of the private keys.
2) Secure and controlled seed generation environment.
Finance teams can periodically confirm that their private keys are still operational by executing a small transaction and verifying that it appears on-chain in a block explorer. Auditors may test whether a client can access its private keys by having it sign an auditor-supplied message with the wallet's key to prove control; a fresh, auditor-chosen message ensures that an old signature cannot simply be reused.
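Both the transaction-authorization control listed earlier (multi-signature approval workflows) and the auditor's proof-of-control test reduce to verifying signatures over a carefully chosen message. The following Go program is an added example, not code from the page or from any of the firms quoted. It assumes Ed25519 wallet keys (as used by Solana, for instance) so that the Go standard library suffices; a chain with secp256k1 keys would use that chain's message-signing scheme instead. The first half is the auditor's challenge-response: a random nonce, the wallet key, and an expiry are bound into the signed message, so a signature cannot be replayed later or passed off for another wallet, and the fixed prefix keeps the signed bytes from ever being a valid transaction. The second half enforces a k-of-n threshold from the wallet management policy, counting each approved signer at most once. The message format, policy structure, and sample transaction bytes are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the auditor hands the client: a random nonce, the wallet key
// it must be signed with, and an expiry so an old signature cannot be replayed.
type Challenge struct {
	Nonce   [16]byte
	Wallet  string // hex-encoded Ed25519 public key (assumed key type)
	Expires time.Time
}

// Message is the exact byte string that gets signed. Binding wallet and expiry
// into it ties the signature to this key and this request; the prefix makes the
// bytes useless as a transaction. Format is an assumption for this example.
func (c Challenge) Message() []byte {
	return []byte(fmt.Sprintf("audit-proof-of-control|wallet=%s|nonce=%s|expires=%d",
		c.Wallet, hex.EncodeToString(c.Nonce[:]), c.Expires.Unix()))
}

// NewChallenge is run by the auditor; now is injected so the window is testable.
func NewChallenge(wallet string, ttl time.Duration, now time.Time) (Challenge, error) {
	c := Challenge{Wallet: wallet, Expires: now.Add(ttl)}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return Challenge{}, err
	}
	return c, nil
}

// Prove is run by the client on the device holding the key: it signs the
// challenge message and nothing else.
func Prove(c Challenge, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, c.Message())
}

// VerifyControl is run by the auditor: the challenge must still be inside its
// window and the signature must verify under the claimed wallet key.
func VerifyControl(c Challenge, sig []byte, now time.Time) error {
	if now.After(c.Expires) {
		return errors.New("challenge expired")
	}
	pub, err := hex.DecodeString(c.Wallet)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed wallet key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), c.Message(), sig) {
		return errors.New("signature does not verify under the wallet key")
	}
	return nil
}

// Policy is the wallet management policy's approved signer set and threshold.
type Policy struct {
	Threshold int
	Signers   map[string]bool // hex public keys approved to sign for this wallet
}

// Approval is one signer's signature over the SHA-256 digest of the transaction.
type Approval struct {
	Signer string
	Sig    []byte
}

// Approve is what each approved signer runs on its own device.
func Approve(priv ed25519.PrivateKey, tx []byte) Approval {
	d := sha256.Sum256(tx)
	pub := priv.Public().(ed25519.PublicKey)
	return Approval{Signer: hex.EncodeToString(pub), Sig: ed25519.Sign(priv, d[:])}
}

// Authorize enforces k-of-n: only approved signers count, each at most once even
// if it submits several approvals (counting duplicates is a classic multisig bug).
func Authorize(p Policy, tx []byte, approvals []Approval) error {
	d := sha256.Sum256(tx)
	counted := map[string]bool{}
	for _, a := range approvals {
		if !p.Signers[a.Signer] || counted[a.Signer] {
			continue
		}
		pub, err := hex.DecodeString(a.Signer)
		if err == nil && len(pub) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(pub), d[:], a.Sig) {
			counted[a.Signer] = true
		}
	}
	if len(counted) < p.Threshold {
		return fmt.Errorf("only %d of the required %d approved signers signed", len(counted), p.Threshold)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	wallet := hex.EncodeToString(pub)
	c, _ := NewChallenge(wallet, 10*time.Minute, time.Now())
	fmt.Println("proof of control:", VerifyControl(c, Prove(c, priv), time.Now()))
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	policy := Policy{Threshold: 2, Signers: map[string]bool{wallet: true, hex.EncodeToString(pub2): true}}
	tx := []byte("USDC 1000000000 to vendor") // constructed stand-in for a serialized transaction
	fmt.Println("two distinct signers:", Authorize(policy, tx, []Approval{Approve(priv, tx), Approve(priv2, tx)}))
	fmt.Println("same signer twice:", Authorize(policy, tx, []Approval{Approve(priv, tx), Approve(priv, tx)}))
}
```

The proof of control never moves funds, which is why auditors prefer it to a test transaction. In a hardware-wallet setup `Prove` and `Approve` run inside the device; what the policy document must then record is exactly the `Signers` set and `Threshold`, and `Authorize` is the check the treasury workflow applies before a transaction is broadcast.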
Backup and recovery process
A robust backup and recovery plan is crucial for all company wallets, especially those requiring multi-signature authorization, which add complexity along with their added security. Even when using a third-party wallet manager, finance teams must actively verify and monitor the backup and recovery controls in place.
If a company self-custodies, spreading funds across multiple wallets can be useful, as it reduces the risk of losing all funds if one wallet is compromised. Companies holding crypto assets might also consider keeping the bulk of funds in cold storage, such as a hardware wallet kept offline. This physically isolates the keys from internet-connected systems, significantly reducing the risk of remote attacks and unauthorized access.
Regular testing of the backup process is essential. If a company uses a custodian to hold its assets, it must independently verify the custodian's disaster recovery procedures. Inadequate backup and recovery plans expose companies to risks such as permanent loss of funds or operational delays during recovery.
SOC reports for custodians
Custodians of assets should have SOC reports available (depending on the specific circumstances, an external auditor may determine that a SOC 1 Type 2 report is essential).
These reports provide auditors with independent assurance that the custodian maintains effective internal controls relevant to its clients' financial reporting. This allows auditors to significantly reduce their own testing procedures and speeds up the audit.
Using a custodian with a SOC 1 Type 2 report offers benefits such as enhanced security, reduced compliance risk, and improved audit efficiency, and ultimately greater peace of mind for companies entrusting their assets to it. Regulators and institutional clients in many jurisdictions expect custodians to provide such reports, further underscoring their role in safeguarding assets.
Navigating the crypto industry demands heightened vigilance
Risks associated with ownership, control, and security of crypto assets are numerous. Companies leveraging these assets must establish proof of ownership and control of their holdings, ensuring that their assets are not at risk of being seized or frozen by either third parties with superuser permissions or regulatory authorities.
Conducting risk assessments of the specific blockchains and smart contracts a business relies on unveils potential vulnerabilities before assets are exposed. This crucial step, alongside robust wallet management policies and internal controls, paves the way for seamless audit readiness and secure asset ownership. Hardware wallet cold storage and regular anomaly detection through internal controls further strengthen security and mitigate fraud risks within company wallets.
About David Byrd, Partner, EY
David is a Partner at EY and the firm’s Blockchain Strategy Leader for Assurance. His role involves guiding asset managers, banks, exchanges, and custodians in achieving their goals within the blockchain and digital asset landscape. Leading EY's Digital Asset Research Center, he oversees teams dedicated to supporting Assurance, Tax, and Consulting initiatives. With an in-depth technical grasp of blockchain technology and custody solutions, David actively contributes to the development of digital asset tools used by EY for audit and audit readiness engagements. Additionally, he communicates with regulators worldwide and prominent industry associations to exchange insights and foster best practices in the realms of accounting, auditing, compliance, and digital asset valuation.
About Steven Baum, Partner, Marcum
Steven is a Certified Public Accountant, Partner at Marcum LLP and serves as the Digital Asset and Blockchain Industry Co-Leader. Steven has close to 15 years of experience working with a wide range of industries, most notably digital assets and technology. Steve is known for his expertise in assisting businesses with transactional engagements, including IPOs, Token Launches, reverse mergers, Private Placement Offerings, and mergers/acquisitions, but also for his charismatic business acumen. You can find Steve at many industry conferences, speaking and connecting with industry leaders. Steve holds a BS in Accounting from Hofstra University and a Master's in Accountancy from Rutgers University.
About Alexis Tandéo, Director - Digital Assets Trust Services, PwC
Alexis Tandéo is a Director at PwC in its Digital Assets Trust Services practice. He provides various services to institutional clients, corporations and startups to help them navigate the challenges of digital asset management. He supports some of the industry’s largest players to implement internal controls that address the risks inherent in crypto businesses. Additionally, he consults on financial reporting compliance requirements for companies in the crypto realm and provides accounting and regulatory reviews.
About Nicholas Newman, Partner, Harris & Trotter LLP
Nicholas Newman is a Partner & Head of Digital Assets at Harris & Trotter LLP, leading the firm’s digital assets practice. He works with some of the most prominent entities in the crypto industry including 1inch, Wintermute, and Blockchain.com, supporting them with audit, advisory, accounting, bookkeeping, compliance, and taxation services. With expertise in crypto and audit, he is able to support companies with diverse cases, shape regulatory frameworks and collaborate globally as an independent member of BKR and community-led interest groups like Web3CFO. Nicholas championed Harris & Trotter LLP's innovative Proof of Reserve service powered by Chainlink, ensuring transparency in clients' on-chain and off-chain reserves, bolstering their financial credibility.