What auditors want to see from crypto companies with PwC, EY & Deloitte
In a recent panel from the Crypto Finance Forum (CFF), leaders from the world of auditing and crypto came together to discuss the intricacies of auditing in the crypto space. The panel included Jeff Rundlet, Head of Accounting Strategy at Cryptio, who moderated, David Byrd, Partner and Blockchain Strategy Leader at EY, Christopher Huber, Director at PwC, and Erica Lacerenza, Managing Director at Deloitte.
The conversation revolved around getting companies ready for crypto audits, understanding the unique risks in the crypto industry, and the importance of controls in financial reporting. Here are the highlights from the discussion.
Getting ready for crypto audits
Jeff opened the discussion by emphasizing the need to understand how to navigate the challenges of crypto audits, especially for companies that are new to the process. He stressed the importance of building trust in the financials of crypto companies and making audits more regular.
"So we've heard from three different companies talk a high level about getting through crypto audits. So now we're going to do a deeper dive into crypto audits from the very beginning to the best practices."
Onboarding and audit acceptance
The conversation then moved to the steps leading up to the audit process. David shared his thoughts on how to onboard new clients successfully and the need for a shared evaluation process between the audit team and risk management professionals.
"The best path that I've seen is one where we understand the prospect, we go very deep and assess what they do, what do we think of the risks? Can those be mitigated? Really own that evaluation and work closely with your risk management professionals."
The maturity of companies and audit acceptance
The panel discussed whether companies need to reach a certain stage of maturity before they are suitable for audit acceptance. Christopher pointed out that it's more about the company's preparedness and ability to manage its financial reporting functions effectively.
"It's more the latter. Some companies take on audits from the beginning, and it depends on their understanding and readiness."
Unique risks in crypto audits
Erica highlighted that the risks in crypto audits depend on the company's position in the ecosystem, its products and services, and its corporate journey. She emphasized the importance of setting up a robust risk management framework and considering various types of risks, including those related to digital assets.
"I would say that the risks depend on where the company is in the ecosystem. So what products and services are you offering and then where are you on your corporate journey as well"
David expanded on the key risks auditors consider in the crypto industry, such as private key management, custody of assets, and counterparty risks. He emphasized the importance of evaluating and understanding the counterparties that companies rely on.
"That evaluation of counterparty risk is just something that we've seen can sometimes be lacking at companies”
First-year vs. ongoing audits: building trust in the audit relationship
The panel discussed the differences in focus and effort between first-year audits and ongoing audits. Christopher pointed out that first-year audits require more effort due to the need to build knowledge and trust, while ongoing audits become easier as trust develops.
"Year one is definitely the hardest because you have to build knowledge from the base."
Additionally, he emphasized the importance of building a strong relationship with the audit partner and the value of proactive communication with auditors. He suggested that being open about issues can lead to a smoother audit process.
"I think the best audits I've ever had are where the client comes to me and says, 'Hey, we have this issue,' and being proactive versus being quiet about it."
The role of audit readiness
David highlighted the importance of audit readiness and the need for companies to engage in ongoing readiness for audits, even if they already have an auditor. He stressed the need for continuous preparation in the fast-evolving crypto space.
"A big part of what we do is just helping companies get ready for an audit."
The panel looked at 3 major players for audit readiness consideration: internal controls, SOC reports and various tools and techniques for successfully executing your audits. Here’s a more detailed breakdown of each one.
1. Internal controls in crypto audits
The panel discussed the significance of controls in crypto audits. They emphasized the need for controls to address various risks, including private key management, data accuracy, and completeness. They also stressed the importance of internal controls.
"Make sure you have the basics down, your cash, your other important processes, and identifying the risks in there."
2. The quality of SOC reports
The discussion delved into the quality of SOC (Service Organization Control) reports and their importance in crypto audits. The panel highlighted the need to carefully evaluate the scope and type of SOC reports provided by third-party vendors.
"If you're relying on a third-party custodian or some other services, then that's that classic thing that you're always going to see. Do they have a SOC one type two, ideally. That's what we all want."
3. Tools and techniques for crypto audits
The panel discussed the tools and techniques developed for handling crypto audits. Erica mentioned Deloitte's proprietary blockchain auditing tool, Deloitte Omnia Digital Assets – which streamlines blockchain data for reliable audit evidence.
"We have a tool that we use to harvest bulk blockchain data and streamline it for reliable audit evidence."
Christopher talked about PwC's tool, Halo for crypto data, which provides direct integration into blockchains.
"Halo for crypto does direct integration into blockchains and provides comfort over the ownership of keys without the need for private key sharing."
Audit readiness and technical competency
The panel concluded the discussion by highlighting the importance of technical competency and clear communication between crypto experts and auditors. They emphasized the need for companies to understand the technical aspects of their operations and the importance of educating auditors about their businesses.
“Focus on technical competency and making sure you speak the right languages because so often you guys (crypto natives) have heard these topics at all the conferences, right? Getting us (auditors) that operate in this space to really understand. Obviously you're not going to get all the engineering level knowledge, you know, but understanding enough of it that's relevant to what your job is.”
Key takeaways for successful crypto audits
Auditing in the crypto industry comes with unique challenges and risks that require a tailored approach. Companies aiming for crypto audits should prioritize audit readiness, establish robust risk management frameworks, and work closely with auditors to navigate the complexities of the crypto ecosystem.
Building trust and open communication between auditors and clients is crucial for successful crypto audits. Continuous preparation and controls are essential components to ensure the quality and reliability of financial reporting in the crypto space.
As the industry evolves, companies should strive to educate auditors on their businesses and work closely to address the specific risks associated with cryptocurrencies and blockchain technology. This discussion highlights the critical role of auditors in the crypto industry and provides insights for companies looking to undergo crypto audits.
Table of contents
- Getting ready for crypto audits
- Onboarding and audit acceptance
- The maturity of companies and audit acceptance
- Unique risks in crypto audits
- First-year vs. ongoing audits: building trust in the audit relationship
- The role of audit readiness
- Audit readiness and technical competency
- Key takeaways for successful crypto audits