Preparing for your Audit – Tips for Companies in the Business of Bitcoin or other Cryptocurrency
Year-end can be a high-pressure time due to the volume of work that needs to be completed on tight deadlines. You may also have the additional task of getting through an audit.
Navigating an audit can be challenging even when you are engaged in a mature industry. If you’ve opted to make cryptocurrency a material part of your assets and/or revenue portfolio, it’s important to know what the implications are for your audit. Cryptocurrency is an emerging industry, meaning that an understanding of this sector is not widespread amongst audit firms. Moreover, the regulatory body (in Canada, the Canadian Public Accountability Board, “CPAB”) that oversees auditors to ensure that they are conducting their work in compliance with the relevant auditing standards is similarly in the early stages of establishing quality baselines for these audits. As a result, audit procedures are evolving year over year, as are the questions and concerns raised by CPAB’s annual inspections of completed audits.
Part of our business at Decision Point is assisting audit firms in providing assurance over cryptocurrency-related balances. However, our larger mandate is to solve problems for our clients and make life easier where we can. With this goal in mind, we’ve assembled some key audit considerations for companies with material cryptocurrency operations.
Mining Pool Participation
From an audit perspective, mining pool participation poses certain challenges. If you are reporting mining revenue on your financial statements, auditors are obligated to trace this revenue back to its source in order to verify its occurrence, accuracy and classification. To accomplish this task, auditors will require access to your pool statements.
With the above in mind, it is important to consider the following points with respect to your audit when selecting mining pools:
Does the pool provide statements?
Are the statements available for the entire duration of your participation in the year being audited?
Will you need to retrieve these statements monthly, or will the pool retain the data for the prior year, to be accessed at a future date?
Are these statements accessible in csv or xlsx formats (easier for auditors to work with, thus translating to lower bills)?
Are these statements also accessible in pdf format containing the pool’s official header? If not, your auditors may ask to observe you retrieving the pool statements from the pool website in order to validate that they have not been tampered with.
Do these statements contain basic information such as the transaction hash, date and amount for each deposit into your wallet?
Controls around private keys, recovery seeds and transaction approval
The management of cryptocurrency wallets draws several parallels to the management of traditional bank accounts. Typically, businesses restrict which individuals have access to fiat bank accounts belonging to the company, and which specific privileges accompany each level of access. For instance, someone performing bank reconciliations may have the ability to view account activity and retrieve bank statements; however, they should not also be able to make changes within the accounts or approve transactions. These same principles should apply to your management of cryptocurrency wallets, and your policies in this area will be of critical significance to your auditor.
Of specific concern with respect to cryptocurrency wallets is the safeguarding of the private key. If a private key is lost, so is the ability to move the funds within the corresponding wallet and there is no recourse (QuadrigaCx is a well-known example of suspected private-key loss). It is critical that you establish a business continuity plan that provides more than one individual with access to the private keys. It is additionally advisable that backup copies of the keys be maintained to mitigate the risk that the keys are destroyed by an act of God or force majeure. The same principle applies to the safeguarding of recovery seeds which are provided with certain cold wallets (i.e. Trezors).
Determining who within your organization is authorized to approve transactions of cryptocurrency is a similarly critical area. Basic cryptocurrency wallets only need one individual (who is in possession of the private key) to authorize outgoing transactions. This arrangement creates a single-point of failure issue, rendering your organization highly vulnerable to misappropriation, theft and cyberattacks. Use of multi-signature wallets is highly advisable as they require more than one private key to authorize transactions. You can set the wallet to have any total number of private keys and then set how many of these keys out of the total are required for authorization. It is recommended to scale the number of keys required for authorization according to your business size, keeping in mind that requiring more keys for authorization lowers the risk of ill-intentioned collusion within your organization.
Miner oversight and reasonability of revenue
If you are engaged in cryptocurrency mining, you will be recording revenues based on the cryptocurrency you earn throughout the year. Your auditors will likely seek to verify the occurrence and accuracy of your revenue through more than one testing approach.
At a point in time, given a set of miners and data that can be retrieved from the underlying blockchain, you can calculate your expected earnings. For your auditor, such a model will help them gain comfort over the mining revenue you have reported. Operationally, these models serve the critical purpose of providing you with oversight over your mining effectiveness. If you are participating in a pool, this kind of exercise is important to ensure that the pool is appropriately compensating you for the hashing power that you are providing them. Even if you are not participating in a pool, such a model can help you to define revenue expectations and evaluate where your performance lands in relation. Information of this sort can provide valuable operational insights into your mining facility and weaknesses therein that are harming your bottom line.
Decision Point can assist in developing a revenue model that will provide you with these key operational insights and that can easily be updated on your own accord going forward.
Considerations around use of 3rd party providers
Typically, when you provide auditors with 3rd party information (for example, data from your payroll provider, bank statements, etc), your auditors take this information as being correct. Auditors are usually able to make this assumption because the organizations in question have retained auditors of their own to attest to the internal controls in place within their business. Given the emerging nature of the cryptocurrency environment, most service providers operating within this space do not typically have such attestations. As a result, auditors typically need to perform additional procedures in these areas to validate the information from these providers.
Cryptocurrency exchanges are a good example of a commonly used service provider by those engaged in mining. Complications arise when clients make use of exchange wallets, which allow the user to retain funds within the exchange itself. When a client has material sums of money in an exchange account at year-end, auditors are faced with the task of providing assurance over the ownership and value of these funds. Without confidence in the internal controls in place at the exchange itself, this task can be quite cumbersome. As a result, it is generally recommended that clients liquidate any holdings they have within exchange accounts before year-end.
As the cryptocurrency industry continues to mature and proliferate, we expect the approaches taken by auditors to be refined. Moreover, we expect major service providers in this area to adapt to the reporting needs of their burgeoning institutional client bases by providing clear data that is backed by assurance over their internal controls. In the meantime, it is important for businesses operating in this sector to remain up to date on how to best facilitate their annual audit in an efficient fashion. At Decision Point, we are here to help.