The Public Company Accounting Oversight Board released a new advisory report to provide information for auditors and audit committees about audits involving cryptoassets, such as Bitcoin and other digital currencies.
The Spotlight document, Audits Involving Cryptoassets – Information for Auditors and Audit Committees, calls for a greater focus by some auditors on the identification and assessment of the risks of material misstatement to the financial statements related to cryptoassets, as well as the planning and performing of an appropriate audit response.
The report also highlights considerations for addressing certain responsibilities under PCAOB standards for auditors of issuers transacting in cryptoassets. The PCAOB also suggests questions that audit committees should ask their auditors when transactions involving cryptoassets or holdings of cryptoassets are material to the issuer’s financial statements.
Such questions include:
- What is the experience of the engagement partner and other senior engagement team members with cryptoassets?
- Would the firm be able to supplement the engagement team’s expertise if necessary (e.g., by engaging relevant specialists)?
- What is the auditor’s understanding of the technology underlying the issuer’s cryptoasset-related activities?
Internal Controls for Cryptoassets
Of particular interest to internal auditors may be the report’s take on what auditors should consider as they assess internal controls related to cryptoassets. According to the PCAOB document, “the auditor should obtain a sufficient understanding of the issuer’s internal control over financial reporting, including its information systems relevant to financial reporting, to identify the types of potential misstatement, assess the factors that affect the risks of material misstatement, and design further audit procedures.”
Understanding relevant controls related to transactions involving cryptoassets may include, for example:
- Understanding controls over the generation and management of private keys (i.e., access passcodes), which are important to addressing risks relating to the existence of balances of cryptoassets.
- When important internal controls reside at a third party, determining whether a service auditor’s report addresses those controls, or whether the controls would need to be tested directly by the issuer’s auditor to obtain evidence of their effectiveness.
- Understanding controls over the reliability of blockchain information to be used as audit evidence (e.g., controls that address alterations to the information stored on the blockchain).
- Understanding controls over cryptoasset-related transactions that are recorded outside the blockchain (e.g., information about customer transactions in a trading platform’s system) and therefore not covered by the same controls as transactions recorded on the blockchain.
The report can be found on the PCAOB website.