When crypto met audit
The world of audits and the world of cryptocurrencies are light-years apart in the minds of many. Audits have a reputation for being solid, staid, and respected. Cryptocurrencies, on the other hand, are based on new technologies that many people outside of the industry barely understand, and are aimed at replacing – or at least upending – traditional currencies.
These two industries might have remained completely separate for years to come, had it not been for several recent high-profile and high-impact incidents in the world of cryptocurrencies.
The biggest such event was the spectacular fall of FTX, ostensibly one of the world’s largest and most high-profile cryptocurrency exchanges.
The curious case of FTX
How can an exchange go bankrupt and lose billions of dollars, one might ask?
It has been widely reported that FTX was shifting customer funds into a crypto trading firm called Alameda Research, and had poor internal controls and almost none of the checks and balances traditionally required of a large company.
Once FTX was declared bankrupt, the administrators moved in, attempting to salvage value for investors and creditors. They found almost nothing of value, prompting other large crypto companies to seek to reassure the market.
How does one assure the market with regard to assets, liabilities, and income? With an independent audit, of course!
Many of these companies claimed that a full audit could not be performed because of time constraints, and so engaged audit firms to produce a “Proof of Reserves” report. This report of limited scope, while not an official audit, was thought to be able to assuage doubt regarding reserves held by the crypto companies.
In the end, these reports were met with skepticism by the market, and investors and other stakeholders have been clamoring for full audits by reputable firms.
With cryptocurrencies on the verge of becoming mainstream, setbacks like these are doing them no favors in the search for credibility as the industry matures.
The only way to move forward with confidence is to be audited by reputable firms whose output represents the currency of trust to the wider financial community.
Why crypto needs audit
While a “traditional” audit examines a company’s financial information to ensure that it is accurate and complies with relevant laws and regulations, in the case of cryptocurrency, an audit can be used to ensure that the underlying technology, such as the blockchain, is functioning properly and that the funds being held in a particular ‘wallet’ or exchange are secure.
There are a number of different types of audits that can be performed on a cryptocurrency-related organization or project. Some examples include:
- Security audits: These are used to assess the security of a particular blockchain or cryptocurrency, looking for vulnerabilities that could be exploited by attackers.
- Compliance audits: These are used to ensure that a cryptocurrency-related organization is compliant with relevant laws and regulations, such as anti-money laundering (AML) and know-your-customer (KYC) requirements.
- Operational audits: These are used to assess the overall efficiency and effectiveness of a cryptocurrency-related organization or project.
Is audit ready for crypto?
While audits can provide valuable assurance for investors, organizations and users, it’s important to note that the crypto industry is still in its early stages of development and standardization, which means that there are no clear guidelines for how to perform an audit in this space. This is a challenge for auditors as well as for investors, as it makes it difficult to determine the veracity of an audit report.
As recent hype surrounding crypto (as well as the size of the market) has increased, audit firms have begun getting more involved with crypto businesses, but they face the risk of reputational damage, or worse. So as much as crypto companies were desperate for the reputational boost of a full audit by the biggest names, this enthusiasm was not necessarily reciprocated on the audit side.
Part of this hesitation was structural: many audit firms just did not have the skills, knowledge or even the software platform tools to properly audit complex crypto transactions.
Binance, one of the biggest players in this market, has also weighed in on the matter. CEO Changpeng Zhao noted that many audit firms do not have the necessary expertise to effectively audit cryptocurrency exchanges. The company has also complained of Big 4 audit firms being “unwilling” to audit the company.
The “Proof of Reserves” engagement was thought to potentially be a good middle ground: vague engagement parameters, a vague outcome, and all parties covered by vague language. However, this did not play out as many first hoped. Most audit firms quickly dropped any proof of reserves work.
The Financial Times described one such engagement as follows: “Mazars says it ran an agreed-upon procedure (AUP), meaning its staff could give only factual findings within the parameters Binance had predefined. The accounting firm made no extra inquiries, formed no opinions, and offered no assurances — including around the validity of the whole exercise.”
In the end, the SEC itself stepped in, stating that “Investors should not place too much confidence in the mere fact a company says it’s got a proof-of-reserves from an audit firm” and that having such a report “is not enough information for an investor to assess whether the company has sufficient assets to cover its liabilities.”
The future of crypto – and audits
This internal contradiction is indicative of a bigger problem facing the audit industry. Business has changed tremendously over the last few years, from crypto to AI, blockchain to automation. Auditors are not armed with the expertise to dive into code, decipher complex transactions, or understand a computer’s decision-making. Essentially, they could be blinded to risk assessment, which in and of itself represents an untold level of liability.
If anything, the ongoing FTX drama and subsequent industry upheaval are a clarion call to both the crypto and the audit communities to realize that the future of audit is upon us. What has been is not what can continue to be moving forward.