Yes, since the start of the current decade, it has become a mania! The hype around cryptocurrency is attributable to blockchain technology. What started as a secure digital mode of transaction is now being used as a medium of exchange and even for trading physical assets. But what is crypto essentially? Does it have a meaning beyond obscurity, as its name, derived from ‘cryptic’, suggests? And what are the audit (read: internal audit) challenges around cryptocurrencies?

In this blog post I’ll be focusing on what internal audit looks like in the era of cryptocurrencies. But let’s first look at the reasons something so obscure became such a fanciful proposition. These are:

  • Self-control over money and investments.
  • Non-regulation by governments and banks and consequently no compliance requirements and no associated fees.
  • No broker-dealer intermediaries: trading is direct between parties, or through exchanges that deal directly with customers.
  • Value driven by carefully regulated demand and supply factors, with no other factors involved, such as measures to curb or cause inflation.
  • Availability of technology like cryptography for securing, timestamping and confirming transactions.

As promising as the base case for cryptocurrencies looks, the actual situation around them is as yet far from ideal. So, let’s now understand what cryptocurrencies are, what platforms enable them, how they differ from traditional currencies and what risks they represent from an audit perspective:

Distinctive Features vs. What’s Wrong / Could Go Wrong?

Distinctive feature: No central bank backing, no universal control over what constitutes a transaction.
What’s wrong / could go wrong: Occurrence (transaction) / existence (asset, contract) is undermined unless the traditional currency used to buy / invest in cryptocurrency is factored in. Specific accounting standards on what constitutes a typical medium-of-exchange transaction (sale / purchase) in cryptocurrency, or an investment / divestment in an asset through cryptocurrency, are presently non-existent.

Distinctive feature: Ownership information for transactions, assets and contracts is not publicly available, since only the entity owning the key to the blockchain has this information.
What’s wrong / could go wrong: As with occurrence, the rights and obligations of transactions and their consequent assets / contracts cannot be adequately substantiated through traditional (external) audit procedures. Additionally, once the key is lost there might not be a way to recover investments.

Distinctive feature: Transactional records are not stored in traditional databases that a business entity can manage; they are stored in blocks managed by cryptography exchanges developed by blockchain developers as part of decentralized and distributed ledgers.
What’s wrong / could go wrong: The availability of records with a third party represents unique risks as far as the design efficacy of, and compliance with, the controls governing these are concerned. The assertions cannot be fulfilled if there are design inadequacies in the distributed ledger control mechanisms.

Distinctive feature: Records are secured through the use of cryptography.
What’s wrong / could go wrong: Possession of / access to private and public keys could be an issue if there is no policy governing their custody.

Distinctive feature: Records are in the public domain, available anywhere and transmitted securely.
What’s wrong / could go wrong: Akin to being in a cloud, the security of records is dependent upon the cryptography exchange / blockchain service provider.

Distinctive feature: No insurance of cryptocurrencies, these being digital currency.
What’s wrong / could go wrong: Insurance is not available as a risk mitigation option, thereby requiring other risk mitigation strategies.

Distinctive feature: One currency globally; no foreign exchange conversion costs involved.
What’s wrong / could go wrong: Still, the risks particular to cryptocurrency are augmented by how each territory in which it is traded deals, or in fact does not deal, with it!

Distinctive feature: Traditional money is required and used to buy cryptocurrency.
What’s wrong / could go wrong: The value of cryptocurrency translated into traditional currency could vary widely across exchanges and territories and is volatile. This volatility could result in significant financial losses depending upon the exposure.

Distinctive feature: Cryptocurrency makes it possible to invest in itself, while traditional money investments are in different products like foreign currency forwards, futures, options, etc.
What’s wrong / could go wrong: This makes cryptocurrency inherently riskier, since investments are made directly in the currency.

Distinctive feature: Presently, blockchain database development and understanding is limited to a proficient few, unlike traditional databases, where knowledge is widespread and improvement is a continuous feature.
What’s wrong / could go wrong: Risks emerge from the competence and proficiency of the resources employed to manage cryptocurrencies and to evaluate and verify these trades.

Though presently unregulated, public interest and safety compulsions would eventually trigger governments to regulate the use of cryptocurrencies. So, some form of regulation over these is expected. There’s also a possibility that certain territories outright declare trading in these as illegal.

It’s also highly likely that accounting and financial reporting standards specific to cryptocurrency trades, investments and contracts are developed and adapted in order to ensure their accurate reporting in the financial statements of an entity that has invested in it.

External audit will also find its way around the challenges reflected in cryptocurrency trading, since the International Standards on Auditing (ISAs) are not transaction specific but audit objective and approach centric, the core objective being to obtain assurance over the relevant financial statement assertions for these transactions and balances.

However, owing to the intricate nature of cryptocurrency related transactions, I reckon an external audit approach would likely be aimed at gaining the bulk of assurance through substantive procedures, including analytical procedures, rather than through tests of controls.

But what would a high-level internal audit program for cryptocurrency typically and minimally look like?

Governance

Review the entity’s strategy for dealing with cryptocurrency.

Review the intent of the strategy: hedging risks or earning speculative returns?

Review policies and limits / exposures on the use of different types of cryptocurrencies.

Review systems instructed by the Board to communicate transactions and changes in trades, assets and contracts and seek approval for these.

Review objectives specified by the Board for use of cryptocurrency and whether mechanisms are in place to evaluate if these objectives are being fulfilled.

Review whether the Board is fully cognizant of the risks associated with dealing in cryptocurrencies and has instituted risk management and control systems to safeguard against these.

Review compliances with policies, limits, systems and mechanisms through transactional testing.

Risk Management

Review if the entity’s risk registers have adequate coverage of risks pertaining to use of all types of cryptocurrencies the entity is invested in.

Review if the risk capacity and tolerance thresholds have been adjusted in accordance with the use of cryptocurrencies.

Review if risk identification, assessment, evaluation and mitigation have all been improved following the entity’s introduction to cryptocurrencies.

Review if the entity has identified both downside and upside risks pertaining to the use of cryptocurrencies.

Test the risk identification for completeness, so that potential risks are mapped not just to the types of cryptocurrencies used, but also to the exchanges and direct trading partners used, the types and quality of encryption used and available, the capabilities and security profiles of the blockchains used and available, etc.

Test the risk assessment and evaluation for completeness and accuracy in the context of objectively calculated potential exposures and accurate ratings aligned with heat maps revised after induction of cryptocurrencies.

Test the completeness and accuracy of the risk mitigation approaches documented, through alignment with the risks identified and with the approaches available but not assessed as viable for the risks identified.

Controls

Review the design effectiveness of controls aligned with policy requirements and risk mitigation strategies within the domains of assertions like occurrence / existence, rights and obligations, accuracy / valuations, etc., communications and escalation, review and approvals, authorizations, custody of keys, ITGCs, encryption platform and technologies, blockchain technologies, technical updates, service provider reputation and learning from past incidents.

Review the costs of controls against the risks being mitigated by such controls.

Review the competence, ability, skillset and understanding of the people tasked with exercising controls.

Review formally laid out procedures and control manuals to confirm that responsibilities are clearly delineated.

Perform analytical reviews of the transactional data to confirm the activity during the period and to identify patterns that conform or do not conform to all other relevant information available about the activity during the period.

Perform transactional testing to verify functioning of controls designed.

Yes, this is high level, and it is the minimum possible guidance. What else to expect from something designed in a cryptic manner? Moreover, cryptocurrency scams and frauds are also pretty common, and the entity needs to design control procedures to guard against these risk factors. Certainly, internal auditors are also required to be mindful of these factors when planning the audit of cryptocurrencies.

But what is the most significant takeaway out of this learning? It is the competence and ability of the internal audit team tasked with reviewing cryptocurrency transactions. The team must make sure it has the desired skillset in this regard before offering to venture in the cryptocurrency ecosystem.

Such a skillset would include not just an adequate understanding of the intricacies involved in blockchain systems and cryptography, but an advanced understanding of the risks and opportunities involved. The remainder of the relevant information will be entity specific, and it is equally important that the auditors are able to assess the entity’s use of cryptocurrency against the general trends and information available within the blockchain industry.

Since the cryptocurrency ecosystem will continue evolving, internal audit needs to continue its learning trajectory. And this learning should continue even if it becomes cryptic!