Digital Assets: Next Steps on the Audit Committee’s Journey
The Center for Audit Quality (CAQ) has released Continuing Your Digital Assets Journey: A Tool for Audit Committees (May 2023). This publication examines digital asset-related topics and provides questions for audit committees to consider when discussing these matters with management and the auditor. Continuing Your Digital Assets Journey is aimed at audit committees of companies that hold or transact with digital assets and is an in-depth follow-up to the CAQ’s prior publication, Jumpstart Your Digital Assets Journey: A Tool for Audit Committees. See CAQ Publishes a Primer for Audit Committees on Digital Assets, February-March 2023 Update.
Continuing Your Digital Assets Journey discusses five broad topics. For each topic, the discussion includes a list of questions the audit committee may want to ask management and the auditor. Below are brief excerpts from the topics, along with examples of the questions.
1. Regulatory, legal, and compliance with laws and regulation
“The digital asset legal and regulatory environment is rapidly evolving and audit committees should expect continued developments. It is important for audit committees to exercise oversight and understand whether management involves the appropriate parties to monitor, evaluate, and comply with applicable laws and regulations.”
Example of question for management: Has management considered how the company’s business strategy related to digital assets may be impacted by future regulation?
Example of question for auditor: What is the auditor’s understanding of the legal and regulatory framework to which the company is subject?
2. Risk assessment and consideration of fraud
“Generally, transacting with digital assets can give rise to new or heightened risks, including fraud risks. The audit committee can utilize its oversight role to understand management’s and the external auditor’s risk assessment, including consideration of fraud risks arising from the company’s digital asset activities.”
Example of question for management: Has management evaluated how relationships with service providers or other external parties may give rise to risks that the company may be a victim of fraud perpetrated by an external party?
Example of question for auditor: What risks impacting the financial statements has the auditor identified based on how the company has structured its digital asset holdings and transactions?
3. Safeguarding digital assets
“Most digital assets are akin to bearer assets – meaning whoever has access to the private key for a digital asset has the ability to control the digital asset. Therefore, private key custody and private key management are essential aspects of safeguarding digital assets. * * * Depending on their specific facts, circumstances, and risk profile, digital asset holders may elect to self-custody their digital assets, where they are responsible for the safeguarding of their private keys in a non-custodial wallet, or they may choose to use a third-party custodian to safeguard digital assets on their behalf.”
Example of question for management: What are some of the key risks and responses that management has considered related to the company’s safeguarding and custody practices?
Example of question for auditor: What risks has the auditor identified related to the custody model selected by management?
4. Due diligence and third-party monitoring
a. Blockchain Due Diligence. “It should be a priority for companies transacting with digital assets to understand the digital assets and underlying blockchain that the company is engaging with. As part of the risk assessment process and prior to engaging in digital asset transactions, companies should perform due diligence on the digital assets and underlying blockchain with which they intend to transact.”
Example of question for management: What due diligence procedures has management performed to assess the reliability of the blockchain(s) the company uses?
Example of question for auditor: Does the auditor have experience and expertise dealing with the digital assets and blockchain(s) management engages with?
b. Third Party Due Diligence. “In addition to understanding the blockchain itself, it is important to understand the risks that arise from engaging with third parties in the digital asset ecosystem. The risks may vary based on the nature of the relationship between the company and the third party. Practicing careful due diligence and monitoring for changes with third parties is important to safeguarding a company’s digital assets. It is also important to keep in mind that the pseudo-anonymity provided by the blockchain can sometimes make it hard to identify counterparties to transactions.”
Example of question for management: How does management perform due diligence on third parties? Based on due diligence procedures, what risks or concerns were identified?
Example of question for auditor: Has the auditor identified any financial reporting risks related to the company’s interactions with third parties related to its digital asset transactions?
c. SOC 1 Type 2 Reports. “There is a wide range of maturity of third-party service providers (exchanges, trading platforms, custodians, etc.) and the sophistication of internal controls over the service provider’s activities and reliability of data may vary. * * * In most circumstances companies should obtain a SOC 1 Type 2 report from a service provider, if available, to understand and evaluate the control environment at the service provider.” (A SOC 1 Type 2 report is a report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.)
Example of question for management: Is management able to obtain a SOC 1 Type 2 report for service providers, including custodians? If not, what alternative procedures will management perform?
Example of question for auditor: Is the auditor able to obtain sufficient appropriate audit evidence (through a SOC 1 Type 2 report or alternative procedures) about the company’s digital asset transactions with, or digital assets held at, third parties?
5. Accounting and auditing
a. Maintaining Independent Books and Records. “Management may obtain information from the exchange where they trade digital assets or where digital assets are custodied. However, when obtaining information from third parties, it is important to consider the reliability of that data. * * * Additionally, it is important to validate that the company has the appropriate infrastructure to support the financial reporting process as it relates to digital asset transactions.”
Example of question for management: Does management have processes to reconcile its books and records to third-party data and the blockchain?
Example of question for auditor: Has the auditor identified any risks related to the systems and controls that support recording digital asset transactions?
b. Related Parties. “From a financial reporting perspective, it is important for management to develop appropriate processes and controls to determine the identity of counterparties in transactions. This is essential to validate the completeness of related party transactions for disclosure in the financial statements. External auditors may also be focused on related party digital asset transactions that are not conducted at arm’s length as such transactions could fraudulently inflate the price of a digital asset, particularly if the asset is thinly traded.”
Example of question for management: Has management identified risks around related party transactions? What procedures and controls has management implemented to identify related party transactions?
Example of question for auditor: Is the auditor able to obtain sufficient evidence about any related party transactions?
c. Critical Audit Matters. “Audit committees should also be aware that depending on the nature, complexity, magnitude, and materiality of digital asset transactions and account balances, the audit procedures over such accounts may involve especially challenging, subjective, or complex auditor judgement and may be determined to be a critical audit matter (CAM).”
Example of question for auditor: Has the auditor identified any CAMs related to digital assets? How did the auditor reach their conclusion?
Comment: Continuing Your Digital Assets Journey concludes with this observation: “Audit committee oversight in areas such as compliance with applicable laws and regulations, identification and assessment of risks, and financial reporting, is essential as the digital assets landscape continues to evolve. An understanding of key digital assets topics as well as the questions to ask management and the auditor will help audit committees effectively exercise their oversight responsibilities.” Audit committees of companies that are involved with digital assets may want to refer to this publication as they seek to increase their understanding of the risks inherent in this evolving field. The suggested questions for management and for auditors could also serve as a foundation for dialogue on these risks.