As an accountant in public practice and a digital currency advocate, I frequently receive inquiries from potential clients and others about digital currency audits. The high level of theft and fraud suffered by consumers in the bitcoin community and the novelty of the technology behind many of the companies that serve them have created a climate of suspicion and mistrust lately. As a result, consumers are demanding that exchanges, trading platforms and others that hold coins on behalf of others publicly prove their reserves.
There are no technical or legal reasons why digital currency companies cannot be audited or otherwise provided with assurance services. Nevertheless, the public accounting industry has mostly shied away from the digital currency industry so far. There are several reasons for this:
- Accounting principles generally accepted in the United States (US GAAP) do not address digital currencies and may not provide authoritative guidance for several years.
- Many common audit techniques and testing procedures that are known to be in compliance with GAAS are not readily adaptable to digital currencies.
- Professional malpractice insurance requirements may limit many firms from engaging in certain types of businesses or prevent them from doing so at rates that are affordable to clients.
- Individual practitioners themselves may not understand digital currencies or may be unwilling or slow to adapt to new technologies.
By refusing to service these clients and surrendering their niche as trusted, independent third parties, public accounting professionals have created a vacuum that is being filled by non-accounting technicians. For example, Kraken, OKCoin and others have turned to bitcoin industry advocate Stefan Thomas for “audit” services. The procedure developed by Thomas, commonly referred to as a “proof of reserves audit” is limited in scope (I wrote about this recently here) and could not be legally referred to as an “audit” (or Thomas as an “auditor”) in any US state that has adopted the Uniform Public Accountancy Act. While Thomas’ procedure may be technically sound, for this reason alone it would likely be rejected by institutional investors, lenders, or regulators.
When conducted by a licensed practitioner, proof of reserves could be carried out as an agreed upon procedures engagement under the AICPA framework and other applicable rules. An agreed upon procedures engagement consists of a set of procedures that are usually intended to confirm or deny a specific factual assertion on the part of the client. The deliverable product of an agreed upon procedures engagement is the auditor’s report, which clearly states the purpose and limitations of the auditor’s work and provides an opinion as to the veracity of management’s claims.
In the digital currency industry, the assertion about which most customers are concerned is whether an exchange or trading platform maintains reserves that are at least equal to customer liabilities at any given time. By extension, this assertion reflects a commitment that the exchange is not engaged in fractional reserve activities (such as lending of customer funds without customer consent) or the use of customer funds to trade for its own account.
A well-designed agreed upon procedures engagement to establish that sufficient reserves are on hand to cover customer liabilities should have three objectives:
- Ensure that customer deposit records provided to the auditor are complete (that is, that none have been omitted).
- Ensure that the total of the combination of fiat currencies and digital currencies on hand is sufficient to cover customer liabilities as of the date and time of the test.
- Ensure that the funds claimed by the client are actually owned by the client
Of these objectives, the first is likely to be the most important for obtaining reasonable assurance, but also the most difficult for the auditor to test. Digital currency users place a premium on privacy. Many are resentful of know your customer programs or reject them outright, moving their business to less regulated exchanges (or those with fewer scruples about complying with them). Additionally, digital currency firms normally utilize email exclusively to communicate with their customers. Emailed responses to balance confirmation requests may not provide sufficient assurance under GAAS or worse- customers may ignore them altogether, leading to an unacceptably low response rate to confirmation requests.
The second and third objectives cited above can normally be met using variants of conventional techniques. For example, cash confirmations can be used to confirm fiat currency balances held at traditional financial institutions or payment processors. Bitcoin wallet ownership can be confirmed using a series of test transactions that can be verified through direct review of the blockchain. Once reserves and liabilities have been established with an acceptable degree of certainty, ensuring that the latter does not exceed the former is easy.
Agreed upon procedures engagements are limited by the same factors as full audits:
- Procedures only confirm or deny an assertion as of the date and time that testing is conducted by the auditor. The time periods immediately prior to and subsequent to tests may be subjected to little or no scrutiny (a well planned audit would consider subsequent events).
- In contrast to digital currency technology, an assurance engagement is neither decentralized nor trustless. The acceptability and usefulness of the report to its users is dependent on the perceived integrity of the auditor and the client. Moreover, the auditor may fail to detect errors or omissions that are material to the assertion being tested. It is worth noting here that the procedures typically contemplated by non-accountants in this space typically involve cryptographic proofs that can be publicly scrutinized.
Additionally, the agreed upon procedures engagement described suffers the shortcoming of being less than a full audit. While an audit considers the full spectrum of factors that could result in material misstatements in the financial statements or going concern issues, an agreed upon procedures engagement only examines the particular assertion in question. An auditor could certify the reserves of an exchange, only to see that same exchange suffer a massive theft the very next day. On the other hand, financial statement audits can be prohibitively expensive for start-ups and small businesses.
Digital currency companies considering retention of an independent auditor should carefully consider the purpose and scope of the auditor’s role. In spite of the limitations previously mentioned, an agreed upon procedures engagement may be sufficient to meet the intent of management or requirements of lenders or investors.