tip of iceberg floating showing under water iceberg in ocean
|

Proof Of Reserves Is Not An Audit

Home » Blog » Proof Of Reserves Is Not An Audit

OKCoin announced last week that the China based bitcoin exchange has reserves on hand exceeding 100% of customer funds entrusted to it.  The analysis, conducted by Ripple CTO Stefan Thomas, followed similar procedures completed at Kraken, Bitfinex and others that were intended to build customer trust in the assertion that  funds would not be lost in an exchange failure.  That trust may be misplaced.

An audit is a wholistic series of procedures designed to ensure that management’s assertions about the business and its status as a going concern are not improper or obviously flawed.  In the case of bitcoin, the statement that the exchange holds an amount of coins that is equal to or greater than the amount deposited by customers is only one (very limited) assertion. Proof of reserves is not an audit in the generally accepted meaning of the term.

There are many reasons why an exchange might go out of business, subjecting its customers to a partial or total loss.  Thus, audits must be planned and carried out in a way that subjects every aspect of the business to some form of scrutiny.  For example:

Proof of reserves does not consider the completeness or accuracy of customer records.  Instead, customers must check for themselves whether they were included in the procedure.  Traditional audits typically employ statistical sampling and both positive and negative confirmations to adjust for this limitation, since lack of rejection by customers cannot be relied upon as proof of acceptance.

Proof of reserves does not check the state of reserves before or after the date of the procedure.  This means that reserves could have been bolstered just for the procedure, even though they are normally much lower than what is claimed.

Proof of reserves examines no other assets or liabilities besides bitcoins on hand and deposit records. This means that the exchange could be technically or actually insolvent at the time the analysis was conducted and no one outside the organization would know. Since there are no laws protecting bitcoin deposits like bank deposits, it isn’t impossible for creditors to rank higher than depositors in a bankruptcy proceeding.

Proof of reserves does not consider whether the accounting system and security procedures are sufficient and appropriate to prevent theft, embezzlement, or other forms of malfeasance. This means that weak security could result in loss of customer funds and insolvency, regardless of what actual reserves were before the theft.

Proof of reserves does not contemplate whether the business is in compliance with applicable laws or whether the management team is qualified and fit for service.  This means that the exchange could have 100% reserves and still fail due to regulatory action, taking customer funds down with it.

I could go on, but I think I’ve made my point.

The fact that only one person carried out the analysis is also problematic.  Auditors are required to be independent in word and deed and technically qualified to perform the work.  It is unlikely that anyone would question Stefan Thomas’ technical qualifications, but he may not be independent with respect to OKCoin or any other exchange with which he has worked.  To my knowledge, he has made no assertion either way. The basic problem with auditing is that the public must trust the auditor in order to rely on the audit.  Using the same person repeatedly reduces the problem of trust to a single point of failure.

When well designed and executed as part of a full audit, proof of reserves can be a valuable procedure for confirming an important part of the financial statements of an exchange.  However, proof of reserves is not an audit in itself.  Don’t fall into the trap of relying on this procedure alone to prove that the exchange where you store your treasure is safe and sound.

Similar Posts

One Comment

  1. Pingback: Bitcoin Tax Blog

Comments are closed.