A Look Into How Cryptocurrencies Will Be Audited
Crypto Related Guidelines In Japan: A Recap
With the enactment of the amended Payment Services Act in April 2017, Virtual Currency Exchange (VCE) Service Providers will now be subject to financial statements audits and segregation of funds audits.
Because comparability of financial statements is considered one of the key qualities of accounting, financial statements are prepared according to accounting standards and other guidance to ensure consistency across different companies.
In order to maintain consistent audit quality, audits are also performed according to audit standards and other guidance.
However, no such accounting or auditing standard/guidance regarding crypto existed up until recently.
This would have led to varying practices in accounting and needless to say, auditing for cryptos and to address this issue:
- on May 31, 2017, the “Practical Guidance Regarding the Agreed Upon Procedures Over the Segregation of Customer Assets at Virtual Currency Exchange Service Providers” (Segregation of Funds AUP Guidance)
- on March 14, 2018, the “Tentative Practical Solution on the Accounting for Virtual Currencies under the Payment Services Act” (PITF38)
And finally, on June 29, 2018, the “Practical Guidelines for Financial Statements Audits of Virtual Currency Exchange Service Providers” (Financial Statement Audit Guidance) was released.
We now have a series of guidelines that can be used to prepare financial statements and perform audits for crypto-related businesses.
See the table below for a recap of crypto-related accounting/auditing guidelines that have already been released in Japan.
For someone like me who’s been involved in the accounting/auditing profession for over 10 years, this is truly remarkable.
In the past few decades, the rules of accounting and auditing have been changing dramatically.
Unfortunately, these changes were not led by Japan, rather they were mainly led by the US and certain European countries.
The reality was (at least in my eyes) that accounting standards that were determined as USGAAP and IFRS were being imported into Japan with a few adjustments to make it “suitable” for Japan.
Same goes for the auditing standards.
However, things seem to be different for cryptocurrencies.
As far as I’m aware, the US has not yet officially released any crypto related accounting and auditing guidelines, which pretty much puts Japan in front with a wide lead.
The Financial Statement Audit Guidance that was just released provides CPAs and audit firms (auditors) with guidelines when performing financial statement audits of VCE service providers.
The auditors will be performing their audits based on these guidelines so for the VCE service providers, the same guidelines will act as a useful guide when building up their organization and preparing for the audit.
By reading through the Financial Statement Audit Guidance and trying to predict what the audits of VCE service providers are going to be like, I will try to present the following:
- to the VCE service providers, information that is useful in building up their organization and preparing for the audit
- to the customers of VCE service providers, a peek into what goes on behind the scenes and how audits will be performed over their funds
I won’t be going into general audit topics and will be focusing on those that are specifically related with crypto.
An actual copy of the Financial Statement Audit Guidance can be downloaded from the JICPA link below.
Let’s start from the beginning of the document and work our way down.
The article ended up being rather long so if you’re just interested in the actual audit testwork, you can skip down to 4. Audit Procedures in Response to Assessed Risks.
I Scope of this Guidance
1. Scope (para 1-4)
(1) Audit Regulations Applicable to VCE Service Providers (para 5)
(2) Characteristics of Financial Statement Audits of VCE Service Providers (para 6-9)
3. Definitions (para 10)
Para 3 states: “all virtual currencies applicable under the Payment Services Act are in scope for financial statements audits of VCE service providers that are performed according to this guidance”.
Currently, the accounting standards (PITF38) do not give any guidance on how to treat ICOs that are done by the company itself or its affiliates (self ICOs).
However, under the Financial Statement Audit Guidance, cryptos that are issued from self ICOs are considered cryptocurrencies, and therefore will be subject to financial statement audits.
If you’ve done an ICO or are planning to do one, it is very important that you discuss beforehand with the auditor.
When there’s no clear accounting guidance to fall back on, a company will need to build up their accounting position by referencing related accounting standards and also by going back to basic accounting principles.
The responsibility of preparing financial statements lies with the company so the company should first prepare a position paper or whitepaper (yes, we call position papers whitepapers in the accounting world) that logically outlines the company’s accounting position and present that to the auditors as a basis for discussion.
Because there’s no clear accounting guidance, the auditor won’t be able to give you a Yes or No answer on the spot.
So, the timing to bring this up should not be right before the ICO, it should be done well before that to avoid any surprises.
Para 4 states that the document outlines how the guidance should be used alongside other auditing standards and that it is not requiring anything new that the auditing standards previously did not require.
What this means is that though cryptos are new, the audit itself will be performed according to the existing audit framework.
Para 9 outlines the objective of a financial statement audit, reminding us that the objective of a financial statement audit is to express and opinion on the reasonableness of the financial statements and that it does not provide any assurance regarding the blockchain itself
Para 9 is also pretty deep; it touches on 51% attacks (malicious miners taking over the blockchain by accumulating more than half of the network hashing power).
Just a few days ago, monacoin, BitcoinGold, and ZenCash were under 51% attacks that caused a loss in funds.
51% attacks are not just theoretically possible, they are real-life risks that need to be considered when setting up controls and processes (ex. increase the number of require