A Look Into How Cryptocurrencies Will Be Audited
Crypto Related Guidelines In Japan: A Recap
With the enactment of the amended Payment Services Act in April 2017, Virtual Currency Exchange (VCE) Service Providers will now be subject to financial statements audits and segregation of funds audits.
Because comparability of financial statements is considered one of the key qualities of accounting, financial statements are prepared according to accounting standards and other guidance to ensure consistency across different companies.
In order to maintain consistent audit quality, audits are also performed according to audit standards and other guidance.
However, no such accounting or auditing standard/guidance regarding crypto existed up until recently.
This would have led to varying practices in accounting and, needless to say, in auditing for cryptos. To address this issue, the following were released:
- on May 31, 2017, the “Practical Guidance Regarding the Agreed Upon Procedures Over the Segregation of Customer Assets at Virtual Currency Exchange Service Providers” (Segregation of Funds AUP Guidance)
- on March 14, 2018, the “Tentative Practical Solution on the Accounting for Virtual Currencies under the Payment Services Act” (PITF38)
And finally, on June 29, 2018, the “Practical Guidelines for Financial Statements Audits of Virtual Currency Exchange Service Providers” (Financial Statement Audit Guidance) was released.
We now have a series of guidelines that can be used to prepare financial statements and perform audits for crypto-related businesses.
See the table below for a recap of crypto-related accounting/auditing guidelines that have already been released in Japan.
For someone like me who’s been involved in the accounting/auditing profession for over 10 years, this is truly remarkable.
In the past few decades, the rules of accounting and auditing have been changing dramatically.
Unfortunately, these changes were not led by Japan, rather they were mainly led by the US and certain European countries.
The reality was (at least in my eyes) that accounting standards that were determined as US GAAP and IFRS were being imported into Japan with a few adjustments to make them “suitable” for Japan.
Same goes for the auditing standards.
However, things seem to be different for cryptocurrencies.
As far as I’m aware, the US has not yet officially released any crypto-related accounting and auditing guidelines, which pretty much puts Japan in front with a wide lead.
The Financial Statement Audit Guidance that was just released provides CPAs and audit firms (auditors) with guidelines when performing financial statement audits of VCE service providers.
The auditors will be performing their audits based on these guidelines so for the VCE service providers, the same guidelines will act as a useful guide when building up their organization and preparing for the audit.
By reading through the Financial Statement Audit Guidance and trying to predict what the audits of VCE service providers are going to be like, I will try to present the following:
- to the VCE service providers, information that is useful in building up their organization and preparing for the audit
- to the customers of VCE service providers, a peek into what goes on behind the scenes and how audits will be performed over their funds
I won’t be going into general audit topics and will be focusing on those that are specifically related to crypto.
An actual copy of the Financial Statement Audit Guidance can be downloaded from the JICPA link below.
Let’s start from the beginning of the document and work our way down.
The article ended up being rather long so if you’re just interested in the actual audit testwork, you can skip down to 4. Audit Procedures in Response to Assessed Risks.
I Scope of this Guidance
1. Scope (para 1-4)
(1) Audit Regulations Applicable to VCE Service Providers (para 5)
(2) Characteristics of Financial Statement Audits of VCE Service Providers (para 6-9)
3. Definitions (para 10)
Para 3 states: “all virtual currencies applicable under the Payment Services Act are in scope for financial statements audits of VCE service providers that are performed according to this guidance”.
Currently, the accounting standards (PITF38) do not give any guidance on how to treat ICOs that are done by the company itself or its affiliates (self ICOs).
However, under the Financial Statement Audit Guidance, cryptos that are issued from self ICOs are considered cryptocurrencies, and therefore will be subject to financial statement audits.
If you’ve done an ICO or are planning to do one, it is very important that you discuss it with the auditor beforehand.
When there’s no clear accounting guidance to fall back on, a company will need to build up their accounting position by referencing related accounting standards and also by going back to basic accounting principles.
The responsibility of preparing financial statements lies with the company so the company should first prepare a position paper or whitepaper (yes, we call position papers whitepapers in the accounting world) that logically outlines the company’s accounting position and present that to the auditors as a basis for discussion.
Because there’s no clear accounting guidance, the auditor won’t be able to give you a Yes or No answer on the spot.
So, the timing to bring this up should not be right before the ICO, it should be done well before that to avoid any surprises.
Para 4 states that the document outlines how the guidance should be used alongside other auditing standards and that it is not requiring anything new that the auditing standards previously did not require.
What this means is that though cryptos are new, the audit itself will be performed according to the existing audit framework.
Para 9 outlines the objective of a financial statement audit, reminding us that the objective is to express an opinion on the reasonableness of the financial statements and that the audit does not provide any assurance regarding the blockchain itself.
Para 9 is also pretty deep; it touches on 51% attacks (malicious miners taking over the blockchain by accumulating more than half of the network hashing power).
Just a few days ago, Monacoin, Bitcoin Gold, and ZenCash were hit by 51% attacks that caused a loss of funds.
51% attacks are not just theoretically possible; they are real-life risks that need to be considered when setting up controls and processes (e.g., increasing the number of required confirmations for deposits).
(Appendix 1) Understanding the VCE service provider
Appendix 1 provides information on how a VCE service provider operates.
I thought that it was very well laid out; even an auditor that isn’t fond of cryptos should be able to understand the basics of how the business operates.
My personal favorite is the third one that talks about agent operations.
It goes pretty deep and mentions white label solutions (OEM of trading software) and the linking of domestic trading pools with foreign trading pools.
I could feel the enthusiasm and passion of the person writing these guidelines.
The fourth one, regarding the handling of cryptos, talks about wallets.
While admitting the convenience to the user provided by the use of hot wallets, the guidance assumes that hot wallets are used in conjunction with cold wallets.
I presume that keeping the allocation between hot wallets and cold wallets at a predetermined ratio is how it is mostly done in practice.
But after the Coincheck NEM incident, my prediction is that more companies will be increasing their allocation to cold wallets.
Coinbase, the mega US crypto exchange, is reported to store more than 98% of customer funds offline, and the remaining 2% that is stored online is protected by insurance.
There is always a trade-off between convenience and security.
The delicate act of balancing the two, maximizing security without impairing customer convenience too much, is required of both the company and the auditor.
II Audit Considerations
1. Entering an Audit Contract (para 11-13)
2. Selecting Audit Team Members (para 14)
Para 11-13 lay out the preconditions (that are unique to crypto) that have to be met in order to perform audits.
If an auditor determines that these preconditions aren’t met, the auditor may decide that they are unable to enter into an audit contract.
The company will have to build up the organization so that the preconditions are met and that the company has a strong foundation and is ready to be audited.
My prediction is that the auditor will be focused on what type of cryptos the VCE service provider is going to be handling, especially if there are any privacy coins and if the company has done any ICOs.
The auditor may decide that the risk is relatively high, just by the existence of these topics.
In the table below, I have summarized the factors an auditor has to consider (unique to crypto) when entering into an audit contract.
Please use it to facilitate communication with the auditor when negotiating an audit contract.
Most of the items on the list should be things that have been already documented when applying for the VCE service provider license with the FSA.
Please note that the items on the list are examples and are not all-inclusive; they should be adjusted according to specific circumstances.
Audit Preparation Questionnaire
3. Understanding the Entity and Its Environment and Assessing of Risks of Material Misstatement (para 15-16)
Para 15-16 lay out the risks that the auditor needs to consider.
From the company’s perspective, it will be in their interest to continuously monitor these risks and be able to respond to requests from the auditor in order to facilitate a smooth audit.
In the table below, I have summarized the risks that the auditor would need to consider.
Please note again that the items on the list are general and should be adjusted according to specific circumstances.
(1) Understanding the Entity’s Internal Control (para 17-22)
Para 17 requires the auditor to understand the internal control of the VCE service provider.
The guidance assumes that there will be internal controls that are unique to crypto.
I recommend preparing a list of relevant controls (RCM: Risk Control Matrix) that can be presented to the auditor.
The RCM should include controls such as those in the table below.
The table below includes abstract explanations of the controls but when actually preparing an RCM, the details of a control should be clearly documented including information regarding who, when, what and how of the control.
Para 20 requires the auditor to understand the IT systems that are being used by the company.
This is because in most cases, the operations of a VCE service provider are executed using IT.
Therefore, it would be useful to summarize the functions of the applications being used and how they are administered and managed.
If the administration/management of IT systems is being outsourced, it is important to inquire beforehand whether the service provider is able to provide a SOC 1 Type 2 report.
(2) Risks That Require Special Audit Consideration (Para 23)
Based on the auditor’s assessment of the risks and understanding of the entity’s internal control, the auditor determines whether there is a significant risk.
When performing financial statement audits, the auditor would adjust the level of testwork to be performed on certain areas depending on the risk.
This is called the Risk Approach.
In areas where the auditor determines there is a significant risk, the auditor will perform detailed testwork.
I will introduce examples of some of the testwork that will likely be performed over such high-risk areas in the following section, 4. Audit Procedures in Response to Assessed Risks.
From the perspective of the company, it is important to keep operations robust, especially in these areas.
Generally speaking, the auditor would identify significant risks in the following areas:
1) Revenue recognition
2) Existence of cryptos
3) Valuation of cryptos
4. Audit Procedures in Response to Assessed Risks (Para 24)
(1) Consideration When Testing the Effectiveness of Internal Controls (para 25)
(2) Consideration When Performing Substantive Testing (Test of Details) (para 26-27)
As mentioned above in the comment on para 23, the auditor will perform detailed testwork over areas that have significant risks.
Generally speaking, in the case of VCE service providers, the auditor would most likely make the assessment that significant risks exist in at least the following areas:
1) Revenue recognition
2) Existence of cryptos
3) Valuation of cryptos
Based on Appendices 3-5, I have summarized below examples of audit testwork that could be expected for each risk.
I hope it is useful when the company prepares information and defines report formats.
Report Data Export Template
Financial statement audits used to be something that only large companies (listed companies and large companies under the Companies Act) had to worry about.
Because of the amendment in regulations surrounding crypto, it is my prediction that many VCE service providers will be undergoing audits for the first time.
What is going to be important in order to avoid surprises and disagreements with the auditor is to start discussions regarding accounting treatments and audit approach with the auditor well in advance.
I plan on writing more on crypto audits in the future, hoping to familiarize the concept of auditing with the crypto world and vice versa.