A Look Into How Cryptocurrencies Will Be Audited
Crypto Related Guidelines In Japan: A Recap
With the enactment of the amended Payment Services Act in April 2017, Virtual Currency Exchange (VCE) Service Providers will now be subject to financial statements audits and segregation of funds audits.
Because comparability of financial statements is considered one of the key qualities of accounting, financial statements are prepared according to accounting standards and other guidance to ensure consistency across different companies.
In order to maintain consistent audit quality, audits are also performed according to audit standards and other guidance.
However, no such accounting or auditing standard/guidance regarding crypto existed up until recently.
This would have led to varying practices in accounting and, needless to say, in auditing for cryptos. To address this issue, the following were released:
- on May 31, 2017, the “Practical Guidance Regarding the Agreed Upon Procedures Over the Segregation of Customer Assets at Virtual Currency Exchange Service Providers” (Segregation of Funds AUP Guidance)
- on March 14, 2018, the “Tentative Practical Solution on the Accounting for Virtual Currencies under the Payment Services Act” (PITF38)
And finally, on June 29, 2018, the “Practical Guidelines for Financial Statements Audits of Virtual Currency Exchange Service Providers” (Financial Statement Audit Guidance) was released.
We now have a series of guidelines that can be used to prepare financial statements and perform audits for crypto-related businesses.
See the table below for a recap of crypto-related accounting/auditing guidelines that have already been released in Japan.
For someone like me who’s been involved in the accounting/auditing profession for over 10 years, this is truly remarkable.
In the past few decades, the rules of accounting and auditing have been changing dramatically.
Unfortunately, these changes were not led by Japan, rather they were mainly led by the US and certain European countries.
The reality was (at least in my eyes) that accounting standards that were determined as USGAAP and IFRS were being imported into Japan with a few adjustments to make it “suitable” for Japan.
Same goes for the auditing standards.
However, things seem to be different for cryptocurrencies.
As far as I’m aware, the US has not yet officially released any crypto-related accounting and auditing guidelines, which pretty much puts Japan in front with a wide lead.
The Financial Statement Audit Guidance that was just released provides CPAs and audit firms (auditors) with guidelines when performing financial statement audits of VCE service providers.
The auditors will be performing their audits based on these guidelines so for the VCE service providers, the same guidelines will act as a useful guide when building up their organization and preparing for the audit.
By reading through the Financial Statement Audit Guidance and trying to predict what the audits of VCE service providers are going to be like, I will try to present the following:
- to the VCE service providers, information that is useful in building up their organization and preparing for the audit
- to the customers of VCE service providers, a peek into what goes on behind the scenes and how audits will be performed over their funds
I won’t be going into general audit topics and will be focusing on those that are specifically related to crypto.
An actual copy of the Financial Statement Audit Guidance can be downloaded from the JICPA link below.
Let’s start from the beginning of the document and work our way down.
The article ended up being rather long so if you’re just interested in the actual audit testwork, you can skip down to 4. Audit Procedures in Response to Assessed Risks.
I Scope of this Guidance
1. Scope (para 1-4)
(1) Audit Regulations Applicable to VCE Service Providers (para 5)
(2) Characteristics of Financial Statement Audits of VCE Service Providers (para 6-9)
3. Definitions (para 10)
Para 3 states: “all virtual currencies applicable under the Payment Services Act are in scope for financial statements audits of VCE service providers that are performed according to this guidance”.
Currently, the accounting standards (PITF38) do not give any guidance on how to treat ICOs that are done by the company itself or its affiliates (self ICOs).
However, under the Financial Statement Audit Guidance, cryptos that are issued from self ICOs are considered cryptocurrencies, and therefore will be subject to financial statement audits.
If you’ve done an ICO or are planning to do one, it is very important that you discuss it with the auditor beforehand.
When there’s no clear accounting guidance to fall back on, a company will need to build up their accounting position by referencing related accounting standards and also by going back to basic accounting principles.
The responsibility of preparing financial statements lies with the company so the company should first prepare a position paper or whitepaper (yes, we call position papers whitepapers in the accounting world) that logically outlines the company’s accounting position and present that to the auditors as a basis for discussion.
Because there’s no clear accounting guidance, the auditor won’t be able to give you a Yes or No answer on the spot.
So, the timing to bring this up should not be right before the ICO, it should be done well before that to avoid any surprises.
Para 4 states that the document outlines how the guidance should be used alongside other auditing standards and that it is not requiring anything new that the auditing standards previously did not require.
What this means is that though cryptos are new, the audit itself will be performed according to the existing audit framework.
Para 9 outlines the objective of a financial statement audit, reminding us that the objective is to express an opinion on the reasonableness of the financial statements and that the audit does not provide any assurance regarding the blockchain itself.
Para 9 is also pretty deep; it touches on 51% attacks (malicious miners taking over the blockchain by accumulating more than half of the network hashing power).
Just a few days ago, Monacoin, Bitcoin Gold, and ZenCash came under 51% attacks that caused a loss of funds.
51% attacks are not just theoretically possible, they are real-life risks that need to be considered when setting up controls and processes (e.g., increasing the number of required confirmations for deposits).
(Appendix 1) Understanding the VCE service provider
Appendix 1 provides information on how a VCE service provider operates.
I thought that it was very well laid out; even an auditor that isn’t fond of cryptos should be able to understand the basics of how the business operates.
My personal favorite is the third one that talks about agent operations.
It goes pretty deep and mentions white label solutions (OEM of trading software) and the linking of domestic trading pools with foreign trading pools.
I could feel the enthusiasm and passion of the person writing these guidelines.
The fourth one, regarding the handling of cryptos, talks about wallets.
While admitting the convenience to the user provided by the use of hot wallets, the guidance assumes that hot wallets are used in conjunction with cold wallets.
I presume that keeping the allocation between hot wallets and cold wallets at a predetermined ratio is how it is mostly done in practice.
But after the Coincheck NEM incident, my prediction is that more companies will be increasing their allocation to cold wallets.
The mega US crypto exchange Coinbase is reported to store more than 98% of customer funds offline, and the remaining 2% that is stored online is protected by insurance.
There is always a trade-off between convenience and security.
Both the company and the auditor are required to balance the two carefully, maximizing security without impairing customer convenience too much.
II Audit Considerations
1. Entering an Audit Contract (para 11-13)
2. Selecting Audit Team Members (para 14)
Para 11-13 lay out the preconditions (unique to crypto) that have to be met in order to perform audits.
If an auditor determines that these preconditions aren’t met, the auditor may decide that they are unable to enter into an audit contract.
The company will have to build up the organization so that the preconditions are met and that the company has a strong foundation and is ready to be audited.
My prediction is that the auditor will be focused on what type of cryptos the VCE service provider is going to be handling, especially if there are any privacy coins and if the company has done any ICOs.
The auditor may decide that the risk is relatively high, just by the existence of these topics.
In the table below, I have summarized the factors an auditor has to consider (unique to crypto) when entering into an audit contract.
Please use it to facilitate communication with the auditor when negotiating an audit contract.
Most of the items on the list should be things that have been already documented when applying for the VCE service provider license with the FSA.
Please note that the items on the list are examples and are not all-inclusive; they should be adjusted according to specific circumstances.
Audit Preparation Questionnaire