A Look Into How Cryptocurrencies Will Be Audited
Crypto Related Guidelines In Japan: A Recap
With the enactment of the amended Payment Services Act in April 2017, Virtual Currency Exchange (VCE) Service Providers will now be subject to financial statements audits and segregation of funds audits.
Because comparability of financial statements is considered one of the key qualities of accounting, financial statements are prepared according to accounting standards and other guidance to ensure consistency across different companies.
In order to maintain consistent audit quality, audits are also performed according to audit standards and other guidance.
However, no such accounting or auditing standard/guidance regarding crypto existed up until recently.
This would have led to varying practices in accounting and, needless to say, in auditing for cryptos. To address this issue, the following were issued:
- on May 31, 2017, the “Practical Guidance Regarding the Agreed Upon Procedures Over the Segregation of Customer Assets at Virtual Currency Exchange Service Providers” (Segregation of Funds AUP Guidance)
- on March 14, 2018, the “Tentative Practical Solution on the Accounting for Virtual Currencies under the Payment Services Act” (PITF38)
And finally, on June 29, 2018, the “Practical Guidelines for Financial Statements Audits of Virtual Currency Exchange Service Providers” (Financial Statement Audit Guidance) was released.
We now have a series of guidelines that can be used to prepare financial statements and perform audits for crypto-related businesses.
See the table below for a recap of crypto-related accounting/auditing guidelines that have already been released in Japan.
Date | General (FSA/Cabinet Office) | Accounting (ASBJ) | Audit (JICPA) | Tax (NTA) | Overview (sections related to accounting and auditing) |
2016/6/3 Released (2017/4/1 Enacted) | Amended Payment Services Act | | | | Customer funds and company funds must be segregated. The segregation of funds must be periodically audited by CPAs or audit firms (segregation of funds audit). An audit report by a CPA or an audit firm is required to be included in the annual report that is submitted to the Prime Minister by VCE service providers. |
2017/3/24 Released (2017/4/1 Enacted) | Cabinet Office Order | | | | Customer funds and company funds must be segregated. The segregation of funds must be periodically audited by CPAs or audit firms (segregation of funds audit). The annual report that is submitted to the Prime Minister by the VCE service providers requires an audit report by a CPA or an audit firm. |
2017/3/27 Exposure Draft (2017/5/31 Released) | | | Segregation of Funds AUP Guidance | | Provides guidance when performing the segregation of funds audit |
2017/12/1 Released | | | | Calculation Method Regarding Crypto Related Income (Information) | Provides guidance on how to calculate gains and losses when submitting individual tax returns |
2018/2/15 Exposure Draft (2018/3/14 Released) | | PITF38 | | | Provides guidance on the accounting treatment of cryptos |
2018/3/23 Exposure Draft (2018/6/29 Released) | | | Financial Statement Audit Guidance | | Provides guidance when performing financial statement audits of VCE service providers |
For someone like me who’s been involved in the accounting/auditing profession for over 10 years, this is truly remarkable.
In the past few decades, the rules of accounting and auditing have been changing dramatically.
Unfortunately, these changes were not led by Japan, rather they were mainly led by the US and certain European countries.
The reality was (at least in my eyes) that accounting standards that were established as US GAAP and IFRS were being imported into Japan with a few adjustments to make them “suitable” for Japan.
Same goes for the auditing standards.
However, things seem to be different for cryptocurrencies.
As far as I’m aware, the US has not yet officially released any crypto related accounting and auditing guidelines, which pretty much puts Japan in front with a wide lead.
The Financial Statement Audit Guidance that was just released provides CPAs and audit firms (auditors) with guidelines when performing financial statement audits of VCE service providers.
The auditors will be performing their audits based on these guidelines so for the VCE service providers, the same guidelines will act as a useful guide when building up their organization and preparing for the audit.
By reading through the Financial Statement Audit Guidance and trying to predict what the audits of VCE service providers are going to be like, I will try to present the following:
- to the VCE service providers, information that is useful in building up their organization and preparing for the audit
- to the customers of VCE service providers, a peek into what goes on behind the scenes and how audits will be performed over their funds
I won’t be going into general audit topics and will be focusing on those that are specifically related with crypto.
An actual copy of the Financial Statement Audit Guidance can be downloaded from the JICPA link below.
Download the Financial Statement Audit Guidance
Let’s start from the beginning of the document and work our way down.
The article ended up being rather long so if you’re just interested in the actual audit testwork, you can skip down to 4. Audit Procedures in Response to Assessed Risks.
I Scope of this Guidance
1. Scope (para 1-4)
2. Background
(1) Audit Regulations Applicable to VCE Service Providers (para 5)
(2) Characteristics of Financial Statement Audits of VCE Service Providers (para 6-9)
3. Definitions (para 10)
Point!
Para 3 states: “all virtual currencies applicable under the Payment Services Act are in scope for financial statements audits of VCE service providers that are performed according to this guidance”.
Currently, the accounting standards (PITF38) do not give any guidance on how to treat ICOs that are done by the company itself or its affiliates (self ICOs).
However, under the Financial Statement Audit Guidance, cryptos that are issued from self ICOs are considered cryptocurrencies, and therefore will be subject to financial statement audits.
If you’ve done an ICO or are planning to do one, it is very important that you discuss beforehand with the auditor.
When there’s no clear accounting guidance to fall back on, a company will need to build up their accounting position by referencing related accounting standards and also by going back to basic accounting principles.
The responsibility of preparing financial statements lies with the company so the company should first prepare a position paper or whitepaper (yes, we call position papers whitepapers in the accounting world) that logically outlines the company’s accounting position and present that to the auditors as a basis for discussion.
Because there’s no clear accounting guidance, the auditor won’t be able to give you a Yes or No answer on the spot.
So, the timing to bring this up should not be right before the ICO; it should be done well before that to avoid any surprises.
Point!
Para 4 states that the document outlines how the guidance should be used alongside other auditing standards and that it is not requiring anything new that the auditing standards previously did not require.
What this means is that though cryptos are new, the audit itself will be performed according to the existing audit framework.
Point!
Para 9 outlines the objective of a financial statement audit, reminding us that the objective is to express an opinion on the reasonableness of the financial statements and that the audit does not provide any assurance regarding the blockchain itself.
Para 9 is also pretty deep; it touches on 51% attacks (malicious miners taking over the blockchain by accumulating more than half of the network hashing power).
Just a few days ago, Monacoin, BitcoinGold, and ZenCash were under 51% attacks that caused a loss in funds.
reddit article
forum.bitcoingold.org article
zencash.com article
51% attacks are not just theoretically possible, they are real-life risks that need to be considered when setting up controls and processes (ex. increase the number of required confirmations for deposits).
Point!
(Appendix 1) Understanding the VCE service provider
Appendix 1 provides information on how a VCE service provider operates.
I thought that it was very well laid out; even an auditor that isn’t fond of cryptos should be able to understand the basics of how the business operates.
My personal favorite is the third one that talks about agent operations.
It goes pretty deep and mentions white label solutions (OEM of trading software) and the linking of domestic trading pools with foreign trading pools.
I could feel the enthusiasm and passion of the person writing these guidelines.
The fourth one, regarding the handling of cryptos, talks about wallets.
While admitting the convenience to the user provided by the use of hot wallets, the guidance assumes that hot wallets are used in conjunction with cold wallets.
I presume that keeping the allocation between hot wallets and cold wallets at a predetermined ratio is how it is mostly done in practice.
But after the Coincheck Nem incident, my prediction is that more companies will be increasing their allocation to cold wallets.
The mega US crypto exchange, Coinbase, is reported to store more than 98% of customer funds offline and the remaining 2% that is stored online is protected by insurance.
Convenience and security are always at a trade-off.
The sensitive act of balancing the two by maximizing security without impairing customer convenience too much is required by both the company and the auditor.
II Audit Considerations
1. Entering an Audit Contract (para 11-13)
2. Selecting Audit Team Members (para 14)
Point!
Para 11-13 lays out the preconditions (that are unique to crypto) that have to be met in order to perform audits.
If an auditor determines that these preconditions aren’t met, the auditor may decide that they are unable to enter into an audit contract.
The company will have to build up the organization so that the preconditions are met and that the company has a strong foundation and is ready to be audited.
My prediction is that the auditor will be focused on what type of cryptos the VCE service provider is going to be handling, especially if there are any privacy coins and if the company has done any ICOs.
The auditor may decide that the risk is relatively high, just by the existence of these topics.
In the table below, I have summarized the factors an auditor has to consider (unique to crypto) when entering into an audit contract.
Please use it to facilitate communication with the auditor when negotiating an audit contract.
Most of the items on the list should be things that have been already documented when applying for the VCE service provider license with the FSA.
Please note that the items on the list are examples and are not all-inclusive; they should be adjusted according to specific circumstances.
Audit Preparation Questionnaire
Check item | Response |
Status regarding VCE service provider license | License obtained YYMMDD |
The types of crypto the company will be handling and their technological characteristics, services that the company will be providing and how they will be deployed | Summarize in the crypto summary table below |
Competency and expertise of management | Provide background of the management team: CEO: CFO: COO: CIO: |
The structure of the organization (including IT systems) and how it is implemented and structured to ensure accurate financial reporting | Summarize applications, systems and IT environment that is related to financial reporting. Summarize the structure of the finance/accounting and IT department. Summarize the status of internal controls including IT controls. |
Monitoring and inspection performed by the internal control department, the effectiveness of the internal audit department | Summarize how monitoring is performed within the company and the involvement of internal audit |
How the accounting records related to crypto are maintained | Summarize how accounting records such as the customer subledger are processed and maintained within the system. It is useful to have narratives and flowcharts. |
How the book balance is reconciled with the blockchain balance | Summarize how the book balance is reconciled with the balance on the blockchain. Summarize the process by which discrepancies between balances are reconciled. |
How system risk and cyber security risks are addressed | Summarize how system risks and cyber security risks are addressed. In case of large audit firms, it is typical that a different team (from the team that's performing the financial statement audit) performs the IT audit. |
How transactions are confirmed and how data is stored and reported (for suspicious transactions) in order to comply with the "Act on Prevention of Transfer of Criminal Proceeds" | Summarize the processes in place |
How the "Guidelines on Anti Money Laundering and Combating and Financing of Terrorism" is being implemented | Summarize the processes in place |
How information is provided to customers when transacting and upon contract | Summarize the processes in place |
How information is provided to customers upon deposits of fiat and cryptos | Summarize the processes in place |
Processes, procedures and systems that are in place to protect users | Summarize the processes, procedures and systems in place |
Crypto Summary
Updated: YYMMDD
# | Name of coin | Ticker | Technological characteristics | Type of service | Issuer | Level of privacy | Wallet | Private Key | Reconciliation with the Blockchain | Does an active market exist? | Market to be used for yearend valuation |
1 | Bitcoin | BTC | https://bitcoin.org/bitcoin.pdf | Trading of underlying, margin, futures, lending, automatic savings | NA | Low (transparent transactions only) | Hot:Cold ratio 1:9; re-balance daily at 6 PM | Multisig 2 of 3 | Daily at 6PM, reconcile the book BTC balance with the balance on the blockchain | Yes (Determined based on trade volume on CMC, OCFX and the company's own exchange) | Own exchange (Determined based on trade volume on CMC, OCFX and the company's exchange) |
2 | | | | | | | | | | | |
3 | | | | | | | | | | | |
3. Understanding the Entity and Its Environment and Assessing of Risks of Material Misstatement (para 15-16)
Point!
Para 15-16 lays out the risks that the auditor needs to consider.
From the company’s perspective, it will be in their interest to continuously monitor these risks and be able to respond to requests from the auditor in order to facilitate a smooth audit.
In the table below, I have summarized the risks that the auditor would need to consider.
Please note again that the items on the list are general and should be adjusted according to specific circumstances.
Risks that require assessment | How the company responds to such risks |
Risk of not complying with regulations (including foreign ones if applicable) | Summarize how changes in applicable regulations (such as the Payment Services Act, Cabinet Office Order and Guidelines, New York BitLicense, Foreign Exchange and Foreign Trade Act) are identified, addressed and how completeness is ensured. |
Risk of not complying with accounting standards and disclosure rules applicable to VCE service providers | Summarize how changes/additions in accounting standards (such as the PITF38) are identified, addressed and how completeness is ensured. |
Risk of inconsistencies between external systems such as third-party exchanges that the company's own exchange is connected to and inconsistencies between the company's operational activity and its internal accounting system | Summarize how these inconsistencies are monitored and prevented. |
Risk of unknowingly participating in financing terrorism or money laundering due to lack of procedures over confirmation of transactions (confirmation of transactions, preservation of transaction data, reporting of suspicious transactions under the "Act on Prevention of Transfer of Criminal Proceeds") | Summarize how these activities are monitored and prevented. |
Risk of overstating revenue: risk of overstating revenue by disguising internal transactions as transactions with third-parties by using hidden addresses | Summarize how these activities are monitored and prevented. |
Risk of overstating revenue: risk of overstating revenue when funds are not properly segregated and customer funds are recorded as the company funds. | Summarize how these activities are monitored and prevented. |
Risk over the existence of cryptos: risk of cryptos being stolen by external hackers taking possession of private keys etc. | Summarize how these activities are monitored and prevented. |
Risk over the existence of cryptos: risk of cryptos being stolen by insiders | Summarize how these activities are monitored and prevented. |
Risk over the existence of cryptos: risk of losing possession of funds through lost private keys | Summarize how these activities are monitored and prevented. |
Risk of not being able to track transactions when using blockchains with high privacy features | Summarize how such situations are monitored and prevented. |
Risk over the existence and valuation of cryptos: risk of unanticipated fluctuations in price and quantity due to hard forks of the chain | Summarize how such situations are monitored and evaluated. |
Risk over the valuation of cryptos (price volatility and liquidity risk): When a crypto is traded at multiple exchanges, the spread between the prices at the various exchanges could be wide due to the difference in trading volume. This could lead to a risk that the market price used at year end is manipulated. In addition, when a company uses the price of its own exchange as the market price at year end, there is a risk that the valuation of a low liquidity crypto could be affected by the trading volume. | Summarize how such risks are mitigated. |
(1) Understanding the Entity’s Internal Control (para 17-22)
Point!
Para 17 requires the auditor to understand the internal control of the VCE service provider.
The guidance assumes that there will be internal controls that are unique to crypto.
I recommend preparing a list of relevant controls (RCM: Risk Control Matrix) that can be presented to the auditor.
The RCM should include controls such as those in the table below.
The table below includes abstract explanations of the controls but when actually preparing an RCM, the details of a control should be clearly documented including information regarding who, when, what and how of the control.
Internal Control | Control Description (example) |
Controls related with the generation of addresses and private keys | Document the details of controls that ensure all addresses and private keys generated by the company are recorded in respective databases in a way that distinguishes those for company use from those for customer use. |
Controls related with the registration of users into the system including user ID confirmation when opening accounts (examples of information that is entered into the system: User ID, bank account, deposit address) | Document the details of controls that prevent actions such as unknowingly participating in financing of terrorism and money laundering. Document the details of controls that prevent interaction with anti-social forces (such as controls to prevent having any relationship with anti-social forces, controls that resolve any relationships with such parties and controls to address any unreasonable demands from such forces). |
Controls related with the segregation of customer funds | The internal rules clearly state the methods of segregating customer funds, and these methods are reflected in the contract with the customer. Company funds and customer funds are clearly segregated according to the methods outlined above and customer funds are readily identifiable. The status of the segregation of funds is properly verified. |
Controls related with the reconciliation of customer crypto deposits and withdrawals with the blockchain | On a daily basis, the balance of customer crypto funds in the system is reconciled with the balance on the blockchain. If the actual balance is less than the balance in the system, discrepancies are investigated and addressed within 5 business days from the day the difference was identified. |
Controls related with the segregation of funds (fiat) | When managing customer funds according to the method stated in Cabinet Office Order para 20-1-1, the balance maintained in the system by the company is reconciled with bank records on a daily basis. If the actual balance is less than the balance in the system, discrepancies are investigated and addressed within 2 business days. Or, when managing customer funds according to the method stated in Cabinet Office Order para 20-1-2, funds are managed based on contracts that meet the requirements of Cabinet Office Order 21-1. |
Controls related with the management and storage of private keys | The storage location of the private keys that control the company funds is segregated from that of the keys that control the customer funds. As far as possible without impairing customer convenience, private keys are managed in cold storage that is not connected to the internet. |
Controls related to the transfer of cryptos | Document the details of controls over the transfer of cryptos, for example, from hot wallets to cold wallets. |
Controls over the delivery of transaction and balance reports to customers | Document the details of controls over such processes. |
Controls over the adjustment or return of funds for erroneous deposits from customers/noncustomers | Document the details of controls over such processes. |
Controls over how fair value information of crypto is obtained on a timely basis and how the balance sheet date fair value is determined and approved | Document the details of controls over such processes. |
If management of cryptos is outsourced to third parties, controls in place to confirm that sufficient controls are in place at the third party at a level that would be anticipated if the company were to manage the cryptos on their own | Document the details of controls over such processes. (One way of confirming the status of controls is through a SOC1 Type2 Report. I recommend asking the third party beforehand if they have plans to obtain a SOC1 Type2 Report.) |
Controls over accounting records that ensure accurate reflection of the company's operations and management of customer funds, reflection of results from segregation of funds audits and controls that ensure records are properly retained | Accounting records are prescribed in internal rules and such rules are disseminated through training sessions etc. Regarding the segregation of funds (fiat), the customer ledger shows deposits and withdrawals along with the balance. Regarding the segregation of funds (crypto), the customer ledger is maintained based on a system that displays balance information by capturing flow data from the blockchain. The customer crypto balance data for each customer is recoverable even in instances where the data backups are damaged. Customer balance information is reviewed for accuracy by someone outside of the department preparing the data. |
Controls over how price and liquidity risks are managed when holding a crypto position | Document the details of controls over such processes. |
Controls over access security to prevent the execution of unapproved transactions, fraudulent use of private keys, manipulation of records etc. | Document the details of controls over such processes. |
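The daily reconciliation control in the table above (customer crypto balances in the system against the blockchain, with shortfalls addressed within 5 business days) could be implemented as follows. This Python code is an added example, not taken from the guidance; the address labels, balances, dates and the weekend-only business-day calendar are constructed assumptions.

```python
"""Daily book-to-blockchain reconciliation for one crypto asset (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import Dict, List, Optional

SHORTFALL_DEADLINE_DAYS = 5  # business days, per the control description
OWNERS = ("customer", "company")  # segregation tags in the address database


@dataclass(frozen=True)
class Finding:
    owner: str
    book: Decimal              # balance according to the subledger
    chain: Decimal             # sum of on-chain balances of tagged addresses
    status: str                # "match", "shortfall" or "surplus"
    resolve_by: Optional[date]  # set only for shortfalls


def add_business_days(start: date, days: int) -> date:
    """Skip Saturdays and Sundays (public holidays are not modelled)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def reconcile(identified_on: date,
              book: Dict[str, Decimal],
              address_register: Dict[str, str],
              chain_balances: Dict[str, Decimal]) -> List[Finding]:
    """Compare book balances with on-chain totals, separately per owner tag."""
    # A registered address without retrieved chain data must not count as zero.
    missing = sorted(a for a in address_register if a not in chain_balances)
    if missing:
        raise ValueError(f"no on-chain balance retrieved for: {missing}")
    chain_totals = {owner: Decimal(0) for owner in OWNERS}
    for address, owner in address_register.items():
        if owner not in chain_totals:
            raise ValueError(f"address {address} has unknown owner tag {owner!r}")
        chain_totals[owner] += chain_balances[address]

    findings = []
    for owner in OWNERS:
        diff = chain_totals[owner] - book[owner]
        if diff == 0:
            status, due = "match", None
        elif diff < 0:
            # Actual balance below the system balance: investigate by deadline.
            status = "shortfall"
            due = add_business_days(identified_on, SHORTFALL_DEADLINE_DAYS)
        else:
            # More on chain than booked, e.g. an unbooked or erroneous deposit.
            status, due = "surplus", None
        findings.append(Finding(owner, book[owner], chain_totals[owner], status, due))
    return findings


# Constructed sample data (not real addresses or balances).
CUSTOMER_SUBLEDGER = {
    "user-1001": Decimal("12.50000000"),
    "user-1002": Decimal("0.75000000"),
    "user-1003": Decimal("3.25000000"),
}
COMPANY_BOOK = Decimal("4.00000000")
ADDRESS_REGISTER = {
    "addr-customer-cold-01": "customer",
    "addr-customer-hot-01": "customer",
    "addr-company-cold-01": "company",
}
CHAIN_BALANCES = {  # as retrieved from a node or block explorer at cut-off
    "addr-customer-cold-01": Decimal("14.85000000"),
    "addr-customer-hot-01": Decimal("1.60000000"),
    "addr-company-cold-01": Decimal("4.00000000"),
}


def run_sample() -> List[Finding]:
    book = {
        "customer": sum(CUSTOMER_SUBLEDGER.values(), Decimal(0)),
        "company": COMPANY_BOOK,
    }
    return reconcile(date(2018, 7, 5), book, ADDRESS_REGISTER, CHAIN_BALANCES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Reconciling the customer and company totals separately matters: a combined total would still match if company crypto had been reclassified into customer accounts or the reverse.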
Point!
Para 20 requires the auditor to understand the IT systems that are being used by the company.
This is because in most cases, the operations of a VCE service provider are executed using IT.
Therefore, it would be useful to summarize the functions of the applications being used and how they are administered and managed.
If the administration/management of IT systems is being outsourced, it is important to inquire beforehand if the service provider is able to provide a SOC1 Type2 Report.
Operation | Name of Application | Development (Internal/External) | Management/Administration policy |
Trading and exchanging of crypto | |||
Book keeping/accounting | |||
Confirmation of crypto transactions and balances (Systems that submit transactions to the blockchain, systems that retrieve transaction and balance data, systems that enable the monitoring of transaction and balance data etc.) | |||
Access and security that ensures segregation of duties |
(2) Risks That Require Special Audit Consideration (Para 23)
Point!
Based on the auditor’s assessment of the risks and understanding of the entity’s internal control, the auditor determines whether there is a significant risk.
When performing financial statement audits, the auditor would adjust the level of testwork to be performed on certain areas depending on the risk.
This is called the Risk Approach.
In areas that the auditor determines there is a significant risk, the auditor will perform detailed testwork over such areas.
I will introduce examples of some of the testwork that will likely be performed over such high-risk areas in the following section, 4. Audit Procedures in Response to Assessed Risks.
From the perspective of the company, it is important to keep operations robust, especially in these areas.
Generally speaking, the auditor would identify significant risks in the following areas:
1) Revenue recognition
2) Existence of cryptos
3) Valuation of cryptos
4. Audit Procedures in Response to Assessed Risks (Para 24)
(1) Consideration When Testing the Effectiveness of Internal Controls (para 25)
(2) Consideration When Performing Substantive Testing (Test of Details) (para 26-27)
Point!
As mentioned above in the comment on para 23, the auditor will perform detailed testwork over areas that have significant risks.
Generally speaking, in the case of VCE service providers, the auditor would most likely make the assessment that significant risks exist in at least the following areas:
1) Revenue recognition
2) Existence of cryptos
3) Valuation of cryptos
Based on Appendix 3-5, I have summarized below examples of audit testwork that could be expected for each risk.
I hope it is useful when the company prepares information and defines report formats.
Risk | Example of Audit Testwork | Comment by the author |
1) Revenue recognition | Reconcile the general ledger with the subledger (company crypto account and customer crypto account) | - |
1) Revenue recognition | Reconcile company account and customer account with the blockchain for cryptos, and with deposit/withdrawal data for fiat. When the price of a crypto is going up, there is an incentive to understate customer crypto and overstate gains from marking to market the company's crypto. There is also a risk of concealing losses from the company's crypto by reclassifying the company's crypto to fictitious customer accounts. Therefore, the movements in customer funds and company funds should be reconciled with records from the blockchain and fiat deposit/withdrawal data (pay extra attention to transactions occurring before and after the year end as they are considered high risk). | From an accounting perspective, cryptos held at year end will be marked to market. An asset and a corresponding liability will be recognized for customer crypto so there is no PL effect from marking to market. For the company's crypto, only an asset is recognized so the mark to market at year end has a direct effect on the PL. When the price of crypto is going up, there is an incentive to overstate the balance of the company's crypto (and understate the customers' crypto) as it leads to more gains. On the other hand, when the price of crypto is going down, this leads to less gains so there is an incentive to overstate the balance of customer crypto (and understate the company's crypto). The point here is to have the system set up so that it can generate reports that could be used to ensure that no such fraudulent reclassification of funds has occurred. Example) Fiat: deposit/withdrawal data (bank statements etc.); customer master data; deposit/withdrawal data in the system; trade/withdrawal request data; trade data; accounting records. Crypto: deposit/withdrawal data (including tx id that could be used to identify on the blockchain); customer master data; trade/withdrawal request data; trade data. For information purposes, I summarized the information that I thought was useful to have on the reports from an audit perspective in the templates below. |
1) Revenue recognition | If cryptos are held by a third party, confirm balances with the third party | If cryptos are held at a third party, investigate beforehand what kind of information the third party is able to provide and discuss with the auditor well in advance what kind of audit procedures will be necessary. |
1) Revenue recognition | Evaluate the reasonableness of the transaction price of crypto transactions with a third party. | It is crucial that audit evidence such as contracts are retained to substantiate the terms and conditions of the transaction. |
1) Revenue recognition | Verify the existence of transactions by checking the transaction data with the customer master data and ID evidence (such as copy of driver's license) | As mentioned 3 rows above, the point here is to set up the system so that reports could be generated in a way that consistency across the data is easily verifiable. |
1) Revenue recognition | Ensure that monthly transaction and balance reports are being sent to customers. Verify whether there are any questionable transactions (lack of existence etc.) by reviewing inquiries from customers (complaint reports). | Anticipating that such audit procedures will be performed, the company should file inquiries from customers, document measures taken by the company along with any findings and conclusions reached to facilitate the auditor's review. |
1) Revenue recognition | Perform analysis over all crypto transaction data (ex. data maintained by the VCE service provider, data from the blockchain etc.) by user ID or a specific time period to identify any unusual transactions. If there are any unusual transactions, investigate the reason for the transactions. If needed, verify the existence of the transactions by, for example, checking the user ID in the transaction, ID evidence, customer master data, account data and blockchain data. Examples of unusual transactions include the following: 1. frequent and significant deposits/withdrawals to a specific address (could be a hidden address); 2. frequent and significant deposits/withdrawals by a specific user (could be a fictitious account or accomplice); 3. account with a significant balance but with no logins for a long period of time (could be a fictitious user); 4. transaction status of accounts held by related parties; 5. significant deposits/withdrawals before and after the balance sheet date | As mentioned 5 rows above, the point here is to set up the system so that reports could be generated in a way that consistency across the data is easily verifiable. Related with 4. on the left, the company should maintain an updated list of related parties (affiliates, officers, relatives of officers etc.) and whether they have an account or not. |
2) Existence of crypto | Reconcile the general ledger with the subledger (company crypto account and customer crypto account) | - |
2) Existence of crypto | Reconcile own account and customer account with the block chain. Take extra precaution regarding transactions that occurred before and after the balance sheet date as they are considered high risk. | I am expecting that the way the auditor goes about this procedure would depend on the auditor. There could be a case where the auditor would use their own full node and block-explorer and there could also be cases where they would use a block-explorer provided by a third-party. I have heard that Ernst and Young has an audit tool, "Blockchain Analyzer", that can be used for multiple types of crypto including Bitcoin and Ether. When using third party block-explorers, my assumption is that depending on the circumstance, the auditor would use a combination of different block-explorers to get comfort over the reasonableness of the results. |
2) Existence of crypto | Obtain a list of balances and corresponding addresses maintained by the VCE service provider. Generally speaking, the owner of an address cannot be determined by just looking at the address. However, owning crypto or taking custody of a customer's crypto would mean that the corresponding private keys would be under the control of that person. Therefore, perform the following procedures to ensure that the VCE service provider has control of the private keys of the corresponding addresses: 1) Use digital signature functions. For example, have the VCE service provider sign a message with the private key and verify the signature with the public key 2) Have the VCE service provider send a small transaction or message from the addresses under their control and check to see if they are accepted by the network | In order to confirm control over a private key of an address that has a balance as of the balance sheet date, the procedures 1) or 2) to the left will have to be performed at a date sometime before the balance sheet date. When taking method 1), an example of the actual procedure could be the following: (in the case of Bitcoin, single-sig) 1. Sign a message specified by the auditor with the private key at a point in time before the balance sheet date as instructed by the auditor. The message specified by the auditor could be something like the following: 2. Provide the auditor with the address and the generated signature 3. By combining the address and signature along with the specified message, the auditor would, at the least, be able to confirm that the company does in fact control the private key that corresponds to a specific address, from the time procedure 1. was performed. This requires careful and close coordination with the auditor so it is important to discuss the details of the procedure with the auditor well in advance. |
2) Existence of crypto | If cryptos are held by a third-party, confirm balances with the third-party | If cryptos are held by a third-party, investigate beforehand what kind of information the third-party is able to provide and discuss with the auditor well in advance what kind of audit procedures will be necessary. |
2) Existence of crypto | Ensure that monthly transaction and balance reports are being sent to customers. Verify whether there are any questionable transactions (lack of existence etc.) by reviewing inquiries from customers (complaint reports). | Anticipating that such audit procedures will be performed, the company should file inquiries from customers, document measures taken by the company along with any findings and conclusions reached to facilitate the auditor's review. |
2) Existence of crypto | In case of hard forks, verify that the change in price and quantity is recorded appropriately. | The system would have to be programmed so that balance movements due to hard forks and airdrops are verifiable. |
2) Existence of crypto | Confirm whether there were any subsequent events that occurred after the balance sheet date (and before the audit report date) that may raise doubts about the existence of cryptos. Perform additional procedures over existence if determined necessary. | Even after most of the audit procedures are completed, an audit continues in the background until the audit report is issued. Internal controls to identify unusual transactions occurring after the balance sheet date and determine whether they need to be reflected in the financial statements will need to be implemented. |
3) Valuation of crypto | Reconcile the general ledger with the subledger (company crypto account and customer crypto account) | - |
3) Valuation of crypto | For each type of crypto that the VCE service provider owns or takes custody of, determine whether there is an active market. This judgement should be made by confirming whether there is a sufficient number of transactions at the exchanges in terms of volume and frequency in order to continuously provide price information. | It is not clear what constitutes an active market so it is important to discuss with the auditor if there is a crypto with low trading volume. My assumption is that trade volume from websites such as CoinMarketCap and OCFX will also serve as a reference point when determining liquidity of a crypto. |
3) Valuation of crypto | For cryptos that have an active market, verify that each crypto is being valued at the market price of the exchange on which the company most actively trades (Para 9 of PITF38) | It is important to document the factors the company considered when determining that an active market exists. |
3) Valuation of crypto | When using the trading price of its own exchange as the market price of a crypto, consider whether it meets the requirements of "fair value" stated in Para 4(6) of PITF38. Take extra care in situations such as below: 1. The price on the balance sheet date has increased significantly compared to price movements during the year 2. Transaction with a certain user is affecting the price on the balance sheet date 3. The spread between the price on the VCE service provider's own exchange and the price on the other exchanges is unusually wide 4. No transactions have occurred for an extended period of time before the balance sheet date on the VCE service provider's own exchange | In situations such as 1 - 4 on the left, it is important to document how each situation was considered in determining the fair value/market price to use on the balance sheet date. |
3) Valuation of crypto | For cryptos that do not have an active market, verify that the crypto is measured at the lower of cost or estimated disposal value (PITF38 Para 6 or 11). | When using disposal value, it is important to document the factors that were considered in calculating the amount. See the next row for factors to consider when calculating the disposal value. |
3) Valuation of crypto | Consider the reasonableness of the disposal value by reviewing how it was estimated. Especially consider the following factors: 1) the disposal value is the amount at which the crypto is certain to be sold, based on objective evidence 2) when using the price that was used in a negotiated transaction with a third-party as the amount at which the crypto is certain to be sold (PITF38 para 43), the third-party actually followed through on the transaction 3) when it is difficult to estimate the amount at which the crypto is certain to be sold, zero or a memorandum value is used as the disposal price (PITF38 para 43) | - |
3) Valuation of crypto | Consider the following regarding cryptos that are issued by the company (including affiliates) that are not within the scope of PITF38 (para 3): 1) because such crypto is not within the scope of PITF38 para 5-15, consider separately whether the accounting treatment chosen by the VCE service provider is reasonable. Consider whether the accounting treatment is appropriately disclosed when it is considered necessary for the users of the financial statements to exercise proper judgement 2) assess how the accounting treatment elected by the VCE service provider is being applied 3) consider whether additional disclosures are necessary for the users of the financial statements to exercise proper judgement. Such disclosures could include balance sheet date quantity and monetary balance for each crypto etc., which are not explicitly required under PITF38. | As mentioned towards the beginning of this article, the auditor is expected to be extra careful when auditing tokens that were issued by the company. It is important to document the consideration made by the company and start discussions with the auditor at an early stage, including disclosures on the financial statements. |
Report Data Export Template
Order Data
Account Holder | Order ID | Order Time | Order Type | Order Amount | Order Base Currency | Order Counter Currency |
Trade Data
Account Holder | Transaction ID | Order ID | Transaction Time | Transaction Type | Trade Amount | Trade Base Currency | Trade Counter Currency | Fee Currency | Fee Amount | JPY Trade Amount | JPY Fee Amount |
Deposit
Account Holder | Deposit ID | Deposit Time | Deposit Amount | Deposit Currency | Deposit Fee | Deposit Fee Currency | Link to block explorer (tx id) |
Withdrawal
Account Holder | Withdrawal ID | Withdrawal Request Time | Withdrawal Time | Withdrawal Currency | Withdrawal Fee | Withdrawal Fee Currency | Link to block explorer (tx id) |
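A sketch of the unusual-transaction analysis from the revenue recognition row, run over deposit and withdrawal exports, covering items 2, 3 and 5 of that list. This is an added example, not part of the guidance: the rows, customer master data, fiscal year end and every threshold are constructed assumptions, and amounts are taken as already converted to JPY.

```python
from collections import defaultdict
from datetime import date

# Constructed sample rows shaped like the Deposit/Withdrawal export columns:
# (account holder, type, date, JPY amount)
ROWS = [
    ("U001", "deposit",    "2018-02-10",    40_000),
    ("U002", "deposit",    "2017-06-01", 8_000_000),
    ("U002", "withdrawal", "2017-06-02", 7_900_000),
    ("U002", "deposit",    "2017-09-10", 9_000_000),
    ("U002", "withdrawal", "2017-09-11", 8_950_000),
    ("U003", "deposit",    "2018-03-30", 6_000_000),
    ("U003", "withdrawal", "2018-04-02", 6_000_000),
]
# Constructed customer master data: holder -> (JPY balance, last login)
ACCOUNTS = {
    "U001": (150_000, "2018-03-29"), "U002": (100_000, "2018-03-20"),
    "U003": (0, "2018-04-02"), "U004": (12_000_000, "2016-11-01"),
}
BS_DATE = date(2018, 3, 31)  # constructed balance sheet date

def flag_unusual(rows, accounts, bs_date, big=5_000_000, many=3,
                 window_days=3, dormant_days=365):
    """Return {holder: set of reasons}. All thresholds are assumptions."""
    flags, big_moves = defaultdict(set), defaultdict(int)
    for holder, _kind, day, amount in rows:
        if amount < big:
            continue
        big_moves[holder] += 1
        if abs((date.fromisoformat(day) - bs_date).days) <= window_days:
            flags[holder].add("significant movement around balance sheet date")  # item 5
    for holder, count in big_moves.items():
        if count >= many:
            flags[holder].add("frequent significant deposits/withdrawals")  # item 2
    for holder, (balance, last_login) in accounts.items():
        idle = (bs_date - date.fromisoformat(last_login)).days
        if balance >= big and idle > dormant_days:
            flags[holder].add("significant balance, no recent login")  # item 3
    return dict(flags)

if __name__ == "__main__":
    for holder, reasons in sorted(flag_unusual(ROWS, ACCOUNTS, BS_DATE).items()):
        print(holder, sorted(reasons))
```

Item 1 (activity concentrated on a specific address) needs an address column, which the export template above does not carry, so it is left out here.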
Summary
Financial statement audits by auditors were things that only large companies (listed companies and large companies under the Companies Act) had to worry about.
Because of the amendment in regulations surrounding crypto, it is my prediction that many VCE service providers will be undergoing audits for the first time.
What is going to be important in order to avoid surprises and disagreements with the auditor is to start discussions regarding accounting treatments and audit approach with the auditor well in advance.
I plan on writing more on crypto audits in the future, hoping to familiarize the concept of auditing with the crypto world and vice versa.