In a Spotlight article released this week, the Public Company Accounting Oversight Board highlighted considerations for auditors and audit committees of companies transacting in or holding cryptoassets. Auditing such assets can involve a number of challenges. As the Spotlight notes, each company’s involvement with cryptoassets may be multifaceted given the myriad of transactions that might involve a cryptoasset, such as “earning a fee, or ‘reward,’ for validating new blocks on a blockchain . . . , purchasing goods or services in exchange for cryptoassets, exchanging one cryptoasset for another, or selling cryptoassets for a fiat currency, such as the US dollar.” Other transactions might involve “providing trading services to third parties or acting as an intermediary, such as between a customer and a trading platform or mining operation.”
For auditors dealing with cryptoassets in their audits, the Spotlight focuses on selected auditor responsibilities under PCAOB standards, including establishing policies and procedures for whether to accept or continue a client engagement, planning an audit engagement with appropriate specialized skill or knowledge, and conducting a proper audit risk assessment. The Spotlight narrows in on each of these responsibilities and offers potential checklist considerations at the audit firm and audit engagement level. The risk assessment step is highlighted as particularly critical, as it informs the design and performance of the audit engagement.
For audit committees, the Spotlight offers the following set of sample questions that an audit committee might consider asking its auditor in instances where a company or audit committee member may be new to cryptoassets:
- What is the experience of the engagement partner and other senior engagement team members with cryptoassets? Would the firm be able to supplement the engagement team’s expertise if necessary (e.g., by engaging relevant specialists)?
- What is the auditor’s understanding of the technology underlying the issuer’s cryptoasset-related activities?
- Are specialized technology-based audit tools needed to identify, assess, and respond to risks of material misstatement?
- What is the auditor’s understanding of the legal and regulatory (including Know Your Customer and Anti-Money Laundering) implications of the issuer’s cryptoasset-related activities?
- How does the audit firm monitor auditor independence considerations associated with audit engagements involving cryptoassets (e.g., monitoring whether its staff invests in cryptoassets)?
- What policies and procedures does the audit firm have regarding conducting and monitoring audit engagements involving cryptoassets, including considering the risks associated with performing such audits?