An updated practice aid and how it can assist in audits of digital assets
The AICPA’s Digital Assets Working Group published the first iteration of its digital assets practice aid in late 2019. Since then, much has changed related to digital assets, and so the practice aid has evolved with timely updates.
The latest update, member-locked content published in late July, continues that evolution.
“Driving this expansion is not only the increase in digital asset popularity but the various forms of digital assets hitting the marketplace enabling entities to enter this space,” the practice aid’s introduction said.
On this episode of the JofA podcast, Kyle Sewell, CPA, a member of the Digital Assets Working Group, explains more about why the updates are important and how they can help practitioners.
As Sewell says in the episode, the practice aid is a “good starting point for folks to find answers to common questions and to obtain that baseline level of understanding of the key issues and requirements around accounting for and auditing [of] digital assets.”
What you’ll learn from this episode:
- An overview of the focus areas of the Digital Assets Working Group.
- Why the unofficial acronym for the working group has special meaning for Kyle Sewell.
- Particulars of the guidance for practitioners in the updated digital assets practice aid.
- How the practice aid can assist related to auditor responsibilities around SOC reports.
- Sewell’s key takeaways for practitioners.
Play the episode below or read the edited transcript:
To comment on this episode or to suggest an idea for another episode, contact Neil Amato at Neil.Amato@aicpa-cima.com.
Transcript
Neil Amato: Welcome to the Journal of Accountancy podcast. This is your host, Neil Amato. On this episode, we’re going to discuss a recently released update to a digital assets practice aid. That’s all coming up after this word from our sponsor.
Amato: Welcome back to the podcast. Kyle Sewell is a CPA and an audit partner with the firm BDO. He leads BDO’s global and U.S. audit methodology for distributed ledger technology and cryptoassets. Kyle also participates in the AICPA Digital Assets Working Group. Kyle, we’re happy to have you on the podcast, welcome.
Kyle Sewell: Thanks, Neil. I appreciate the opportunity to be here.
Amato: We’re glad to have you on. First, I’m hoping you can explain a little bit about the Digital Assets Working Group, your involvement in it, and some of the topics the group is discussing.
Sewell: As you know, with the growth and adoption of digital assets, we continue to see demand for assurance-related services increase. Those market demands led to the AICPA’s launching of the Digital Assets Working Group a few years back to focus on developing accounting and auditing guidance for digital assets. The working group includes subject matter experts from global and national firms, and we operate within two sub-groups. One that deals with those accounting questions and then the other that addresses audit-related matters, and that’s the one where I spend most of my time.
As I think you’re aware, the Digital Assets Working Group published and maintains a practice aid that provides nonauthoritative guidance on a range of topics, starting with client acceptance and continuance, risk assessment and controls, to laws and regulations and related party matters.
Then, why am I here? It’s to talk about what we just released, which is a new chapter, chapter 4 that covers the key audit considerations that may be relevant when an entity uses a service organization to support its involvement in the digital asset space. Given this emerging technology, as you can imagine, many organizations don’t possess the necessary technological capabilities or competencies to transact in or safeguard or even account for digital assets themselves. Hence, why they turn to service organizations to perform those functions. And that’s why we devoted the time to this topic.
Amato: That’s great. Now I did notice in one of your emails and also in typing out Digital Assets Working Group that it does have the initials DAWG, “dawg.” You are from the state of Georgia, so I have to ask with football season approaching, is that something that’s near and dear to your heart?
Sewell: Go, Dawgs. Yeah, I grew up a Georgia fan. I went to the University of Georgia and so experienced a lot of the growth and pain of being a fan in the ’90s, and to where the team is today, it’s an exciting time to be a Georgia Bulldog fan.
Amato: Exactly. Pretty timely here as we record in August. You mentioned the working group recently released an update to the practice aid and the nonauthoritative guidance on how to account for and audit digital assets. Why in your mind is that guidance important?
Sewell: Well, the guidance offered by the practice aid is critical for practitioners and companies to consider, given there’s just a lack of authoritative guidance in this area. And the practice aid, like I said, it includes expert insights from industry leaders and the AICPA and focuses on equipping professionals by addressing some of the most frequently asked accounting and auditing questions that come into play when you’re dealing with digital assets.
I think it’s also important to remind people that the guidance is grounded in our professional standards and in accounting literature. Chapter 4 of the practice aid addresses a number of considerations that may be relevant when service organizations are involved. It focuses on the key challenges surrounding system and organization control reports, more commonly known as SOC reports, and includes guidance around assessing whether a SOC report is sufficient for the needs of the audit that I think will be very helpful to the profession.
That said, I think it’s important to remind users of the practice aid that the questions, the examples, and other considerations included in the practice aid shouldn’t be considered exhaustive. It’s absolutely critical for users to stay informed and consider the implications or the effects of any new developments or changes in the digital asset ecosystem on this guidance. As new accounting literature and guidance gets published by standard-setters and regulators, the working group will update the practice aid to ensure it aligns with that guidance.
Amato: Let’s focus some on that topic of SOC reports, which I think a lot of our audience knows about, but perhaps for people who don’t know, you can explain first. Briefly, what are SOC reports and when are they relevant, and also how [can] the practice aid assist related to auditor responsibilities around SOC reports?
Sewell: Maybe I’ll start with when service organizations are relevant and then why the working group focused on this topic. First, it’s not uncommon for entities that transact or invest in digital assets to engage with various third parties to support their control environment. Whether it’s a trading platform that executes a client’s transactions, a custodian that holds their cryptoassets, or perhaps a wallet services provider.
In determining whether that third party should be considered a service organization depends on how the entity interacts with them and whether those services are relevant to the user entity’s internal controls over financial reporting, otherwise known as ICFR. When they meet that definition of a service organization, that’s when practitioners perform procedures to understand which controls are relevant to the audit. And those procedures may include obtaining and reading a SOC report that addresses the controls at the service organization that may be relevant.
The second thing I’d say that while there’s nothing unique in terms of the professional standards and auditor requirements to understand the entity’s ICFR and how they use third-party services in their operations, the AICPA working group focused on this topic. It just continues to be an area of challenge for auditors when those services involve a client’s digital assets, investments, or transactions. And when you compare the players in this space to traditional third-party service providers, think like a payroll processor or a traditional asset custodian, they’re generally not that simple. Oftentimes these third-party service providers lack sophistication, obviously lack regulation, and just have less mature control environments.
We also see many instances where those third parties don’t have SOC reports. When management of a company relies on that service organization to store and secure their cryptocurrency or to execute and report transactions, they’re doing that without any assurance from an external auditor that’s opined on controls relevant to those services. That’s just a little bit about the importance of why we focused on this topic.
Amato: That’s a little bit about SOC reports and when they are relevant. I’m hoping you can talk next about how the practice aid can assist related to auditor responsibilities around SOC reports.
Sewell: Sure. First, it’s an important reminder that although the risks, the controls, and the various forms of evidence in terms of how auditors audit in the digital asset ecosystem are different and present unique challenges, our role as auditors and our responsibility with regards to executing audits remains unchanged, and that includes our responsibilities around SOC reports. I think the practice aid does a really good job explaining what those responsibilities are under the professional standards. I’ll also mention that we see many instances where relevant service organizations don’t provide SOC reports, and thus give no assurance on their controls.
However, we also see issues when SOC reports are available, yet the level of assurance provided by those reports may be insufficient. Some examples here are when the SOC report may be incomplete, where it may not have all the controls that we would expect to see. It may not cover an appropriate time period for the audit. Then there could be questions around the reliability of the SOC report due to questions regarding the service auditor’s competence in this area. The practice aid walks through many of these considerations that auditors need to pay attention to when reviewing and evaluating the assurances or the lack thereof offered by these SOC reports.
Amato: You’ve previewed this, I guess, my next question, but what would you say are the unique considerations for auditors in this space? For example, what are some of the services that companies may outsource that could affect the audit?
Sewell: Maybe I’ll start by saying that given the complexity of the underlying technology and the risks that it presents, auditors often find themselves in situations where a combination of testing the entity’s internal controls — including those covered by the SOC reports — and substantive testing procedures are required to respond to the specific risks of material misstatement, and that’s something that is unique to this space in terms of the importance of internal controls.
I mentioned some of the services that companies typically outsource that would affect the audit, including obtaining custodial services or wallet services. Maybe I’ll highlight a few of the key considerations that auditors need to be aware of when evaluating the sufficiency and appropriateness of audit evidence that may be obtained from the SOC reports in these situations.
One of the items auditors would be evaluating is whether the SOC report includes all the necessary control objectives, and whether the report contained any qualifications regarding any identified deficiencies. Some examples of what auditors may be looking for: When an organization uses, say, a third-party custodian, they need to understand the risks involved with the service providers’ method of storage for private keys, whether they use cold storage or hot storage, and whether that SOC report appropriately addresses controls over the safeguarding of private keys.
Another issue that can arise when a custodian maintains custody of digital assets within commingled public addresses that also hold the digital assets of other depositors and customers. This is a big one that limits an auditor’s ability to inspect an entity’s specific cryptoassets held by the custodian on the blockchain itself, because these commingled or omnibus addresses don’t represent only the user entity’s holdings. This would be a situation where, as I just mentioned, substantive procedures alone are not sufficient and auditors would need to evaluate whether the custodian’s SOC report includes evidence about the effectiveness of the controls that account for and reconcile all those customer account deposits to the commingled public addresses.
Maintaining effective controls along with proper regulatory oversight over something as simple as reconciling customer accounts to these commingled public addresses could go a long way to reducing financial-statement fraud in this area. Then that begs the question, well, what do you do when the control objectives in the SOC report don’t address the identified risks of material misstatement or, say, when material events such as the creation of new wallets occur after the period covered by the SOC report?
That’s when auditors may seek to determine whether the scope of the service auditor’s report can be adjusted, or they may need to perform additional audit procedures at the service organization to obtain evidence to further support their understanding of the relevant controls. I’ll just add another plug here — I haven’t delineated between — there are different types of SOC reports, and we’re predominantly focused on SOC-1 reports that focus on ICFR, but there are SOC-2 type reports. The practice aid also includes guidance on whether the scope of a SOC-2 report, which again doesn’t explicitly focus on ICFR, may provide any relevant information or evidence to support the audits.
Amato: One way listeners can find out more on this topic is to take a look at the practice aid. That practice aid is member-specific content. We will share a link to that document in the show notes for this episode. Kyle, in summary, what are some of the key takeaways about the practice aid related to digital assets?
Sewell: I’m going to end where I started by saying that basic audit requirements haven’t fundamentally changed, including how we treat service organizations, but given the dynamic nature of this technology and with the digital asset markets still being in the early innings, just being, say, a little over a decade old, the nature of the risks and the controls relevant to this space will continue to evolve.
We see new use cases every day, new tokens, and we’ve seen standard-setters and regulators reacting with the FASB issuing a proposed accounting standard this year, along with the SEC’s SAB 121 that was released last year. But given how young the crypto markets are, providing new and updated guidance to the profession is critical to ensure that practitioners are positioned to effectively support audits in this area. I think the AICPA practice aid is a good starting point for folks to find answers to common questions and to obtain that baseline level of understanding of the key issues and requirements around accounting for and auditing digital assets.
That said, I mentioned it’s not exhaustive or prescriptive. There’s no standard approach or template to executing audits in the space, and so auditors still need to reflect and understand the entity’s underlying business, including its role in the digital asset ecosystem in order to be able to perform an appropriate audit. Then before I let you go, the last thing I’ll highlight — which is critical and a common theme throughout the practice aid — is just the importance of internal controls. This is certainly true as we continue to see companies transform their businesses through the use of automation and digitization solutions, including the use of blockchain technology.
And with these transformations, internal controls really take a front seat on audits around areas like safeguarding digital assets, transaction monitoring and reporting, and the types of controls that we discuss in this practice aid related to third parties that hold your digital assets.
Amato: I think that’s great insight into the practice aid and what it offers. Kyle, thank you for your insight as well. We appreciate you being on the podcast.
Sewell: Appreciate it, Neil. Go, Dawgs.