The Key Considerations for Auditing Digital Assets and Cryptocurrencies

Introduction

With the rapid rise and adoption of digital assets and cryptocurrencies, the accounting and auditing landscape faces new challenges. Digital assets, which include cryptocurrencies like Bitcoin, Ethereum, and other blockchain-based tokens, present unique considerations for auditors due to their novel nature and the complexities involved in their transactions. This article explores key considerations for auditing digital assets and cryptocurrencies, citing relevant accounting guidance,  and identifying significant auditing risks that need to be assesses and addressed.

Accounting Guidance

U.S. Financial Accounting Standards Board

On December 13, 2023, the U.S. Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) 2023-08—Intangibles—Goodwill And Other—Crypto Assets (Subtopic 350-60): Accounting For And Disclosure Of Crypto Assets.^[1]  This ASU provides detailed guidance on the accounting for and disclosure of digital assets and offers a framework for companies to classify and measure their holdings of digital assets. The ASU is effective for all entities for fiscal years beginning after December 15, 2024, including interim periods within those fiscal years. Early adoption is permitted for both interim and annual financial statements that have not yet been issued (or made available for issuance).

The guidance in the ASU applies to all assets that meet all the following criteria^[2]:

• Meet the definition of intangible asset as defined in the FASB Accounting Standards Codification
• Do not provide the asset holder with enforceable rights to or claims on underlying goods, services, or other assets
• Are created or reside on a distributed ledger based on blockchain or similar technology
• Are secured through cryptography
• Are fungible
• Are not created or issued by the reporting entity or its related parties.

The ASU requires that an entity measure crypto assets that are within the scope of the guidance at fair value each reporting period with changes in fair value recognized in net income. The amendments also require that an entity provide disclosures about significant holdings, contractual sale restrictions, and changes during the reporting period.

It should also be noted that the AICPA has published a (recently) updated and useful, nonauthoritative practice aid providing  guidance on how to account for and audit digital assets, Accounting for and Auditing of Digital Assets.^[3]

International Financial Reporting Standards (IFRS)

The IFRS Interpretations Committee discussed the treatment of digital assets in June 2019 and concluded that cryptocurrencies do not meet the definition of cash or a financial asset, and thus digital assets should be accounted for as intangible assets under IAS 38, “Intangible Assets.” If the digital assets are held for trading (i.e., sale), they could be classified as inventory under IAS 2, “Inventories.”^[4]

Auditing Risks

Auditing digital assets and cryptocurrencies involves assessing several risks including client acceptance and continuance, related party transactions, the use of a service organizations, and risks affecting multiple assertions, most notably those concerning existence, valuation, and ownership (i.e., “rights”).

Risk of Existence

The risk of existence refers to whether the digital assets reported on the balance sheet actually exist. Auditors must verify the authenticity and completeness of digital assets holdings. Given the virtual nature of these assets, existence verification poses unique challenges.

• Blockchain Verification: Public blockchain transactions are transparent and can be traced using blockchain explorers. Auditors can verify transactions and balances against the blockchain ledger, but will need to consider the relevance and reliability of information obtained from a blockchain explorer.
• Cold Storage and Wallets: Verifying assets in cold storage or hardware and software wallets requires physical inspection and access verification. Multi-signature wallets add complexity, as they require multiple keys for transaction authorization.
• Custodial Solutions: Many companies offer various types of custodial solutions which present unique audit considerations. Some solutions will include digital assets in comingled accounts, while others will provide segregated solutions.

Risk of Valuation

Digital assets are highly volatile, with their market values subject to significant fluctuation. Auditors must ensure that the valuation methods used are appropriate and reflect fair value.

• Market Price Verification: Auditors should check multiple cryptocurrency exchanges to determine the fair value at the reporting date. The chosen exchange rate should reflect an active and orderly market.  Further, auditors should implement procedures to evaluate the client’s choice of principal market, especially when a client uses a “pricing aggregator” for valuation because such entities do not provide a price at which transactions may be made (i.e., they are not a market or exchange).
• Impairment Testing: For digital assets classified as intangible assets and carried at cost less impairment, impairment testing is critical. Unless carried at fair value, auditors must evaluate whether declines in market value are temporary or indicative of a permanent impairment.
• Level of Fair Value Hierarchy: Valuing digital assets may involve assessing their place within the fair value hierarchy. Often, cryptocurrencies are considered to be Level 1 assets (quoted prices in active markets), but for less liquid assets or those with trading restrictions, Level 2 or 3 classification may be required.

Risk of Ownership

Determining ownership of digital assets can be complex due to the anonymity and pseudonymity features of blockchain transactions. Auditors need to establish whether the entity claiming ownership has legal rights to the digital assets, as well as considering the timing of procedures to provide appropriate audit evidence.

• Legal Title: Auditors should review legal documents and agreements to verify ownership claims. This includes agreements with custodians and counterparties.
• Private Keys: Ownership of digital assets is tied to control over private keys. Auditors need to verify that the entity has exclusive control over the private keys associated with the reported digital assets, or whether a receivable with a third party may exist instead.
• Third-Party Confirmations: Independent confirmations from custodians or service providers can help verify ownership and control over digital assets.

Internal Controls and Governance

Effective internal controls and robust governance frameworks are vital to managing risks associated with digital assets. Auditors should evaluate the entity’s internal control environment, including:

• Custody and Safekeeping: Entities should have strong custody arrangements, including secure storage solutions and access controls for private keys. If the custodian has a SOC 1 or ISAE 3402, Type 2 engagement performed, the auditor should request a copy and assess the controls at the service organization as part of documenting the design and implementation of controls of the entity (including the user entity controls documented in the service organization report).
• Transaction Authorization: Procedures for authorizing and recording digital asset transactions must be clearly defined and consistently applied.

Cybersecurity Considerations

Cybersecurity is a critical concern when auditing digital assets. The risk of hacking, fraud, and cyberattacks necessitates that auditors assess the entity’s cybersecurity measures, including:

• Network Security: Measures to protect against unauthorized access, malware, and phishing attacks.
• Incident Response: Protocols for detecting and responding to security breaches.
• Third-Party Security: Security measures employed by third-party service providers, such as exchanges and custodians, must be assessed.

Conclusion

Auditing digital assets and cryptocurrencies requires a comprehensive understanding of their unique risks and challenges. Auditors must remain vigilant in verifying existence, ensuring accurate valuation, and confirming ownership. As the landscape of the digital asset ecosystem continues to evolve, so too must the methodologies and approaches employed by auditors (including using technology tools).

This article was previously published in the Accounting and Business – ACCA April 2025 issue.