About the Panelists
Brandon Brown, CPA, CISA, managing director of the risk and financial advisory group at Deloitte & Touche LLP; Jeremy Goss, CPA, audit partner, banking and financial services, at Grant Thornton LLP; Jagruit Solanki, CPA, CGMA, assurance partner in the technology and blockchain services group at Aprio; and Amy Steele, CPA, audit and assurance partner at Deloitte & Touche LLP, were the panelists. Ami Beers, CPA, CGMA, senior director of assurance and advisory innovation at the AICPA, moderated the panel. The following is an edited and condensed summary of the panel discussion. The views expressed are the panelists’ own personal views and not necessarily those of their employers or those employers’ boards, management, or staff.
Beers opened the panel by having Steele, who is chair of the AICPA’s digital assets working group, explain its mission. Steele said that the group aims to “create nonauthoritative accounting and audit guidance for digital assets and then hopefully provide some answers and a framework for how to deal with them from both an accounting and an audit standpoint.” To that end, the working group is split into accounting and audit subgroups, the latter of which Steele also chairs.
“We are working at this point in time to develop nonauthoritative guidance on these challenging topics,” Steele said. “For each of our topics, we will be releasing papers that walk through a framework, starting first with the U.S. GAAS requirements, the unique risks as relates to digital assets, and then hopefully answers and procedures that an auditor could perform to respond to those risks.”
Steele then spoke on the specific topics, which the subgroup has split in two. The first batch contains fundamental concepts auditors need to be thinking about going into an engagement that involves digital assets, such as the skill sets of the auditors and management, the potential risks of material misstatement involved, the processes and controls that are needed to mitigate those risks, and the particular challenges the pseudo-anonymity of digital asset transactions and the potential for illegal acts by counterparties pose to auditors’ responsibilities. The second, she said, contains audit assertions, completeness, valuation, existence, rights, and obligations, as well as IT risks.
Discussing the accounting subgroup, Steele said that its guiding principles are “very similar” but noted that its papers will take “more of a Q&A structure.” The accounting subgroup’s first batch of topics includes nonspecialized industry topics, such as the classification and measurement of digital assets, while the second batch focuses on more specialized guidance for entities such as investment companies and broker-dealers, and such topics as hard forks, airdrops, and fair value considerations.
Steele again stressed that the guidance will be nonauthoritative. “We are working with U.S. GAAS and U.S. GAAP, but there are regulations outside of U.S. GAAP and U.S. GAAS that folks will need to consider,” she added.
Next, Beers turned to Brown, who is part of the AICPA’s System and Organization Controls (SOC) working group for digital assets, to explain that group’s mission. Brown said that there is a growing number of companies that provide digital asset–related services for entities that hold those assets, and that his group’s mission is to provide guidance to auditors of those entities.
Accounting for Digital Assets
Beers then asked Solanki to expand on the topic of considerations when accounting for digital assets. “The biggest question,” Solanki said, “is what type of entity you are. Are you an exchange? Are you a custodian? Are you a payment processing company?” Second, she said, is whether the entity is a custodian or owner of the digital assets. The definition of “control” for digital assets will be important here, as it will determine whether a corresponding liability for the asset needs to be recorded. Solanki cited Accounting Standards Codification (ASC) Topic 606, “Revenue Recognition,” and ASC Topic 842, “Leases,” as two standards that define control, saying that the issue ultimately goes to the nature and purpose of the asset.
Solanki said that the easiest digital assets to value will be cryptocurrencies like Bitcoin that have an active trading market. “It gets challenging when you’re talking about illiquid assets,” she said, giving an example of tokens given out as a marketing incentive. “There could be significant management judgment involved, pretty much like a level 2 or level 3 type security, and there might be significant discounts attached.”
Solanki also said that one of the main challenges in accounting for digital assets is adjusting their cost basis when recording them on the balance sheet as indefinite-lived intangible assets. “You have to define when impairment really triggers in this digital asset space, given the extreme volatility, and once you define that, you have to constantly monitor if there’s an impairment trigger,” she said. “The biggest issue that I have seen with our clients is tracking those assets. There’s not a whole lot of great software out there that can automate that process, and it can be a reconciliation nightmare.”
Considerations for Auditors
With regard to audit engagements in this field, Goss said the existing standards will be the foundation. “A lot of it is going to be very, very similar to what we do now in client acceptance and continuance,” he said. “We’re going to look at management integrity. We’re going to do background checks, those sorts of things that we would do with any client.” The unusual nature of digital assets will require auditors to have a strong understanding of an entity’s changing business strategy. Skill sets will be “super important, just like in any space,” Goss said, noting that audit teams and management will both need cybersecurity experts.
The biggest challenge, Goss said, will be determining auditability. “If you have a mature market,” he explained, “auditability usually isn’t that big of an issue. However, in this space, we find ourselves getting into situations where the company has transactions that substantial procedures alone may not be sufficient to audit.” He gave the hypothetical example of a company that set up its own internal cryptocurrency exchange. Such a system would have no external records to audit. “In that kind of case, internal control becomes extremely important. That’s one of the things that we really want to understand before we take on that client.”
Steele warned against overconfidence about valuing this new asset class. “Can I get audit evidence to support that the company truly owns that digital asset and they have the private key? In these scenarios, we do very heavy acceptance and continuance to understand whether this is a company we want to be engaged with,” she said. Brown added that entities may also be subject to the SEC’s interpretation of whether digital assets are securities.
As Beers turned the topic specifically in the direction of auditor skill sets, Steele said that auditors will need “a deep understanding of what is a ‘digital asset.’” She added that the working group specifically chose that term instead of “cryptoasset” to keep the definition broad. “As technology continues to evolve, any item can be digitized and traded on a particular blockchain,” Steele explained. The mechanics of transactions will also be important, she said: “To get sufficient appropriate audit evidence, we need to understand the transaction flow from point A to B. What are the risks related to that particular digital asset and that particular blockchain?”
Solanki said that the easiest digital assets to value will be cryptocurrencies like Bitcoin that have an active trading market. “It gets challenging when you’re talking about illiquid assets.”
Steele also reiterated that existing professional standards can provide a starting point, albeit one that comes with its own challenges. She identified the five biggest challenges as proving the digital asset’s existence, determining the client’s rights and obligations, valuation in the highly volatile digital space, internal controls, and illegal acts of related parties.
SOC Reports and Engagements
Beers then turned to Brown to cover how blockchain is affecting SOC engagements. Brown first cited some hypothetical cases that might require SOC reports, such as custodian arrangements and scenarios where companies are using digital assets to manage their supply chains, or to streamline settlement of foreign exchange.
One challenge is that the guidance for SOC examinations, according to Brown, “leaves a lot of professional judgment to the service auditors.” Brown looks for areas of similarity, such as between being a custodian for a digital asset and being one for more traditional assets, and “apply those same control objectives, to the extent that they’re relevant.” In addition, he said, protecting the security of the private key to the blockchain is important. Insufficient understanding of cryptography, he said, is a significant risk. “The risks of losing a private key can be catastrophic. This is the sort of thing that makes the newspapers too often.”
In response to Beers’s question about what user auditors look for from SOC reports, Goss said that he looks for exactly the things Brown identified as challenges, as well as the five listed by Steele as challenges for audit reports. Steele added that “it’s important, anytime we’re auditing an entity that’s using a custodian, to understand that custodian, what their experience is, and what the protections are, because the protections may be different than what we’re used to for traditional asset classes with traditional custodians.” Solanki noted that, in blockchain company audits that Aprio handles, “the financial statement audit team is heavily involved with our IT assurance auditing, working together hand in hand from day one.”
Wider Applications of Blockchain
Beers then asked the panel about implementation of blockchain beyond digital currency. Steele said that a recent Deloitte survey showed significant investment in blockchain, with “a lot of focus on use cases outside of the bitcoin, such as supply chain, digital identity, and food traceability.” The technology has yet to see mainstream adoption for support of internal controls, which Steele said “will really impact us as auditors.”
Brown opined that wider blockchain use is competing with traditional databases, which he said “have solved the problem reasonably well.” Goss agreed, saying that, while public blockchains excel at creating trust between disparate parties and being resilient to cyberattacks, “if those two things, trust and resiliency, aren’t the biggest issues, [a traditional database] can do a much better job typically.”
Asked about the implications on financial reporting and internal controls, Brown noted that records on a public blockchain are not controlled by a specific party. “If you’re thinking about what service organization and whose control to evaluate to understand that public ledger, there really isn’t one.” Solanki added that, because data entered into a blockchain is permanent, the raw information going into the system is very important for auditors.
Steele brought up the issue of private blockchains set up for parties to conduct transactions with each other, which she said would “have shared risks across the parties, and with shared risk comes shared responsibility.” She also agreed with Solanki’s point about inputs, saying, “We know that garbage in is going to be garbage out, but blockchain puts even more power into that. I think that’s going to have a profound impact on financial reporting.”
Steele then turned to internal controls, saying, “We typically think of internal controls as they exist within the particular entity, and maybe a service organization, but with blockchain, those internal controls are now shared cross-organization, and that’s just mind-blowing.” Asked what the role of the auditor is in this situation, Brown noted blockchain’s “consensus mechanism,” by which all participants must reach a consensus on the data before it can be added to the blockchain.
“Understanding the technology is critical,” Steele said. “Everybody gets excited about blockchain … but really think about where it makes sense and where it doesn’t.”
“Understanding the technology is critical,” Steele said. “Everybody gets excited about blockchain … but really think about where it makes sense and where it doesn’t,” she said. “There are situations where we have multiple parties writing the same data, and so it makes sense to enter into a blockchain to be able to process that in a more efficient and effective manner. Have those discussions upfront.”
As Beers opened the panel up to the audience, a question came in about treating digital assets as financial instruments, specifically how level 3 valuation would work with them and how impairment would be determined. Solanki replied that, while there is no authoritative guidance on digital assets as financial instruments, the existing asset definitions do contain useful information. “At a high level,” she said, “the definition of a financial instrument includes questions like, ‘Is there a contractual obligation? Is the digital asset backed by some sort of legal tender or government authority?’ The answer to all of that today is no.” On impairment, Solanki said that it would be done in the same manner as for an intangible asset, although this would require constantly monitoring the asset’s carrying value versus fair value.
Asked for closing thoughts, Steele said, “Blockchain is here to stay, so it’s important that everybody think through the unique aspects and risks and how we’re all going to respond to it as a profession.” Brown added, “Sometimes the understanding of the technology doesn’t exist in the parts of the organization that do attestation services, but they may exist elsewhere within the organization, so look for that experience and pull it in.”