Preparing an audit with digital assets

gm web3 accountants - hope you are having a rug-pull-free day! 😅

Finance teams play a crucial role in every business from enabling quick, decisive management decisions to ensuring compliance with reporting and legal requirements. One critical aspect that often goes overlooked is making financial data readily available for external audits. This not only bolsters public and stakeholder confidence but also underscores the transparency and integrity of the business's operations and performance.

Ever faced the panic of a looming audit, scrambling to gather and verify financial data? We've all been there. But what if I told you there’s a way to transform this stressful scenario into a seamless process? By following a few key practices, your finance team can ensure they remain auditable, efficient, and always ready to inspire confidence.

Let's dive into the essential strategies every finance team needs to master.

In the first of this 2-part series on audit, we will be focusing on the need and means to be audit-ready for a web3 company.

Deliverables Expected from Auditors 📝

An audit is an independent examination and evaluation of the financial statements of an organisation. Therefore, we as the finance team need to have supporting documentation made available to auditors for them to make fair assessments to conclude and agree with the company’s financial statements.

There are the more basic deliverables that would be necessary for the audit to be conducted which most would expect such as:

• Trial Balance, 
• General Ledger, 
• Bank Statements, 
• Reconciliation Reports (Wallet listings and balance reconciliations between on-chain data and general ledger/sub-ledger data), 
• Invoices and Receipts, 
• Payroll Records, 
• Tax Returns and Payments, and 
• Fixed Assets Registers.

The data kept by the finance team should be verifiable and re-performable when the auditor wishes to perform their substantive procedures. For example, a transaction from Etherscan only shows the sender address, recipient address, token sent, amount of token sent, and the date of the transaction.

However, this does not provide the full story for audit purposes as it does not explain the nature of the receipt for the receiving company. 

Good documentation, either through a manual system, accounting software, or crypto sub-ledger, should include a sales invoice and contract showing the customer, the nature of the services, and the payment details.

This way, when the auditor seeks to gain assurance over revenue, they can select this transaction to test from the general ledger or the provided wallet listing. The finance team will have easy-to-trace supporting documentation to justify the receipt of funds.

⚠️ It is important to note, however, that a good external audit will assess the business as a whole and so would also expect to be provided with information to evaluate:

Internal Controls and Procedures

Document and demonstrate the implementation and effectiveness of internal controls across all financial processes, including segregation of duties, authorisation protocols, and reconciliation practices.

Compliance

Gather all relevant legal and regulatory documents, along with evidence of adherence, such as audit trails, compliance checklists, and reports from compliance officers.

Risk Assessment

Prepare a comprehensive analysis of financial and operational risks, highlighting how these risks are managed and mitigated, with supporting evidence of periodic reviews and updates.

Management’s Judgments and Estimates

Compile detailed justifications and the basis for significant accounting estimates and judgments.
The reason for these to be thoroughly thought out and documented for review would be that the decisions and judgments made could have a material impact on the financial statements of a company. For instance, according to Microstrategy’s latest accounts (Pg 85), the FASB update ASU- 2023-08 would have a material impact on the financial statements. 

Presentation and Disclosures

Ensure that all financial statements and notes are complete, accurate, and prepared in accordance with applicable accounting standards.

Web3 Specific Deliverables ⛓️

Naturally, the auditors need to gain assurance over the crypto operations of the business. Therefore, some of the below items would be required by auditors:

Transaction Ledgers for Blockchain 

Transaction ledgers from the blockchain, detailing all token transactions. This could be in the form of downloads from block explorers or from sub-ledgers like TRES, Cryptoworth, Bitwave, Cryptio, Consola Finance, or Breezing. It is important to ensure these reports are complete and accurate (more on this in Part 2 - Audit Procedures for digital assets).

Token balance valuations 

Support of the costing methodology used to record assets and/or the year-end valuation recorded which should be reconciled to the financial statements. It is important to make use of a reliable pricing source for tokens such as Coingecko or Coinmarketcap when assessing the year-end valuation of the crypto balances.

Digital Wallet Records

Detailed records of all digital wallets and their balances, including public and private key management policies.

Smart Contract Audits

Reports and findings from the audits of smart contracts used by the company.

Token Distribution Records

Documentation of the issuance, allocation, and current holdings of tokens, including details on vesting periods and conditions for investors. These could include SAFTs and SAFEs documentation and analysis. 

‍Risk Management Documentation

Documentation of risk assessments and management strategies, especially regarding digital asset security and continuance controls.

Key Practices to Remain Auditable ✨

Implement Robust Internal Controls

Implement multi-signature wallets for significant transactions and restrict access to critical financial systems based on roles. This ensures that no single person has unilateral control over the company's funds.

Another key aspect to consider is the use of service organisations who value internal controls as much as you. 

A Service Organization Control (SOC) report is a third-party audit report that provides an independent assessment of a service organisation's internal controls. These reports help to ensure customers that the service organisation has the necessary controls in place to manage and protect data.

There are three types of SOC reports:

• SOC 1: Focuses on internal controls over financial reporting.
• SOC 2: Addresses controls related to security, availability, processing integrity, confidentiality, and privacy.
• SOC 3: Similar to SOC 2 but intended for a general audience and provides a high-level overview of the system’s security and availability.

One would expect to have SOC 1 & SOC 2 reports from the most reputable crypto sub-ledgers in the industry to ensure the product's reliability. 

Maintain Detailed Documentation

Maintain detailed documentation for all financial transactions, including the purpose, participants, and approval workflow. Store this documentation in a secure, distributed file system for easy access and reference for relevant employees. 

Regular Reconciliation and Monitoring

Reconcile blockchain transactions with internal accounting records periodically. This helps in identifying discrepancies early and ensures data consistency. A useful tool to use is monitoring dashboards that provide insights into financial metrics and transaction flows. Tools like Chainalysis or Dune can be used to monitor on-chain activity. 

Stay Updated with Regulatory Compliance

Use compliance management professionals or software to keep track of relevant regulations and ensure the company is adhering to them. This would provide insight into new regulatory changes relevant to the company such as MiCA.

Educate and Train Staff

Finance teams can conduct regular training sessions for staff on compliance, security practices, and new regulatory requirements such as IFRS and US GAAP update sessions. It is advised to encourage and support staff to obtain relevant certifications by joining the next cohort in the Crypto Accounting Academy.

Conclusion

Following these practices can transform the stressful scenario of a looming external audit into a seamless process. With a better understanding of the deliverables required by external auditors and adopting good practices, you can improve the likelihood of an unqualified audit report at year-end.

In ‘Part 2 - Audit Procedures for Digital Assets’, we cover the assertions and substantive procedures.