1. An emerging challenge in financial reporting & controls
Crypto Assets
Presented by:
Vinod Kashyap
Simran Diwedi
55th World Continuous Reporting & Auditing Symposium
Indian Institute of Management, Vishakhapatnam, India
January 9 – 10, 2023
2. Outline
o Preamble
o Financial Reporting
o Risk Assessment
o Internal Controls
o Q & A
2
55th World Continuous Auditing & Reporting Symposium 2
4. 1/9/2023 4
Crypto Assets
A crypto asset is a digital representation of value or contractual rights created,
transferred and stored on some type of distributed ledger technology (DLT) network
(e.g. blockchain) and authenticated through cryptography.
55th World Continuous Auditing & Reporting Symposium
5. 5
Types of Crypto Assets
Cryptocurrency Asset-backed token Utility token Security token
Cryptocurrencies are
digital tokens or coins
based on blockchain
technology e. g. Bitcoin,
Ethereum, Litecoin,
Dogecoin etc.
Asset-backed tokens are
digital token based on
blockchain technology
that derives its value from
something that doesn’t
exist on the blockchain
but instead is a
representation of
ownership of a physical
asset e.g. gold or oil
Utility tokens are digital
tokens based on
blockchain technology
that provide users with
access to a product or
service and they derive
their value from that right.
Security tokens are digital
tokens based on
blockchain technology
that are similar in nature
of traditional securities.
They can provide an
economic stake in a legal
entity.
55th World Continuous Auditing & Reporting Symposium
1/9/2023 5
6. 6
Types of Crypto Assets Cont..
Stable Coins
Non-fungible
tokens (NFTs)
Protocol tokens
These tokens are pegged
to the value of an asset,
such as the US dollar, and
are intended to minimize
price volatility.
These tokens represent
unique digital assets, such
as art, collectibles, or
virtual real estate. They
are often built on top of
blockchain platforms like
Ethereum.
These tokens are used to
incentivize participation in
a decentralized network
and are typically
necessary for
participating in the
network's governance and
decision-making
processes.
55th World Continuous Auditing & Reporting Symposium
1/9/2023 6
7. 7
Centralized Vs. Distributed Ledger
Centralized Ledger
Relies on a trusted third party, requires reconciliation.
.
Distributed Ledger
Relies on a trusted third party, requires reconciliation.
.
55th World Continuous Auditing & Reporting Symposium
1/9/2023
8. Immutability
Distribution
Decentralization Tokenization
Encryption
Source : Gartner
A complete blockchain incorporates all
five elements to authenticate users,
validate transactions and record that
information to the ledger in a way that
can not be corrupted by a single
participant or changed after the fact.
Five Key Elements of Blockchain
55th World Continuous Auditing & Reporting Symposium
1/9/2023 8
10. 1/9/2023 10
Accounting Cryptocurrency Transactions: IFRS
IAS 38 “Intangible Assets”
Cryptocurrencies meet the definition of an intangible
assets, so generally IAS 38 “Intangible Assets” will
apply.
IAS 2 “Inventories”
If an entity holds cryptocurrencies for sale in the
ordinary course of business, then IAS 2 “Inventories”
will apply.
2019 IFRS IC Agenda Decision
55th World Continuous Auditing & Reporting Symposium
11. 1/9/2023 11
IFRS: Further Guidance Required
IFRS IC Agenda Decision 2019 is for holding of cryptocurrencies and the companies will need guidance
on the following areas: -
1. Accounting for the issuers of cryptocurrencies
2. Accounting of crypto liabilities
3. The scope of IFRS IC Agenda Decision 2019 is limited with no obligation/claim on the issuer e.g.,
cryptocurrencies. Accounting of cryptocurrencies with an obligation/claim on the issuer e.g., Security
Token, Utility token will need guidance
4. When crypto-assets are non-financial assets held as an investment implication of roll-out of CBDC or
Stable Coins pegged to Fiat Currencies on the definition of cash or cash equivalents (IAS 7 – Statement
of Cash Flows)
55th World Continuous Auditing & Reporting Symposium
12. 1/9/2023 12
Accounting Cryptocurrency Transactions: Ind AS
55th World Continuous Auditing & Reporting Symposium
No Guidance
Ind AS 38 “Intangible Assets”
Cryptocurrencies meet the definition of an intangible
assets, so generally IAS 38 “Intangible Assets” will
apply.
Ind AS 2 “Inventories”
If an entity holds cryptocurrencies for sale in the
ordinary course of business, then IAS 2 “Inventories”
will apply.
Implementing 2019 IFRS IC Agenda Decision
14. 1/9/2023 14
Globally Recognized Frameworks
55th World Continuous Auditing & Reporting Symposium
Internal Control Frameworks
• Internal Control Integrated Framework (COSO), USA, 2013
• Guidance on Control (CoCo), The Canadian ICA, 1995
• Internal Control : Revised Guide for the Directors on the Combined Code (Turnbull), The Institute of CA England & Wales,
2005
• COBIT 5, IT Governance, Institute, USA
Governance Frameworks
• Report of the Committee on the Financial Aspects of Corporate Governance (Cadbury), England, 1992
• King Committee of Corporate Governance, Institute of Directors, South Africa, 2002 and Updated in 2010
Enterprise Risk Management Frameworks
• Australia/Newzeland Standard Risk Management, Australia/Newzeland, 1995
• COSO, USA, 2013
• ISO 31000, International Organization for Standardization (ISO), Switzerland, 2009
15. 1/9/2023 15
Globally Recognized Frameworks Cont..
55th World Continuous Auditing & Reporting Symposium
Others
• Basel Accord, 1988 and Basel II and III, 2005 & 2011
Auditing Standards
• ISA – 315 (Revised 2019) “Identifying and Assessing the Risk of Material Misstatement”, IAASB
• SA – 315 “Identifying and Assessing the Risk of Material Misstatement through Understanding the Entity’s Environment”,
ICAI, India
16. Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Source : COSO
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
Information &
Communication
Monitoring Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
13. Uses relevant information
14. Communicates internally
15. Communicates externally
16. Conducts ongoing and/or separate evaluations
17. valuates and communicates deficiencies
COSO 2013 Framework
55th World Continuous Auditing & Reporting Symposium
1/9/2023 16
17. 1/9/2023 17
ISA 315 (Revised 2019)
“Identifying and Assessing the Risk of Material Misstatement”
55th World Continuous Auditing & Reporting Symposium
• Issued by IAASB
• Deals with the auditor’s responsibility to identify and assess the risks of
material misstatement in the financial statements.
• Misstatement due to fraud or error
• Risks in financial statements taken as a whole
• Inherent risks and control risks
• Incorporates Information Technology (IT) Controls
• Effective for audits of financial statements for periods beginning on or after
15th December 2021.
18. 1/9/2023 18
55th World Continuous Auditing & Reporting Symposium
SA 315 - “Identifying and Assessing the Risk of Material Misstatement Through
Understanding The Entity and It’s Environment”
• Issued by ICAI
• Deals with the auditor’s responsibility to identify and assess the risks of
material misstatement in the financial statements
• Misstatement due to fraud or error
• Risks in financial statements taken as a whole
• Information Technology (IT) risks are not adequately addressed
• Lacks Information Technology (IT) Controls
• Needs revision
19. 02
03
01 Trading
Platforms
01
Custodians
02
Wallet
Providers
03
Trading Platforms enable users to buy, sell, hold and exchange
crypto-assets and traditional “fiat” currencies, generate and
manage the cryptographic keys that are needed to use, sell or
transfer the crypto-assets on the blockchains they support.
Includes Centralized & Decentralized Trading Platforms.
Custodians hold crypto-assets on behalf of users such as hedge
funds, asset managers and other entities.
Wallet Providers specialize in designing and operating
cryptographic key management solutions to help protect highly
sensitive private keys associated with public blockchain
addresses from theft or destruction.
Crypto Assets Ecosystem
1/9/2023 55th World Continuous Auditing & Reporting Symposium 19
20. 20
Risks of Material Misstatement
What can go wrong ?
Assertions that may be
affected
The entity chooses a crypto exchange that doesn’t have effective controls over the
transactions it enters on behalf of the entity or over the balance of crypto currency
maintained in the entity’s books of accounts.
Accuracy, valuation, completeness,
existence, cut-off, occurrence, rights
(ownership)
55th World Continuous Auditing & Reporting Symposium
1/9/2023 20
Source : CPA Canada
The entity has a crypto currency wallet that has not been accounted for. Completeness
The entity looses the Private key and therefore can no longer access the related
cryptocurrency.
Right (Ownership)
An unauthorised person accesses the Private Key of entity and steals
cryptocurrency.
Existence, Right (Ownership)
The entity misrepresents the ownership of a Private Key and therefore of related
crypto currency.
Existence, Occurrence, Right
(Ownership)
An unauthorized person obtains access to the Private Key and steals the entity’s
crypto currency..
Existence, Right (Ownership)
21. 21
Risks of Material Misstatement Cont..
What can go wrong ?
Assertions that may be
affected
The entity misrepresented the ownership of Private Key and therefore of related
crypto currency.
55th World Continuous Auditing & Reporting Symposium
1/9/2023 21
Source : CPA Canada
The entity sends crypto currency to a wrong address and crypto currency can not
be recovered now.
Rights (Ownership)
The entity looses the Private key and therefore can no longer access the related
cryptocurrency.
Right (Ownership)
The entity enters into records a transaction with a related party that can not be
identified now because of anonymity of transactions.
Accuracy, Valuation, Completeness
There are significant delay in processing crypto currency transactions at the end of
the period.
Cut-off
Existence, Right (Ownership)
22. 1/9/2023
Blockchain Technology Risks
Disrupting blockchain
Changing past transactions
Immutability can be broken
Unencrypted protocol
Out-of-date view of network
Not optimally distributed
Majority of Nodes don’t participate
Immutability of Blockchain can be broken by subverting
the properties of blockchain implementations,
networking and consensus protocols.
There is currently no way to implement Sybil cost in
permissionless blockchain like Bitcoin or Ethereum
without implementing a “Trusted Third Party”
Result in lowering the percentage of hasherate
necessary to execute a standard 51% attack.
The standard protocol for coordination within
blockchain mining pools, Stratum, is unencrypted and
effectively, unauthenticated.
The vast majority of Bitcoin nodes don’t seem to
participate in mining.
The no of entities required to disrupt blockchain is
low e.g. , 4 for Bitcoin, 2 for Ethereum
Every widely used blockchain has a privileged set of
entities that can modify the semantics of the
blockchain to potentially change past transactions.
22
22
Source : Trail of Bits
55th World Continuous Auditing & Reporting Symposium
24. 1/9/2023 24
55th World Continuous Auditing & Reporting Symposium
FTX – Lack of Internal Controls
25. 1/9/2023 25
55th World Continuous Auditing & Reporting Symposium
Beware Crypto Billionaires Boasting of Audits
26. 1/9/2023
All figures in
financial
statement are
accurate and
based on proper
valuation.
Accuracy & Valuation
Financial statement
include every item
that should be
included.
Completeness
Assets, liabilities
and shareholder
equity balances
appearing in the
financial
statement exist.
Existence
Transactions have
been compiled into
the correct
reporting period.
Cut Off
Information
recorded in the
financial
statements
actually occurred
during the year.
Occurrence
The entity is entitled
to the assets it is
reporting and is
reporting all its
obligations as
liabilities.
Rights & Obligations
Financial Statement Assertions
26
55th World Continuous Auditing & Reporting Symposium
27. 27
Risks and Controls
Topic Risks
Assertions
impacted
Controls
Cryptographic
Key Management
Compromise or loss of keys Existence
Rights (ownership)
Controls over secure key
generation, storage, usage and
retirement
55th World Continuous Auditing & Reporting Symposium
1/9/2023 27
Custody The service organization doesn’t
maintain sufficient custody of crypto
assets to satisfy customers deposits.
As a result they are unable to fulfil
customer obligations.
Accuracy
Existence
Rights (ownership)
Reconciliation between crypto
assets on blockchain and books &
records.
Record Keeping The user entity records crypto-assets
or crypto-asset transactions that are
inaccurate, do not exist, are
incomplete or for which they do not
maintain sufficient recordkeeping
controls, including controls that
address off-chain transactions.
Accuracy
Completeness
Existence
Cut Off
Occurrence
Rights (ownership)
Controls over sales & purchases of
crypto-assets between the user
entity and customers e.g.,
automatic recording of transactions.
Controls over the appropriate
maintenance of customer balances,
including tracking movements in
those balances.
Financial Statements of Entities Engaging Third Party for Executing Transactions, Providing Wallet , Holding Crypto Assets
Source : CPA Canada
28. 28
Risks and Controls Cont..
Topic Risks
Assertions
impacted
Controls
55th World Continuous Auditing & Reporting Symposium
1/9/2023 28
Customer
Statements
The user entity relies on customer
statements provided by the service
organization which are incomplete
or inaccurate.
Accuracy
Completeness
Existence
Cut Off
Occurrence
Rights (ownership)
The service organization has
controls over whether the customer
statements provided to the user
entity are complete and accurate.
Validation of
customers
interaction
Accuracy
Existence
The service organization’s
customers receive an automated
notification when a transaction is
processed or a change is made to
their account which includes contact
details to report suspicious or
unauthorized transactions.
Due to the risk associated with
changes to customer accounts,
customers lose funds or are unaware
of changes made to their account.
Withdrawal of
funds
The service organization does not
identify instances where customers
withdraw funds beyond their current
balance.
Accuracy
Existence
Before performing the transaction,
the service organization performs
an automated validation to confirm
that the customer account has
sufficient funds.
Source : CPA Canada
Financial Statements of Entities Engaging Third Party for Executing Transactions, Providing Wallet , Holding Crypto Assets
29. 29
Risks and Controls Cont..
Topic Risks
Assertions
impacted
Controls
55th World Continuous Auditing & Reporting Symposium
1/9/2023 29
Comingling of
funds
The user entity does not have
appropriate controls over
commingling of funds.
Accuracy
Existence
Rights (ownership)
The service organization has
controls to appropriately segregate
each customer’s crypto-assets from
the other customers’ and their own
holdings.
Customer account
opening
The service organization does not
comply with Know Your Customer
protocols.
Existence
Rights (ownership)
The service organization has
controls over the registration of
customers, including identity
verification procedures when they
open the account.
Order execution The service organization does not
have effective controls for
processing orders.
Accuracy
Occurrence
Existence
The service organization has
controls to ensure open trades
and/or orders are processed
completely, accurately and on a
timely basis when the appropriate
triggering event occurs.
Source : CPA Canada
Financial Statements of Entities Engaging Third Party for Executing Transactions, Providing Wallet , Holding Crypto Assets
30. 30
Risks and Controls Cont..
Topic Risks
Assertions
impacted
Controls
55th World Continuous Auditing & Reporting Symposium
1/9/2023 30
Consensus
mechanism and
protocols
Undetected failure in the
consensus mechanisms.
Existence
Rights (ownership)
The service organization has
monitoring controls to confirm
there is no manipulation of the
distributed ledger.
Source : CPA Canada
Financial Statements of Entities Engaging Third Party for Executing Transactions, Providing Wallet , Holding Crypto Assets
31. 1/9/2023
Risk Assessment and Controls: Further Guidance Required
31
02 03
06 05
04
01
Financial Statements of crypto
assets trading platforms,
custodians, and wallet providers
Financial Statements of other
entities
Financial Statements of entities
that validate transactions on
blockchain (minors)
Financial Statements of entities
that engage in Smart Contracts
Financial Statements of entities
that issue ICO and ITO
Financial Statements of entities
having material crypto balances:
(a) Engaging Third Party
(b) Others
55th World Continuous Auditing & Reporting Symposium 31
32. 1/9/2023
Conclusion
32
1. Further guidance on accounting of crypto assets under IFRS other those covered in IFRS Agenda 2019 is required.
2. Further guidance on controls in financial statements of different types of entities dealing in crypto assets is required.
55th World Continuous Auditing & Reporting Symposium 32
33. “No matter how complex things are,
basically everything is simple.”
Questions