
Financial auditing is already a complex task, demanding specialized skills and expertise to assess a company’s complete set of books and records. When it comes to crypto companies, these challenges multiply exponentially. Need to verify asset balances? There’s no bank confirmation for that. Trying to validate transaction details? They’re on the blockchain, good luck! Does your client hold assets on behalf of others? Congratulations, audit risk has been raised!
In this case study, we’ll explore key audit procedures for evaluating the financial statements of a crypto exchange. We’ll cover existence, ownership, and other critical financial statement assertions, using a simplified balance sheet and income statement to illustrate key audit steps.
Of course, every audit is unique, and reporting requirements vary. While this guide isn’t a one-size-fits-all blueprint, it highlights essential considerations for auditors navigating the complexities of crypto companies.
Satoshi Exchange: Your Audit Client!
Your audit client, Satoshi Exchange, is a U.S.-based company undergoing a financial audit as part of its money transmitter licensing process across various states.
During the scoping process, Satoshi Exchange provided draft financials, revealing that they hold assets in custody on behalf of customers, introducing an added layer of complexity. Additionally, the exchange facilitates transactions in stablecoins. Its core business involves operating a trading platform where users buy and sell bitcoin for stablecoins, with the company earning a portion of each transaction as Trading Revenue. Satoshi Exchange is wholly owned by its founder, who has provided the initial capital investment.
The Company’s (Simplified) Financials are as follows:
Balance Sheet
Income Statement
The Audit Before the Audit: Client Acceptance
In the crypto industry, many companies seek an audit to enhance their credibility with investors, regulators, and the public. However, not all are truly prepared. Some are in the early stages of fundraising, have immature operations and financial reporting, or may not be acting in good faith.
Given these risks, client acceptance is a critical step in the audit process. While specific procedures vary by firm, the fundamental approach typically includes:
- Inquiring about, and performing an internet search for, any negative history such as fraud or non-compliance. Results may call for additional background checks on key executives and management.
- Reviewing the company’s prepared financials
- Assessing whether the company has the operational and financial maturity to complete an audit
A strong client acceptance process helps auditors mitigate risk and ensures that engagements align with professional and regulatory standards.
To learn more about how smaller firms can start to audit digital assets, check out my episode on Audit & Attestation Tools for Digital Assets on The Accountant Quits.
Getting Started: Risk Assessment & Planning
The audit process typically begins with Planning & Risk Assessment, which involves walkthroughs, inspections of company policies, accounting positions, and terms of use. Once the auditor has reviewed draft financials and gained a thorough understanding of the company’s operations, they assess risks across key areas. This risk assessment determines the audit scope and sample selection requirements. Auditors should look to identify risks that could impact financial reporting, compliance, or operational effectiveness. Typically this identification is done in 3 main categories:
- Inherent risks: Risks that exist due to the nature of the business or industry.
- Control risks: Risks arising from weaknesses in internal controls.
- Fraud risks: The potential for intentional misstatement or misconduct.
Once these risks are identified, the auditor rates each one by likelihood and impact, classifying it as high, medium, or low risk.
High-Risk Areas
- Customer Safeguarded Bitcoin (Assets): Holding customer assets presents a significant risk, particularly for bearer assets like crypto, where the risk of misappropriation (or loss) due to fraud or error is heightened. Additionally, customer and company funds are often partially commingled, as revenue is not always swept to corporate treasury wallets after each transaction. Given these complexities, auditors typically classify this as a high-risk area.
- Customer Safeguarded Bitcoin (Liabilities): The corresponding liability, the company’s obligation to fulfill customer redemptions, also carries risk. The auditor must ensure liabilities are not understated and that the company has sufficient reserves to meet obligations.
- Trading Revenue: Revenue is inherently a high-risk area, especially for exchanges. Since trading activity is recorded on an internal ledger rather than the blockchain, there is a risk of manipulation or fabricated transactions to overstate revenue and appear to be in a stronger financial position.
Medium-Risk Areas
- Company Stablecoins & Bitcoin: While lower risk than customer-held assets, company-owned crypto still poses challenges. Risks include incomplete wallet inventories and transaction histories, as well as potential commingling of corporate and customer funds.
- The auditor may also consider this a higher risk after assessing the potential for fraud over these assets. (Ex: An immature company with a single wallet that multiple employees have access to.)
Low-Risk Areas
- Cash: Traditional financial auditing procedures (TradFi) are well-equipped to verify cash balances. However, if the exchange holds fiat on behalf of customers, this needs to be heavily scrutinized as well! That’s not the case here for the purposes of our case study.
- Operational Expenses: Fortunately, in this case study, the company pays expenses in cash, making them easily traceable to bank statements and supporting documentation.
- Shareholder’s Equity: The company is funded through an initial capital infusion from its founder, reducing complexity in this area.
By identifying and prioritizing risks, auditors can allocate resources effectively, ensuring a thorough and risk-adjusted audit approach.
Fieldwork and Testing:
For the purposes of our case study, we will focus on the crypto-related accounts noted in the financial statements.
Balance Sheet Testing:
Audit Procedures for the Company’s USDC and Bitcoin Holdings
The auditor should consider the following procedures when evaluating the Company’s USDC and bitcoin holdings. The Company self-custodies all of its USDC across 100 single-signature wallets on Ethereum and its bitcoin across 500 single-signature wallets on Bitcoin. Additionally, the Company holds all customer assets in 10,000 Bitcoin addresses.
1. Completeness
To ensure the address list is complete for both company and customer funds, the auditor should consider the following:
- Obtain a comprehensive wallet list – Request that the Company provide a full list of wallets holding USDC and Bitcoin.
- Monitor for missing wallets – Throughout the engagement, remain vigilant for wallets with frequent transactions that are not included in the provided list.
- Analyze wallet flows – Examine transaction activity to detect anomalies, particularly those involving potential related-party or founder wallets.
2. Existence
To confirm that the reported USDC and Bitcoin balances exist as of the balance sheet date, the auditor should:
- Obtain a list of wallets/addresses holding USDC and bitcoin.
- Identify the block height corresponding to the balance sheet date on both the Ethereum and Bitcoin blockchains.
- Query the blockchain to retrieve balances at that block height, confirming the assets held at that point in time.
- Consider using specialized tools to efficiently extract balances from a large number of addresses.
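The completeness and existence steps above, worked as an added example (not code from the original article): it selects the cutoff block height for the 12/31 balance sheet date, rebuilds listed-address balances at that height, and flags counterparties that transact with listed wallets but are missing from the client’s list. The block index, transfer ledger, address names and reported balance are all constructed; in a real engagement they would come from a node or an indexing tool.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed block index for the example: (height, unix timestamp). All values are made up.
BLOCKS = [(100, 1735682000), (101, 1735686100), (102, 1735689400),
          (103, 1735689700), (104, 1735690300)]

# Constructed transfer ledger: (height, from_address, to_address, satoshis). Addresses are placeholders.
TRANSFERS = [
    (100, "ext-1", "co-1", 500_000_000),
    (101, "ext-2", "co-2", 250_000_000),
    (102, "co-1", "co-3", 100_000_000),   # co-3 is missing from the client's wallet list
    (103, "co-2", "co-1", 50_000_000),    # after the cutoff: must not change the 12/31 balance
    (104, "co-3", "co-1", 25_000_000),
]

CLIENT_LIST = {"co-1", "co-2"}   # wallet list provided by the client (constructed)
REPORTED_SATS = 750_000_000      # bitcoin balance on the draft balance sheet (constructed)
CUTOFF_TS = int(datetime(2024, 12, 31, 23, 59, 59, tzinfo=timezone.utc).timestamp())


def cutoff_height(blocks, cutoff_ts):
    """Highest block whose timestamp is at or before the cutoff. Bitcoin block
    timestamps are not strictly monotonic, so the rule chosen should be documented."""
    eligible = [h for h, ts in blocks if ts <= cutoff_ts]
    if not eligible:
        raise ValueError("no block at or before the cutoff")
    return max(eligible)


def balances_at(transfers, height):
    """Address balances counting only transfers at or below the cutoff height."""
    bal = defaultdict(int)
    for h, src, dst, sats in transfers:
        if h <= height:
            bal[src] -= sats
            bal[dst] += sats
    return bal


def existence_check(transfers, height, addresses, reported_sats):
    """Existence: on-chain total for the listed addresses versus the reported balance."""
    onchain = sum(balances_at(transfers, height)[a] for a in addresses)
    return onchain, onchain - reported_sats


def unlisted_counterparties(transfers, height, addresses):
    """Completeness: addresses that transact with listed wallets but are not on the list.
    Frequent counterparties are candidates for an omitted company or related-party wallet."""
    counts = defaultdict(int)
    for h, src, dst, _ in transfers:
        if h > height:
            continue
        if src in addresses and dst not in addresses:
            counts[dst] += 1
        elif dst in addresses and src not in addresses:
            counts[src] += 1
    return dict(counts)
```

With the constructed data the listed addresses hold 6.5 BTC against a reported 7.5 BTC, and the 1 BTC gap sits in the unlisted address co-3 that the completeness check surfaces.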
3. Valuation
The auditor should assess the valuation of USDC and Bitcoin based on the Company’s principal market and accounting policies:
- USDC Valuation: The Company has a direct account with Circle, enabling 1:1 swaps for USD. As such, the Company has determined to value USDC at $1 per token. The auditor should review this interpretation for accuracy.
- Bitcoin Valuation: The Company’s principal market for Bitcoin is Coinbase. The auditor should evaluate whether the Bitcoin valuation aligns with the Company’s policy, considering factors such as intra-day vs. end-of-day pricing.
- In all cases, the auditor should ensure proper valuation treatment follows the relevant accounting standards such as US GAAP or IFRS.
4. Rights & Obligations
The auditor must verify that the Company has control over the wallets it claims to own. Since all wallets are single-signature addresses, the auditor may use one of the following procedures:
- Cryptographic Signature Test:
  - Provide the client with a unique message (e.g., “Audit 12/31/24 Test”).
  - The client signs this message with the private key for the address, producing a signature.
  - The auditor verifies the signature against the address using cryptographic tools to confirm wallet ownership.
- Send-to-Self Transaction:
  - Instruct the client to send a predetermined amount of USDC and Bitcoin to another wallet they control.
  - This transaction must occur within a predefined time frame to verify control over private keys.
Both methods demonstrate that the Company has control over the private keys for the specified addresses. The auditor may consider sampling wallets based on the assessed level of risk.
5. Presentation & Disclosure
The Company should disclose its valuation election and accounting treatment for USDC and bitcoin within the Notes to the Financial Statements, ensuring compliance with relevant financial reporting standards. Depending on the standards, other information about the Company’s crypto activity and holdings may be required.
Audit Procedures for Customer Asset Liabilities
The auditor should consider the following procedures when evaluating the liability associated with holding customer assets. In an ideal scenario, total safeguarded assets should equal total safeguarded liabilities. However, it is the auditor’s responsibility to ensure that this is indeed the case.
Background
Customer liabilities typically appear as user account balances on an exchange’s internal ledger. Unlike an on-chain balance, a user’s account balance is a ledger entry within the exchange’s database, which is displayed when a customer logs in. This creates a significant reliance on information produced by the entity (IPE).
To ensure the integrity of liability reporting, the auditor should gain a thorough understanding of the database architecture, including:
- How liability data is compiled from underlying data lakes, tables, and extraction logic.
- The methods and scripts used to generate reports.
1. Completeness
The auditor must ensure that the reported liabilities are complete. The key risk is that the exchange understates liabilities, either intentionally or inadvertently. To mitigate this risk, the auditor should:
- Obtain a comprehensive report detailing all customer liabilities, ideally broken down by customer account.
- Validate the logic, scripts, and methods used to compile liability balances.
- Ensure that the extracted liability balances are both complete and accurate, either by using custom queries or leveraging standardized (“canned”) reports from the system.
- Recommend the development of canned reports to ensure liability balance data can be consistently produced for future audits and retrieved at any point during the fiscal year.
- The auditor could perform analytical procedures related to customer balances by month and review and inquire of any anomalies in the data.
2. Existence & Accuracy
To confirm that liabilities exist, the auditor should:
- Select a sample of customer accounts and verify that inflows, outflows, and transaction activity reconcile with the reported ending balances.
- Conduct “pin down” testing, ensuring that the recorded inflows and outflows for specific customer accounts align with on-chain transactions.
- The auditor could consider “confirmation-like” procedures with customers of the exchange. However, response rates are likely to be low, so supplemental procedures would likely still be required.
3. Valuation
Consistent with the asset-side procedures, the auditor should:
- Assess the valuation of USDC and Bitcoin liabilities based on the Company’s principal market and accounting policies.
- Ensure that liability valuation methodologies align with those used for corresponding assets.
4. Rights & Obligations
The auditor must understand the exchange’s specific obligations to customers and incorporate these findings into the test plan. Key procedures include:
- Reviewing the terms of service to determine the exchange’s contractual obligations to users.
- Identifying any clauses related to lending, rehypothecation, or non-1:1 asset backing, which may affect whether the exchange is required to maintain full reserves for customer liabilities at all times.
- Confirming that assets held on behalf of customers are of the same kind as the associated customer liability, and not held in other assets whose price movements could affect the exchange’s ability to honor customer redemptions.
5. Presentation & Disclosure
In line with financial reporting standards and Company policy, the exchange should:
- Clearly disclose its approach to liability recognition within the Notes to the Financial Statements.
- Define the nature of the liability and justify its classification and disclosure treatment.
Income Statement Testing:
Audit Procedures for Trading Fee Revenue at the Exchange
The auditor should consider the following procedures when evaluating revenue earned from trading fees at the Exchange. The Company generates all its revenue from trading activity, accruing fees within its internal database for each transaction.
Background
Similar to customer liability balances, trading fees are typically recorded as revenue (that accrues with each trade) on the exchange’s internal ledger. Since this information is entirely produced by the entity (IPE), the auditor must obtain a thorough understanding of the database architecture, including:
- How revenue data is compiled from underlying data lakes, tables, and extraction logic.
- The methods and scripts used to calculate and report trading fee revenue.
1. Completeness
The auditor must ensure that the revenue accrual data is complete, as the key risk is the overstatement of revenue, potentially inflating reported earnings and assets. To address this, the auditor should:
- Obtain a comprehensive report detailing all revenue transactions, ideally with trade-specific details, including:
  - Customer accounts
  - Assets traded
  - Fee amounts (and corresponding asset type)
  - Trade timestamps
- Validate the logic, scripts, and methods used to compile revenue data.
- Ensure that revenue calculations are accurate and complete, using either custom queries or standardized (“canned”) reports from the system.
- Recommend the development of canned reports to allow revenue data to be retrieved for any given period, facilitating both current and future audits.
- The auditor should consider performing a reconciliation of revenues earned compared to inflows to Company treasury wallets.
2. Occurrence
To confirm that revenue transactions actually occurred, the auditor should:
- Select a sample of revenue transactions and verify the associated trade details actually took place.
- Assess the risk of fictitious trading activity, ensuring that revenue is not being artificially inflated through non-genuine trades.
3. Accuracy & Valuation
The auditor should verify that:
- Trading fees are calculated correctly and match the exchange’s published fee schedule or any custom contracts with clients.
- The numerical units of digital assets earned as fees are properly valued at the time revenue was recognized.
4. Cutoff
The auditor must ensure that:
- Revenue transactions are recorded in the correct reporting period and were actually incurred during the audit period.
5. Classification
The auditor should review the different types of revenue accrued to determine if they are truly trading-related or if other revenue streams exist, such as:
- Withdrawal fees
- Market maker incentives
- Other non-trading revenue categories
6. Presentation & Disclosure
In line with financial reporting standards and Company policy, the exchange should:
- Disclose its revenue recognition policies within the Notes to the Financial Statements.
- Clearly define the nature of trading fee revenue and any other revenue categories, ensuring proper classification and disclosure.
Additional Audit Considerations
1. Gains/Losses
Crypto assets on the balance sheet, including units earned as trading revenue, may require revaluation at the measurement date. This process can be particularly complex if the exchange accrues fees hundreds or thousands of times per day. The auditor should:
- Assess the Company’s valuation methodology to ensure compliance with relevant accounting standards.
- Evaluate how frequently assets are revalued and whether the approach aligns with market conditions and reporting requirements.
2. Commingled Corporate and Customer Assets
As part of exchange operations, corporate and customer assets may be held in the same digital asset wallets. This occurs because, when the exchange accrues a fee, it does not immediately move crypto on-chain; instead, the fee is recorded as a ledger entry. Periodically, the exchange may sweep earned funds into a separate corporate wallet.
The auditor should:
- Ensure that commingled assets are properly accounted for and that customer funds are not mistakenly classified as corporate assets.
- Verify that the exchange is not double-counting customer assets as corporate funds when reporting balances.
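The commingling checks above, together with the earlier liability-completeness step and the revenue-to-treasury-inflow reconciliation, as an added example that is not from the original article: it totals customer ledger balances, splits accrued fees into swept and unswept, and reconciles both against on-chain wallet balances so that unswept fees are neither left out of corporate assets nor double-counted by claiming the whole shared wallet. Every figure, account and wallet name is constructed.

```python
# Constructed internal-ledger extract at the cutoff (satoshis). All values are made up.
CUSTOMER_BALANCES = {"cust-1": 200_000_000, "cust-2": 150_000_000, "cust-3": 50_000_000}

# Fee accruals: (trade_id, fee_sats, swept_to_treasury). Unswept fees still sit in the customer wallet.
FEE_ACCRUALS = [
    ("t-1", 1_000_000, True),
    ("t-2", 2_000_000, True),
    ("t-3", 500_000, False),
    ("t-4", 700_000, False),
]

# On-chain balances at the cutoff height, as produced by the existence test (constructed).
ONCHAIN = {"customer-wallet": 401_000_000, "treasury": 3_000_000}

# Corporate bitcoin as reported on the draft balance sheet (constructed).
REPORTED_CORPORATE = 4_200_000


def liability_total(balances):
    """Completeness: sum of every customer ledger balance, with no netting of negatives.
    A negative customer balance is an anomaly that needs inquiry, not an offset."""
    negatives = {k: v for k, v in balances.items() if v < 0}
    if negatives:
        raise ValueError(f"negative customer balances need inquiry: {negatives}")
    return sum(balances.values())


def split_fees(accruals):
    """Accrued fees split into swept (now in treasury) and unswept (still commingled)."""
    swept = sum(f for _, f, s in accruals if s)
    unswept = sum(f for _, f, s in accruals if not s)
    return swept, unswept


def reconcile(balances, accruals, onchain, reported_corporate):
    liabilities = liability_total(balances)
    swept, unswept = split_fees(accruals)
    return {
        # The shared wallet should hold liabilities plus fees not yet swept; less is a shortfall.
        "customer_wallet_variance": onchain["customer-wallet"] - (liabilities + unswept),
        # Treasury inflows should reconcile to the fees swept out of the shared wallet.
        "treasury_variance": onchain["treasury"] - swept,
        # Corporate crypto is treasury plus unswept fees; claiming the whole wallet double-counts.
        "corporate_variance": reported_corporate - (onchain["treasury"] + unswept),
        # Like-kind reserve test: customer bitcoin liabilities covered by bitcoin on hand.
        "fully_reserved": onchain["customer-wallet"] >= liabilities,
    }
```

With the constructed figures the shared wallet is 200,000 satoshis short of liabilities plus unswept fees, while treasury and the reported corporate balance reconcile exactly; the shortfall is the item to take back to the client.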
3. Rescission of SAB 121
With the rescission of SAB 121, public companies in the U.S. are no longer required to record a liability and corresponding asset of crypto held for customers on their balance sheets. The auditor should:
- Determine whether customer balances should be disclosed in a footnote or accounted for using other financial reporting mechanisms, depending on jurisdictional and regulatory requirements.
- Assess contingent liability risks related to the custody of customer assets and ensure proper disclosure in the financial statements.
- Regardless of reporting requirements, customer asset and liability balances are a key focus for auditors, as they represent a critical operational risk and directly impact the company's ability to continue as a going concern.
4. Fraud Considerations
Given the complexity of exchange operations and the prevalence of fraudulent activity in the industry, auditors should exercise heightened scrutiny. The auditor should:
- Enhance fraud risk assessments to ensure audit procedures address potential misstatements or misconduct.
- Consider implementing forensic audit techniques where necessary.
- For example, the auditor may consider inspecting wallet balances before and after the balance sheet date to mitigate the risk of “window dressing” asset balances as of the period end.
Other Areas to Watch For
1. Statement of Cash Flows
- Stablecoins are typically not classified as cash and should not be treated as cash activities in the statement of cash flows.
- The auditor should ensure that stablecoin transactions are properly categorized under non-cash investing or financing activities as appropriate.
2. Multi-Signature Addresses
Multi-signature addresses can complicate the process of proving ownership of digital assets. The auditor should:
- Recognize that traditional cryptographic signature verification may not be feasible for multi-signature wallets.
- When possible, use the “send-to-self” method to verify control over assets, provided appropriate audit tools are available.
Conclusion
Auditing cryptocurrency presents unique challenges, requiring specialized knowledge, a strong risk assessment approach, and the right tooling to navigate the complexities of blockchain-based financial systems. However, the opportunities in this space are equally significant. Crypto clients provide dynamic, intellectually engaging work that positions auditors at the forefront of an increasingly digital financial landscape. As the industry continues to evolve, equipping yourself with the right expertise and technology will not only enhance audit quality but also future-proof your career.
For those seeking robust audit tooling, LedgerLens offers purpose-built solutions to streamline crypto asset verification. Additionally, The Network Firm is available to provide expert guidance, ensuring you have the support needed to effectively audit digital asset clients.
To help you get started with LedgerLens, visit our deals page and take advantage of an exclusive The Accountant Quits offer - 12,000 consumption credits and savings of up to $1,199.
Jeremy is a founding member and Audit Partner at The Network Firm and co-creator of LedgerLens, a suite of digital asset-focused audit and attestation tools. Jeremy holds credentials as a Certified Public Accountant (CPA), Certified Management Accountant (CMA - inactive), and Certified Bitcoin Professional (CBP).
Over his 10-year career, including 7 years focused on digital assets, Jeremy has led audit and attest engagements across various industry niches, including exchanges, custodians, miners, token projects, wallets, payment processors, and stablecoins. Jeremy specializes in “Proof of Reserve” engagements.
Jeremy’s goal is to shape the future of the accounting profession, strengthened by verifiable, transparent, and trusted blockchain ledgers.