Marnus Kruger & Chris O'Reilly from Harris & Trotter on Getting Crypto Companies Audit Ready
What we Discuss with Marnus Kruger & Chris O’Reilly
An external auditor is appointed to provide an independent examination of the financial statements to ensure they provide a true and fair view and, in return, provide the confidence to stakeholders that management is doing their job well.
Auditors proceed by testing the internal controls and performing substantive tests.
What substantive tests mean is that auditors have a range of assertions, such as completeness, existence, valuation, cut-off, and occurrence that they use to develop their audit procedures.
To help us understand how to get companies having crypto on their balance sheet audit ready, I spoke with Marnus Kruger & Chris O'Reilly, Technical Accounting Manager and Lead Finance Engineer at Harris & Trotter.
Harris & Trotter, which provides accounting, audit, and taxation services, has made a name for itself in the digital assets space.
Today it serves around 450 companies including the likes of 1inch, Wintermute, The Sandbox, Blockchain.com, Bitfury, P2P, and Mercuryo.
In this episode, we will take each of the financial assertions to provide you with an understanding of how to be ready when auditors come knocking at your door.
Shownotes
- Episode intro (00:37)
- Marnus & Chris’s story of how they got into blockchain (3:02)
- Criteria for accepting an audit engagement (6:48)
- Verifying ownership of crypto (9:02)
- Valuation of crypto and choosing cut-off time (14:34)
- Recoverability of assets from DeFi protocols (18:49)
- Thank you to our sponsor Cryptoworth (20:50)
- Completeness of on-chain transactions (22:25)
- Good practices for wallet hygiene (27:12)
- Tests of controls for crypto (28:51)
- Harris & Trotter crypto accounting services (33:54)
- Audit readiness with Harris & Trotter (35:03)
- Thank you to our sponsor Convoy Finance (36:45)
- Signature matching tool to verify ownership (38:14)
- Live proof of stablecoin reserves tool (40:26)
- Do auditors rely on crypto sub-ledgers like Cryptio, Cryptoworth, Tres Finance, etc. (41:44)
- Upskilling accountants & auditors for crypto (44:55)
- Closing thoughts (47:42)
[00:00:00] Umar: Welcome to The Accountant Quits, brought to you by Cryptoworth, a crypto accounting solution to help you automate your crypto bookkeeping. And Convoy Finance, a crypto accounting firm specializing in providing digital assets, bookkeeping and tax support. On this podcast, we discuss how blockchain will impact the accounting profession and how accountants should prepare themselves for the future of work.
[00:00:24] Umar: My name is Umar, your host, and even if some might refer to me as the accountant gone rogue, my job is to provide you with the blockchain knowledge you need that will be relevant for the accounting industry as a whole.
[00:00:37] Umar: Welcome to Episode 53. After focusing on the Crypto Accounting Academy I launched in the past weeks and a very successful first cohort, I'm back to recording podcasts.
[00:00:47] Umar: And today I'm focusing on one of my favorite topics, which is external audits. An external auditor is appointed to provide an independent examination of the financial statements to ensure they provide a true and fair view and in return provide the confidence to stakeholders that management is doing their job well.
[00:01:08] Umar: Auditors don't provide you absolute assurance, but rather reasonable assurance that your financial statements are not materially mistaken. Given I've been both an auditor and accountant, I thought it's really interesting for you the listener to understand the approach of the external auditor to provide their audit opinion.
[00:01:27] Umar: Auditors proceed by testing the internal controls and performing substantive tests. What a substantive test actually means is that auditors have a range of assertions, such as completeness, existence, valuation, cutoff, and occurrence that they use to develop their audit procedures. For example, if an auditor wants to test for completeness of your bank accounts, they would send a bank confirmation letter directly to the bank.
[00:01:57] Umar: To help us understand how to get companies having crypto on their balance sheet audit ready, I have the pleasure to be speaking with Marnus Kruger and Chris O'Reilly from Harris and Trotter.
[00:02:09] Umar: Harris and Trotter provides accounting, audit and taxation services and has made a name for itself in the digital assets space. Today it serves around 450 companies, including the likes of 1inch, Wintermute, The Sandbox, Blockchain.com, Bitfury, and P2P.
[00:02:29] Umar: In this episode today, we will take each of the financial assertions to provide you an understanding of how to be ready when auditors come knocking at your door.
[00:02:39] Umar: Marnus and Chris, welcome, and thanks for making the time to be here.
[00:02:43] Marnus: Very happy to be here. Thanks Umar.
[00:02:44] Chris: Thanks Umar.
[00:02:46] Umar: To start, I always like to ask my guests a little bit about their personal background and how did they learn about blockchain? How did they get into blockchain rather? And also to tell us a bit about your roles respectively at Harris and Trotter.
[00:03:02] Marnus: I'll kick off. As you mentioned, I'm a Technical Audit Manager at Harris and Trotter.
[00:03:06] Marnus: Key there is audit and that is where my background is. So I qualified as a Chartered Accountant in South Africa and then came across to you, the UK, um, specifically in London, where I joined, call it a top five, very much in the financial services industry. But when I was working in South Africa, one of the partners that I worked with, he was always very in touch
[00:03:32] Marnus: and in the know around crypto and blockchain specifically, and he on a weekly basis would have discussions with us trying to upskill us, trying to make us aware of where the world is going. And as a Chartered Accountant, you need to remain up to date and also kind of stay in the loop. And the way that I kind of fell in this rabbit hole was I was working on a particular client where it wasn't necessarily blockchain or crypto related.
[00:04:05] Marnus: But it was a very data heavy client. And we look to automate our testing as much as we could. And what we then did was we worked a lot with data analysts and data scientists and thought of ways how we could automate the revenue testing to give the assurance that you spoke of. And you, you very correctly said that we as auditors don't give absolute assurance, we give reasonable assurance.
[00:04:30] Marnus: And the fantastic thing about blockchain is, all your transactions are recorded and they cannot be modified, which kind of leads you down the pathway of not reasonable assurance anymore, but absolute assurance. And when we did our testing on a specific client and we were able to automate our testing, we were on one of the line items able to say, we've got absolute assurance over this balance, which gives you as an auditor a really good feeling knowing that you've gone and looked at every single transaction.
[00:05:03] Marnus: And not on a sample based approach, for example, when you have reasonable assurance. And that really sparked my interest, not necessarily in kind of crypto or blockchain, but thinking of how you can gain absolute assurance. And that's, that is where blockchain plays a part, is how you can kind of pull that into your companies to have absolute assurance.
[00:05:28] Marnus: And that's kind of how it's led me into this space.
[00:05:33] Chris: Yeah. For me, I'm towards the end of my career building, becoming a qualified Chartered Accountant, but my job title is Lead Finance Engineer. So that is involved with the software development and the programming of tools to build tools that gain this absolute assurance basically, because the way that like crypto and blockchain works is,
[00:05:58] Chris: like Marnus said, data is all public and we can basically build tools that can get most of the data relative to that client's operations. So like an example would be, imagine like a huge payment processor for centralized crypto exchanges. We would be, we could build a tool that would be able to gain comfort over 100 percent of the fees that they charge, those exchanges and those customers.
[00:06:28] Chris: And then that is an example of us gaining absolute assurance and being able to like building a tool and then doing that. So I'm essentially responsible for heading up these, the technical side of these tools for the firm and like automating audit testing and other internal processes.
[00:06:47] Umar: All right. I want to start the episode with on how you actually accept a new client and the kind of preconditions you need.
[00:06:56] Umar: So given the inherent complexities associated with having crypto on the balance sheet, there are these preconditions for the auditor to assess before you accept an engagement. These could range from, first of all, the auditor needs to have the right expertise to audit that client, the need to bring in maybe other professionals with the risk associated with the engagement.
[00:07:17] Umar: Could you tell us a bit of those, what are those key factors that auditors in general need to assess before accepting engagement when clients have like, crypto on their balance sheet?
[00:07:27] Marnus: I think one of the key points you mentioned there is that specialized knowledge. And that is where I think you'll see a lot of audit firms turn away crypto clients is because they internally know they don't have that crypto knowledge. And that is where at Harris and Trotter we specialize. We've got a dedicated digital assets team, and that's kind of the first barrier you need to get over is do you have the skills and the competence to take on that client.
[00:07:57] Marnus: From there it then looks at specifically the client itself. You'd want to do your KYC checks on them, make sure that you know it's a valid company, its source of funding is above board, then taking it a step further, looking at one of the internal processes that they've got when it comes to the crypto transactions.
[00:08:16] Marnus: It's as much as we need the experience to deal with crypto, so does the client. If the internal, you know, processes and controls looks terrible, you know, it's going to be very difficult to get the assurance that you need. How are they insured? And we'll talk about this at some point, I'm sure. Completeness of transactions, completeness of wallets, what's their wallet management policy?
[00:08:40] Marnus: Are they making use of any crypto sub ledgers, for example, that helps them account for their, for their crypto. So you'll have your normal client acceptance procedures, as we would refer to them with this top of or top on of how do they deal with the crypto from their perspective.
[00:09:02] Umar: Perfect. I want to start speaking about assertions and for people listening who are not, who don't really understand what assertions are, think of it as a framework that auditors would use to approach their audit, like to devise their audit procedures.
[00:09:16] Umar: Essentially, assertions are claims that establish whether or not financial statements are true and fairly represented in the process of auditing. I want to start with how you assert ownership of crypto. Basically, how do you know for sure that your client actually owns that crypto? So companies choosing to hold digital assets, they can choose to either self custody or have third party custody.
[00:09:41] Umar: Also, even at custodians or these exchanges, these companies don't always maintain segregated addresses for each customer. Like everything is commingled into one address.
[00:09:53] Umar: So let's start first with self custody. What are the key questions to consider for the auditors to ensure private key storage and safeguarding?
[00:10:04] Chris: So the key thing with self-custody is that individuals at the client will have personal access over the funds, right? That could be one to n number of individuals and a key risk with that is who actually has access to those keys. And whoever has access to those keys can basically make decisions with the funds that the company has, right?
[00:10:31] Chris: So like a key, a key risk mitigation that we would recommend is the use of multi signature wallets, where there needs to be levels of approval for what funds can be spent, basically. So you could see something like a Gnosis Safe, where say there's a company with three directors, they have two Gnosis Safes that holds all the company's treasury.
[00:10:55] Chris: If it's a two-out-of-three-signature wallet, then two out of three of the directors have to approve every single transaction that gets spent from the wallets. And that's a key. Yeah, I would say that's like a key risk mitigation with the risks associated with self-custody and then how like the freedom that people kind of have if they have control over the private keys.
[00:11:20] Umar: And how about for third party custody?
[00:11:22] Umar: So, now, these companies are renouncing control of their private keys to a third party. How do you usually go about, and I understand you would be asking the client for an SOC report of the exchange. So what will you actually be paying attention to when reviewing the SOC report of let's say an exchange or custodian?
[00:11:43] Marnus: Yeah. So the main thing there then is the kind of the control sets with those entities, right? And that is where you need to look at the various controls that they've got in place over kind of their security, their access controls, their change management controls. It's very much looking at the, not just the controls, but the general IT control environment as well on top of the relevant access and change controls that they've got in place.
[00:12:14] Marnus: Those are kind of the key factors. It's basically the controls that you would look at from a self custody wallet perspective. It now sits with the third party and you would expect those from a self custody perspective. You would not necessarily expect those controls to be in place. You've got a lot of young, you know, startup companies.
[00:12:35] Marnus: Their focus isn't necessarily on their wallet management. But where it's the sole role of a third party provider, you'd expect those controls to be in place as mentioned. So when it comes to those SOC reports, they, they give you a very good insight into those entities and what's very good about them.
[00:12:54] Marnus: If you've got, if you get a, you get a SOC 1 and a SOC 2 report, a SOC 2 report, in essence, looks at your design and implementation of the controls and the operating effectiveness. And what those highlights as well is any, call it failures in controls and that for an audit gives you very good guidance as to where you need to go and have a look, or spend some more time around your testing.
[00:13:21] Umar: For people listening, like in the industry, is it really normal practice to get these SOC reports from exchanges? Like let's say the popular one, like the Binance, Kraken, is it easily obtainable?
[00:13:34] Marnus: With these exchanges, because you generally don't have a direct call it client relationship manager and you maybe talk to customer support, it is difficult to get those controls.
[00:13:45] Marnus: And that's why generally when it comes to your digital assets testing, you don't often follow the controls based approach. And it's very much a substantive based approach where you'll have to go, as you've said, perform test of details. So as good and well as it is that there are controls, to evidence those controls is very difficult, and to evidence that they run and operate throughout your entire audit period is even more difficult.
[00:14:14] Marnus: And that's why it is best practice to perform a substantive approach. But again, the great thing is when it comes to your blockchain, it is public, public information. So that does help you.
[00:14:30] Umar: Perfect. So we spoke of ownership. Let's jump to valuation. So valuing crypto is different for a few reasons. One of the first ones is that markets never close.
[00:14:42] Umar: So the key question that I mean, your clients have to be asking themselves every month is what cutoff time should they be using? Also, how do they remain consistent when you actually have different prices of the same assets on different exchanges? So whether you're accounting under IFRS or US GAAP, you need to, I mean, US GAAP is fairly new with the new fair value approach.
[00:15:06] Umar: So you need to identify the principal market, which is basically the market having the greatest volume and activity. What are some of the good practices when it comes to valuation? And would you have specific examples that you've seen clients doing wrong?
[00:15:22] Chris: I'd say, on your point about the different prices on different crypto exchanges, best practice is to use an aggregator such as CoinGecko, which is a big, like, cryptocurrency aggregator, as most of us know. And what CoinGecko does, it will take all the top 20 to 30 exchanges and aggregate the prices and take an average, or an index as they like to call it, and then that would basically mitigate the risk or smooth the results of different exchanges having different prices at different times. And just another point about best practices when it comes to the audit is we would be using rates; if we're going to value crypto on the balance sheet at the year end at fair value, we will use the rates at the year-end.
[00:16:07] Chris: So we would get the rate from CoinGecko at the year end in the time zone of the client of what the financial statements are. And then we will basically apply that rate against the volume on their balance sheet.
[00:16:20] Chris: I don't know if you got anything to add.
[00:16:21] Marnus: Yeah, the main thing is just to be consistent. So when you do choose a specific cut-off time, it is to make sure that if you do it on a monthly basis that you are applying that consistently together with your valuation source as well.
[00:16:38] Marnus: Like Chris mentioned, an aggregator is very good practice. If you use one source consistently, that does help you from an audit perspective and just to have a clear valuation policy in place as well. What a lot of entities kind of lack in is they're very good at kind of knowing what happens in the business, but to put that on paper is another thing.
[00:17:04] Marnus: A lot of time goes into the operations, whereas when the audit comes, it's very much, not going to say hearsay, but it's kind of spoken through mouth. Whereas if upfront, you've got clear policies in place that sets out, sets out, this is how we do it, that is yeah very beneficial.
[00:17:23] Umar: Yeah. And I would assume a lot of the beginning startups won't have these proper documentation about basically the monthly financial reporting process.
[00:17:31] Umar: Where do I go and fetch the prices? How many decimal points do I use? Like things like that. The cutoff time.
[00:17:37] Marnus: Agreed.
[00:17:38] Umar: Probably they learn it once they go through an audit.
[00:17:42] Marnus: Yeah. And when, when that comes, I don't want to say it's too late, but it, you know, a lot of time that goes in calling or getting what we call audit ready and a lot of companies think, you know, we've gone through our financial year,
[00:17:57] Marnus: we are now ready for the auditors to come in, and they come in and they pick holes in kind of what you provide them. And then it's very much back to the audited entity to go and kind of get themselves in a place where they can then actually say we are now ready for you to come in. So I guess learning there is, before you think you're ready, have someone come in with that accounting experience, have them come and do a review of your policies, your procedures in place, especially around your crypto accounting, make sure you know that your balance is checked out, before that goes to the auditor, because when they do come, the last thing you want is kind of have them quote you on what they expect that what it's going to look like.
[00:18:41] Marnus: And then it's not what it looks like. And then your fee just, you know, multiplies.
[00:18:48] Umar: Yeah. Speaking about valuation now with DeFi protocols. So companies choosing to participate in DeFi protocols, they would supply like crypto in return for interest income. So I'll just give an example. Let's say I've got Ethereum and I choose to provide liquidity to a liquidity pool, let's say on Compound.
[00:19:08] Umar: And I would receive cETH in return, which basically represents like a claim on my assets. What are the other tests that you would perform to ensure like the recoverability of my assets from such DeFi protocols?
[00:19:23] Marnus: Yeah, the main thing there is we've spoken about, you've mentioned assertions and you've spoken about recoverability, which talks to the valuation assertion, but there's a step before that, which talks to the existence.
[00:19:36] Marnus: Do you have an actual claim first off? And that's where you go to that cETH that you've mentioned. Does the entity have that cETH? And then there's the additional step then of the valuation on top of it is you'll need to go and have a look at where you have provided liquidity.
[00:19:57] Marnus: You'll need to go and have a look at the smart contract code just to make sure that those operate as stated, and a very easy recoverability test for you could be, is it's going to, it's very similar to, call it, the assessing of the recoverability of the data. You can go off historical data. Have they been making their payments? Yes or no? Have you been getting that interest that the smart contract states that you're going to get? Or post year end, after year end, has that interest come in?
[00:20:25] Marnus: Some companies are, not going to say it's fortunate or unfortunate, but they leave their audits to quite late. So it's very easy to verify the post year end transactions because of the timing of when the audit starts. And you can actually then test for recoverability by looking at what has happened post your year end as well.
[00:20:44] Marnus: There's no better, better evidence than actuals, if I can put it that way.
[00:20:50] Umar: Before we continue, we'll take a quick commercial break from our sponsor. Whenever you use cryptocurrencies in your business, the framework for your bookkeeping is a combination of traditional and crypto native accounting softwares.
[00:21:03] Umar: Like any traditional business, you will need a traditional accounting solution like QuickBooks, Xero, Oracle NetSuite, SAP being used as your main ledger. And a specialized crypto accounting software to be used as a subledger, which would extract process and feed in transactions from the blockchain into your main ledger.
[00:21:25] Umar: Cryptoworth is an accounting software built for crypto and integrates with a 100 plus blockchains, 50 plus exchanges and over 700 DeFi protocols. It allows you to convert the blockchain transactions from wallets, exchanges and custodians into your accounting software to facilitate your reporting, audits and tax filings.
[00:21:48] Umar: Moreover, it provides you with a dedicated DeFi and NFT tracking dashboard. Cryptoworth works with web3 industry leaders such as Aave, Axie Infinity, Celo, Moonbeam, Request Finance, amongst others. If you're looking to scale your business using crypto, you need to start automating your crypto bookkeeping and stop using spreadsheets.
[00:22:12] Umar: Right now, Cryptoworth is offering you access to their platform for free for 30 days. Visit theaccountantquits.com/sponsorships to claim this special offer today.
[00:22:25] Umar: All right, so we spoke about ownership, valuation, you touched on existence, so next we have to speak about completeness. One of the main challenges with aggregating data from block explorers is ensuring the accuracy and consistency of that data.
[00:22:41] Umar: Now there are different approaches on how you would have like 100 percent completeness. So would Harris and Trotter be running their own nodes, let's say, and indexing the data themselves instead of relying on other third party providers, like the popular ones being Etherscan.
[00:22:57] Umar: And in the case you're not, are there additional data reconciliation exercises that you would do basically at your end to ensure the data is complete?
[00:23:08] Chris: Yes, so for node providers, we connect to third party node providers such as Moralis is a big one that we use, Infura, Alchemy. Those are for the, let's say less popular than Ethereum chains, such as like your Layer-2s and your side chains.
[00:23:26] Chris: And then we have like nodes in progress to use our own nodes basically. But what we'll do, completeness is probably one of the highest risk areas, right? It's the most difficult to audit what's not there, than what is there. So a big thing with like, yeah, like the blockchain is public and open, but there's a, it's like a huge database, for example, right?
[00:23:51] Chris: So it's like kind of difficult to be able to spot what, who's who, like what wallet belongs to our client, for example. So like one of the things we'll do is we'll run counterparty analysis tests basically on the data that the client has provided us to ensure that counterparties that they are interacting with are basically not their own wallets.
[00:24:13] Chris: Does that make sense? So at the start of an audit, they'll give us a wallet listing on Ethereum, for example, and then we'll run algorithms over those wallets and ensure that the counterparties that they're interacting with are not theirs. So certain tests we would do on that is, are they sending and receiving from these counterparties?
[00:24:31] Chris: What's the volume of those incomings and outgoings over, I guess, genesis of the wallet? And if, if they're receiving and sending, then there's a good chance that it could be theirs because if it was a supplier, why would they be receiving? And if it was a customer, why would they be sending on a regular basis?
[00:24:50] Chris: So yeah, that helps with the completeness aspect.
[00:24:53] Umar: If I take a specific example for bank account, so usually, like with bank accounts, auditors would be sending bank confirmation letters at year end. But in the case of self custodial wallets, where it's so easy to just create like a wallet, how would the auditor ensure completeness of all wallet addresses?
[00:25:12] Umar: Like maybe I have some tokens lying there in a wallet that I forgot to account in my financials. How would you check for completeness there?
[00:25:21] Marnus: Like Chris mentioned, it's very difficult to audit what's not there or what you don't know of what the audit entity doesn't know of. What you'll have to do is you'll look at the wallet management policy of that entity that will generally give you a good idea of how well, they keep track of their own wallets, and I guess it's not just communication with the finance team when you request for a list of wallets, it's actually going to the owners.
[00:25:50] Marnus: Running those lists by them, running them through the, running it through the development team, those that actually do set up the wallets. So it's very much relying not on one source, but making sure that those who are more in the know of the wallets that should be there, are those people that you do communicate with.
[00:26:10] Umar: Okay. So it's very important for clients to have a wallet management policy. Every time they create a new wallet, this has to be documented.
[00:26:19] Marnus: Yes, exactly. It's exactly that. And it's kind of having that document from step one who has the ability or the rights to set up those wallets, what happens with the keys of that and then having that treasury function as well that stipulates how your payment processes then work within those wallets.
[00:26:40] Chris: Just to add on the wallet management policy, it, we see it as best practice, right. So if there's a client that hasn't got that implemented and they've come to us for getting audit ready, that's one of the first things that we will recommend is that wallet management policy. Who has the ownership of the private keys to be able to generate new wallets.
[00:27:00] Chris: If it was something like an X-pub on Bitcoin, for example. We basically, you'd have to document that wallet management policy and have it implemented as soon as possible, in our opinion.
[00:27:12] Umar: Just staying on the topic of wallet management policy. Speaking about wallet hygiene, what are some of the good practices that you see, for example, should clients be maintaining, like, let's say just one wallet for inflows and outflows?
[00:27:28] Umar: Should different wallets be created for different revenue items or expenses items? Or at the end of the day, are those like way too many wallets? Because you could have like, end up with 100, 200 wallets on your balance sheet.
[00:27:41] Marnus: It's very much twofold in the sense that yes, you do end up with numerous wallets and it could be hundreds and hundreds, thousands of thousands, but if you've got a very good wallet management policy in place where you say we create this wallet for a specific reason, and you're able to track that.
[00:28:01] Marnus: That is good practice. If you set up a wallet for a specific reason, call it Revenue Stream 1, Revenue Stream 2, Revenue Stream 3, and we pay expenses out of these specific wallets and not commingle purposes for wallets because that's kind of, that's when things get messy as well, from an operational perspective, but from an audit perspective as well.
[00:28:24] Marnus: So if you are in a management position, like Chris mentioned, that is one of the first things we recommend you get sorted out is that wallet management policy, but it is then very much having a specific purpose for setting up that wallet. And if you've got that in place, that it's a very good foundation to ensure then the completeness of your wallets.
[00:28:50] Umar: All right. Next I want to speak about risk assessment. So the auditor has the responsibility to obtain an understanding of the entity's risk assessment process and identify and assess the business risk relevant to the financial statements. So the client's management, they would implement internal controls and the auditors, they would come to test for the operating effectiveness of those controls.
[00:29:16] Umar: So we spoke of private key safeguarding, crypto asset valuation, completeness of on chain transactions. What are some of the other risk considerations that auditors may need to take into account as part of their audits? Maybe you could give us specific examples of these tests of controls.
[00:29:35] Marnus: Yeah, as we've mentioned earlier, it's highly unlikely that you'll go down a test of controls route.
[00:29:41] Marnus: What you will, however, do is when, as part of your planning procedures, we call or we perform something or we call a systems walkthrough and what we will then do as part of the digital assets balance, we'll have a meeting with the audited entity and we'll ask them, please take us from initiating a crypto transaction all the way through to reporting it, please take a step by step how you go from point A to point Z.
[00:30:12] Marnus: What we'll then do is we'll document any controls, if there are any, in a template, and then we will decide whether those controls we want to rely on. And if we want to rely on those controls from a testing perspective, we would then go and test the operating effectiveness.
[00:30:31] Marnus: So it's not necessarily that you always test the operating effectiveness of controls. It will come down to whether you want to rely on those controls. And the tricky thing is, evidence in controls, especially in companies that are relatively new, where they may not have that internal control framework set up or formally set up yet.
[00:30:52] Marnus: The way that we assess risk is on an assertion by assertion basis. So we'll then run through the assertions relevant to, we'll take digital assets again, and we'll look at the what could go wrong on each assertion and where we do think, where we do see things go wrong is very much in the reporting side of things where it's very much up in the air at the moment as to how you classify your intangible or your, your digital assets.
[00:31:23] Marnus: It could be intangible assets. It could be inventory. There's arguments for other standards as well, but it is then when you fall within one of the standards, how do you make those standards applicable to your digital assets that you're reporting on. And that is where we've seen some pitfalls.
[00:31:41] Marnus: Another difficulty is looking at your cash flow statement and how you present those when it comes to digital assets, which is at the moment not seen as cash. So how do you strip those out of your cash flow movements and report on your cash flow statement? We've had some interesting debates around that and getting the audited entity ready on that.
[00:32:06] Marnus: It's then like you've mentioned earlier, it's the completeness of the wallets as well. Making sure that what you report is accurate and complete, because generally from an asset balance, your risk is generally overstatement, but just given the inherent risk, it's very difficult to keep control of or keep track of all your wallets.
[00:32:31] Marnus: So that is where completeness becomes a risk as well. And where you then report on a fair value basis, it is ensuring that your fair value is correct and that you are consistently applying your fair values to your relevant tokens. But it's very much taking it assertion by assertion and designing responses to address the risks that you've identified.
[00:32:57] Umar: Great. I'm actually really enjoying this episode. It's reminiscent of my past time as an auditor.
[00:33:05] Marnus: I hope it's not bringing back bad memories. PTSD kicking in.
[00:33:11] Umar: I think it's the perfect time now to speak a bit about Harris and Trotter. So if people have never heard of Harris and Trotter, so Harris and Trotter, you guys are one of the leaders for digital assets accounting, audit, advisory, and taxation.
[00:33:25] Umar: Some of your clients include Wintermute, The Sandbox, 1inch, Bitfury, Blockchain.com and P2P. I mentioned those in the introduction. We often hear about Big Four, Big Five, or even Big Six. Probably soon enough we'll be hearing about Big Seven with Harris and Trotter being included in that list. Could you tell us a bit about how you help some of these clients I mentioned on a monthly basis with the accounting or with the audit? Because we're speaking about audit.
[00:33:56] Chris: I'll do the accounts and Marnus can do the audit side. So with the accounting side, given what we've been speaking about, inherent complexity of keeping track of blockchain transactions and all your crypto, Harris and Trotter will come in and assist, if there is a finance team, the finance team, or if there is no finance team of the client, we will essentially act as the finance team on the reporting and preparation of the financial statement side on a monthly basis.
[00:34:22] Chris: So we will assist in the monthly closes of the company's reporting that goes to management. So management can make their decisions based on the numbers that they have achieved in the month. We'll also assist in things like payroll. If they need to pay their suppliers or contractors, we can set that up for clients.
[00:34:43] Chris: So essentially on the accounting and bookkeeping side, we would act as like the CFO kind of, it's like a CFO role, right, where we come in and be the finance team, especially for those early stage clients that don't have per se, finance teams per se.
[00:35:03] Marnus: And then leading on from that is then the external audit that follows that.
[00:35:08] Marnus: But what Harris and Trotter then also, another service we provide is what we call audit readiness. That is then, it could be that Harris and Trotter does not act as the finance function. You believe, you know, you're a fantastic finance team that, you know, you don't need external help. You then contact Harris and Trotter for an external audit.
[00:35:29] Marnus: We say, you know, we've had a look at some of your transactions. You could potentially be missing X amount of wallets, or we don't potentially think that you're audit ready yet. Would you, you know, want an audit ready service. And what that entails is Harris and Trotter coming in, looking at your policies and procedures in place.
[00:35:50] Marnus: If they are not setting up that function for you, getting you to that stage where your crypto accounting is all in order for when the external audit occurs. Just key to that I will mention that is handled by two very separate teams from one another to ensure that there is no self review where the team that performs the audit readiness is the team that performs the external audit.
[00:36:15] Marnus: We are very much separated from one another. The teams are not allowed to interact. Just to maintain that ethical standard. Then the additional service we do provide is the external audit where we will come in in that traditional function and like we've been speaking about perform the audit, delivering an audit opinion on whether the financial statements do, you know, present a true and fair view of what's been happening in the entity.
[00:36:45] Umar: Before we continue, we'll take a quick commercial break from our sponsor. The blockchain industry is still in its nascency, and so are the accounting guidelines that govern accounting for crypto. But the accounting equation is universal, and accounting principles are timeless. The only difference now is the addition of blockchain technology with the accountants having to understand how to reconcile activities from block explorers on different chains and understand the token flows for each type of crypto activity to account for them in their chart of accounts.
[00:37:17] Umar: If you want your crypto startup, DAO, or protocol to have compliant financials for your accounting, fundraising, audit, and tax requirements, hiring an accounting firm with the right crypto knowledge early to lay down the right foundations might save you hours and money in the long run as you scale.
[00:37:34] Umar: Convoy Financial is a crypto native firm of accountants specializing to provide digital asset bookkeeping and tax support to crypto clients. Whether you've just bootstrapped or at the seed or series C stage, Convoy Financial has you covered for crypto accounting and finance operations. Their services range from Fractional CFO and advisory services, crypto subledger implementation, fundraising advisory, payroll, and monthly and yearly accounting and filing of your financials.
[00:38:06] Umar: Book a consultation call with Convoy Financial today by visiting theaccountantquits.com/sponsorships.
[00:38:13] Umar: I want to speak a bit about the tools you guys have developed internally. So one of the tools that I've heard of is called a signature matching tool, basically to test for wallet ownership.
[00:38:25] Umar: It's called, I mean, people can access it at chainaudit.co/sign. Could you tell us a little bit more about this tool, how it's used, and maybe some of the other tools that you're currently developing in house?
[00:38:38] Chris: Yeah, so the signature matching tool, as you said, is used for proving ownership of a cryptocurrency wallet, externally owned account.
[00:38:49] Chris: Basically, like traditionally in crypto, to prove ownership, you would get your client to send a microtransaction from one of their wallets, if they got multiple wallets, to another one of their wallets, and then back to the same wallet to prove that they own both wallets, right? So obviously that costs gas on networks like Ethereum and Bitcoin, for example.
[00:39:10] Chris: So what we did is we built a signature matching tool that basically negates the need for spending gas. But it also cryptographically proves that an individual has control over the private key of the wallet. So what we will do, like, say I was trying to prove that you own your wallet, Umar, I will give you a random message, like let's just say today's date and then Umar, I'll give you that message.
[00:39:36] Chris: You have to then sign that message with your private key and that would generate a hash. And then we can cross reference that hash with the message that we've given you, the random code, and then it should generate a match, right? We need to cross reference it and it proves that the hash that you generated has been generated with the private key, based on the public key as in your wallet address.
[00:40:00] Chris: And then that cryptographically proves that you have ownership control and ownership of the private key and it doesn't cost anything. So like, imagine like a client that's got thousands of wallets and they need to prove every single wallet.
[00:40:15] Chris: They're going to be spending gas on every single, like thousands of transactions just to prove ownership. So that's like a massive value add that we, that the signature management tool that we've developed provides.
[00:40:26] Chris: Other tools that we're developing, well, we've already gone live with live proof of reserves for stablecoins and other tokenized commodities and real world assets with Chainlink.
[00:40:40] Chris: In conjunction with Chainlink. So imagine a stable coin that is backed one to one by a fiat currency. We will basically prove on a live basis that the stable coin has the sufficient fiat or other commodities backing this stable coin on chain basically. Big thing that we've been doing is like I said earlier, which is big part of my role is the automation of processes, internal processes that we provide our clients will like on audits, like gaining absolute assurance over an entire balance like revenue, like I mentioned earlier, like that's incredibly valuable from the perspective of an audit.
[00:41:22] Chris: And the fact that the only way you're able to do that, like, without taking up so much resources is by building automated tools such as scripts and other programs that can basically go and do the testing and get that absolute assurance.
[00:41:39] Chris: So yeah, those are the main things that we've gotten on the roadmap.
[00:41:44] Umar: All right, staying on the topic of tools, I want to speak a bit about crypto sub ledgers. The listeners should be familiar because we've had Bitwave, Cryptio, CryptoWorth and Tres Finance previously on the show. Just as a refresher, if you guys have not listened to these episodes, so these companies I just mentioned, they basically provide the operating system to extract, categorize, and process the on-chain data from your wallets, exchanges, custodians, basically into your accounting software.
[00:42:17] Umar: They're often referred to as subledgers. If there's one tool that I think companies using crypto must be using, like it is a crypto subledger. And I want to ask you, how would basically that help the auditor on the amount of time that you would spend on the engagement? Let's say if the crypto accounting solution is able to provide you with a SOC report, would you then save more time on, let's say, performing reconciliation exercises for the completeness of on-chain transactions?
[00:42:49] Marnus: The tools are really good from an internal finance perspective. The role as the auditor is to come and provide external assurance. And I think we've mentioned earlier that when it comes to your data, those are public knowledge. So we should have the ability to go and pull the data off the blockchain ourselves.
[00:43:12] Marnus: And that just gives us an added level of assurance, knowing that we've done work kind of from the ledger rather than within an accounting system. Again, that speaks more towards the controls or the internal controls in place in the entity and how they handle their crypto accounting. So that speaks to their competence, but we still need to provide an external view of it.
[00:43:38] Marnus: You could have really good systems in place, but there is that level of substantive testing that still needs to be done on our side. The thing about those crypto accounting softwares as well is it's very good. They go and they label and they tag your transactions, but it's then on the external audit to ensure that how they classify those transactions are accurate as well, because you may have various classifications for entries. So it's good to keep track of all the internal crypto transactions. But again, external auditors role is come and do, an independent test of those.
[00:44:17] Umar: Okay. So no auditor would actually be relying on like crypto accounting solutions. I mean, it would limit a bit their independence, right on providing an audit opinion.
[00:44:29] Marnus: Correct. I mean, if you get read access to those crypto softwares, it could give you some assistance in accessing specific transactions, how they've been labeled, how they've been tagged, kind of giving you an understanding of the transaction, but you won't take it as audit evidence.
[00:44:49] Umar: Okay. Very interesting. There's not so much time left. I want to speak a bit. There's just two topics left. The first one is how do we upskill auditors for when it comes to auditing and so that's something I've been trying to work on lately. I've launched a course on Crypto Accounting. We cover a little, there is one module on auditing, but it's more like a comprehensive course on crypto accounting.
[00:45:13] Umar: Probably like every week or two, I hear about Harris and Trotter, like on LinkedIn, they've recruited like new accountants and auditors. How do you guys basically work to upskill accountants and auditors who've never worked in crypto accounting and who come to Harris and Trotter and now want to do basically digital assets audit.
[00:45:33] Chris: I’d like to start with the main thing that we look for when we're hiring people for Harris and Trotter is a genuine interest, passion in crypto and blockchain and digital assets and everything like that. They don't have to have ample experience in digital assets, like personally, but the key thing that we're looking for is like a genuine interest and not just coming to, I don't know, like get higher paid salary or something like that.
[00:45:57] Chris: They're just here for the money. They're here because they actually want to be here and work on these types of exciting new entities in this exciting space.
[00:46:07] Marnus: Yeah, Chris has made a very good point. It is the interest that's key, but what we do very well is we work with one another. So myself and Chris will work, he's got, you know, a much stronger crypto knowledge than I do, but I come with accounting and the audit knowledge and we learn and really feed off one another. And that's the important thing is really creating an environment that's conducive to learning, whereas you won't necessarily find that elsewhere.
[00:46:39] Marnus: Where I don't want to say, you know, auditors don't enjoy what they do, but we know that when someone comes to Harris and Trotter, especially the digital assets team, they want to be there, they want to learn, but it's then providing that platform and environment, you know, that enables them to learn and grow those skills.
[00:46:58] Umar: And I can share this with the listeners. So I've had the chance to already go to Harris and Trotter's office already twice this year. So I can confirm that the team is very collaborative and just really trying to learn. So once we went for, we had Harris and Trotter regularly organizes now digital assets evening where they invite basically web3 players of the industry, and it's a great experience not only to learn, but also to meet people of the ecosystem. And yeah, I mean, you guys are doing a fantastic job. We've already reached the end of the episode. As closing thoughts, is there anything else that maybe we've not touched on that you guys would like to share today?
[00:47:42] Marnus: No, I guess just to kind of wrap everything up and tie it together is try and get your, your internal controls in place as soon as you can and don't leave it too late and try and be as comprehensive as you can think of, you know, really put some effort in to make sure that you do, you do keep track of everything in your business.
[00:48:08] Marnus: It's not something you want to take for granted. You might have the best development team out there, but when it comes to, you know, your reporting, it's just as important, especially if you want to give kind of the public out there assurance as to what you're doing. That is what they rely on. They rely on what they can see.
[00:48:31] Marnus: And if that is your financial statements that requires an audit, you really want to make sure you are, you know, reporting on an accurate level.
[00:48:40] Chris: I'll just add on to that a bit. A big thing that a lot of people miss is they see a statutory audit as like a statutory requirement, right? Obviously, when you become a particular size, like certain revenue level or employees, you have to have a statutory audit, right?
[00:48:57] Chris: That's unavoidable. But what a lot of people seem to miss is by the time they're on like a round A or round B of investment, those prospective investors are not going to invest in you unless you have statutory audited accounts. Obviously that was a bit different in 2021 because obviously massive bull market, right?
[00:49:16] Chris: But these days we're seeing a lot of companies, a lot of clients come in and they're looking for an audit or they need to get audit ready because they're going for a round B or C raise of finance and they are just not going to be able to raise the type of finance that they require without statutory, not statutory audit, but audited financial statements with proper internal controls in place, proper accounting policies in place, and ensure that those policies are adhered to.
[00:49:46] Umar: There's the last question which I usually ask to my guests, which is, do you have any personal quote or maybe a favorite maxim that you live by?
[00:49:58] Marnus: You know, in audit, there's a very, it's a very generic one almost. If it's not documented, it's not done. I'm sure every auditor out there knows it. But when it comes to your crypto, it's being consistent in what you do, but when you do it, be good at it, at least, but it's consistency. Perfect.
[00:50:18] Umar: Chris?
[00:50:20] Chris: I can't think of anything off the top of my head to be honest.
[00:50:23] Umar: All right. All right. Thanks a lot to you guys for coming in today. Like I said, I really enjoyed preparing this episode. It's been long on my mind to record an episode on auditing because of my previous experience in audit. And I hope the listeners have learned a lot. And I always think it's interesting for accountants to know what auditors are looking for, because I've been both an accountant and auditor, and I can see that after being an auditor, the way I was an accountant was completely different.
[00:50:54] Umar: Basically, everything I was doing was preparing for the audit the way I was doing my accounting. Yeah, so if people want to reach out to you and if people want to learn more about Harris and Trotter, where should they go?
[00:51:08] Marnus: We've got a website harrisandtrotter.co.uk and on there we've got a dedicated page to the digital assets that will have our email address in there should they wish to contact us.
[00:51:22] Umar: Well, thanks a lot for your time again, Marnus and Chris, and we'll speak very soon.
[00:51:26] Umar: I would like to thank everyone for listening to this episode. You will find all the links of the episode, show notes, and transcript on the website of The Accountant Quits at theaccountantquits.com. Please note that this content is for general information purposes only and is not a substitute for consultation with professional advisors.
[00:51:46] Umar: If you do know anyone who could benefit from the episode and you care about them, please do share the episode with them. All the episodes are available on Spotify, Apple Podcasts, and Google Podcasts. And by leaving us a review and rating, you will support the channel and all your fellow accountants. In order to be notified each time we release a new episode, do follow us on Instagram and LinkedIn.
[00:52:10] Umar: We hope to have you with us next time. Bye for now.