David Byrd from EY on Internal Controls for Digital Assets

[00:00:00] Umar: Welcome to The Accountant Quits, brought to you by Harris and Trotter Digital Assets, a UK based firm specializing in accounting, tax, audit, and advisory services for digital assets serving clients worldwide. 

[00:00:14] Umar: With a clientele of close to 600 crypto native projects, Harris & Trotter is now offering a scholarship and job guarantee to students of the Crypto Accounting Academy, and you can learn more at theaccountandquits.com/scholarships, or keep listening to this episode where I share who is eligible and how to apply. 

[00:00:33] Umar: And the Web3Finance Club, a community of Web3 CFOs sharing best practices on web3 operations. 

[00:00:42] Umar: On this podcast, we discuss how blockchain will impact the accounting profession and how accountants should prepare themselves for the future of work.

[00:00:51] Umar: My name is Umar, your host, and even if some might refer to me as the accountant gone rogue, my job is to provide you with the blockchain knowledge you need that will be relevant for the accounting industry as a whole.

Episode 71 - Intro

[00:01:04] Umar: Welcome to Episode 71 

[00:01:07] Umar: When it comes to internal controls, management is responsible for designing, implementing, and maintaining effective internal controls. Auditors on the other hand, would test for the operating effectiveness of these controls. Many auditors today lack the specialized expertise needed to provide assurance for companies holding digital assets.

[00:01:29] Umar: But if we were rooting for cryptocurrencies to become mainstream auditors will have to quickly come to grips with how to provide assurance for digital assets.

[00:01:39] Umar: Blockchain has the potential to allow auditors to have absolute assurance over onchain transactions, which is an enormous leap forward from the limiting sample based approach currently used. To help us understand the knowledge gap, today I have the pleasure to be speaking with David Byrd, a Partner and the Blockchain Strategy Leader at EY US.

[00:02:01] Umar: EY US have audited public companies like Robinhood, Bakkt, Block and have partnered with L2s like Polygon to offer blockchain services, including EYOps Chain and EY Blockchain Analyzer. 

[00:02:15] Umar: In this episode today, you will learn the challenges specific to auditing digital assets, how auditors prove ownership for centralized versus self custody, test of controls for digital assets, the relevance of SOC reports from exchanges and subledgers, and much more.

[00:02:34] Umar: David, welcome and thanks for taking the time to be here. 

[00:02:37] David: I really appreciate you having me on. It's a pleasure and I can't wait to get into the discussion. 

David’s story into blockchain

[00:02:43] Umar: So to start, can you share a bit more about your background, how you became interested with blockchain and the story of how you started servicing your first clients who had digital assets at Ernst & Young?

[00:02:56] David: Sure! Yeah, I love to recount the origin story for the space. Yeah, you know, I came up in EY through our audit practice based here in San Francisco. And in the early days. Some of our earliest clients in this were asset managers. This was quite a while ago and, you know, in the beginning, it was pretty simple relative to what we see today.

[00:03:19] David: In the beginning, it was largely just sitting on a hill, a mountain, perhaps of Bitcoin, and so then thinking about, okay, from an audit perspective what do we need to do, to obtain that sufficient appropriate audit evidence know, for this financial statement audit of the client. And then over the years, as the space grew we noticed that there were more and more enterprises getting into this, not just

[00:03:44] David: investment managers, but also exchanges, mining companies you name it, both in the, what we would now say today as crypto native, but also in the sort of work for digital spaces and markets getting into space. So it's been a great journey. It's not been me alone. I've been surrounded by some terrific talent.

[00:04:03] David: And now have , a great team surrounding me, not just in the US, but trying to stay coordinated globally, because you often hear it said, right, that, you know, blockchain, sort of like the Internet, don't necessarily respect geographic boundaries. Like, it's around the world. you do want to serve enterprises audit, tax, you name it, in this space, it really is a global phenomenon.

[00:04:25] David: It's been good to stay connected with all those two. 

Client acceptance and the challenges specific to digital assets

[00:04:27] Umar: Perfect. Thanks for sharing, David. I'd like to start the conversation with client acceptance and the challenges specific to digital assets. So when accepting a new client, auditors have a client acceptance process to ensure they have the adequate knowledge and experience with digital assets.

[00:04:46] Umar: Now, Digital assets. It is a novel asset class. And I mentioned in the intro, it's a small subset of auditors today that have this in house specialized knowledge to audit digital assets. So let's say there's an auditor listening, contemplating to expand their services for digital assets. What would you say are the main challenges specific to digital assets?

[00:05:10] David: Got it! Yeah. Well, specific with the sort of client onboarding. Yeah, you know, I would say that there's a couple things that may be worth calling out. One is that, from a firm perspective, and I think this is the case in many other audit firms out there. We have a general client acceptance process to go through, right, where you're checking to understand who runs this company or organization what does it do, is it compliant with, you know, laws and regulations, where relevant , all that sort of stuff.

[00:05:43] David: And know, you asked for what specific digital asset companies and activities in this space, but I would say something that has been specific to this area is that often the startups in this space, you know, they struggle with just some of the usual stuff, right? The challenge is that especially if you're a digital asset company and you suddenly find yourself in control of what is effectively customer deposits, then the bar for controls around that and compliance specific to that is significant. It can sometimes appear like the level of a bank. That have worked on these topics for many years. So when trying to on board a new client in this space certainly if they are in possession of customer assets that bar could be tough to clear.

[00:06:30] David: Just the usual bar of all the boxes you need to check, but a number of them do it quite well. Now, when when you think about, okay, well, but we're not talking about just any company. We're talking about digital asset companies. Yeah, because of the nature of this space. Like you were saying, what asset class, this domain, this novel tech stack.

[00:06:48] David: Because so much of it is public networks, public blockchains. These are not tech stacks that are run by a single company or a legal entity somewhere that you could just check with quickly. They're very different. It's know, the Internet, which is this sort of public good, right?

[00:07:06] David: So there are nuanced considerations that I think every firm needs to think about when onboarding a client. Whose business operations processes financial reporting is a function, you know, sometimes directly of this public infrastructure, so we can get into it more detail, and I should probably pause here to take a breath.

[00:07:26] David: But really, that, I think, is kind of the core of some of the nuance is how can companies and auditors in their role rely on data from these public networks. 

Centralized custody v/s Self custody

[00:07:40] Umar: All right. Thanks for sharing. So I'll go a little bit more into detail on, the different assertions that auditors would typically need to get assurance on.

[00:07:49] Umar: Completeness and ownership in a bit, but okay, we can start with ownership first. I'd like to go on the case of centralized custody versus self custody. So in the case of centralized custody, David, typically, with bank balances auditors would send independent bank confirmation letters to that company's banks.

[00:08:11] Umar: They would reconcile the confirmation received against the reported amounts in the balance sheet. One could expect a similar procedure when a client, let's say, has they're using a third party exchange or a custodian to store their digital assets. But from previous conversations I've been having with Auditors, I understand.

[00:08:31] Umar: This is not a widely let's say accepted practice right now to send confirmation letters to such digital assets, exchanges, or custodians, similar to what we have with cash balances, held at banks. So I'd like to understand. So how would auditors. typically prove ownership of the digital assets when these are held with these third party custodians, exchanges, and whatnot.

[00:08:58] David: I'm so glad you led with this question, or at least early in the discussion, just because custody for this domain, as I know you know, for digital assets, crypto, web3, and all the rest, it's all about custody. You know, who holds these things. And the fact that like you were sort of distinguishing. Not everything is sitting at some centralized custodian somewhere.

[00:09:19] David: That's the, that's one of the virtues of web3, right? Is that, you know, ownership can be, you know, can be held not just by traditional intermediaries the companies themselves can hold them. So I would say that certainly

[00:09:35] David: initially there was not as frequent or recognizable confirmation of both existence and rights and obligations or sort of control of these assets just by sending a confirm to someone because of course, being so new be the frontier of financial technology.

[00:09:53] David: There just weren't such entities. Or there weren't entities that really checked the usual boxes that you'd see. You mentioned sending a cash confirm to the bank, right? Confirm your client from that audit perspective has what they report their financials. Yeah. So in the beginning, there just weren't any of those but now there are quite a few that are out there and quite a few that have started checking, right, all those boxes.

[00:10:17] David: I've been saying this for a few years but now it's, you know, so for instance, there are institutional digital asset custodians that will from a sort of regulatory or compliance perspective, look to make sure they're checking the boxes. Like I was saying of either qualified custodian and things like that.

[00:10:35] David: They will themselves have an auditor, right? And most importantly for the audit of a company whose assets are held at a custodian. They will have a SOC 1 –Type II or equivalent report right? And know, you had mentioned before that so much of this discussion is around controls and internal controls, and that's what SOC looks at.

[00:10:58] There are happily now much more traditional procedures that can be done if you're a company that's holding assets at your third party custodians, but the challenge even if they exist, and maybe this is what you're getting to, you just let me know, is that in this space, these are assets that, depending on your business model, you know, won't just sit under a mountain somewhere.

[00:11:22] David: You put them to work, you do things with them, you stake them, right? know, you're participating in all sorts of you know, decentralized applications. It's tough for a business to keep all of her assets at a third party custodian if they want to do things with them. Now, a lot of custodians have started to accommodate those better, right?

[00:11:39] David: Oh, we can stake it for you or we can help you participate in governance or we can do this, that or the other thing. But on all the blockchains and all the assets you want, It's tough. So right now we do see from that audit perspective a blend, you know, a blend from both the sort of use of assets at custodians, but then also self custody to enable those other challenges.

Good practices around storage of private keys

[00:11:59] Umar: Got it. Speaking about self custody businesses today. They would typically use multi signature wallets, like a Safe or MPC wallets, like a Fireblocks as opposed to individuals who would use like a single key signature wallet, like a Metamask, right, to control the movement of their funds.

[00:12:19] Umar: So I understand auditors would need to obtain an understanding of the different safeguards that company has put in place for the storage, for transaction initiation, authorization with those multisigs or MPC wallets. So let's start with storage and security of the physical location of those private keys.

[00:12:42] Umar: I want to ask you from what you've observed, like during the audits, what are some good practices around storage of the private keys?

[00:12:51] David: Sure.And do you mean, I'll just ask a clarifying question, sort of good practices that management or the company that is the audit client can do around that or good practices on the audit side?

[00:13:04] David: There are both, but probably, I'm thinking you're probably thinking the former. 

[00:13:07] Umar: Yeah, that's right. 

[00:13:09] David: Yeah you know, there are lots and it depends on like you were just describing well, what type of wallet are we looking at here? What type of, you know, custody solution or self custody solution do auditors often see at clients and what do we regard as best practices?

[00:13:25] David: Well, so first of the types you listed multisig circumstance or like a multi party computation in MPC circumstance. Yeah, those are absolutely safeguards that we witness clients or really anyone ought to have in place around this because of the bare nature of digital assets. That is, once they are no longer within your control, once they're in someone else's wallet, there's no sort of higher authority you can appeal to, to get them back, right?

[00:13:52] David: So that just makes the controls around safeguarding of these assets even more important. Hence you know, multi signature or MPC or other things that require several people or entities to sign off before, you know, a movement can occur some sort of activity. These are examples of preventive controls, right?

[00:14:14] David: So that is in the universe of internal controls or just controls in general, you could say, well, there's controls that prevent things that you do not want happening from happening. And then there's the detective controls, right? Like detecting that. Oh, wow, something just happened that we did not want, right?

[00:14:30] David: So these sort of wallets and the safeguards around them are examples of prevent controls, right? What's going to stop, you know, someone from getting access to these that shouldn't be. I would say a poor practice, you know, just to find a contrast is, you know, what we'd see years and years ago where there was one person at the client and they set up the company solution.

[00:14:53] David: The wallet and it only required them to transact or move or safeguard these over time. That's obviously a total absence of real prevent controls, right? So I would say That's what I see. I'm trying to think if there's any sort of more detailed best practices around the safeguarding of, you know, the private keys or related cryptographic information for digital assets, I would say, as far as best practices go documenting these controls. We find clients in this space to be very security oriented. Sometimes nuclear secret grade securities have been put in place. But what we don't always see. Is having people that work in the financial reporting part of the company understand what those controls are, have documented them, and then of course have this regime that you had talked about in the beginning around the testing of these controls.

[00:15:52] David: Have they been designed appropriately, right? Are they operating effectively over the period in question and continue, right? So, that's often a challenge. So I would say another best practice is not only having had the controls in place. Well, it's kind of 1000 forms. So there's not one specific set of controls that everyone has to have.

[00:16:13] David: After all, their business models vary. Maybe you need access to these more regularly. Maybe you don't. And your control environment can look differently. So whatever the environment hopefully you've been thoughtful about what the relevant controls are, you've documented them and you've got this sort of like design and testing regime. 

Harris & Trotter Scholarship & Job Guarantee Program

[00:16:28] Umar: Before we continue, we'll take a quick commercial break from our sponsor. 

[00:16:33] Umar: If you're like me and have clocked some serious hours at a Big4, BDO or other big name accounting firm, you know the drill, rigorous training and a rock solid work methodology. But here's the thing, while a lot of these firms speak about blockchain, in practice, just a handful get the nuts and bolts of accounting and auditing for digital assets.

[00:16:56] Umar: One of those firms is Harris and Trotter. Since 2017, Harris and Trotter has been growing into a well respected leader in the web3 space. Currently, Harris and Trotter offers audit, accounting, tax, and advisory services to close to 600 crypto native projects. 

[00:17:15] Umar: And here's something cool. Every single of their Digital Assets Partner is under 35. With some making partner status in as little as 12 months.

[00:17:27] Umar: Their drive, fueled by the vision of their CEO Nicholas Newman, knows no limits. And Nicholas has personally reached out to me with an incredible offer for the students of our Crypto Accounting Academy. He's offering scholarships and a guaranteed job placement with Harris and Trotter.

[00:17:46] Umar: Yes, you heard that right. So how do you get in on this? 

[00:17:49] Umar: First off, you need to be based in the UK because you'll be joining their team at their London headquarters. Plus, you should be enrolled in either one of the ACCA, ICAEW, CIMA or SAICA programs. And of course, you need to have a genuine interest in crypto and the wider web3 ecosystem.

[00:18:10] Umar: To enroll in the program, you will be required to complete the seven week Crypto Accounting Academy, and upon completion, you will start your journey with the Harris & Trotter Digital Assets team in London. Are you ready to apply? Head over to theaccountantquits.com/scholarships, fill out the application form and I'll personally be in touch.

How auditors test for completeness and accuracy of data on blockchains

[00:18:32] Umar: All right. So next I'd like to touch on test of controls. So in some cases, substantive procedures alone may not provide sufficient audit evidence and authors would have to test for the operating effectiveness of controls. We've just touched on safeguarding.

[00:18:51] Umar: I'd like the listeners to also understand the different controls they can put in place to extract transactions from the blockchain. Now, there are different ways for a company to do that. The first one, they can host their own node. So they can have the in house infrastructure to obtain information directly from the blockchain.

[00:19:11] Umar: But of course, most companies won't do this. This is logistically and financially not viable. They can use block explorers, of course. They can use tools like subledgers. Now, not all block explorers are built alike, right? And the reliability of the blockchain itself can pose some additional risks. I want to ask you if you can walk us through how an auditor would generally test for completeness and accuracy of data

[00:19:39] Umar: from like these blockchains, would you guys at EY be hosting your own nodes, let's say? 

[00:19:45] David: Blockchains, absolutely. And you've packed a lot into the question and prompt there. Really important considerations. And you know, partly around, controls reliance versus substantive testing.

[00:19:58] David: You've also got in there, how auditors obtain information from the blockchains involved in smart contracts for their client's activity. How do you know that's completely accurate, right? What are examples of that source of information? Is it running your own node? Is it relying on a third party to run that node?

[00:20:15] David: Is it these block explorers that we've seen, right, that are out there? Really good stuff. And I'll first have a shout out to just a great industry publication that continues to get better which, I was just looking at again this morning, which is the AICPA's Practice Aid. Well, specifically I believe they call it the Accounting for Auditing of Digital Asset Practice Aid. So, that's great because what the AICPA has done as an industry group got together and spoken to accountants and auditors, you know, at a number of the firms and just trying to compile what these are.

[00:20:50] David: They've got a whole section on considerations from an audit perspective. If you're relying on block explorers, right? It's just wonderful to see because often you only get that information in discussions like this. So just jumping quickly and I know we only have so much time.

[00:21:04] David: It's a challenge because you might be tempted to just rely on a block explorer and they're great. They do a terrific job in many cases, but there are specific challenges around that. For instance, often there's disclaimers in the block explorer about like, hey we're not promising everything here is completely inaccurate, right?

[00:21:23] David: It's like, oh, no, we kind of need it to be right. Or the information the explorer provides you access to might not span the entire period that you're what you need information for what happened three years ago, right? Or what was the balance on this blockchain then? Is that available? Is it conveniently exported?

[00:21:40] David: Understandably, these platforms are publicly available and somewhat limited. And so there are challenges there, but there's great considerations in that Practice Aid and other places about how to try to document that. Maybe you could do some testing around that data, right?

[00:21:55] David: But I would say the best source of information, and I guess this isn't just my view, is to go to the source of truth as we say in the space, right? The relevant blockchain. No. You just can't get any closer to the truth about what happened on the blockchain than that, right? Well, how do you do that?

[00:22:13] David: Should you run your own node? Sometimes these are inexpensive, sometimes these are quite costly, sometimes these can take forever to sync if you don't already have one up and running, right? And so, what you need to do if you're doing that is you just need to make sure that your node is in consensus with the rest of the network, right?

[00:22:30] David: It does no good if you've got a node that's out of consensus or out of data. Or whatnot, right? So that check is what you need to do to make sure that you have that information. Now, you might not want to run this yourself for the reasons you mentioned, because it might be too costly. There are node as a service providers that will do this for you, but probably more conveniently you know, lower costs, things like that.

[00:22:55] David: That's fine. You could certainly use them. But again, one thing that you want to check is that the information you're getting is complete and accurate. Well, how do you do that? Well, one way is that if they're just providing you direct access to their node, Then you can check yourself whether that node is actually in consensus with the network, right?

[00:23:15] David: And so if it is, great. Then you know you're as close as anyone could ever be to that information. Now it is worth saying that if you're using a third party to get node information and you're not interacting directly with the node. Instead, they have extracted all the relevant blockchain data.

[00:23:34] David: They've indexed it, right? And they provide it in a very conveniently accessible, you know, database. That's convenient. But now the question is, how do you know? Right. The transfer of information from the node to that new database is it didn't miss something or didn't, you know, make something incorrect.

[00:23:52] David: So that's something that they can do as a service provider to either offer a SOC report. They can specifically speak to that. If they don't, Then you need to do some testing, right? You need to test yourself whether this is basically be relied upon that doesn't come in a bunch of forms, you know, sample tests, things like that but definitely some important considerations.

[00:24:12] David: But again, to summarize, you've got block explorers, which are very convenient to get access to, but probably have the most questions around, can I rely on this information? Right. Often you might triangulate information from several block explorers at the same time, if they're available as evidence that you're actually getting to, you know, reliable information. Two is , you use a node vendor get access to that.

[00:24:36] David: And then three, of course, is you run the node yourself, which can be a process. Hopefully that canvases some of this stuff, but you let me know. I know there was a lot in there you were interested in.

[00:24:46] Umar: No I think you covered and summarized it at the end pretty well. Follow up question was sometimes we have these new blockchains coming up all the time. I want to ask you, how would an auditor go about from more exotic blockchain, but I believe the answer is: it's the same, either they choose to host the node in house themselves, or they find these third party providers.

[00:25:07] Umar: Companies like Alchemy, Kaiko, or Moralis, that' s like services they provide.

[00:25:12] Umar: Yeah, so I think we've touched on that. 

Thanks to our sponsor Web3 Finance Club

[00:25:15] Umar: Before we continue, we'll take a quick commercial break from our sponsor. Working in Web3 can transform your career, be financially rewarding, and surround you with a vibrant community. But as you're very much aware, this space requires rethinking a lot of the old models of how we work. For example, as the leader in a web3 organization, it's up to you to figure out the most cost effective way to offramp the company's crypto, or what's the most efficient setup to mass pay your contractors in crypto.

[00:25:46] Umar: Getting your organization to run on crypto is daunting if you're alone. That's why Request Finance, the industry leader in crypto invoicing, payroll and expenses, has curated a community of Web3 CFOs to share best practices around web3 financial operations. With CFOs from leading projects like Aave, The Sandbox, Binance, Consensys, and many more.

[00:26:10] Umar: Joining this community will allow you to network and fast track getting your organization compliant in crypto. And you know what? I'm also responsible for accepting new members and growing the web3 CFO club. So if you're a web3 business founder, CEO, CFO, or in charge of financial operations, You can join this exclusive community today by filling up an application form at theaccountantquits.com/web3CFO

[00:26:39] Umar: Subject to a screening check, you will then start interacting with high profile Web3CFOs, get access to members only benefits like webinars, resources, and invitations to physical meetups. Join the club today, and let's win web3 financial operations together.

How not having a SOC 2  Type 2 report will affect your audit process

[00:26:57] Umar: Next, I'd like to speak about SOC reports. Finally, the important topic of SOC reports. At the client acceptance stage, you guys will have to understand whether the entity, your client, is using a service organization

[00:27:13] Umar: and whether they've obtained like these SOC reports.

[00:27:16] Umar: So as a refresher for the listeners SOC Stands for System and Organizations Controls Report and Let's say briefly, they provide assurance over the IT controls at that service organization. For our discussion today, I want to focus on SOC reports from these custodians that we mentioned before or exchanges and the sub-ledgers.

[00:27:41] Umar: So starting with the latter, the sub-ledgers. I'm currently compiling a library of Web3 accounting and finance tools. Currently, I've counted 14 sub-ledgers, so it is a very competitive industry. And I've noted most of them, they have a SOC 2 –Type II report. So I want to ask you what information will the auditors typically be verifying for that crypto subledger?

[00:28:07] Umar: And maybe what happens if the subledger does not have this SOC report? How will that affect your audit? 

[00:28:14] David: Oh, yeah. Well, my favorite topics. And it might sound like it'd be sarcastic, but no, I it is some of my favorites because

[00:28:21] David: solving this, right? Being able to you know, operate in this environment in a way that your financial reporting is properly done and your auditors obviously approves of that then just unlocks so much.

[00:28:36] David: And having your assets either at a third party custodian, like you mentioned, or relying on others to just help you get that blockchain data relevant to your activity. And of course, pricing data and other things like that. relevant to both accounting and tax. That's what the subledgers, as we've described them, they go by many different descriptions have done.

[00:28:58] David: It's a delight for me to see know, there be quite a few of them now. Obviously there's, like you said, competition, just like there are at accounting firms. But yeah let's start with them. SOC reports enable companies to have confidence that the vendor or service provider they're using.

[00:29:17] David: Is well run, well controlled depending on the type of report , is providing them with information relevant to financial reporting. It's, that's accurate and complete. And so you mentioned, you know, SOC 1 and SOC 2. And usually you do see both Custodians and the subledgers getting a SOC 2 first.

[00:29:37] David: It just controls for a lot of things, a lot of the trust principles that you might think, like, data integrity, things like that.

[00:29:44] David: Auditors, though happy that clients are using a vendor that has a SOC 2, Type 2, even better, right? It means that both the controls are designed properly and operating effectively over the period.

[00:29:59] David: That's not the type of SOC they need, right? Alone, right? Really what they're looking for is a SOC1, right? Type2, same sort of thing, right? You get both design and operating effectiveness. But the SOC1 was basically designed for auditors of clients, right? And here's how it works.

[00:30:19] David: An auditor has a client, and they're looking at their financial reporting. Well, to the extent the client is relying on this third party, in this case, we're talking about subledgers, for, you know, data information relevant to financial reporting, how do you know that information can be relied upon, right?

[00:30:34] David: Well, the SOC 1 is designed exactly for that. It is a report over the controls of, you know, data relevant for financial reporting for their users. That's what it is, right? And like, that's what auditors need. And it's tough to get a good SOC 1 –Type II that has a scope that covers everything your clients and their auditors need.

[00:30:56] David: It takes time. These reports, they usually have to mature in an industry. Don't blame certainly startups in this space for not having SOC reports that you see at large global banks, right, that have been working on these things for a long time. They start and the scope expands. I will quickly say, though, that for sub-ledgers in particular, or the SOC that you want, which is a SOC 1 –Type 2 the type of control you're looking for from that audit side and management for that purpose.

[00:31:23] David: Is going to be reconciliation controls between, you know the books, the records and the blockchain themselves, right? That's what you're looking for. So if you ever do get a SOC1 you hope it's a Type 2. You hope it's you've got a clean opinion because sometimes. Sometimes, you know, some controls fail, right?

[00:31:43] David: Scroll down and look for, and these are restricted use reports, so you, not everyone has access to them but scroll down and look for those reconciliation controls between, you know, the information being provided to your client and the blockchains themselves. That's what you need. 

[00:31:58] Umar: So if you've obtained, like, let's say, just a SOC 2 –Type 1 report, you would still have to perform maybe additional testing because right now you've not obtained like, assurance whether these controls are effective, right?

[00:32:12] Umar: You just obtained assurance like they've been designed, they've been implemented, but they're not really operating effectively.

[00:32:18] David: Thank you for the follow up, because I remember now that you were saying, what do you do? So what do you just if they don't have a great SOC 1 –Type 2, you're just, you know, stuck? No.

[00:32:28] David: There are other things you can do, right? Even if you were to take a controls reliance approach, this is from an audit perspective. I'm going to rely on controls. I'm not going to do all that substantive testing. You're still required to do some substantive testing, right? It's not like you could just ignore that, right?

[00:32:43] David: But you could certainly get efficiencies for relying on controls. So if you can't rely on controls, either on the management side, that is , the audit client side, the company in this space, or rely on related controls that are covered by a SOC, right? Well, then you're back to substantive testing, right?

[00:32:59] David: Like, that's where we all started in this space. We're all very familiar with that. It's not necessarily the cheapest approach because it's a lot of testing. You know, what does substantive testing mean? It just means you are directly testing the either balances or the transactions or the other relevant information relevant for financial reporting.

[00:33:17] David: And, you know, you'll be doing that anyway to some extent, but it just means you'll be doing more of it. So the SOCs can really provide efficiencies. They can on the sub-ledgers, they can, save costs from their users and their users auditors, but that's the approach.

[00:33:30] David: You just switch to more substantive testing. 

Understanding Audit Readiness For Crypto

[00:33:32] Umar: Sometimes these web3 startups, David. They are innovating a lot, right? And they are, let's say neglecting like, let's say, the back office bookkeeping. So they've not really maintained appropriate records for their transactions. They've not implemented all these processes and controls we've been speaking about.

[00:33:52] Umar: And they're expecting the auditor to come in and help them a bit. Right. So there is a new service called audit readiness for digital assets, whereby the auditor would come to help the entity set up those appropriate controls. For example, let's say having a wallet management policy. I want to ask you if you could walk us through such a scenario.

[00:34:13] Umar: Let's say there's a new client engagement and the questions you would typically ask that client, which would help you to arrive at the conclusion that they need to be engaged first for this audit readiness service. And then later we'll tackle external audit. 

[00:34:28] David: You know, good point on audit readiness as to think from the audit and some of the sub-ledgers.

[00:34:37] David: Like you said have begun wonderfully to roll out functionality, other helpful guidance. Or industry practices around how you get even ready for your audit. And even if you have an audit and a relevant auditor, you know, how do you continue to improve that, right? So audit readiness is a massive part of this industry, we ourselves offer it. Other accounting firms offer it. Because often if a client comes to you and says, Hey, Okay. I need an audit. Yes. You know, like, okay, can I get one? Well, they're just often not ready for that yet. What does it mean to be ready for an audit? Well, that's the things you were talking about, right?

[00:35:19] David: Having management have a function specifically around financial reporting. So you have the finance function, you have, you know, accounting support, you have people that look at the tax and all the rest, right? So That needs to be in place. You have to have people that actually know what they're doing that are going to work with you a lot to make that happen.

[00:35:37] David: You have to have processes, policies, right? It's quite a lot. Certainly, if you have your ambitions to go public in various jurisdictions. Yeah. There was something you mentioned that I'll just throw a little clarification on, what you said, well, sometimes, and I might have gotten this a little wrong, but you said, sometimes the auditors can offer audit readiness services. It's the same company that is, in some instances, an auditor can alternatively offer audit readiness, services, right?

[00:36:06] David: But depending on the nature of the audit readiness itself, it might be a, conflict of interest. They might not be sufficiently independent to then at the same time or shortly thereafter be the auditor. So you have to, of course, always track that. Audit readiness looks like the following: you come in, you do a review, you do a sort of diagnostic you jump on the phone and you meet with all the relevant stakeholders, of the company and you find out. What are your operations?

[00:36:32] David: What are your processes? Do you have any controls? You know, let's just walk through all that stuff and get a sense for what it is. And then, of course, the firm that's offering the audit readiness has the target in mind. They know what auditors are going to be looking for. And so then they'll say, all right, here's where we are.

[00:36:49] David: You're here. This is where you need to be on all these areas. Here's, you know, these are gaps need to close. So then at that point, the company could say, great, you're hired! Can you fix all this stuff? Well the answer is: Yes! Sure! But I can't also be your auditor at the same time, especially if that remediation involves work that are designing processes that feed directly into financial reporting.

[00:37:14] David: Can't do that. But the company could go out and hire someone else. then close those gaps. They could even hire a company and perhaps after a sufficient amount of time, other auditors have come in. Then later the one that offered the readiness would be sufficiently clear to then offer.

[00:37:30] David: You always have to evaluate these and work with your independence people. That's basically it. The readiness solution. Companies, if they aren't ready for an audit or certainly aren't ready for an audit of the public company level. That's okay. You can get there. Right. And so you can gauge the services to help you do.

Independence threat of Audit Readiness

[00:37:46] Umar: So you mentioned the independence threat there.Let's say, like the company, they've been just initiating transactions, let's say from a wallet, but nothing has been documented, right? You would not really help them to come up with these processes and policies in place. If you are helping them, then I guess then there would be a self review threat and it would have to be another auditor. But if you're just advising them and they themselves have to implement these policies, then I think it's okay.

[00:38:16] David: Yeah. So what part of this is still independent and what part is not independent? And the answer is you could do a permissible audit readiness initial review where the auditor or potential auditor, right?

[00:38:32] David: Is going to just observe. They're not designing anything. They're just saying like, okay, you know, you let me know how things work just as auditor would. Hey, I need to know how you operate, right? And then they'll say, by the way that's not sufficient, like what you're doing there, not going to cut it.

[00:38:49] David: Now what you need, the bar is over here. And so here's the gap. So you can be, it can be a permissible service that is consistent with independence of the client to offer that it's if you were to tell them specifically, like, and by the way, you designed this differently, you got to do that thing.

[00:39:06] David: And here I'll help you do it. 

Digital assets services provided by EY US and the internal tooling developed for crypto companies

[00:39:07] Umar: Now, EY has been at the forefront of blockchain innovation for many years. You guys have partnered with Polygon for the development of new tools. You guys organized the Global Blockchain Summit. I mentioned you've audited renowned public companies like Robinhood, Block, Bakkt. I want to ask you if you could walk us through some of the digital assets services provided by EY US, because that's where you're based and the internal tooling you've developed specifically for crypto.

[00:39:39] David: Sure. Happy to! Thank you for the accolades. Hard won over many years. I do sit in the US but it might be helpful to learn that I've also recently taken on some of the global coordination on the same topics, blockchain assurance, you know, audits, you know, extended assurance, SOC reports, things like that.

[00:40:00] David: So I do stay very well connected to my colleagues around the world. But I would say that, when you think about services generally to this space what are firms able to offer and what are we able to offer? There's the audits which we've spoken of quite a bit. There's related SOC reports, right, that you can come to us on both the readiness side and on the actual execution of that engagement, right?

[00:40:21] David: There's tax services, right, that you think, oh, of course, yeah, accounting firms are going to offer that sort of thing. But then you get just a bewildering variety of other services that we do a lot of. Consulting captures a lot of that. Now, consulting comes in many forms, right? Consulting on what strategy?

[00:40:38] David: Are you talking about just how to improve a process, or we're looking at sort of compliance considerations. You know, how about whether or not maybe you have retail customers, and you need a robust AML KYC program, as they say these are areas that, we can help clients with. I think diligence, right?

[00:40:56] David: Kind of sounds familiar to audits, but that's where in, you know, M&A activity where there's going to be a transaction, and often EY will be engaged to all for either buy side or sell side services. That is buy side services would be diligence of the target.

[00:41:13] David: These are always interesting engagements 'cause they're they look very familiar to an audit, but they're much faster paced and targeted for the needs of that transaction. So I think those are some of the main areas. I'm sure I'm forgetting a few, but the goal here. Is that this ecosystem, the digital asset ecosystem, which now is not just in what we call the crypto natives or some, you know, former startups for now, you know that all they do is operate digital assets, but also in the traditional side.

[00:41:44] David: There's a lot of needs, and it's good to be able to offer needs to enable this ecosystem to grow responsibly right in the right way and mature as any industry would. So it's been a lot of fun to help develop these. 

Auditing Robinhood and the proof of reserve post FTX meltdown

[00:41:59] Umar: And because you do audit Robinhood, I want to touch on the proof of reserve that became even more popular after the FTX meltdown.

[00:42:08] Umar: So for listeners who are not really familiar with what a proof of reserve even means, could you quickly explain to us what that means. 

[00:42:17] David: Well, can try. only joke at the beginning just because proof of reserves as the expression has been used is not born out of the audit field or profession or traditional frameworks.

[00:42:29] David: It's certainly something that has developed. You might even say it's a bit of a misnomer. You know, typically when you look at firms that offer reports to investors or other stakeholders around financial reporting or, you know, whether their customer deposits exist or control, things like this.

[00:42:50] David: It's usually not a proof. You know, they're usually, you obtain you know, sufficient appropriate, reasonable assurance that these things are the case, right. And then reserves is a term that's been, you know, borrowed from banks in a certain way. But when you think about cryptocurrency exchanges or others, you know, that hold customer deposits, they don't do so on a reserve, like a fractional reserve basis.

[00:43:15] David: They have to have all of those assets, right? And so I I'll just point out a few clarifications in that expression. I would say that on proof of reserves specifically as that expression is used I think that it evolved in the absence of exchanges and others that even had a traditional financial statement audit.

[00:43:35] David: So if you had that, and that was widely known, then. You know, a financial statement audit does the sort of procedures that the market has come to expect from a proof of reserves report, namely they actually perform procedures to get confidence that the client's assets that they report both for themselves and the customers exists and are controlled and are properly valued.

[00:43:59] David: So like These are things that a financial statement audit does not only that but the audit has a much more comprehensive evaluation of what the company's doing. What about contracts they've engaged in that might have pledged assets as collateral for something else, right? Like, you wouldn't necessarily review that if you were looking at one of these sort of like, you know, proofs preserved reports necessarily.

[00:44:22] David: Now, the institutions that have been offering these reports. They certainly know, and they're sharing that, but I would say there is a big difference between a financial statement audit, certainly one that's at the level of a public company that relies on, you know, controls and these more nuanced proof of reserve reports.

[00:44:38] David: I will say that they could be hopefully added to a foundation of financial statement audit. And, an examination of the relevant internal controls. If you had that in place and then you had a more low latency you know, report that reviewed customer deposits and whether those were correctly, you know, controlled for and stated that could be helpful. 

Real world blockchain use cases that EY US helps its clients with

[00:45:02] Umar: Yeah, very clear. Now, I also want to ask you at EY, whether you've noted some real world blockchain use cases that, yeah, EY has been helping its client with that you find were interesting, that you could share, of course. 

[00:45:17] David: Yeah, real world use cases buckets in general. Well, I like to think that digital assets are part of the wide real world.

[00:45:25] David: And so these are all very real to me, but I know what you mean. Real in the sense that, you know, sometimes it's said RWAs, you know, real world assets and how do we get blockchains to connect with, information and track activity of things that are outside the blockchain.

[00:45:42] David: So I'd like to say that this is certainly a vision that EY has long had in trying to make this possible. Blockchains are great at tracking blockchain data, yes, but could these virtues of, reliable information, certainly historically be used to track things outside of the blockchain.

[00:46:00] David: And there have been many efforts in many cases. Well, take one, Stablecoins, right? They're tracking things outside of the blockchain, right? So you have tokens that are supposed to be pegged to, or backed by in some cases, assets like Fiat, perhaps it's gold, perhaps it's other things, right? That do that.

[00:46:19] David: And there's been real, robust cross progress around making sure that they track this accurately, right. And completely and are controlled for. So for instance, the AICPA recently released this year, a sort of framework. For the criteria that could be used for attestations of tokens that are backed by things, you know, outside the blockchain obviously, fiat was most in mind, but I If listeners hear your question, they might think, wow, could you get the blockchain to track cars or people or, things in a supply chain, right?

[00:46:56] David: That would be great. It's just that, it's nice to pause and take a moment to appreciate the success that we've had for one use case, which is just tracking, right? Things that are pegged to the value Fiat.

How Web3 auditors & accountants can upskill 

[00:47:09] Umar: Perfect. There's another topic, which is close to my heart, which is how to upskill auditors, accountants in general for crypto. I alluded to that knowledge gap in the beginning of our conversation today. So for auditors who want to start offering like digital asset services, I've been speaking with auditors who are looking at the technology who sees the potential, but unfortunately they don't have the necessary expertise in house.

[00:47:36] Umar: Some of them, what they do is they would partner with larger audit firms that do have the expertise. They would outsource, let's say the testing for the digital assets and they would do the remaining. For the digital assets, there would be regular meetings whereby the digital assets auditor, let's say, they would explain what they've done.

[00:47:57] Umar: And I believe with time, then they can fully take on that engagement themselves, right? When they've learned how to do it. Where would you say, accountants, auditors in general, who are curious, let's say, about digital assets? Where should they start to learn?

[00:48:13] David: Great question, because the space really needs auditors that are able to properly offer these services, not just in the U.S., but elsewhere. If you look at certain, you know, jurisdictions, and they would like to provide a sort of regulatory framework that accommodates the specific needs of , companies that operate in the crypto Web3 Digital Assets space. Often in those regulations, they will say, Oh, and you also need a Financial Statement Audit.

[00:48:42] David: Oh, you also need to get a report from an independent accountant over the effective operation of your internal controls, things like that, right? Well, that's great. So long as there are Auditors that exist that will do this stuff, right? Fortunately, the answer is there's no dearth of auditors that, you know, serve this space, not only at the Big4 levels, you know, certainly, you know, we have for many years but also at, regional firms a number of shops.

[00:49:07] David: So there are lots of auditors out there and, every now and then I will hear like, oh, there, you know, auditors can't audit digital assets or crypto. Not the case. It's not the case at all. But now, if you are an accounting firm and you have an audit practice and you have a need or you have an interest in serving clients in this space, just like you were saying, there are very specific considerations and capabilities that you need to have, right, to do that.

[00:49:35] David: Well, and so now, and I don't want to sound like a broken record since I've mentioned a few other times, but as one example, Canada had a great series. I think it was, what was it? Canada CPA and others that shared publicly both accounting and audit considerations around serving this space.

[00:49:55] David: So that was a good initial, effort that I saw around the world. Very recently the AICPA has released an updated version of that practice aid around the last I was speaking of both accounting and auditing. Now this isn't for every possible accounting jurisdiction in the world, right? But the practices that are including there are just terrific. They will go down and talk about considerations relaying how do you evaluate the reliability of the data that comes from the blockchains that you might find yourself in need of because it's relevant to financial reporting. That's great material. It will discuss some of these internal controls considerations.

[00:50:36] David: It will discuss both the prevent and the tech side that you need to have. Just good stuff. So I would say that's the first free public place you can go to, to just see what considerations auditor should have in mind. But the industry tries to help. I'm always happy to take a call speak very generally around these topics because we do need auditors to serve this role if these companies are going to thrive in the space. 

[00:51:02] Umar: Perfect. Thanks. And you're right. The AICPA guide helped me a lot to understand like the different facets of, let's say, auditing digital assets and they regularly update it. So the listeners, you should check it out on the AICPA website. David, I'm looking at the time. Time has passed fast, I want to be respectful of your time. 

The 3 Main points to summarize 

[00:51:22] Umar: So the theme of the episode today was internal controls for digital assets. So I want to ask you as closing thoughts. Has there been something that maybe we have not touched on that you would like to share with the listeners or how would you summarize the episode of today?

[00:51:39] David: Well, Oh, I I think we've covered quite a bit of ground. Just really helpful in getting the message out there. I would say. That if the focus of this discussion is on anything it's nice to consider internal controls. And there's three things that I think we've hit on pretty well, but are worth emphasizing.

[00:51:59] David: One is that. Not just auditors and not just service providers and vendors, but the management of companies themselves really needs to think about, reconciliations between their books and records and the blockchains and relevant sort of smart contract data itself. But you want to be confident that things are actually represented.

[00:52:20] David: Another thing. If you're self custodying your own assets, just make sure you've got access to private keys, right? You might have had it at one time, but later, perhaps not, right? And so these things need to be carefully monitored. So think about controls related to that. And then finally, and we've hit on this pretty strong, which is now there's quite a variety of service providers.

[00:52:43] David: Both on the accounting and tax side, the sub-ledger solutions and then also on the custody side. Great. By all means, use them. But, make sure that you perform some vendor due diligence. Make sure that you had that counterparty risk management process in place so that you can rely on them in a way that your auditors and others need you to.

[00:53:04] David: So I would say those are three big areas to, to hit pretty importantly.

David - On how we can make the future of crypto better.

[00:53:08] Umar: Perfect. Thanks for sharing, David. There's a last question which I like to ask my guests before they leave on this podcast. It's like a tradition. you have any personal quote or let's say a maxim that you live by?

[00:53:19] David: Oh, I should have definitely should have prepped for this one. No, I don't. But I would say that I think success in this industry is going to rely on us all working together to figure this out. And that's one of the reasons why I've so enjoyed working in this digital asset, cryptocurrency, Web3 environment is because It reflects an ethos that I've always had of trying to build consensus and trying to engage the community to develop public goods that'll make all of our processes and activities better.

[00:53:57] David: I know that was it a pithy expression, but definitely one that I see in the community. And I also hope that we can also all reflect. 

How to reach out to David

[00:54:06] Umar: Perfect. Well, thanks a lot for coming today. I've learned a lot preparing this episode. I'm sure the listeners have as well. If let's say people, want to reach out to you, I know you're a public figure, you are speaking regularly at events, conferences.

[00:54:21] Umar: If people want to maybe meet you in person at some of the upcoming conferences that you'll be at. Yeah, how should they reach out to you? Let's say on socials. 

[00:54:31] David: Oh, absolutely. You can find me just about everywhere. I've docked myself. Right. That is one distinction that I have with some members of the community. You can always reach me by my email, which is simply: david.byrd@EY.com with a Y, right? It's the, it's that spelling. And yeah, you'll find me on LinkedIn and I'm always happy to share Telegram and other handles so you can get in touch with me all sorts of ways.

[00:54:55] Umar: Perfect. Well, thanks a lot for your time today, David, and we'll be in touch. 

[00:55:00] David: Great. Thank you. Really appreciate it.

Stay updated on everything from The Accountant Quits

[00:55:03] David: I would like to thank everyone for listening to this episode. You will find all the links of the episode, show notes, and transcript on the website of The Accountant Quits at theaccountantquits.com. Please note that this content is for general information purposes only and is not a substitute for consultation with professional advisors.

[00:55:23] David: If you do know anyone who could benefit from the episode and you care about them, please do share the episode with them. All the episodes are available on Spotify, Apple Podcasts, and Google Podcasts. And by leaving us a review and rating, you will support the channel and all your fellow accountants. In order to be notified each time we release a new episode, do follow us on Instagram and LinkedIn.

[00:55:47] David: We hope to have you with us next time. Bye for now.