Auditing Cryptocurrency: how assurance works when value lives on-chain

Cryptocurrency audits are no longer niche. Public companies hold crypto on balance sheets, funds trade it, fintechs custody it, and some businesses accept it as a payment rail. The audit challenge is that crypto is both digital money in the eyes of users and a unique asset class in the eyes of accounting standards highly volatile, easy to move, and secured by private keys rather than traditional custody paperwork.

Start with the accounting, because it drives the audit risk

Before an auditor can test “what’s true,” they need to understand “what the client is claiming.” Under IFRS, the IFRS Interpretations Committee concluded that most cryptocurrency holdings meet the definition of an intangible asset under IAS 38 unless they’re held for sale in the ordinary course of business, where IAS 2 (Inventories) applies.

That classification decision changes how valuation, impairment, and presentation are audited. In the US, standard setters have moved differently; FASB issued guidance requiring certain crypto assets to be measured at fair value with changes in net income, which changes the audit focus toward fair value inputs and disclosure completeness.

The big audit assertions don’t change—but the evidence does

Auditing crypto still comes back to the classic assertions: existence, rights and obligations, completeness, valuation, and presentation/disclosure. What changes is how you obtain persuasive evidence.

A recurring regulator emphasis is that digital assets require strong risk assessment, deep understanding of IT controls, and robust testing over ownership and safeguarding—especially ongoing private key control.  If an organization cannot demonstrate secure key management, segregation of duties, and controlled access, then even “correct” wallet balances can be misleading because the organization may not truly control the asset.

Existence and ownership: “the wallet has coins” is not enough

A wallet balance visible on a blockchain explorer can show that assets exist at an address. The harder part is proving the client controls that address at period end (and throughout the year if there are high movements). Auditors often combine on-chain evidence with off-chain evidence: governance over wallet creation, approval trails, and demonstrations of control that do not compromise security. The goal is to prove control without turning the audit into a key-exposure event.

This is also where auditors become skeptical about temporary window-dressing. “Proof” at a moment in time can be staged, including by borrowing assets. The PCAOB has explicitly warned that many “proof of reserve” reports are inherently limited and can omit liabilities and rights/obligations—meaning they are not substitutes for a financial statement audit.

Custody risk: private keys are the new vault door

If a client self-custodies, the audit needs to understand how private keys are generated, stored, accessed, backed up, and recovered. If a third-party custodian or exchange holds the assets, the audit shifts to controls at the service organization and the legal rights to withdraw. Regulators highlight that understanding the control environment, including IT controls, is central in digital asset audits.

A practical risk is that customers’ assets and the company’s assets can be mixed in operational reality, especially at exchanges or custodial platforms. That raises sharp questions about asset ownership, liabilities to customers, and whether the entity is acting as principal or agent—issues that matter for recognition and disclosure.

Valuation: volatility turns small errors into big misstatements

Crypto valuations move fast, so auditors pay close attention to pricing sources, market depth, and fair value hierarchy inputs (when fair value is used), or impairment triggers (when cost less impairment is used under IAS 38). Under IFRS, the agenda decision direction (IAS 38 vs IAS 2) pushes management to apply consistent policies—and auditors to challenge the judgement calls and disclosures.

The fast-growing complexity: staking, lending, and DeFi

A “simple” holding is increasingly rare. Businesses stake tokens, lend/borrow them, earn yield, or engage in on-chain protocols. These introduce questions about whether the entity still controls the asset, how income is recognized, and how smart-contract risks are reflected. The AICPA’s Digital Assets practice aid (updated in recent years) highlights growing audit complexity, including crypto lending and borrowing scenarios, and offers nonauthoritative examples of procedures auditors consider.

The market confusion to address head-on: assurance is not all the same

Globally, crypto firms sometimes publish “verification,” “attestation,” or “proof-of-reserves” statements that users mistake for full audits. Regulators have pushed back on this confusion. The PCAOB cautions that PoR reports are not audits and may not address liabilities, rights and obligations, or whether assets were borrowed to appear solvent.  The SEC’s Chief Accountant office has also warned that some crypto “assurance” arrangements can be misleading because they are not as rigorous or comprehensive as a financial statement audit.

What a strong crypto audit signals to the market

A high-quality cryptocurrency audit does two things at once. It tests the numbers, and it tests the trust mechanics: custody, controls, transparency, and governance. When done well, it reduces the fear that customers and investors increasingly carry fear that assets can disappear, be rehypothecated, or be misrepresented. When done poorly (or replaced by thin “proof” reports), the market eventually prices in doubt.