Bitcoin Proof Of Reserves As Part Of An Audit

If you have been active in bitcoin for any length of time, then you have likely either lost money in an exchange failure or you know someone who has. The pervasiveness of meltdowns among bitcoin startups has created considerable demand from stakeholders for outside assurance that funds entrusted to them are safe and sound. In response, several technical procedures have been developed (example here) to allow an independent, trustless means of confirming that customer liabilities are backed by digital assets on hand. While this procedure is commonly referred to as an “audit,” it is not the same thing.

Keeping It Simple

In itself, the procedure commonly known as “proof of reserves” performed by non-accountants does not meet Generally Accepted Auditing Standards (GAAS) and would be unacceptable for most conventional uses (e.g. SEC, BitLicense or other regulatory filings, stakeholder information requirements, etc.). The GAAS framework is available here for those interested. However, proof of reserves does have a place as a component of an overall risk-based plan in a conventional audit.

The technical solution employed by Kraken and others has the advantage of being automated and directly verifiable by customers, but it is likely to be too complicated (read: expensive) for use by many accountants. Additionally, some exchanges may lack the technical sophistication to implement Kraken’s proof of reserves model in their own software. Finally, the fact that the code itself is controlled by the client may raise internal control risk to the point that the auditor is unable to use it for testing.

Starting from the assumption that independent auditors are both competent and trustworthy, bitcoin reserves can be confirmed as part of an audit with a much simpler series of tests. This suggested procedure has the advantage of being easily understood and carried out by non-technical accountants, which should result in a lower cost audit.

Ensure Liabilities Don’t Exceed Assets

Compare customer account records provided by the client and wallet address balances provided by the client to confirm that the company has sufficient reserves on hand. The balances in these addresses can be independently confirmed by checking the Blockchain (using the Blockchain Explorer at blockchain.info, for example). If the amount of bitcoins in the company’s declared wallet addresses meets or exceeds the sum of the amounts declared by the company for customer liabilities, then management’s claim of adequate reserves is presumed accurate.

A series of test transactions can be used to confirm ownership of the wallet addresses claimed by the company. For example, directing the client to transfer a fraction of a bitcoin between various addresses at a certain time would show that the client is in control of those addresses. Bitcoin’s digital signing protocol can also be used to prove ownership of the various addresses. For balances held at third-party exchanges, we have seen success using the standard AICPA form for response-based confirmations.
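The reserve test described in this section can be written as a short reconciliation. This is an added example, not code from the original post or from any exchange. The record layout, the placeholder address labels and the sample figures are constructed for illustration, and it assumes the auditor has already read each balance from the blockchain and recorded whether ownership was demonstrated.

```python
from dataclasses import dataclass

SATS_PER_BTC = 100_000_000  # integer satoshis avoid floating-point rounding


@dataclass(frozen=True)
class DeclaredAddress:
    address: str            # wallet address the client claims
    client_sats: int        # balance the client reports for it
    observed_sats: int      # balance the auditor read from the blockchain
    ownership_proven: bool  # test transfer or signed message accepted


def reconcile_reserves(declared, liabilities_sats):
    """Count only unique, ownership-proven addresses at the observed balance."""
    seen, counted, exceptions = set(), 0, []
    for d in declared:
        if d.address in seen:
            exceptions.append((d.address, "declared more than once"))
            continue
        seen.add(d.address)
        if not d.ownership_proven:
            exceptions.append((d.address, "ownership not demonstrated"))
            continue
        if d.client_sats != d.observed_sats:
            exceptions.append((d.address, "client balance differs from chain"))
        counted += d.observed_sats  # rely on the auditor's own reading
    total_liab = sum(liabilities_sats.values())
    return {
        "reserves_sats": counted,
        "liabilities_sats": total_liab,
        "surplus_sats": counted - total_liab,
        "adequate": counted >= total_liab,
        "exceptions": exceptions,
    }


# Constructed sample data: placeholder labels, not real addresses or customers.
DECLARED = [
    DeclaredAddress("ADDR-A", 5 * SATS_PER_BTC, 5 * SATS_PER_BTC, True),
    DeclaredAddress("ADDR-B", 3 * SATS_PER_BTC, 2 * SATS_PER_BTC, True),
    DeclaredAddress("ADDR-A", 5 * SATS_PER_BTC, 5 * SATS_PER_BTC, True),
    DeclaredAddress("ADDR-C", 4 * SATS_PER_BTC, 4 * SATS_PER_BTC, False),
]
LIABILITIES = {"cust-1": 450_000_000, "cust-2": 300_000_000, "cust-3": 50_000_000}

if __name__ == "__main__":
    print(reconcile_reserves(DECLARED, LIABILITIES))
```

In the sample, the client's schedule adds up to 17 BTC against 8 BTC of liabilities, but only 7 BTC survives the duplicate, ownership and observed-balance checks, so the reserve assertion fails.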

Ensure Customer Balances are Properly Stated

Advise all customers that an audit is in progress and that “proof of solvency” will occur during a window of time in the near future. Randomly selected customers should be contacted directly to independently confirm their balances by mail or e-mail. If e-mail is used, additional controls should be implemented to ensure that “sock puppet” addresses are not used by the client to deceive the auditor. These customers must be advised of the procedure in advance, be willing to confirm their name and address and have that information included in the auditor’s work papers. Testing should continue until a critical mass of customers provides confirmation. A non-response usually cannot be interpreted as acceptance.

Many of the early exchanges operated without the requirement to confirm customer identities. However, regulatory involvement since the summer of 2013 has pushed the industry toward adoption of robust “know your customer” procedures as part of their overall anti-money laundering policies. While many bitcoiners still jealously guard their privacy, our experience has shown that the vast majority of exchange customers are happy to participate in a professionally conducted audit. Nevertheless, testing should allow and adjust for a certain amount of opt-outs and non-responses.

Though this step does not provide customers with the technical capability to independently confirm that their balance was included in the test, we believe that forcing customers to provide positive confirmation at the time of the audit provides a more reliable means of detecting misstatements than merely inviting them to do so because non-responses in the latter case are automatically and improperly interpreted as acceptance.

Investigate Material Discrepancies

A material discrepancy is an amount that could call into question the accuracy of the solvency assertion. This would be determined on a case by case basis as part of audit materiality. In reality, most customers are likely to use the client’s own website to check their balance before confirming it to the auditor. However, a few highly involved customers may claim that their exchange balance differs from their independent records by some amount. Audit materiality will determine whether these cases require further investigation. If the errors are few or of an immaterial amount, then they don’t necessarily require a response by the auditor.
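The difference between positive confirmation and merely inviting customers to check can be shown on one set of replies. This is an added example, not part of the original post. The customer ids, balances and the materiality threshold are constructed, and measuring coverage by value rather than by customer count is an assumption.

```python
from decimal import Decimal

# Constructed sample: ledger balances (BTC) for the customers the auditor selected.
LEDGER = {"c1": Decimal("2.0"), "c2": Decimal("0.5"), "c3": Decimal("1.5"),
          "c4": Decimal("4.0"), "c5": Decimal("2.0")}
# Replies the auditor received: None = no reply, "opt-out" = declined to take part.
REPLIES = {"c1": Decimal("2.0"), "c2": Decimal("0.75"), "c3": None,
           "c4": "opt-out", "c5": Decimal("2.0")}


def evaluate_confirmations(ledger, replies, materiality):
    """Tally replies; silence and opt-outs are never counted as agreement."""
    confirmed = Decimal(0)
    unconfirmed = []
    discrepancies = {}
    for cust, book in ledger.items():
        reply = replies.get(cust)
        if reply is None or reply == "opt-out":
            unconfirmed.append(cust)
        elif reply == book:
            confirmed += book
        else:
            discrepancies[cust] = reply - book  # customer claim minus ledger
    total = sum(ledger.values(), Decimal(0))
    disputed_value = sum((ledger[c] for c in discrepancies), Decimal(0))
    misstated = sum((abs(d) for d in discrepancies.values()), Decimal(0))
    return {
        # share of ledger value that customers actively agreed to
        "positive_coverage": confirmed / total,
        # what an invite-only scheme reports when silence counts as acceptance
        "passive_coverage": (total - disputed_value) / total,
        "unconfirmed": unconfirmed,
        "discrepancies": discrepancies,
        "investigate": misstated >= materiality,
    }


if __name__ == "__main__":
    print(evaluate_confirmations(LEDGER, REPLIES, materiality=Decimal("0.1")))
```

On these replies the invite-only reading reports 95% of value as accepted, while positive confirmation supports only 40%, so testing would continue with further customers.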

Independent confirmation of exchange reserves is only a small part of a financial statement audit, but an important one. We believe that audits are essential to the proper functioning of the marketplace. Sophisticated, code-based approaches have a place, but aren’t always practical or affordable. This simple procedure shows how auditors can employ conventional testing methods with bitcoin clients.
