Auditing Digital Assets: Risks, Controls and Evidence
How auditors approach digital assets: key risks by assertion, control expectations, blockchain evidence, custody confirmations and reporting considerations.
Digital assets are appearing in more audit files every year — corporate treasuries holding bitcoin, funds with token exposure, and crypto-asset service providers now authorised under the EU's MiCA regime and subject to statutory audit. The underlying technology changes how evidence is obtained, but it does not change the auditor's responsibilities: the ISAs apply in full, and the central challenge is designing procedures that actually address the assertions. This article sets out the key risks, the controls auditors should expect to see, and the evidence techniques that work, for auditors in the UK and Ireland approaching digital asset engagements.
Risk Assessment: Why Digital Assets Raise the Stakes
At the planning stage, digital assets typically elevate several components of audit risk:
- Existence and rights — a blockchain address proves that assets exist at that address; it does not prove the entity controls the private key, or that it controls it exclusively. Holding the key is the crypto equivalent of bearer ownership, and fabricating apparent ownership is a known fraud pattern.
- Custody and counterparty risk — assets held with third-party custodians or exchanges expose the entity to the custodian's solvency and control environment. Several high-profile exchange failures began as audit-style questions about segregation of client assets.
- Valuation — prices vary across venues, liquidity differs wildly by token, and thinly traded assets may need Level 2 or 3 fair value techniques under IFRS 13.
- Completeness — management may control wallets the auditor has not been told about; conversely, undisclosed liabilities can arise from staking, lending and derivative positions.
- Classification and accounting policy — the IAS 38/IAS 2 framework under IFRS involves judgement, and tokens with contractual rights (such as redeemable stablecoins) may be financial instruments.
- Fraud and cyber risk — irreversible transactions, pseudonymous counterparties and the involvement of related parties through unhosted wallets all heighten fraud risk under ISA 240.
- Laws and regulations — under ISA 250, the auditor considers MiCA authorisation status for EU-facing clients, AML registration, and tax reporting obligations such as CARF.
Competence and Acceptance: Should You Take the Engagement?
Professional bodies, including ICAEW in its guidance on auditing cryptocurrencies, emphasise that firms should not accept digital asset engagements without adequate competence. Acceptance and continuance procedures should consider whether the team understands the specific blockchains and custody arrangements involved, whether an auditor's expert is needed (ISA 620) for cryptographic or valuation matters, and whether the client's own governance is mature enough to be auditable at all. A client that cannot demonstrate basic key management is not just high risk — it may be unauditable in practice.
Controls Auditors Should Expect to See
Where digital assets are material, the auditor will want to understand and often test controls including:
- Key management — documented key generation ceremonies, hardware security modules or cold storage, encrypted backups, and tested recovery procedures.
- Segregation of duties — multi-signature or multi-party approval so that no single individual can move assets unilaterally; separate initiation, approval and recording roles.
- Wallet whitelisting and transaction limits — controls over destination addresses and value thresholds, with test transactions before large transfers.
- Reconciliations — regular reconciliation of the general ledger to on-chain balances and custodian statements, with documented break investigation. For CASPs, MiCA's client asset segregation requirements make these reconciliations a regulatory expectation as well as a control.
- Custodian oversight — due diligence on third-party custodians, contractual terms on segregation and insolvency, and review of service organisation assurance reports (ISAE 3402 / SOC 1 type reports) under ISA 402.
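A sketch of the ledger-to-chain reconciliation control listed above, as an added example that is not part of the original article. It assumes each wallet's balance is read from two independent sources at the reporting-date block height; the wallet labels, source names, block height and balances are all constructed sample data.

```python
from decimal import Decimal

REPORTING_HEIGHT = 800_000  # constructed reporting-date block height

# Constructed sample data: ledger balances and two independent on-chain readings.
LEDGER = {"wallet-A": Decimal("12.50000000"), "wallet-B": Decimal("3.00000000"),
          "wallet-C": Decimal("1.25000000")}
READINGS = [  # (source, wallet, block height of reading, balance)
    ("explorer-1", "wallet-A", 800_000, Decimal("12.50000000")),
    ("explorer-2", "wallet-A", 800_000, Decimal("12.50000000")),
    ("explorer-1", "wallet-B", 800_000, Decimal("2.90000000")),
    ("explorer-2", "wallet-B", 800_000, Decimal("2.90000000")),
    ("explorer-1", "wallet-C", 800_000, Decimal("1.25000000")),
    ("explorer-2", "wallet-C", 800_012, Decimal("1.25000000")),
    ("explorer-1", "wallet-D", 800_000, Decimal("0.40000000")),
    ("explorer-2", "wallet-D", 800_000, Decimal("0.40000000")),
]

def reconcile(ledger, readings, height):
    """Return {wallet: [break descriptions]} for wallets needing investigation."""
    by_wallet = {}
    for source, wallet, h, bal in readings:
        by_wallet.setdefault(wallet, []).append((source, h, bal))
    breaks = {}
    for wallet in sorted(set(ledger) | set(by_wallet)):
        obs = by_wallet.get(wallet, [])
        # A reading taken at any other block is not evidence for the reporting date.
        found = [f"{s} read at block {h}, not {height}" for s, h, _ in obs if h != height]
        usable = {s: b for s, h, b in obs if h == height}
        if len(usable) < 2:
            found.append("fewer than two independent readings at reporting height")
        elif len(set(usable.values())) > 1:
            found.append("sources disagree on balance")
        elif wallet not in ledger:
            # Completeness: assets on chain that the ledger does not record.
            found.append("on-chain balance not recorded in ledger")
        else:
            chain = next(iter(usable.values()))
            if ledger[wallet] != chain:
                found.append(f"ledger differs from chain by {ledger[wallet] - chain}")
        if found:
            breaks[wallet] = found
    return breaks

if __name__ == "__main__":
    for wallet, items in reconcile(LEDGER, READINGS, REPORTING_HEIGHT).items():
        print(wallet, "->", "; ".join(items))
```

Balances are held as `Decimal` so that an eight-decimal-place difference is reported exactly rather than lost to floating-point rounding.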
Evidence: What Actually Works
The distinctive feature of digital asset audits is that some of the best evidence is cryptographic rather than documentary:
- On-chain verification — agree reported balances to the blockchain using independent block explorers or node software. Use more than one explorer (or run a node) rather than relying on a single untested source, and capture balances at the reporting date block height.
- Proof of control — the strongest evidence that the entity controls an address is a signed-message test: the auditor supplies unpredictable text, and the client signs it with the private key for the relevant address, proving control without moving funds. Alternatives include observed micro-transfers to and from the address at the auditor's direction. Perform these at or close to the reporting date, because control can be transferred instantly.
- Custodian confirmations — external confirmations under ISA 505 from regulated custodians, evaluated alongside the custodian's assurance reports and the auditor's assessment of the custodian's reliability. A confirmation from an unregulated offshore exchange may carry little evidential weight.
- Valuation testing — corroborate prices against the principal market, test the reasonableness of pricing sources, and challenge fair value hierarchy classification for illiquid tokens.
- Completeness procedures — analytical review of fiat on-ramps and off-ramps through bank statements, review of exchange account statements and API exports, blockchain analytics to trace flows from known addresses, and written representations regarding the completeness of disclosed wallets (recognising representations alone are weak evidence).
- Cut-off — blockchain timestamps give precise transaction timing, but pending transactions, exchange internal ledgers (which are off-chain) and staking lock-ups all complicate cut-off and need specific attention.
One scenario deserves particular care: assets held on a centralised exchange in an omnibus arrangement. Here the client typically has no on-chain address of its own — it has a contractual claim against the exchange, recorded only on the exchange's internal ledger. On-chain procedures cannot verify such a balance, because the exchange's wallets commingle many customers' assets. The evidence available is the exchange's statement, an external confirmation, and assurance over the exchange's own control environment — and the auditor must consider whether that package is sufficient, or whether the right answer is to treat the balance as a receivable-like exposure with heightened counterparty risk, reflected in classification, disclosure and possibly the audit opinion. Several enforcement cases internationally have turned on auditors accepting exchange screenshots as if they were bank confirmations; they are not.
Reporting and Documentation Considerations
Digital asset balances frequently drive key audit matters in listed-entity reports, particularly around existence, control of private keys and valuation. Going concern assessments should consider crypto market volatility and, for regulated clients, the consequences of losing MiCA authorisation. Documentation should make the link between identified risks and procedures explicit — regulators reviewing files in this area look hard at whether the team understood the technology or merely collected screenshots. Where the engagement relied on an expert, ISA 620 evaluation of their competence and work must be on file.
Building Audit Competence in Digital Assets
Audit teams do not need to become cryptographers, but they do need enough fluency to design responsive procedures and challenge management. Structured learning is the efficient route: focused CPD courses covering blockchain fundamentals, custody models and audit evidence techniques will equip seniors and managers to scope these engagements properly, and the topic now features in the audit papers of the ACCA qualification for those building towards sign-off responsibility.
Study with Learnsignal
Digital asset audits demand new evidence techniques layered onto familiar ISA requirements — and firms that build the capability early will win the work as MiCA-authorised clients enter the audit market. Learnsignal's flexible online CPD courses help qualified auditors and accountants develop practical digital assets expertise around their existing workload. Strengthen your audit toolkit for the engagements arriving now.
Learnsignal Education Team
Expert Tutor at Learnsignal
Qualified professional with years of experience in teaching and helping students achieve their accounting qualifications.

