You are reading an excerpt from our free but shortened abridged report! While still packed with incredible research and data, for just $20/month you can upgrade to our FULL library of 50+ reports (including this one) and complete industry-leading analysis on the top crypto assets.
Becoming a Premium member means enjoying all the perks of a Basic membership PLUS:
- Full-length CORE Reports: More technical, in-depth research, actionable insights, and potential market alpha for serious crypto users
- Early access to future CORE ratings: Being early is sometimes just as important as being right!
- Premium Member CORE+ Reports: Coverage on the top issues pertaining to crypto users like bridge security, layer two solutions, DeFi plays, and more
- CORE report Audio playback: Don’t want to read? No problem! Listen on the go.
Audits
TradFi Custody and Audits
The concept of custody for digital assets, especially managed or third-party custody, is still largely misunderstood and under-explored. In traditional finance, a custodian institution is responsible for safeguarding a client's securities, such as stocks or bonds, and preventing loss or theft. This typically involves managing electronic or physical records that are administered by financial services firms, which are connected to the centralized depositary, clearance, and settlement systems.
A complex web of legal, regulatory, and industry conventions has developed to govern traditional custody, providing large pension funds with the confidence that their assets are securely held by banks and other managers. These assets are visible for accounting purposes and can be traded when necessary. However, the same level of understanding and confidence in digital asset custody has not yet been established.

Audits vs. Attestations vs. PoR
A bank's financials are audited through a systematic and comprehensive process conducted by external auditors to evaluate the bank's financial records, internal controls, and compliance with applicable laws and regulations. The objective of a bank audit is to express an opinion on the accuracy and fairness of the bank's financial statements, ensuring that they are free from material misstatement and are prepared in accordance with the relevant accounting standards.
The auditing process loosely follows the following steps:
- Planning and risk assessment: Auditors begin by obtaining an understanding of the bank's business, operations, and environment. They assess the inherent and control risks associated with the bank's various activities, such as lending, investments, and deposits. Based on this assessment, they develop an audit plan outlining the scope, objectives, and procedures to be performed.
- Internal control evaluation: Auditors review and assess the bank's internal control systems, which include policies, procedures, and processes designed to safeguard assets, ensure accurate financial reporting, and promote operational efficiency. They evaluate the effectiveness of these controls in mitigating risks and identify any weaknesses that may lead to errors or fraud.
- Substantive testing: This phase involves testing the bank's financial transactions, balances, and disclosures to verify their accuracy and completeness. Auditors use various techniques, such as vouching, tracing, analytical procedures, and confirmations, to gather sufficient audit evidence. They may also examine specific areas of concern, such as loan loss provisions, investment valuations, and regulatory compliance.
- Audit documentation: Throughout the audit process, auditors maintain detailed workpapers documenting the procedures performed, evidence obtained, and conclusions reached. These workpapers serve as a basis for the audit opinion and are subject to review by regulators and peer reviewers.
- Reporting and communication: Upon completing the audit, auditors prepare a report outlining their findings, conclusions, and opinion on the bank's financial statements. This report is usually presented to the bank's board of directors or audit committee, who are responsible for overseeing the bank's financial reporting process. Auditors may also communicate any significant control deficiencies, non-compliance issues, or other matters that require management's attention.
The idea of having an audit that provides certainty on a daily or weekly basis to customers, the government, or the public regarding a custodial institution’s assets is currently nonexistent in traditional audit practices. Financial statement audits are costly, time-consuming, infrequent, and cover a broader range of topics than reserve management. They usually involve sampling rather than examining all client assets. Because of this, there are various forms of third-party assurance available depending on the level of assurance required and the intended audience.
A formal audit and an attestation are both assurance services provided by certified public accountants (CPAs) or other qualified professionals. A CPA auditor can provide an Agreed-Upon Procedures attestation engagement, which can provide a high level of assurance to specific users of a digital asset platform. However, there are key differences between the two.
- Formal audit: A formal audit is a comprehensive examination of an organization's financial statements. It covers all aspects of the financial reporting process, including the accuracy and completeness of financial transactions, the effectiveness of internal controls, and compliance with relevant accounting standards and regulations.
- Attestation: An attestation engagement is more focused and specific in scope, dealing with a particular subject matter or assertion made by the organization's management. This can include a variety of financial or non-financial information, such as the effectiveness of internal controls over financial reporting, compliance with specific regulations, or the accuracy of specific performance indicators.
- Formal audit: In a formal audit, the auditor provides a high level of assurance, referred to as "reasonable assurance," that the financial statements are free from material misstatement. This is achieved through a combination of risk assessment, internal control evaluation, and substantive testing procedures.
- Attestation: In an attestation engagement, the level of assurance provided can be either "reasonable assurance" or "limited assurance," depending on the nature of the subject matter and the procedures performed. Limited assurance engagements involve less extensive procedures than reasonable assurance engagements, resulting in a lower level of assurance being provided.
Additionally, with an attestation, the report can only be shared with those parties specified for the engagement and isn't available to the general public. While this type of assurance may be sufficient for some customers, others may require a higher level of assurance provided by an independent third party. In such cases, the highest level of assurance is provided in the form of an attestation report issued by an independent CPA auditor in accordance with professional standards set by bodies, such as the AICPA.
The AICPA’s Auditing Standards Board has issued Statement on Standards for Attestation “SSAE” No. 21, Direct Examination Engagements, which allows for two types of examinations that can form the basis for reports to be issued by independent CPA auditors: assertion-based examination (amended) and direct examination (new). While the SOC 1 and SOC 2 reports issued by independent CPA auditors provide assurance over the environment of internal control of financial reporting and IT systems from which PoPR data is generated, a Direct Examination Engagement might allow for an independent CPA auditor to measure PoPR data (i.e., Merkle Tree) and report on the results.
However, it may be challenging for an independent CPA auditor to provide a report that's near real-time or more frequent than monthly or quarterly, which may or may not be sufficient for all users. The examinations are written reports that cover data as of a point in time and a historical period of time. It may not be possible to automate all of the procedures needed to support these reports’ issuance for real-time reporting. This is one instance in which dealing with cryptocurrencies and the blockchain can help.
Proof of Reserves offers a complementary solution. Proof of Reserves enables CEXs to cryptographically verify their funds in an on-chain and transparent manner. It’s more frequent, narrow in scope, and relatively inexpensive. It doesn’t necessarily require an audit firm, as BitMEX and Deribit have shown by having some of the best PoRs without audit oversight.
However, there are a few potential cost-prohibitive factors to consider. For instance, requiring exchanges to cover 100% of assets by AUM with PoR would be expensive, given that many exchanges have a long tail of smaller assets that would require a new treatment for each blockchain or L2. Instead, a high, but achievable threshold, such as 75% or 90%, could be established.
Requiring PoRs to be supervised by audit firms could also be exclusionary, as there are currently no active CPA firms that oversee PoRs. Asking exchanges to pay a significant amount of money and persuade audit firms to enter the business would disfavor smaller exchanges. Additionally, audits are at best a quarterly undertaking, while PoRs provide the best assurances when done weekly or monthly. Hence, requesting a slower cadence as required by audit firm oversight would inhibit some of the guarantees that PoR provides. Instead, a frequent PoR (perhaps monthly) with periodic audit oversight and a sunrise period for audit firms to re-enter the market could be considered.
Previously, the process of Proof of Reserves (PoR) in crypto was overseen by CPA firms, such as Armanino and Mazars. However, these firms didn't represent PoRs as “audits.” Instead, they were described as “Agreed Upon Procedures” engagements, which are defined by the AICPA as an attestation engagement where a practitioner performs specific procedures on the subject matter and reports the findings without providing an opinion or conclusion. This type of engagement is typically done for the private benefit of a third party and is a way of surfacing facts in a controlled manner and sharing them officially with that third party.
The auditor provides no assurance or opinion. Both Mazars and Armanino were careful not to characterize these engagements as audits. If there was any misrepresentation, it was on the side of the exchanges, who used the term “audit” in a more colloquial sense to refer to their PoRs. Thus, it's unfair to characterize these PoRs as “sham audits.” At present, there are no rigorous accounting standards for exchange PoRs, so it's best to describe them as a “procedure” or an “attestation” rather than an audit.
