Why Crypto Audits Are Different
Traditional financial statement audits rely on external confirmation from banks, counterparties, and custodians. For crypto assets, there is no bank to confirm balances — the auditor must verify asset existence directly on the blockchain. This requires technical skills most auditors lack: reading blockchain explorers, understanding wallet structures (HD wallets, multisig), and assessing smart contract risks.
Custody risk is the most critical audit area for crypto businesses. Who controls private keys? Are keys properly secured? Are there hot wallet / cold wallet splits? For exchange businesses, customer asset segregation is paramount — auditors must verify that exchange assets (proprietary) are not commingled with customer assets (liabilities). The FTX collapse in 2022 demonstrated what happens when this segregation breaks down.
DeFi adds another layer of complexity: assets locked in smart contracts may not be directly verifiable through standard blockchain explorers. Auditors must assess whether smart contract positions represent assets or contingent assets, whether liquidity pool positions are properly valued, and whether protocol risks (smart contract hacks, rug pulls) require disclosure or provision.
Financial Statement Audit
A financial statement audit provides an independent opinion on whether your financial statements give a true and fair view under IFRS or US GAAP. For crypto businesses, the key audit areas are: completeness of crypto asset balances, accuracy of fair value measurements, proper classification of crypto under the applicable standard, and adequacy of disclosures about risks and uncertainties.
Under IFRS, crypto assets are typically classified as intangible assets under IAS 38 (cost-less-impairment model for most entities, or revaluation model if an active market exists). Under US GAAP post-FASB ASU 2023-08, qualifying crypto assets are measured at fair value through net income. Auditors must assess whether the entity has applied the correct model and whether fair value measurements are supportable.
We prepare a comprehensive audit-ready package before the auditor's fieldwork begins: trial balance reconciled to blockchain data, crypto asset roll-forward schedule, fair value support documentation (price source, hierarchy level, methodology), and custody documentation. This typically reduces audit fees by 30–50% compared to going in unprepared.
Proof of Reserves Audit
A Proof of Reserves (PoR) audit is a cryptographic attestation that an exchange or custodian holds sufficient assets to cover all customer balances. Using Merkle tree methodology, the auditor can verify total assets match total customer liabilities without revealing individual customer balances. Each customer receives a unique cryptographic proof they can independently verify on-chain.
The Merkle tree construction works as follows: each customer account is a leaf node containing (hashed customer ID, asset balance). Leaf hashes are combined pairwise up the tree to produce a root hash that represents all customer balances. The auditor signs the root hash after verifying: (1) total exchange wallet balances on-chain equal or exceed total customer liabilities, and (2) the Merkle tree is correctly constructed with no negative balances or phantom accounts.
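The construction and the customer-side check described above, as an added example (not code from this page or from any exchange or auditor). It assumes SHA-256, a per-audit salt for hashing customer IDs, integer balances in the asset's smallest unit, zero-balance padding for odd levels, and a Merkle-sum variant in which every node also carries the sum of the balances beneath it, so the root commits to total liabilities; all names and sample data are constructed.

```python
import hashlib

PAD = (hashlib.sha256(b"pad").digest(), 0)  # zero-balance filler for odd levels

def _enc(n: int) -> bytes:
    if n < 0:  # a negative balance anywhere would understate liabilities
        raise ValueError("negative balance")
    return n.to_bytes(16, "big")  # fixed width keeps the hash input unambiguous

def leaf(customer_id: str, salt: bytes, balance: int):
    hashed_id = hashlib.sha256(salt + customer_id.encode()).digest()
    return (hashlib.sha256(b"\x00" + hashed_id + _enc(balance)).digest(), balance)

def parent(left, right):
    # 0x00 / 0x01 prefixes separate leaf hashes from interior-node hashes
    data = b"\x01" + left[0] + _enc(left[1]) + right[0] + _enc(right[1])
    return (hashlib.sha256(data).digest(), left[1] + right[1])

def build(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(PAD)
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    proof = []  # list of (sibling node, sibling_is_left) from leaf level upward
    for level in levels[:-1]:
        proof.append((level[index ^ 1], index % 2 == 1))
        index //= 2
    return proof

def verify(node, proof, root):
    try:
        for sibling, sibling_is_left in proof:
            node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    except (ValueError, OverflowError):  # negative or oversized sibling sum
        return False
    return node == root  # both the hash and the liability total must match

def reserves_cover(root, on_chain_total: int) -> bool:
    return on_chain_total >= root[1]  # auditor check (1) from the text

SALT = b"constructed-salt"  # constructed sample ledger below
LEDGER = [("alice", 120), ("bob", 75), ("carol", 305)]
LEAVES = [leaf(cid, SALT, bal) for cid, bal in LEDGER]
LEVELS = build(LEAVES)
ROOT = LEVELS[-1][0]
```

A customer runs `verify` with their own leaf and the proof they were given against the root the auditor signed; the auditor compares the root's total with the balances observed on-chain.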
Industry Note: Proof of Reserves audits are increasingly required or expected by regulators following the FTX collapse. Exchanges in Singapore (MAS), Dubai (VARA), and the EU (MiCA) are seeing PoR requirements introduced. Binance, OKX, Kraken, and most major exchanges now publish monthly PoR reports. We help prepare your exchange data for PoR attestation by specialist auditors.
VASP Regulatory Audit
Most VASP licensing frameworks require licensed entities to submit annual audited financial statements to their regulator, alongside an AML/CFT compliance audit. The financial audit confirms the entity is solvent, meets minimum capital requirements, and has adequate financial controls. The AML/CFT audit assesses compliance with the jurisdiction's AML obligations.
We prepare VASP regulatory audit packages specifically formatted to each regulator's requirements: Lithuania (FCIS), Estonia (FIU), Malta (MFSA), Cyprus (CySEC), UK (FCA), Singapore (MAS), UAE (VARA, CBUAE), and Cayman (CIMA). Each has different filing deadlines, financial statement formats, and supplementary schedule requirements.
| Jurisdiction | Filing Deadline | Audit Required | Special Requirements |
|---|---|---|---|
| EU (MiCA CASPs) | 4 months after year-end | Yes (ISA) | Capital adequacy schedule |
| UK FCA | 4 months after year-end | Yes (ISAs UK) | CASS audit for client money |
| Singapore MAS | 5 months after year-end | Yes (Singapore SAS) | Operational risk disclosure |
| Dubai VARA | 3 months after year-end | Yes | PoR attestation |
| Cayman CIMA | 6 months after year-end | Yes (IFRS) | Fund: auditor pre-approval |
Our Audit Support Services
We act as your audit preparation and coordination team — we don't conduct the audit ourselves (that requires an independent external auditor), but we ensure you are fully prepared before the auditor's fieldwork begins, which dramatically reduces time and cost.
- Crypto asset roll-forward schedule (opening, additions, disposals, revaluations, closing)
- Blockchain verification packages — on-chain evidence for each wallet balance
- Exchange balance confirmation coordination — liaising with exchanges on behalf of auditors
- Fair value support documentation — price sources, hierarchy levels, methodology memos
- Custody documentation — private key controls, multisig arrangements, custodian agreements
- DeFi position analysis — protocol descriptions, smart contract addresses, valuation methodology
- Auditor selection support — connecting you with the right audit firm for your jurisdiction and size
- Audit query management — responding to auditor information requests on your behalf