#1: Seed & Private Key Security
Do you self custody your cryptoassets? Your auditor wants to see your internal controls as they relate to both master seed and private key security.
Master Seed Key
The master seed is typically a sequence of 12 to 24 words, which is more memorable than a string of numbers and letters.
Your private and public key pairs are generated from this master seed, so you can back up and recreate your wallet should it be lost or destroyed. Your auditor will want to evaluate your "business continuity and disaster recovery plan".
If you printed your master seed, or it is stored digitally in any format, consider it to be compromised. Your auditor will want to evaluate the type of access controls (e.g. physical and logical) over your master seed.
Memorizing your master seed has also been referred to as a "brainwallet". For an interesting story of how brainwallets have been used, see this New York Times article, which chronicles the creative ways Venezuelans cross the border without being stripped of their valuables by corrupt Venezuelan military personnel.
Unlike your master seed, your private key consists of a string of numbers and letters, for example KzRrXXSr9v2HYKEiPR3bNs1FdnBguFabaHwscWYgvWbtHwxqYuT7, and it is generated from your master seed.
So you can think of your master seed as the private key to all your private keys.
You use your private key to sign transactions (e.g. sending crypto from one public key address to another) and messages.
Hardware wallets like the Trezor or Ledger keep the private key locked in the device and never reveal it. These types of wallets are known as Hierarchical Deterministic Wallets, or "HD wallets", because the private and public keys are "determined" from the master seed key.
Your auditor needs to know the type of wallets being used and how your private keys are stored and protected.
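The derivation chain described above (words, then seed, then master key, then child keys) is what makes the master seed "the private key to all your private keys". The following is an added illustration, not code from the original article: it implements, with only the Python standard library, the BIP39 mnemonic-to-seed step and the BIP32 master and hardened-child derivation that Trezor- and Ledger-style HD wallets use, and then encodes a private key in the same Wallet Import Format (WIF) as the K...-prefixed example key shown earlier. The mnemonic used as input is the publicly known BIP39 test phrase (eleven "abandon" words plus "about"), chosen here as a constructed sample precisely because it is not secret; the point for an auditor is that anyone holding the words, whether on paper or in a file, can run exactly this computation and regenerate every key.

```python
"""Mnemonic -> seed -> master key -> hardened child -> WIF, standard library only.

Added example for the seed/private-key discussion above; not the article's own code.
Input mnemonic is the published BIP39 test vector (entropy of all zero bits), used as a
constructed sample and never to be used for real funds.
"""
import hashlib
import hmac
import unicodedata
from typing import Dict, Tuple

# Order of the secp256k1 group; a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample: the standard BIP39 test mnemonic (12 words).
TEST_MNEMONIC = ("abandon " * 11 + "about").strip()


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase, 64-byte seed."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, 64)


def seed_to_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32: HMAC-SHA512 keyed with 'Bitcoin seed'; left half is the master private key,
    right half is the chain code used for child derivation."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(key, "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key; BIP32 says this seed must be rejected")
    return key, chain_code


def derive_hardened_child(parent_key: bytes, parent_chain: bytes, index: int) -> Tuple[bytes, bytes]:
    """BIP32 hardened child (index + 2**31). Needs only the parent private key and chain code,
    so no elliptic-curve point arithmetic is required for this path."""
    hardened_index = index + 0x80000000
    data = b"\x00" + parent_key + hardened_index.to_bytes(4, "big")
    digest = hmac.new(parent_chain, data, hashlib.sha512).digest()
    left = int.from_bytes(digest[:32], "big")
    child = (left + int.from_bytes(parent_key, "big")) % SECP256K1_N
    if left >= SECP256K1_N or child == 0:
        raise ValueError("invalid child key; BIP32 says skip to the next index")
    return child.to_bytes(32, "big"), digest[32:]


def base58check(payload: bytes) -> str:
    """Base58 with a 4-byte double-SHA256 checksum appended (Bitcoin's address/WIF encoding)."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    # Each leading zero byte is represented by a leading '1'.
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + out


def private_key_to_wif(key: bytes, compressed: bool = True) -> str:
    """Bitcoin mainnet WIF: 0x80 || key || (0x01 if compressed) || checksum, Base58.
    Compressed-key WIFs start with 'K' or 'L', like the example key in the article."""
    return base58check(b"\x80" + key + (b"\x01" if compressed else b""))


def decode_wif(wif: str) -> bytes:
    """Reverse of private_key_to_wif: verify the checksum and return the 32-byte key."""
    n = 0
    for ch in wif:
        n = n * 58 + BASE58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(wif) - len(wif.lstrip("1"))) + raw
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("bad WIF checksum")
    if payload[0] != 0x80:
        raise ValueError("not a mainnet private key")
    return payload[1:33]


def wallet_from_mnemonic(mnemonic: str, passphrase: str = "") -> Dict[str, str]:
    """Everything that can be regenerated from the words alone: seed, master key, first hardened child.
    Deterministic, so a backup of the words is equivalent to a backup of every key."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    master_key, chain = seed_to_master_key(seed)
    child_key, _ = derive_hardened_child(master_key, chain, 0)
    return {
        "seed_hex": seed.hex(),
        "master_wif": private_key_to_wif(master_key),
        "child_0h_wif": private_key_to_wif(child_key),
    }


if __name__ == "__main__":
    for name, value in wallet_from_mnemonic(TEST_MNEMONIC, "TREZOR").items():
        print(f"{name}: {value}")
```

Two things in the output are worth pointing out to an auditor. First, running the block twice on any machine gives identical keys, which is why the words alone are a complete backup and a complete compromise. Second, the optional BIP39 passphrase changes the seed entirely, so a control that stores the words and the passphrase separately is materially stronger than one that stores the words alone, provided the passphrase itself is covered by the continuity plan.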
Registered hedge funds, asset managers, endowments, pension funds and the like, from a regulatory standpoint, can't self custody and must make use of qualified custodians.
For some time, this was one of the primary roadblocks for institutional capital to enter this new asset class. Thankfully, institutional-grade crypto custody solutions have arrived. A few examples include BitGo, Coinbase, Gemini and Fidelity.
The custodian will control the private key and therefore access to the cryptoassets. Thus the auditor will want to see how their client has evaluated the security controls of their custodian.
An auditor would want to evaluate the controls in place to ensure an entity is selecting and applying an appropriate accounting policy.
These controls should include determining the value, the cost basis, recognition and measurement of gains and losses, impairment and disclosures of cryptoassets to name a few.
For example, if investment company accounting is deemed applicable (typically for funds with investments measured at fair value), the auditor will want to evaluate the entity's selection of a principal (or most advantageous) market, whether that market provides relevant and reliable price and volume information (no fake volumes!), and the level in the fair value hierarchy.