Crypto Funds: 3 Internal Controls Your Auditor Wants to See

Nov 08, 2019

#1: Seed & Private Key Security

Do you self-custody your cryptoassets? Your auditor will want to see your internal controls for both master seed and private key security.

Master Seed Key

The master seed is typically a sequence of 12 to 24 words, which is easier to remember than a string of numbers and letters.

Your private and public key pairs are generated from this master seed, so you can back up and recreate your wallet should it be lost or destroyed. Your auditor will want to evaluate your "business continuity and disaster recovery plan".

If you have printed your master seed, or it is stored digitally in any format, consider it compromised. Your auditor will want to evaluate the type of access controls (e.g. physical and logical) around your master seed.

Memorizing your master seed has also been referred to as a "brainwallet". For an interesting story of how brainwallets have been used, see this New York Times article that chronicles a fascinating story of how Venezuelans think of creative ways to cross the border without being stripped of their valuables by corrupt Venezuelan military personnel.

Private Key

Unlike your master seed, your private key consists of a string of numbers and letters generated from your master seed, for example: KzRrXXSr9v2HYKEiPR3bNs1FdnBguFabaHwscWYgvWbtHwxqYuT7

So you can think of your master seed as the private key to all your private keys.

You use your private key to sign transactions (e.g. sending crypto from one public key address to another) and messages.

Hardware wallets like the Trezor or Ledger never reveal your private key, which stays locked inside the device. These types of wallets are known as Hierarchical Deterministic Wallets or "HD Wallets", as the private and public keys are "determined" from the master seed key.
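The derivation chain described above (memorised words, then master seed, then master private key, then a child private key shown in the same WIF format as the example key earlier) can be walked through in a few dozen lines. This is an added illustration, not code from the article or from any wallet vendor; it uses only the Python standard library, follows the BIP39/BIP32 specifications, and checks itself against those specifications' published test vectors.

```python
"""Memorised words -> master seed -> HD master key -> hardened child -> WIF (BIP39 / BIP32)."""
import hashlib
import hmac
import unicodedata

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39: stretch the word list into the 64-byte binary master seed.
    Anyone holding these words (printed, photographed, in a text file) can do the same."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def master_key(seed):
    """BIP32: one HMAC-SHA512 over the seed yields the master private key and chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def hardened_child(k_par, c_par, index):
    """Derive hardened child m/index' (index' = index + 2**31) from a parent private key."""
    data = b"\x00" + k_par.to_bytes(32, "big") + (index + 0x80000000).to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    return (int.from_bytes(digest[:32], "big") + k_par) % SECP256K1_N, digest[32:]


def to_wif(k, compressed=True):
    """Wallet Import Format: 0x80 || key [|| 0x01] || first 4 bytes of double-SHA256, base58."""
    payload = b"\x80" + k.to_bytes(32, "big") + (b"\x01" if compressed else b"")
    payload += hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(payload, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    leading_zeros = len(payload) - len(payload.lstrip(b"\x00"))  # each encodes as '1'
    return "1" * leading_zeros + out


if __name__ == "__main__":
    # BIP39 test vector: 12 x "abandon" + "about", passphrase "TREZOR" (not a real wallet).
    seed = mnemonic_to_seed(" ".join(["abandon"] * 11 + ["about"]), "TREZOR")
    k, c = master_key(seed)
    k0, _ = hardened_child(k, c, 0)
    print("master WIF :", to_wif(k))
    print("m/0' WIF   :", to_wif(k0))
```

Every private key the wallet ever uses is recoverable from the words alone, which is why the auditor treats access controls around the seed as controls over the assets themselves.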

Your auditor needs to know about the type of wallets being used and how your private keys are being stored and protected.

#2: Counterparty Risk

Registered hedge funds, asset managers, endowments, pension funds and the like cannot, from a regulatory standpoint, self-custody and must make use of qualified custodians.

For some time this was one of the primary roadblocks to institutional capital entering this new asset class. Thankfully, institutional-grade crypto custody solutions have arrived; a few examples include BitGo, Coinbase, Gemini and Fidelity.

The custodian will control the private key and therefore access to the cryptoassets. Thus the auditor will want to see how their client has evaluated the security controls of their custodian.

For example:

  • Their cold storage process and segregated addresses. It is easier to audit if the custodian isn't lumping your bitcoin and other clients' bitcoin into the same public key address, because the auditor can then verify the balance independently on the respective blockchain.
  • Institutional grade policy controls (e.g. spending limits, multi-approval process, whitelisted addresses)
  • Comprehensive insurance in the event of hacks/theft/loss of private keys
  • SOC reports
  • [New] Have they been audited by the new CryptoCurrency Security Standard Auditor (CCSSA)?

#3: Accounting Policy

An auditor would want to evaluate the controls in place to ensure an entity is selecting and applying an appropriate accounting policy.

These controls should include determining the value, the cost basis, recognition and measurement of gains and losses, impairment and disclosures of cryptoassets to name a few.

For example, if investment company accounting is deemed applicable (typically for funds with investments measured at fair value), the auditor will want to evaluate the entity's selection of a principal (or most advantageous) market, whether that market provides relevant and reliable price and volume information (no fake volumes!) and the level in the fair value hierarchy.
