The Challenges of Auditing Crypto: Grant Thornton Edition

Even as they have gained traction as investment instruments, cryptocurrencies still have several problem areas in their ecosystem. The transparency of blockchain transactions is negated by the complexity and nascence of the underlying technology. For investment firms and financial services companies, new technologies can be problematic because they affect trust and compliance.

Chicago-based accounting firm Grant Thornton recently announced that it has audited more than $10 billion in cryptoassets, covering more than 40 different cryptocurrencies across 100 million addresses, during the first three months of this year. That amount represents the total sum of audited cryptocurrencies from clients that hold coins in either their own name or for trading purposes, says Markus Veith, a leader in Grant Thornton’s Digital Assets Practice.

The firm started on its crypto journey four years ago. “It was a measured risk,” says Veith, of the firm’s move into cryptocurrencies. In the absence of established accounting standards for cryptocurrencies, the firm has customized best practices from existing GAAP standards. It also regularly consults and shares best practices with other accounting firms.

The list of cryptocurrencies audited by Grant Thornton is diverse and includes established and high-profile names, such as Bitcoin and Ethereum, and cryptocurrencies like Dogecoin, considered by some to be a joke cryptocurrency. Veith says that the choice of coins was driven by client demand. Because each cryptocurrency has unique characteristics and use cases, Veith’s team developed more than a dozen ways to test them.

The Challenges of Cryptocurrency Auditing  

Cryptocurrency audits can be challenging, given the nature of blockchain technology. Within a typical audit, bank statements and balance amounts can be trusted to reflect an accurate account picture at a certain point in time.

But blockchains are decentralized and their technology is still under development. Johnny Lee, national practice leader at Forensic Technology Solutions at Grant Thornton, outlines two specific problems with the technology.

The first one is that blockchain explorers, which list all transactions pertaining to addresses for a given coin, do not exist for all cryptocurrencies. The second problem with crypto auditing is that explorers also do not always satisfy conditions required for an audit. “The explorers themselves are such new and untested technology that we cannot rely on them to confirm asset ownership tests,” says Lee.

As an example, he points to Bitcoin’s blockchain explorer which, he says, cannot display the balance for a given address at a specific point in time. “To arrive at that balance, you need to recreate transactional history for that address all the way back to the Genesis block (the first block ever mined using Bitcoin),” he says. Further, available data needs to be parsed with custom data elements to create connections for an audit trail.

“Even in those instances, the answer cannot be provided at scale,” says Lee. This is because a simple database query on a blockchain explorer is not sufficient to generate results. Both Veith and Lee point to Ripple’s network of independent nodes as a “monster” and a great example of the complexities of cryptocurrency auditing.
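The point-in-time balance reconstruction Lee describes, replaying an address's history from the Genesis block, looks like this in a simplified UTXO model. This is an added example, not Grant Thornton's tooling; the `Tx`/`Block` structures, the `balance_at` function, and the sample chain with its placeholder addresses and transaction IDs are constructed for illustration.

```python
from collections import namedtuple

# Constructed, simplified UTXO ledger model (not real Bitcoin serialization).
# Tx.inputs: [(txid, vout)] outpoints spent; Tx.outputs: [(address, sats)].
Tx = namedtuple("Tx", "txid inputs outputs")
Block = namedtuple("Block", "height txs")

def balance_at(blocks, address, as_of_height):
    """Replay from genesis through as_of_height; return (balance, audit_trail)."""
    utxos = {}   # (txid, vout) -> (owner, sats) for every currently unspent output
    trail = []   # (height, txid, net change in sats) for each tx touching address
    expected = 0
    for block in sorted(blocks, key=lambda b: b.height):
        if block.height > as_of_height:
            break
        if block.height != expected:
            raise ValueError(f"block {expected} missing: history is incomplete")
        expected += 1
        for tx in block.txs:
            delta, touched = 0, False
            for outpoint in tx.inputs:
                if outpoint not in utxos:
                    raise ValueError(f"{tx.txid} spends unknown output {outpoint}")
                owner, sats = utxos.pop(outpoint)
                if owner == address:
                    delta, touched = delta - sats, True
            for vout, (owner, sats) in enumerate(tx.outputs):
                utxos[(tx.txid, vout)] = (owner, sats)
                if owner == address:
                    delta, touched = delta + sats, True
            if touched:
                trail.append((block.height, tx.txid, delta))
    if expected <= as_of_height:
        raise ValueError("ledger ends before the requested height")
    balance = sum(s for owner, s in utxos.values() if owner == address)
    return balance, trail

COIN = 100_000_000  # satoshis per bitcoin
SAMPLE_CHAIN = [    # constructed sample data; addresses and txids are placeholders
    Block(0, [Tx("cb0", [], [("addr_client", 50 * COIN)])]),
    Block(1, [Tx("cb1", [], [("addr_miner", 50 * COIN)]),
              Tx("t1", [("cb0", 0)], [("addr_vendor", 20 * COIN), ("addr_client", 30 * COIN)])]),
    Block(2, [Tx("cb2", [], [("addr_miner", 50 * COIN)]),
              Tx("t2", [("t1", 0)], [("addr_client", 5 * COIN), ("addr_vendor", 15 * COIN)])]),
    Block(3, [Tx("t3", [("t1", 1), ("t2", 0)], [("addr_exchange", 35 * COIN)])]),
]

if __name__ == "__main__":
    for h in range(4):
        print(h, balance_at(SAMPLE_CHAIN, "addr_client", h)[0] / COIN)
```

A gap in the block sequence or a spend of an output the replay has never seen raises an error instead of returning a figure, since a balance derived from incomplete history cannot support an ownership test.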

Another problem pertaining to crypto audits is the pseudonymous nature of cryptocurrencies. Blockchain addresses mask identities for crypto owners, making the audit process more difficult and time-consuming. While it is possible to trace crypto owners through their addresses (the FBI has done it in the past), pseudonymous addresses “stymie” the process due to the challenging architecture, says Lee. Privacy coins, which are completely anonymous, further complicate the process of identifying coin ownership.   

Forensic Nodes: A Possible Solution?  

Grant Thornton has developed forensic nodes and other proprietary technology to seek out answers to these questions. Lee says the nodes enable the firm to “interrogate” a ledger in the manner of a normal accounting ledger used for auditing. He did not provide details regarding a typical forensic node’s composition but indicated that they consist of entire blockchains or log files for a cryptocurrency. His team runs the firm’s proprietary technology to reconcile entries. For privacy coins, they go through a series of different steps to arrive at key data conclusions relating to audits.