When launching a private investment fund which holds digital assets (also referred to as cryptocurrencies or “crypto”) there are several different considerations that investment managers need to take into account when preparing for their audits. The most challenging issue with crypto fund audits is custody, or more simply stated, ensuring that fund investments are where they are supposed to be, which is called “existence.”
In a typical hedge fund, this is all fairly straight forward. The assets will be held at a qualified custodian such as JP Morgan, Goldman Sachs, etc. where the auditor can request confirmation that they are indeed holding the assets. Given the controls in place at each of these reputable counterparties, auditors can place reliance upon the reports received, as these qualified custodians typically will obtain a SOC 1 report from an external auditor, which focuses on the custodians’ internal control environment.
However, with crypto assets the problem is that there are not yet sufficient custodians in the market, particularly ones with SOC 1 reports that meet the standards to be considered a qualified custodian under the SEC Custody Rule. There are only a few custodians who have such a framework in place (e.g., Coinbase and Gemini).
Right now, many third-party custodians who meet the rigor of being consider a qualified custodian do not accept all tokens. In many instances, funds are forced to self-custody certain tokens using their own hard disk ledger wallets, also known as cold storage.
One of the largest areas of a crypto fund audit, which typically isn’t overly risky for a traditional hedge fund, will be custody. Auditors need to obtain comfort over the existence of the funds’ investments. To do so, the auditor will need to ascertain what the custody position is for the fund, if the fund has a custodian, and does that custodian generate any sort of report on their internal controls such as a SOC 1 report.
In the event the manager self-custodies, a number of important concerns will arise, like who has access to the cold storage? How are they protecting the private keys? What back-ups do they have in place in the event the manager misplaces the hard drive ledger, or it gets stolen? These are all items that need to be considered. Managers should have controls that address each of these questions, as a well-informed auditor will need to understand the controls and processes in place in order to mitigate these risks.
Some good news for the accounting industry was that in the summer of 2020, the AICPA published non-authoritative guidance on how to audit cryptocurrencies. This publication gave much needed relief to auditors and helped determine how auditors could mitigate audit risk in areas such as custody. The guidance didn’t have any silver bullets or one-size-fits-all approaches. However, storing your tokens with a third-party custodian with a SOC 1 and well documented controls will make for a smoother audit.
Another area which was discussed in the AICPA practice aide was valuation. As part of launching a new fund, managers should also be closely discussing with their auditors their valuation policy. There are several nuances in the crypto space.
For example, some tokens are traded on different exchanges. In the last few months there have been some significant spikes in volatility which have created spreads across different exchanges. So, coming up with a solid valuation policy to determine how the manager arrives at a fair market price for each position is critical. Otherwise, managers could be perceived to be picking one exchange over another in different scenarios, which will not sit well with auditors or regulators.
As the market capitalization of cryptocurrencies expands by the day, more and more crypto funds will enter the market and will require better reporting and accounting policies as these products will be a focus of the regulators. Developing a reasonable audit approach along with documented procedures for valuation and other operational considerations are a must for any new market participant.