Bitcoin Advisory is currently under construction, please subscribe to our monthly newsletter for updates.
The use of bitcoins by an entity changes the risks of material misstatement. To identify and assess these risks you must understand the Bitcoin environment, the entity's use of bitcoins, and its internal controls. This assessment forms the basis of future substantive audit testing.
The procedures you should use for assessing the risks associated with bitcoin transactions are the same as for all assertions:
The challenge is that the performance of these procedures can differ significantly from methods used with legacy cash systems. This page clarifies the risk assessment procedures for bitcoin-using audit clients.
- Inquiries of entity personnel
- Analytical procedures
- Observation and inspection
The Bitcoin protocol, network, and software present unique external risk factors for firms that only use bitcoins as a form of payment as well as for firms that hold and trade bitcoins or use the blockchain. The wider Bitcoin ecosystem the firm operates within is also a source of external risk factors. External risk factors unrelated to the Bitcoin network or the use of bitcoins fall outside of the scope of this analysis.
Entities operating within the Bitcoin industry have significantly different business models which give rise to unique risks of material misstatements. This section identifies three specific industry segments and the external factors which may increase or lower the risk of a material misstatement.
Business risk is outside of the scope of this section as it does not relate to Bitcoin.
Internal control is designed, implemented, and maintained to address identified business risks that threaten the achievement of any of the entity's objectives that concern:
The way in which internal control is designed, implemented, and maintained varies with an entity's size and complexity. Internal control, no matter how effective, can provide an entity with only reasonable assurance about achieving the entity's financial reporting objectives.
- the reliability of the entity's financial reporting,
- the effectiveness and efficiency of its operations, and
- its compliance with applicable laws and regulations
The division does not necessarily reflect how an entity designs, implements, and maintains internal control or how it may classify any particular component. Auditors may use different terminology or frameworks to describe the various aspects of internal control and their effect on the audit other than those used in this section, provided that all the components described in this section are addressed.
IS includes the related business processes relevant to financial reporting and communication. Generally, IT benefits an entity's internal control by enabling an entity to:
- consistently apply predefined business rules and perform com- plex calculations in processing large volumes of transactions or data;
- enhance the timeliness, availability, and accuracy of information; facilitate the additional analysis of information;
- enhance the ability to monitor the performance of the entity's ac- tivities and its policies and procedures;
- reduce the risk that controls will be circumvented; and
- enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and op- erating systems
IT also poses specific risks to an entity's internal control, including, for example:
- reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
- unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of trans- actions. Particular risks may arise when multiple users access a common database. the possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
- unauthorized changes to data in master files.
- unauthorized changes to systems or programs.
- failure to make necessary changes to systems or programs. inappropriate manual intervention.
- potential loss of data or inability to access data as required.
Controls in a manual system may include such procedures as approvals and reviews of transactions and reconciliations and follow- up of reconciling items. Alternatively, an entity may use automated procedures to initiate, authorize, record, process, and report transactions, in which case records in electronic format replace paper documents.
Manual elements in internal control may be more suitable when judgment and discretion are required, such as for the following circumstances:
- Large, unusual, or nonrecurring transactions
- Circumstances in which errors are difficult to define, anticipate, or predict
- Changing circumstances that require a control response outside the scope of an existing automated control
- Monitoring of the effectiveness of automated controls