CASE III (FTX) - A RUN ON THE (CRYPTO) BANK?

1. Definition of assurance service engagements and identify how accountant engagements on proof
of reserve reports meet this definition (Module A).

Assurance Service Engagements:

Generally offered by audit firms or accountants, assurance services are expert services meant to
enhance the context or caliber of data for decision-makers. An assurance engagement is one in which a
practitioner expresses a conclusion designed to raise the level of confidence of the intended users aside
from the responsible party regarding the outcome of the evaluation or measurement of a subject matter
in relation to criteria (WebsiteNI & Preston, 2022).
Application to Proof of Reserves Reports:
PwC defines Proof of Reserves (henceforth referred to as “PoR”) as under (Mingard & Stolzenberg,
n.d.):
Proof of Reserves is the result of a set of procedures, usually conducted by an independent
third-party, to provide transparency on the digital assets held on addresses controlled by a
custodian or exchange.
Accordingly, we may argue that the assurance services definition is met by accountants' work on PoR
reports for crypto-currency exchanges. In these engagements, the accountants assess the
documentation that the exchanges give to confirm the existence and ownership of the digital assets
that are purportedly held on behalf of customers. Essentially, the PoR report tests the existence
assertion of the management over crypto assets, further qualifying it as an attestation engagement
(Wade, 2023). Through this process, stakeholders are assured of the exchange's capacity to meet its
obligations to its customers by evaluating the veracity and correctness of the exchange's assertions
regarding its reserves.
Despite being categorized as an assurance or attestation service, the PoR reporting has several flaws
and weaknesses. For instance:
1) No customer-wise segregation of assets: Although the exchange is the custodian of crypto
assets, it has no legal obligation to segregate assets, customer-wise. This means that the PoR
report doesn't tell customers that the assets they may believe are theirs actually are theirs.
Hence, in the case of a bankruptcy filing, these assets could become part of the bankruptcy
estate, instead of being returned to customers (Vigna, 2022).
2) Single snapshot in time: The PoR report only offers a single snapshot of the existence of
assets, not a live accounting of balances overtime. These balances may fluctuate in a matter of
minutes or even seconds, given the nature of crypto assets and their transactions (Wade, 2023),
(PCAOB, 2023).

1
 3) Only on-chain assets are reported: The PoR reports only show the “on-chain assets” of the
custodian; it does not track where those assets come from. If the company borrowed those
assets only for audit purposes, the auditors usually cannot track. (Wade, 2023), (PCAOB,
2023).
4) No uniform standards: There are no uniform and standard procedures for preparing PoR
reports. It is usually based on “agreed-upon procedures” between the auditor and the
management of client (PCAOB, 2023). This calls into question the quality of such procedures
and prevents results from being comparable across the industry (Mingard & Stolzenberg, n.d.).
Due to these limitations, PCAOB has warned the investors that they must exercise extreme caution
when relying on PoR reports to conclude that there are sufficient assets to meet customer liabilities
(Steinhardt, 2023).
Difference of opinion as to whether PoR engagement counts as an assurance service:
Mazars, a renowned accountancy firm based in France, which has conducted crypto audits in past but
seized to do so in the aftermath of FTX collapse, stated its opinion that a PoR report may not
constitute an assurance opinion (Hollerith, 2022):
Proof of Reserves Reports are performed in accordance with Reporting Standards relevant to
an Agreed Upon Procedures report. They do not constitute either an assurance or an audit
opinion on subject matter. Instead they report limited findings based on the agreed procedures
performed on the subject matter at a historical point in time.
Although many of the accountancy firms do accept and engage in this service, we should keep in mind
the opaque and somewhat controversial nature of this assurance service, due to its inherent flaws listed
above. This difference of opinion holds certain weight for accountants to be careful while engaging in
this service, until the legislation and regulations in this area are homogenized, strengthened, and
standardized.

2. Potential reasons why cryptocurrency exchanges engaged accountants to provide assurance on

proof of reserves reports (Module A).

1) Building Trust with Users: In the realm of crypto-currencies, which is unpredictable and sometimes
opaque, trust is an essential resource for exchanges. Exchanges aim to build and maintain trust among
users by demonstrating transparency and accountability in their operations by engaging reputable
accountants to provide assurance on their proof of reserves. Despite acknowledging limitations of PoR
reporting, PCAOB has still advised the crypto exchanges to issue PoR reports to reassure their
customers:
Crypto entities may engage a service provider to issue a PoR Report in an attempt to reassure
customers in response to widespread concerns about, for example, the type of reserve
holdings, or the safety and availability of customers’ digital assets in the event that some or all
the customers decide to withdraw their assets

2
2) Competitive Advantage: Exchanges that can provide verified PoR reports may differentiate
themselves in a cutthroat market, attracting users who prioritize security and transparency.
3) Regulatory Compliance and Preparation: Even though the legal landscape governing crypto-
currency exchanges continues to evolve, engaging in such assurance practices can help exchanges get
ready for anticipated regulatory requirements as well as demonstrate their commitment to best
practices in financial reporting and security.
4) Risk Management: Exchanges may identify and address potential risks in their custody of digital
assets by going through external assurance on their PoR. This helps them avoid problems that could
cause financial instability or operational breakdown.
5) Restoring Confidence Post-Scandals: Exchanges may look for assurance services in the wake of
well-publicized mishaps or scandals in the cryptocurrency space, like the demise of FTX, as a means
to restore confidence among existing and potential users by proving their stability and reliability.

3. Potential reasons why the demise of FTX may have affected firms’ perceptions of engagement
risk and willingness to provide assurance on proof of reserves reports (Chapter 3).

Crypto-currencies are still a bit of a novelty for audit and assurance firms, because of their digital,
anonymous, and extremely complicated and technical nature. Hence, the inherent risks in this market
are higher than usual, especially when coupled with the fact that there is still little regulatory oversight
on crypto markets.
FTX collapse not only shattered investor confidence in crypto-currencies but also pushed the audit and
assurance service providers on a backfooting, where they are more reluctant and unwilling to accept
clients from this industry. Soon after the collapse of FTX, a major France-based accountancy firm,
Mazars, paused all its work with crypto firms including, Crypto.com, KuCoin, and Binance, and
deleted all crypto reports from its website (Hollerith, 2022).
Mazar’s decision came a day after the audit firm, Armanino, which was in charge of FTX’s PoR
reports terminated its crypto audits, reportedly due to pressure from the firm’s non-crypto clients, who
were concerned about being associated with Armanino, in the wake of scandal. This highlights the
potential reputational risks for audit and assurance firms (Patrick, 2022).
Below we discuss some of the reasons why audit firms’ perception of engagement risk and their
willingness to engage in assurance on PoR reports might be affected after the demise of FTX:
1) High risk of material misstatement:
The risk of material misstatements in accounts of crypto-currency firms are higher because of
the volatility of crypto-currency prices. Crypto-assets have the potential to be over- or
understated because they lack tangible value – contrary to traditional securities. This makes
most crypto-assets highly speculative, and makes them susceptible to manipulation or fraud
(ESMA, 2022). Moreover, the high privacy and secrecy levels in blockchain may inhibit access
to audit evidence. All these factors increase the probability that overrides by top management
may go unnoticed, increasing risk of material misstatement at the end (ICAEW, 2022).
3
 During the trial of FTX, many executives, customers, and investors testified that the
founder/CEO of FTX directed employees to spend customer deposits for non-business
purposes and to make material misstatements regarding FTX's solvency and relationship with
its sister concern, Alameda Research (Reiff, 2023).
The wrongdoings of FTX unfolded during the trial may likely deter the audit firms from
accepting crypto-currency clients, atleast for some time as they will likely deem it more
appropriate to be on the safe and cautious side.
2) Concerns about effectiveness of PoR reporting:
Due to the inherent limitations of PoR reporting (listed under the first question), some firms are
wary of whether the PoR reporting even constitutes an assurance service or not. Mazars is one
such example. The collapse of FTX and the widespread criticism on the effectiveness of PoR
reporting that followed has visibly affected the perception of firms and may deter them from
accepting engagements of PoR reporting, until the regulations are strengthened.
3) Governance issues:
Many crypto-currency firms are led by young generation of technical and IT professionals,
who usually do not possess sufficient experience of corporate governance and financial
management. The new CEO at FTX, appointed after the scandal broke, cited poor management
practices and inexperienced leadership as the cause of FTX collapse. He stated before the
Congress (Land & Chiacu, 2022):
The FTX group's collapse appears to stem from absolute concentration of control in
the hands of a small group of grossly inexperienced, non-sophisticated individuals.
Keeping in view these factors, audit firms may see FTX’s failure as indicative of a broader
issue within the crypto-currency market related to insufficient corporate governance structures.
Since audit firms rely on strong governance to ensure reliable financial reporting, the absence
of such structures increases the perceived risk for assurance engagements.
4) Reputational risk for audit firms:
FTX was only one in a series of market failures and meltdowns in crypto-currency market,
since 2020. In the past few years, several other major crypto-currency firms have faced
significant failures and collapses, for one reason or the other. Some of the prominent failures
are:
a) Celsius Network: This crypto lender was severely impacted by the collapse of
terraUSD and Luna, leading to massive withdrawals by investors and a subsequent
bankruptcy filing in July 2022. The company faced a $1.2 billion shortfall on its
balance sheet (Clarke, 2022).
b) Voyager Digital: After the crypto hedge fund Three Arrows Capital (3AC) defaulted
on a significant loan, Voyager Digital filed for bankruptcy in July 2022. The firm had
extended a sizable loan to 3AC without security, leading to substantial financial losses
when 3AC defaulted (Clarke, 2022).

4
 c) Three Arrows Capital (3AC): This crypto hedge fund went bankrupt following the
collapse of terraUSD and Luna, which erased billions in investor value. The fund's
failure was due to major directional trades and borrowing from over 20 institutions
(Clarke, 2022).
d) Core Scientific Inc: One of the largest publicly traded crypto mining companies in the
U.S., Core Scientific filed for Chapter 11 bankruptcy in 2023 due to falling bitcoin
prices, increasing energy costs, and unpaid debts from another bankrupt crypto lender,
Celsius Network (Reuters, 2023).
e) BlockFi: This crypto lender went bankrupt after the FTX collapse, citing a liquidity
crisis due to substantial exposure to FTX. BlockFi had previously relied on a credit
facility from FTX to stay afloat following the bankruptcies of other crypto lenders like
Voyager Digital and Celsius Network (Reuters, 2023).
The collapse of FTX and many other major crypto firms in recent years highlight the inherent
volatility and risks associated with the crypto-currency market. Accounting firms may perceive
a higher reputational risk if they associate with crypto-currency firms, which is fair and
understandable.
Moreover, the inherent anonymity of crypto-assets also increases their potential for fraud.
Audit firms who are mindful of potential money laundering and related party transaction frauds
may be pushed further away from accepting the crypto clients. When a high risk of fraud is
present in an entire market, the corresponding exposure to reputational risks may deter the
firms from engaging with these clients.
5) Legal Risks:
Given the legal challenges and financial turmoil surrounding FTX's collapse, accounting firms
may be wary of the potential legal repercussions of providing assurance services in this sector.
Armanino, the auditor of FTX, was included among the accused parties in the class-action
lawsuit against FTX. It was alleged that the auditor failed to take notice of irregularities at FTX
during the audit, and failed to fulfill its obligations to make sure FTX was not taking part in
illegal activities (Patrick, 2022).
The potential exposure to lawsuits owing to association with this highly risky and volatile
market is arguably one of the strong reasons deterring the firms from accepting engagements of
crypto clients.
6) Complexity and Technical Challenges:
Ensuring the existence and ownership of digital assets requires specific technical expertise,
which might not be available or sufficiently developed in all accounting firms, especially in
small and medium sized firms.

4. Differences in audit requirements for issuers and non-issuers (Chapter 12 and Module I).

5
The audit requirements for issuer and non-issuer companies differ in the following ways:
1) Regulatory oversight by SEC:
Issuers: Issuers are governed by the Securities and Exchange Commission (SEC), and it is
mandatory for them to issue audited financial statements. SEC rules require issuer company to
file annual reports on Form 10-K and quarterly reports on Form 10-Q with the SEC on an
ongoing basis (SEC, 2024).
Non-issuers: Non-issuers are generally not regulated by SEC, unless they are involved in
issuing of securities. Accordingly, they are not required by law to have their financial
statements audited. However, state laws, and other regulations may impose audit requirements
in certain circumstances. Audits of non-issuer companies may also be required by lending
banks, bonding companies, insurance companies or preferences by private company owners
who want to enhance the credibility of their company to attract investments.
Both private and public firms are required to follow GAAP, or “generally accepted accounting
principles”.
2) Applicable laws and standards:
Issuers: The audit of issuers is conducted under Auditing Standards set by the Public
Company Accounting Oversight Board (PCAOB), not just auditing standards but all PCAOB
standards. Issuer companies must comply with the Sarbanes-Oxley Act (SOX) of 2002, which
aims for investor protection through enhanced transparency and integrity of public companies.
Non-issuers: Non-issuer companies are required to follow standards set by the AICPA
Auditing Standard Board’s Statements on Auditing Standards (SAS). SOX 2002 is not
applicable to non-issuer companies.
If both standards are followed by an auditor of a non-issuer: It is noteworthy to mention that
the auditors in the case of non-issuers may choose to comply with both auditing standards. In
Feb 2004, the AICPA in response to various queries raised by auditors and their clients,
distributed a letter to managing partners of audit firms advising that the auditor of a non-issuer
may also follow the PCAOB standards in addition to the AICPA standards. The letter also
discusses how to report on an audit of a non-issuer when both standards are followed (CPA
Letter, 2004).
PCAOB has clarified that where the auditor of a non-issuer is legally required, or where it
voluntarily agrees to perform an engagement in accordance with PCAOB standards, then the
auditor may mention that they are complying with only the auditing standards of the PCAOB
and not all of the PCAOB's standards (Lumb, 2004).
When reporting on Critical Audit Matters (CAM) and dual-compliance is maintained, the
auditor should follow the requirements of PCAOB standards regarding the determination and
reporting of CAMs (Afterman, 2019).
3) Integrated audit:

6
 Issuers: An integrated audit, required for issuers, examines both the financial statements and
the effectiveness of the company’s internal controls over financial reporting. The integrated
audit is made mandatory in terms of Section 404(b) of SOX 2002.
Exemption from audit of ICFR: The smaller issuer companies (with less than $75 million in
public float) are exempted from compliance with Section 404(b) of the SOX 2002.
Non-issuers: Non-issuers are not subject to integrated audit requirement, meaning their audits
generally focus only on the financial statements, unless voluntarily opted by private company
owner.
4) Audit committees:
Issuers: Issuers must have independent audit committees under the provisions of SOX 2002.
The audit committee oversees important aspects of the auditing process, including the selection
and supervision of the external auditor. The purpose of this requirement is to enhance the
accountability and governance of public companies.
Non-issuers: The requirement of having an audit committee is not mandatory for non-issuers.
5) Transparency and disclosure:
Due to their public nature, issuers are required to provide extensive disclosures in their
financial reports to ensure transparency for investors, a requirement that is less stringent for
non-issuers.
In addition to the requirements of filing of Form 10-K, Form 10-Q, and audit of ICFR, the
following disclosure requirements apply in the case of issuer companies:
1) Current Reports (Form 8-K): Reports on major events that shareholders should be aware
of.
2) Proxy Statements: Details on matters to be voted on during shareholder meetings.
3) Executive Compensation: Disclosure of salaries, bonuses, and other compensation for
high-level executives.
4) Related Party Transactions: Disclosure of transactions between the company and its
executives, directors, or significant shareholders.
6) Auditor reporting:
Issuers: For issuers, auditors must provide a report on both the financial statements and
internal controls in accordance with PCAOB standards.
Non-issuers: For non-issuers, the auditor’s report is generally limited to the financial
statements, and is prepared in accordance with AICPA standards.
7) Registration with PCAOB:
Issuer: A public accounting firm needs to be registered with the PCAOB in order to perform
an audit of an issuer, in terms of Section 102 of the SOX 2002.

7
 Non-issuer: A public accounting firm need not be registered with the PCAOB in order to
perform an audit of a non-issuer, even if the audit is performed in accordance with PCAOB
standards.
5. Potential limitations of a financial statement audit that is not conducted as part of an integrated
audit (Module I).

These are some of the limitations of a financial statement audit that is not conducted as part of an
integrated audit.
1) Limited scope can be an issue: There is more focus on verifying the accuracy of the financial
statements which limits adequate assessment of the effectiveness of internal controls hence
fails to uncover deficiencies in controls.
2) Fraud may not be easy to detect: Without integrated auditing, fraud risks may not be
adequately evaluated. This means fraud prevention measures might not be strong enough to
catch problems early, as seen with FTX's "sloppy accounting" issues.
3) Inadequate assurance on asset holdings is another limitation: Just checking financial
statements may not give enough confidence about the exchange's digital asset holdings. This
was evident in FTX's case where proof of reserve reports were not effectively reviewed.
4) Missed opportunity for internal control Improvement: Integrated audits often look at
making operations better. Without this, weaknesses in how things are done might be missed,
leading to future problems.
5) Lack of Holistic risk assessment: Integrated audits consider all risks, not just financial ones.
Without this, risks specific to crypto-currency exchanges, like cybersecurity and regulatory
compliance, might be overlooked.
6) Limited transparency and accountability are another issue: Integrated audits promote
transparency and accountability by looking at governance and risk management practices.
Without them, there's less clarity on internal controls and governance, which can harm investor
trust and lead to failures like FTX's bankruptcy.

8
9
References:

Afterman, A. B. (2019). Reporting Critical Audit Matters When Reporting on Audit of Non-Issuer's
Financial Statements Conducted in Accordance With U.S. GAAS and PCAOB Standards. Accounting
& Auditing Update Service, (39), 1-2. ProQuest.
http://ezp.bentley.edu/login?url=https://www.proquest.com/trade-journals/reporting-critical-audit-
matters-when-on-non/docview/2353677109/se-2

Clarke, A (2022, December 26). 7 biggest crypto collapses of 2022 the industry would like to forget,
Cointelegraph. https://cointelegraph.com/news/7-biggest-crypto-collapses-of-2022-the-industry-
would-like-to-forget

CPA Letter (2004, Feb). Guidance Issued on Performing Audits for Privately Held Companies. The
CPA Letter. 84(2), 7. http://ezp.bentley.edu/login?url=https://www.proquest.com/trade-journals/
guidance-issued-on-performing-audits-privately/docview/211145325/se-2

European Securities and Markets Authority (ESMA) (2022, Oct 4). “Crypto-assets and their risks for
financial stability. TRV Risk Analysis, ESMA, Paris.
https://www.esma.europa.eu/sites/default/files/library/esma50-165-
2251_crypto_assets_and_financial_stability.pdf

Hollerith, D. (2022, December 16). Accounting firm Mazars drops all crypto clients. Yahoo! Finance.
https://finance.yahoo.com/news/accounting-firm-mazars-drops-all-crypto-clients-including-binance-
and-cryptocom-153807881.html?guccounter=1

Lang, H., & Chiacu, D (2022, December 13). Poor management, inexperienced leaders led to FTX
collapse. Reuters. https://www.reuters.com/legal/poor-management-inexperienced-leaders-led-ftx-
collapse-new-ceo-tells-lawmakers-2022-12-13/

Lumb, J. (2004). PCAOB Provides Guidance on Audits Of Non-Issuers. PCAOB Reporter, 2.

ProQuest. http://ezp.bentley.edu/login?url=https://www.proquest.com/other-sources/pcaob-provides-
guidance-on-audits-non-issuers/docview/189721530/se-2

Mingard, J., & Stolzenberg, B. (n.d.) Does «Proof of Reserves» provide meaningful trust and
transparency? PWC. https://www.pwc.ch/en/insights/digital/does-proof-of-reserves-provide-
meaningful-trust-and-transparency.html

Patrick. (2022). 24/7 Wall St.: Another Audit Firm Halts Proof-of-Reserves Service for Crypto
Exchanges. Newstex Finance & Accounting Blogs, Newstex. ProQuest. http://ezp.bentley.edu/login?
url=https://www.proquest.com/blogs-podcasts-websites/24-7-wall-st-another-audit-firm-halts-proof/
docview/2754997647/se-2

10
Publick Company Accounting Oversight Board. (2023, March 8). Investor Advisory: Exercise
Caution With Third-Party Verification/Proof of Reserve Reports.
https://pcaobus.org/news-events/news-releases/news-release-detail/investor-advisory-exercise-
caution-with-third-party-verification-proof-of-reserve-reports

Reiff, N. (2023, November 15). The Collapse of FTX: What Went Wrong With the Crypto Exchange?
Investopedia. https://www.investopedia.com/what-went-wrong-with-ftx-6828447

Reuters (2023, January 20). Crypto's string of bankruptcies. Reuters.

https://www.reuters.com/business/finance/cryptos-string-bankruptcies-2023-01-20/

Steinhardt, S.J. (2023, March 9). PCAOB Warns Investors about Proof-of-Reserve Reports from
Crypto Companies. The Trusted Professional. https://www.nysscpa.org/news/publications/the-trusted-
professional/article/pcaob-warns-investors-about-proof-of-reserve-reports-from-crypto-companies-
030923

The Institute of Chartered Accountants in England and Wales (2022, September 12). How do we audit
cryptocurrency? ICAEW Insights. https://www.icaew.com/insights/viewpoints-on-the-news/2022/sept-
2022/how-do-we-audit-cryptocurrenc

U.S. Securities and Exchange Commission. (2024, March 5). Exchange Act Reporting and
Registration. https://www.sec.gov/education/smallbusiness/goingpublic/exchangeactreporting

Vigna, P. (2022, November 25). Here's Why Crypto 'Proof of Reserves' Isn't All It Appears to Be.
Dow Jones Institutional News. ProQuest.
http://ezp.bentley.edu/login?url=https://www.proquest.com/wire-feeds/heres-why-crypto-proof-
reserves-isnt-all-appears/docview/2740097070/se-2

Wade, J. (2023, February 28). Proof of Reserves: Could It Have Avoided the FTX Meltdown
Investopedia.com. https://www.investopedia.com/proof-of-reserves-6830204

WebsiteNI, & Preston, C. (2022, May 5). Assurance vs audit: What is the difference? FPM An AAB
Group Company. https://fpmaab.com/trending-topics/assurance-vs-audit/

11