PCAOB warns about limitations on crypto proof of reserve reports

The Public Company Accounting Oversight Board issued an advisory Wednesday warning investors to exercise caution when it comes to the so-called "proof of reserve" reports that some cryptocurrency companies have been touting.

The warning comes after a number of auditing firms have already stopped providing this limited form of assurance after the collapse of high-profile crypto companies like FTX. Several companies have publicized such audits, including Binance, Crypto.com, Kraken and KuCoin. A few auditing firms like Armanino and Prager Metis offered this type of assurance in the past, at least until their former client FTX's collapse last November. Mazars, which provided proof of reserves audits for Binance, Crypto.com and Kraken, has also reportedly halted such work (see story).

The PCAOB's recently established Office of the Investor Advocate is now warning investors against relying on such reports. "Proof of reserve reports are inherently limited, and customers should exercise extreme caution when relying on them to conclude that there are sufficient assets to meet customer liabilities," it said.

PCAOB logo - office - NEW 2022

It's aware of some service providers, including PCAOB-registered audit firms, issuing proof of reserve reports to certain crypto exchanges and stablecoin issuers. In the reports they try to reassure their customers' concerns about the type of reserve holdings or the safety and availability of their digital assets in case some or all the customers decide to withdraw their assets, for example, if there's a run on a crypto exchange or stablecoin issuer.

The office is concerned that investors and others may place undue reliance on proof of reserve reports, which don't fall within the PCAOB's oversight authority. 

"Importantly, investors should note that PoR engagements are not audits and, consequently, the related reports do not provide any meaningful assurance to investors or the public," said the alert. "As a general matter, these PoR Reports purport to provide an asset verification for an asset type at a particular moment in time, subject to significant limitations based on the procedures performed. For example, the procedures undertaken likely do not address the crypto entity's liabilities, the rights and obligations of the digital asset holders, or whether the assets have been borrowed by the crypto entity to make it appear they have sufficient collateral or 'reserves' in excess of customer demands. For this reason, if the assets were borrowed by the crypto entity at the time of the PoR engagement, investors would not know based on the PoR Report. Also, because PoR Reports concern digital assets at one point in time they do not provide any assurance about whether the assets were used, lent, or otherwise became unavailable to customers following issuance of the PoR Report. Moreover, PoR Reports also provide no assurance regarding the effectiveness of internal controls or of governance of the crypto entity."

The PCAOB stressed that proof of reserve engagements are not the same as a true audit or more rigorous, and they're not conducted in accordance with PCAOB auditing standards. There's also a lack of uniformity in the service providers that handle such engagements. Some engagements are performed by accounting firms, but others are performed by nonaccountant assurance providers. Crypto company executives also have discretion on whether the results of proof of reserve reports are made public, including the extent and format of the information provided.

Whether the engagements aim to provide reasonable assurance, limited assurance, or no assurance, they're not subject to PCAOB auditing standards and the engagements aren't subject to PCAOB inspections. The reports don't provide assurance that the reserves will be adequate as of the date of the report, in the future, or that customer assets will be protected.

For "agreed-upon procedures," crypto executives, not the provider of the proof of reserve report, decides on the procedures to be performed by the third party when conducting the engagement. The report includes only some factual findings on the outcome of the procedures that were performed, and there's no representation about whether those procedures are sufficient. These types of reports don't express an opinion on the adequacy of the reserves , the financial stability of the crypto company or the validity of management's assertions.

"Proof of reserve reports are inherently limited, and customers should exercise extreme caution when relying on them to conclude that there are sufficient assets to meet customer liabilities," warned the alert.

For reprint and licensing requests for this article, click here.
Audit PCAOB Cryptocurrency Audit standards
MORE FROM ACCOUNTING TODAY