Nuance Matters: Understanding Proof of Reserves within the Spectrum of Audit and Attestation Standards
Introduction
Proof of Reserves detractors make hasty generalizations to conclude that auditor-assisted proof of reserves attest reporting is misleading or lacks any significant value to intended users of such reporting. Most of the misunderstanding and obfuscation that abounds is the result of improper comparisons between Proof of Reserves and financial statement audits, namely being so simplistic as to say, “proof of reserves is not a financial statement audit; therefore, it has no value.” It is more complicated than that. And, as Proof of Reserves continues to gain interest, application, and the mandate of consumers, lawmakers and regulators, understanding Proof of Reserves’ place in a larger picture of capital markets-related, third-party assurance will be important for those that oversee service providers (regulators) and those that participate in digital assets markets using service providers (customers).
Proof of Reserves is an important attestation vehicle that is a complementary addition to financial statement audits and other third-party assurance reporting, not a stand-alone replacement or substitute. Here, we detail the prima facia authenticity of this claim with detailed exploration and comparisons between financial statement audits and Proof of Reserves attestations. All with a goal to further your expert understanding of why both are important, not why one is “better” than the other.
The Attest and Assurance Landscape
Enter Proof of Reserves
Goals matter. Context matters. Among the earliest known goals of accounting was the proper recording of taxes owed (to kings and later governments). Taxation still makes up a large part of the accounting profession today as governments and provincial taxing authorities, globally, promulgate accounting and reporting requirements to properly account for taxes owed on income, investments and commerce. In addition to collection of taxes, there are many other goals of accounting and audit which are driven by management, investors, regulators, and other market participants. Without detailing the long, rich history of the accounting profession and the evolution of best practices and standards over 150+ years of modern accounting, the state of play today is that accountants and CPAs have multiple tools, standards, generally accepted accounting principles, and best practices to help their employers or their clients reach their goals.
Proof of Reserves is the newest advancement in accounting and attestation. The PoR process enables management to leverage cryptography to provide a “crowd sourced” check on their customer liabilities, public-private key technology to prove control of assets on a decentralized ledger, and these procedures can be rolled together into industry-standard Agreed Upon Procedures reports.
Picking the Right Attestation Tools
Just like cars are not good tools for lake excursions, and boats aren’t great tools for road trips, some accounting, audit or attest tools might not be fit for a specified purpose (or end goal). Founders of private companies that have a goal (or mandate) to offer their private investors reasonably complete and accurate visibility into the financial performance, balance sheet and cash position of their company, would choose first to hire a qualified accountant to create financial statements, and secondarily to engage an independent third-party auditor to audit those financial statements. However, those founders would not choose to offer their investors an independent attestation related to Internal Control Over Financial Reporting (ICOFR). Why? ICOFR reports can be a very valuable attestation to gain additional comfort over the accounting controls at the business, and are relevant to the overall completeness and accuracy of financial statements, but they are not audited financials. They aren’t the right tool to achieve the goal.
Similarly, that private company offering its customers audited financials to provide their customers assurance that the technology they sell is secure, available, and protects confidential information of the customer wouldn’t make any sense. Rather, a SOC 2 Report would be the appropriate tool for the job (a SOC 2 is independent accountant’s attestation report providing a reasonable assurance opinion of the auditor that the company’s controls were suitably designed and/or operated effectively to meet the AICPA’s SOC 2 criteria).
There are many more examples, but here is a view of important, common third-party attestation and assurance tools that digital assets service providers (private companies) use to meet management, investor, customer, and regulator expectations.
Next, we take a broad view of US and international standards that apply to financial statements and other financial or business-related subject matter.
US Domestic Attestation and Assurance Standards for Private Companies
When seeking to understand attestation vehicles, in the context of Proof of Reserves, it is helpful to first understand third-party attestation for private companies more generally. There are just three main tools in the kit.
(1) See AT-C 105 (2) See SSAE No. 18 (3) See AT-C 205 (4) See AT-C 215 (5) See AT-C 210
As seen above, examination engagements with an independent auditor that result in an opinion over financial statements are certainly different than an agreed upon procedures engagement with an independent auditor that results in a report on procedures and results of those procedures.
International Attestation and Assurance Standards for Private Companies
Internationally, practitioners apply multiple attestation and assurance standards, based on their locale (or that of the client). The prevailing international standards are the International Financial Reporting Standards (IFRS). The IFRS Foundation is a not-for-profit, public interest organization established to develop high-quality, understandable, enforceable and globally accepted accounting standards. The Standards are developed by the IFRS Foundation’s standard-setting board, the International Accounting Standards Board (IASB). IFR Standards have historically been developed by looking to US reporting standards and are therefore very similar. As an additional layer, multiple jurisdictions have adopted IFRS and then applied their own local changes and guidance, Hong Kong being a prominent example (HKIFRS).
Again, international attestation standards are largely harmonized with US reporting standards for private companies, and thus Agreed Upon Procedures attest reporting under IFRS is also available to practitioners and management. International AUP standards can and have been used to produce Proof of Reserves attestation reporting.
US Domestic Attestation and Assurance Standards for Public Companies
There are commonalities between private company reporting standards and those applicable to SEC reporting companies (publicly traded companies). Of course, we can’t do a full treatise here, but a general understanding is helpful to contextualize how proof of reserves attestation reporting could be issued by an SEC registrant. Unlike the AICPA standards diagramed above, which offer three basic “tools” under the larger “attestation standards” umbrella, the public company reporting standards, issued and overseen by the Public Company Accounting Oversight Board (PCAOB), bifurcate “Auditing Standards” and “Attestation Standards.” The Sarbanes-Oxley Act of 2002, as amended, directs the PCAOB to establish, by rule, auditing and related professional practice standards for registered public accounting firms to follow in the preparation of audit reports for public companies, other issuers and broker-dealers.
The following attestation standards have been adopted by the PCAOB and approved by the Securities and Exchange Commission: AT No. 1: Examination Engagements Regarding Compliance Reports of Brokers and Dealers; and, AT No. 2: Review Engagements Regarding Exemption Reports of Brokers and Dealers.
Additionally, the in April 2003, the PCAOB adopted certain preexisting standards as its interim standards. (See PCAOB Attestation Standards) “Interim Attestation Standards” consist of the AICPA's Auditing Standards Board's Statements on Standards for Attestation Engagements, related interpretations, and statements of position as in existence on April 16, 2003, to the extent not superseded or amended by the Board. Therefore, attestation standards from the AICPA are available to management of public issuers, as well as practitioners that are registered with the PCAOB, serving public clients, and meeting the associated requirements in the acceptance and performance of such engagements. Specifically, the PCAOB Interim Attestation Standards cover:
Attest Engagements (AT 101)
Agreed-Upon Procedures Engagements (AT 201)
Financial Forecasts and Projections (AT 301)
Reporting on Pro Forma Financial Information (AT 401)
Compliance Attestation (AT 601)
Management's Discussion and Analysis (AT 701)
Narrowing in on AUP engagements, there are some nuanced differences between what a PCAOB registered auditor would need to do in the performance of an AUP engagement with a public client vs. what that auditor would need to do in the performance of an engagement with a private company client. As an example, in the performance of an AUP engagement for a private company, “[t]he restriction [of reports] to specified parties may or may not include parties that have agreed to the procedures and acknowledged that the procedures performed are appropriate for their purposes.” Therefore, an auditor can perform Agreed Upon Procedures that have been specified for management without obtaining the written agreement of all specified parties (say, customers) regarding the sufficiency of the procedures.
However, the public attestations standards as modified are more stringent and require that: “[t]o satisfy the requirements that the practitioner and the specified parties agree upon the procedures performed or to be performed and that the specified parties take responsibility for the sufficiency of the agreed-upon procedures for their purposes, ordinarily the practitioner should communicate directly with and obtain affirmative acknowledgment from each of the specified parties.” This requirement of course provides a potentially unworkable hurdle for a PoR AUP case, where the specified parties include millions of customers. In any case, there are exceptions that a public auditor could document, such as obtaining an affirmative acknowledgement from a representative sample of those customers. That hurdle jumped, the differences between the AICPA’s AUP attestation standards and those adopted and modified by the PCAOB are largely immaterial.
Therefore, in the context of a public company that custodies customer’s crypto assets, there is good reason that management could choose to offer auditor-assisted proof of Reserves attestation reporting to customers on a frequent cadence, in addition to their quarterly and annual financial statement filing requirements. In fact, for reasons we explore below, the idea that such reporting would be in conflict or somehow detract from the traditional public company financial reporting lacks merit because there are multiple areas of insight that Proof of Reserves can offer over and above what can be parsed from a company’s public filings (if the reader has sufficient experience and understanding to analyze public company financial reporting, and yes, also a sufficient understanding of procedures and findings in an AUP report on Proof of Reserves to reach their own conclusion).
Comparing Proof of Reserve Attestations and Financial Statement Audits
Why Compare?
Consider first that there is no need to “compare” these two attestation vehicles for the purpose of determining if one should “win out” over the other. They are not competing approaches to transparency. Anyone that proffers Proof of Reserves as a replacement for other best practices, financial, or security-related reporting should not be trusted. Rather, financial audits for private crypto service providers are an important attestation vehicle that enable investor transparency and regulatory compliance; and Proof of Reserves attestations offer yet more transparency into custodial operations, segregation, and the makeup of reserves to meet customer liabilities.
Solvency
Importantly, a Proof of Reserves attestation properly planned and performed does not include company liabilities that are not direct customer liabilities. In this way, one could think of a Proof of Reserves attestation as a narrow focus on a section of the larger balance sheet. Thus, Proof of Reserves, whether self-attested by management or auditor-assisted, should never be considered by practitioners, customers or others as a measure of the company’s financial solvency. Indeed, under US private company attestation standards, no auditor can opine on “solvency” while meeting the attestation standards. While this term is commonly used casually by the lay person, even audited financial statement reports do not include an opinion from the auditor on “solvency.” An opinion may include a note about “going concern” if the financials as audited indicate the business may no longer be able to meet expenses or other obligations in the future.
Legal Rights to Crypto Held by a Platform
On a related topic, whether customers have legal rights to the return of digital assets deposited with an exchange or other digital asset custodian is typically governed by the terms of service between the platform provider and the customer. In the case of auditor-assisted Proof of Reserves attestations to date, testing or disclosing such legal terms and conditions has not been included in the attest providers scope (any may not be subject matter than can be included). In any case, this is an important area of consideration for management and customers when assessing a proof of reserves program or the resulting reporting and an area for improvement in overall disclosure, whether through attest or by management directly in connection with attest reporting.
Background
After the collapse of FTX.com, the previously obscure set of procedures colloquially known as “Proof of Reserves” took the digital asset world by storm. National, TradFi media discussed Proof of Reserves, and commentators opined on whether Proof of Reserves mandates by regulators could have provided an early warning signal about the fraudulent and/or meagre asset management of FTX.com, BlockFi, Celsius, Voyager and the like. Industry veterans had to say, “we told you so…,” with one advocate of PoR, Nic Carter of Castle Island Ventures, renewing his long-repeated refrain: “If there’s a single thing I could do to better this industry, it would be to convince every custodial service provider in the cryptocurrency space to adopt a routine Proof of Reserve program.”
The call for more transparency, interestingly, wasn’t unanimous. The PCAOB, which is charged with among other things, investor protection, issued an investor alert. A seeming minority of other commentators echoed that Proof of Reserves “provides no meaningful assurance to investors or the public” and proof of reserves “fall short of a full audit.” As detailed above, the attest landscape has many available tools, none of which CPAs and practitioners refer to as “full audits.” Knowledgeable observers of the digital assets space couldn’t help that notice each of the large, failed exchanges and crypto lenders of 2022 all had audited financial statements for one or more years, with Voyager being notable as its equity was traded on the Toronto Stock Exchange (TSX) and was also a US FinCen registered Money Services Business and traded on US OTC markets.
And now, in 2023, even those outside of crypto watched the failure and receivership of multibillion dollar banks, all with financial statements audits and significant regulatory oversight. While both the 2022 failures of audited exchanges/lenders in the crypto space as well as lenders in the traditional banking sector are complicated, but mismanagement of customers assets (and interest rate and/or counterparty risk that threatens those assets) is a theme that ties these TradFi and digital assets failures together. So, is proving reserves frequently to customers (even fractional reserve models where a portion of the assets are loan receivables), and educating all participants on how to understand such offers of proof worthwhile?
In a recent informal survey, 80% of respondents answered, “yes.”
The Self-Attestation Wave
Back to late 2022. Some of the top global, off-shore exchanges began executing self-attestations to prove to their customer base that they were trustworthy; those that didn’t searched for auditors that would assist. Meanwhile, a few existing CPA firms had been early applying Proof of Reserves reporting (with most of the larger CPA firms focused on attest reports over collateral reserves, such as in the case of USD-backed stablecoins). Yet more of the large CPA firms were assessing Proof of Reserves attestation engagements, given the high demand for the service.
As noted, most detractions conflate and compare Proof of Reserves attestations to a Full Financial Statement Audit. Most PoR proponents acknowledge the subject matter and scope are significantly different between the two attestation vehicles, and that disclosures regarding that scope are incredibly important for users of the report to have proper context from which to draw their own conclusions.
However, Proof of Reserves attestation benefit from 6 or more advantages. We dive into those advantages below.
Six Important Distinctions
Custodial (customer) Asset Testing:
While many customers of exchanges would assume that a financial statement audit conducted over an exchange’s financial reports would necessarily include testing of the custodial asset holdings and corresponding customer liabilities, that would generally be a mis-assessment. In fact, management can account for custodial assets and corresponding liabilities “off balance sheet,” and historically, many have. This accounting approach has been available under both management and practitioner interpretations of Generally Accepted Accounting Principles (GAAP). If management has chosen this accounting policy, and an independent auditor is engaged to audit the balance sheet and income statement of that company, it is left to auditor judgement as to whether to test custodial assets and liabilities, and if so, to what level. Therefore, in the context of a private company the spirit of proof of reserves is not a necessary condition.
In March of 2022, the SEC Staff proposed Staff Accounting Bulletin 121 (SAB-121). This interpretive guidance, which applies generally to public companies that hold digital assets on behalf of customers, would among other things, require that custodial assets and the corresponding customer liabilities be recorded “on balance sheet,” and thus be within the scope of an annual financial statement audit and quarterly reporting requirements. While industry participants are still seeking clarity on SAB-121’s implementation, the general spirit of the guidance is helpful to the industry and to consumers. However, the vast majority of assets under custodial management are managed by private companies, the financial reports of which will effectively never be seen by the retail customers they serve. Professional services firms like PwC have, through their own interpretation, advised that private reporting companies adopt SAB-121 even though they are not strictly required to under GAAP.
In the above section mentioning the disastrously failed companies of 2022, you may have asked yourself the question, “so, how did they ‘pass’ an audit.” Now, you can consider the likelihood that these, mostly private companies, recorded their custodial assets off balance sheet and therefore faced little or no scrutiny of those liabilities in their annual financial statement audits.
2. Customer Verification:
As part of a Proof of Reserve, especially an auditor-assisted Proof of Reserves attestation engagement, the service provider (CPA) collects from management a list of all customer liabilities by asset type and amount, and then uses cryptography to create a Merkle Tree (or cryptographic seal on the data). The CPA (and/or management) can then publicize this Merkle Tree at the time the attest report is issued and include the root hash of the Merkle Tree in the attestation report; management can notify customers of the platform to use a Merkle Tree verification tool to confirm their account, asset types and proper amount of each asset type, was included within the liabilities list produced by management. While the Merkle Tree allows any user to “find their path to the root” it also offers the benefit of privacy, as any single customer can prove their inclusion in the total liabilities list without knowing or exposing the data of any other customer. Thus, the Merkle Tree (or other cryptographic process with similar outcomes) acts as both a procedure within the attest report, as well as a post-reporting check on the procedures performed as part of the attest reporting process.
Utilizing Merkle Trees for customer verification (inclusion in liabilities reported at the point-in-time of the Proof of Reserves) is an incredible advent. While the Merkle Tree is old cryptography from the 1980’s, this new application of the Merkle Tree is a potential boon to accounting, auditing, and customer trust. There is also no reason that it can’t be applied in traditional finance use cases. But why is cryptographic customer verification a big deal?
For the history of accounting and auditing to date, auditors use a few rudimentary tools to “gain comfort” or test “completeness and accuracy” of information produced by management in a financial audit or other attest engagement. Basically, we gain an understanding of what transactions are recorded and how; which IT system records and reports them; sometimes test controls over that IT or reporting system; observe management export data; test the scripts used the query the reports; and then apply a few procedures to spot check whether the list is complete (includes all records that the auditor expects it to) and accurate (correctly includes one/more records that the auditor knows to be true). In the past decade, “analytical procedures” have been added to the toolkit, and auditors now supplement or even replace procedures noted above by analyzing large data sets produced by management. In an “accuracy” procedure, an auditor will often use a “confirm” from a third-party, which could be a bank, financial partner or customer. However, when the number of customers is large, there is no case where an auditor tests (“confirms”) 100% of customer accounts (assets or liabilities).
So, why is cryptographic customer verification through crowdsourcing a big deal? Because, if a large number of customers participate in checking that they were included in management’s export of customer liabilities, the chance that management has “cheated” or under-reported those liabilities becomes statistically insignificant. If properly applied, cryptographic customer verification could result in better audits, better attest engagements, reduction of material misstatements, a strong disincentive against fraudulent reporting and an overall benefit to consumers, who can actively participate in the financial transparency process.
Therefore, cryptographic customer verification should be embraced by digital asset market participants, and even traditional finance and banks. Consider that long-forgotten case of one of the largest banks in the US that fraudulently opened accounts and credit lines without customer knowledge, at the direction of management, and for their own financial gain and the case becomes crystal clear.
3. The Potential for 100% Coverage:
Typically, during a financial statement audit, the auditor will determine “materiality” and “in-scope accounts” relevant to the engagement. Auditors may or may not include all digital assets within the scope of the financial statement audit. And as noted above, under GAAP, its possible that 100% of the custodial assets are “out of scope” in a financial statement audit for a private company. Even assuming the custodial assets and corresponding customer liabilities are recorded on the balance sheet, auditors typically test the total account balance using a “sampling approach.” In practice, this means that instead of testing 100% of the assets in scope, an auditor might test between 20-50% of the assets.
To be clear, in the context of a Proof of Reserves attestation, there are two considerations for asset coverage: (1) what assets and blockchains is it feasible to include in scope, and (2) for management’s chosen scope (say Bitcoin and Ether), does the CPA test 100% of all the custodial wallets needed to reach a 1:1 reserve against management’s stated Bitcoin and Ether liabilities owed to customers.
For the first consideration, a criticism of the auditor assisted Proof of Reserves attestation reports issued to date has been that they do not cover “100%” of assets offered on the platform (i.e. they only include Bitcoin and Ether). This criticism is fair, but it also needs to be balanced with the reality of testing the “long tail” of assets, potentially hundreds, held across many blockchains and the limitations presented to the auditor in hosting nodes, developing digital signature tools for asset ownership/control verification, etc. Additionally, while many of the auditor assisted Proof of Reserves attestation reports issued to date do not include the long tail, they do include coverage that makes up 70-80% of the total value in custody.
For the second consideration, one incredible strength of the auditor assisted Proof of Reserves attestation is that, for in scope assets/liabilities, the CPA tests all of the wallets needed to reach a 1:1 reserve against management’s stated Bitcoin and Ether liabilities owed to customers. Those that have performed audits or other attest engagements over financial subject matter know what an undertaking this can be. As noted above, 100% testing is a significant departure from the traditional audit approach and one that departs in the direction of more trust, more certainty (less room for a material misstatement) and more transparency.
4. Public Availability:
For 99% of companies, across all industries, customers will never have access to audited financial statements or accompanying financial disclosures as they are only made available investors, regulators, and a limited set of vendors such as financial institution partners. The same is true for digital asset companies in the US and globally. This is because, most digital asset and other companies are private companies or “private reporting entities.”
Said a different way, while financial statement audit requirements for US Money Services Business, provide a layer of consumer protection and management oversight, the window shades are only pulled back annually, and when the shades are pulled back customer still can’t see in. Therefore, the status quo for MSBs that custody digital assets for customers offers some measure of protection, but little to no transparency, and arguably very little deterrent to fraud and mismanagement. This was made painfully clear during the collapse of audited MSB service providers in 2022, which held billions of dollars worth of customer funds, an undetermined amount of which are still locked in bankruptcy proceedings. The call for more transparency is democratic, organic and is developing perhaps faster than standard setters appreciate.
In fact, this desire for transparency and accountability to the customer tells the genesis story of Proof of Reserves, which was first proposed by a Bitcoin Core developer, Greg Maxwell, as a “check on the evil exchange” post Mt. Gox. In contrast to private financials, audited or not, Proof of Reserves attestation reporting provides independent reporting, under long-tested and useful standards, and opens frequent and useful transparency to customers of a digital asset exchange. While financial reporting answers many questions about the financial health and performance of a private or public company, for customers of an exchange, they really want to know: even if this exchange were to fail as a business, can they make good on the assets I have parked with them? Therefore, this customer-available attest reporting, fueled by customer participation and verification, provides a window into only the information that the customer cares most about, “is my money there?” Importantly, this approach allows business operators to provide the business confidentiality they need, while providing the customer with the information they deserve.
5. Detail of Disclosure:
Disclosure is a cornerstone of all good financial markets and standards regimes globally. In fact, one could argue that the disclosure requirements for SEC registrants in the US is perhaps the most important part as it demands uniform production of financial, market and other data upon which analysts and investors can compare the position of companies within industries and across industries.
Within any financial statements, audited or not, information is presented at the aggregate level. Revenue, Current Assets, etc. However, even for the largest publicly traded crypto exchange in the US, this aggregate presentation arguably leaves much to be desired in terms of investor and customer transparency into custodial asset reserves. For example, for the Coinbase 10-K (annual audited financial statements and disclosures for the fiscal year ended December 31, 2022), we see aggregate accounts for “Customer Crypto Assets,” “Customer custodial funds,” and the corresponding liabilities presented in US Dollar denomination.
After even a cursory glance, you probably have the following questions. Which crypto assets does Coinbase actually hold? What is the breakdown of those assets in nominal number of tokens, and against which token-denominated liabilities? Are the assets “in-kind” (i.e. is Coinbase holding the same asset in custody as the client deposits/customer liability)? Are those presented assets held via self-custody, counterparties, or affiliated entities? Are the assets deployed into DeFi protocols? Are they wrapped or bridged, therefore opening up other protocol and smart contract risks? Are they assets held in like-kind to the liability type, thus avoiding the pitfalls of exchange rate risks? Are some of the customer’s crypto-denominated liabilities reserved by the exchange’s own “network” or “platform” token (not the case for Coinbase, but at issue with many other global exchanges that do have such tokens)? What level of scrutiny was applied to the numbers presented (yes, almost certainly a sampling approach)? The aggregate “big picture” view is helpful to some customers, but what about those that are interested in more?
In contrast, Proof of Reserves, attestation reports, especially those reported under a flexible Agreed Upon Procedures standards offer the business (and potential auditors) the flexibility to add procedures and findings that can present or disclose all of these pertinent details. Proof of Reserves attestations, properly planned and performed, can also arguably offer regulators and market watchdogs answers to these important questions as well.
As we detailed herein, the AUP does not carry the weight of an independent auditor’s opinion, but it does provide the opportunity for significant detail and disclosure upon which informed readers can form their own opinions and draw their own conclusions. Yes, readers need to be well-informed, but the potential for lack of confusion or mis-interpretation can and should be addressed by education and guidance, not paternalistically shielding the eyes of consumers.
While a Proof of Reserves attestation for a crypto platform or custodian has yet to be performed under examination standards (resulting in an independent accountant’s opinion), it does seem possible. Practitioners and management should note that getting to an examination standard and report would likely require work and testing over internal controls related to custody operations and custodial assets and liabilities reporting systems.
6. Proof of Reserves will Only Improve:
The historical timeline for Proof of Reserves adoption seems to indicate that the innovation will continue to be seen by regulators and customers as a useful addition to current compliance and transparency measures, if properly understood.
2013 – Proof of Reserves theorized (specifically Merkleization of liabilities and customer verification for a decentralized check on the exchange).
2013-2014 – First non-auditor assisted Proof of Reserves
2014-2019 – Low adoption and application period
2020 – First auditor assisted Proof of Reserves Attestation over a large global exchange
2021 – Digital Chamber of Commerce published “The Practitioner’s Guide to an Emerging Standard for Increasing Trust and Transparency in Digital Asset Platform Services,” with contributions from KPMG, Deloitte, IBM, Fordham Law School, Cohen & Company, Fidelity, Bittrex, Armanino, Castle Island Ventures, CoinRegTech, and TRM Labs.
2022 – Auditor assisted Proof of Reserves attestations increased, but late 2022 contagion and scare caused service providers to draw back. Platforms pursued the self-attestation approach in an attempt to quell customer concerns over reserves and market contagion.
2023 – Texas passed HB1666, the “Texas Proof of Reserves Bill.” (See overview of the bill and how companies can prepare for compliance here) Multiple new Proof of Reserves service providers enter the market to provide this much-demanded service.
As noted, the SEC and PCAOB have both issued alerts as of Q1:2023 to inform investors to proceed with caution when relying on Proof of Reserves attestations and/or self-attestations. While we agree that caution is warranted, and education and disclosure are key for any user of any attest report, it seems likely that standard setters will work to better define Proof of Reserves, issue criteria specific to auditor-assisted engagements and produce interpretations that will clarify the rules of the road for service providers. Leading this charge, the AICPA is aware and actively working on this important topic.
Conclusion
While the path to widespread acceptance of PoR is still in it’s infancy, it will be hard to ignore the substantial benefits this unique set of procedures can provide. Service providers should know that they can issue Proof of Reserves attestation reporting while complying with CPA industry attest standards and management should know that they can offer transparency to their customers through the implementation of strong internal controls, adopting an internal proof of reserves program, and when ready, engaging with a CPA to perform and auditor-assisted Proof of Reserves attestation engagement and report.