Part 2: Does Your Block Need a SOC? - A Handy Guide to Understanding SOC 1 and SOC 2 Audits for Crypto Companies
Continuing the casual, but informative read for technical and non-technical executives on the role of third-party assurance over SOC reporting for blockchains and crypto.
Part II of this series will apply SOC and third-party assurance concepts to blockchain and digital assets use cases. In Part III, we will go beyond SOC and take a look at other third-party assurance mechanisms that are highly relevant to blockchain and digital assets use cases.
I. SOC 1 & 2 in a Distributed Ledger and dApp World
From Satoshi’s genesis block to the advent of dApps [1], the blockchain and crypto ecosystem places great importance on a few “core values:” trustless and peer-to-peer transactions, privacy and anonymity, and perhaps most importantly, distribution of power—in governance and in validation of transactions. Laudable, really. From the witches’ brew of distributed networking, cryptographic algorithms and a trustless consensus protocol, Bitcoin was born. What has followed has been a modern-day gold rush; miners seeking spoils, projects raising eye-popping amounts of capital without the need for the venture capital establishment (ICOs [2] and STOs), and retail investors chasing 1000% returns.
What is certainly true is that the trustless peer-to-peer crypto economy is not without the need for trusted advisors, trusted intermediaries and third-party assurance. Yes, there are many scenarios in which the protocol, the hash power of the network, and the underlying cryptographic algorithms provide the trust. However, there are many instances in which SOC reporting for crypto and blockchain (and some other standards covered in Part III) is not only appropriate, but essential.
Here are a few: crypto funds, asset-backed tokens, crypto accounting solutions, private blockchain platforms and permissioned blockchain consortiums, node hosting and staking providers, and, of course, custodial wallet providers and exchanges. Here is why SOC and third-party assurance matter in each of these use cases.
A. SOC Reports for Crypto Funds
For digital assets under management, fund subscribers may demand assurance over the business process and IT General Controls in place to ensure that investor contributions are properly managed, properly segregated, accounts are periodically reconciled, that investor reporting is complete and accurate, and that the IT environment adequately addresses risks presented by improper logical access, physical access, change management, etc. The Network Firm has performed SOC attestations over crypto funds and understands the unique aspects presented by management of digital assets.
B. SOC Reports for Asset-backed Tokens
“Asset-backed tokens” is an umbrella term that covers a number of different stablecoins and similar crypto creations. Most easily understood are fiat-backed stablecoins, which are tokens issued (“minted”) on a given public blockchain and collateralized or backed 1:1 by a fiat currency such as the US dollar, British pound, or Japanese yen. The more complex crypto creations are those tokens that are “pegged” to another currency (digital or fiat), pegged to a “basket” of securities or other assets, or “collateralized” by debt obligations or other financial instruments.
So, in this sometimes murky but dynamic and interesting space, there are a number of instances where trusted intermediaries, fiduciaries, oracles and auditors will play a key role in reinforcing user confidence with SOC reports for blockchain and crypto. Here are just a few examples:
1. Centralized Fiat-backed Tokens:
Purchasers and holders of tokens collateralized by off-chain [3] assets will need third-party assurance over the quality of the collateral, the underlying income streams, the risk profile of the collateral, and similar matters.
We saw a unique opportunity to solve this assurance problem using the blockchain technology itself, so we developed the TrustExplorer technology. While this tech is extensible to other use cases, it stands alone as the first-ever stablecoin assurance platform in the market.
Traditional vehicles for third-party assurance in the asset-backed stablecoin space include (1) Agreed Upon Procedures (AUP) reports, (2) reviews, and (3) examination opinions (AT-C 205), with AUP being the lowest level of “assurance” (the practitioner reports findings only and expresses no opinion) and an examination opinion being the highest. We have also started to see trust companies and money services businesses (MSBs) that hold stablecoin collateral move toward SOC 1 and SOC 2 reporting, to give their token-issuing customers assurance over the internal controls governing the trust accounting processes and systems. The need for third-party assurance grows for asset-backed tokens that are loosely tied to a basket of fiat currencies and/or other financial instruments. If the Libra project ever materializes, third-party assurance over the basket of collateral will be very important to the trust and stability of the ecosystem. In late September 2019, Libra released information on the planned contents and weighting of its basket.
Libra announced that 50 percent of the basket will be in U.S. dollars, with the remainder in the euro (18 percent), the yen (14 percent), the British pound (11 percent) and the Singapore dollar (7 percent).
In this case, there are a few key areas in which users and ecosystem participants will need assurance. First, transparency into governance. Second, transparency into the basket of assets backing the token supply. If Libra is meant to achieve stable purchasing power, it would seem necessary that the asset weighting be flexible and responsive to inflation in the currencies that make up the basket, which makes the weighting itself a controlled process that merits independent testing.
2. Security Tokens
There are myriad potential applications of blockchain and tokenization tech to the outdated world of public and private securities. In the private securities market alone, there are many ripe opportunities for tokenization. And indeed, the leading tokenization platforms are seeing deal volume pick up. In tokenization of private placement securities such as ownership of real estate, private company shares, funds, etc. the need for audit and assurance is not alleviated by the tokenization event itself.
Below are two key areas where the market will demand assurance.
General Financial Performance — Many private placements under SEC Reg D include a financial audit requirement even where one is not strictly required, because an audit makes the investment more attractive. We expect this trend to continue, and perhaps increase, in tokenized offerings.
Tokenization Platforms — The leading tokenization platforms are a mix of talent and tech. While each of the current leaders in the space offers their solution in a slightly different way, there is a software component which facilitates the offering and ongoing management of the offering. In this case, investors, especially non-retail investors, will likely demand SOC 1 and SOC 2 reporting for crypto and blockchain from these platforms. Such audit reporting would provide investors, and their financial statement auditors, the necessary level of assurance over data integrity and key reporting.
C. SOC Reports for Crypto Accounting Firms & Crypto Tax Solutions
All current crypto accounting and tax software offerings are delivered as SaaS; therefore, assurance over the security and availability of the platform, as well as the controls over the confidential data it holds, will be key considerations for “user entities” (SOC speak for “customers”). However, there are also a number of considerations unique to crypto accounting solutions. Because most of these offerings integrate with third-party exchanges and with custodial and non-custodial wallets, the key question for customers is how far they can rely on the technology and automated controls that translate blockchain data into a form the application can use, and what controls, if any, ensure that integrations to third-party exchange data deliver complete and accurate data (for example, detecting gaps in an exchange’s transaction export and reconciling imported movements against reported balances). Putting those controls in place ahead of a crypto audit or Proof of Reserves engagement helps ensure that you meet the standards crypto auditors will test against, and reinforces the integrity of your system.
Crypto accounting sub-ledgers also rely on third-party sources of data to automatically apply pricing/valuation to certain transactions. We expect that this will cause a trickle-down of assurance demands where crypto accounting and tax solution providers will demand more transparency to methodology, controls, and data integrity from their third-party data providers.
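The two data-integrity controls the preceding paragraphs describe, completeness and accuracy of an exchange integration and a sanity check on third-party pricing, are the kind of automated controls a SOC examiner would test. The following is an added illustration, not code from the original article or from any vendor’s product. It assumes a hypothetical exchange export in which each ledger movement carries a monotonically increasing sequence number, a reported closing balance from the same exchange, and two independent price feeds; all sample data is constructed.

```python
"""Completeness and accuracy checks for an exchange data integration.

Controls illustrated:
  1. Completeness: detect gaps in the exchange-assigned sequence numbers.
  2. Accuracy: roll opening balances forward through the imported movements
     and compare the result to the balance the exchange itself reports.
  3. Pricing: flag assets where two independent price sources disagree by
     more than a tolerance (in basis points).
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Movement:
    seq: int         # hypothetical exchange-assigned ledger id, assumed contiguous
    asset: str
    amount: Decimal  # signed: deposits/buys positive, withdrawals/sells negative


# Constructed sample export. Sequence 1003 is deliberately absent to show
# how a dropped page in an API pull surfaces in both checks.
MOVEMENTS = [
    Movement(1001, "BTC", Decimal("0.50000000")),
    Movement(1002, "BTC", Decimal("-0.10000000")),
    Movement(1004, "BTC", Decimal("0.25000000")),
    Movement(1005, "ETH", Decimal("3.0")),
]

# Constructed opening balances and the closing balances the exchange reports.
OPENING = {"BTC": Decimal("1.0"), "ETH": Decimal("0")}
CLOSING_REPORTED = {"BTC": Decimal("1.70000000"), "ETH": Decimal("3.0")}

# Constructed prices from two independent (hypothetical) data providers.
PRIMARY_PRICES = {"BTC": Decimal("9500"), "ETH": Decimal("170")}
SECONDARY_PRICES = {"BTC": Decimal("9520"), "ETH": Decimal("180")}


def find_sequence_gaps(movements):
    """Return every sequence number missing between the lowest and highest seen."""
    seqs = sorted(m.seq for m in movements)
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur - prev > 1:
            gaps.extend(range(prev + 1, cur))
    return gaps


def roll_forward(opening, movements):
    """Compute closing balances per asset from opening balances plus movements."""
    balances = dict(opening)
    for m in movements:
        balances[m.asset] = balances.get(m.asset, Decimal(0)) + m.amount
    return balances


def reconcile(opening, movements, closing_reported):
    """Return {asset: reported - computed} for every asset that does not tie out."""
    computed = roll_forward(opening, movements)
    breaks = {}
    for asset in set(computed) | set(closing_reported):
        diff = closing_reported.get(asset, Decimal(0)) - computed.get(asset, Decimal(0))
        if diff != 0:
            breaks[asset] = diff
    return breaks


def check_prices(primary, secondary, tolerance_bps=50):
    """Return {asset: deviation_bps or reason} where the two feeds disagree."""
    exceptions = {}
    for asset, p in primary.items():
        s = secondary.get(asset)
        if s is None or s == 0:
            exceptions[asset] = "no usable secondary price"
            continue
        deviation_bps = abs(p - s) / s * Decimal(10000)
        if deviation_bps > tolerance_bps:
            exceptions[asset] = deviation_bps
    return exceptions


if __name__ == "__main__":
    print("sequence gaps:", find_sequence_gaps(MOVEMENTS))
    print("reconciliation breaks:", reconcile(OPENING, MOVEMENTS, CLOSING_REPORTED))
    print("pricing exceptions:", check_prices(PRIMARY_PRICES, SECONDARY_PRICES))
```

On the constructed data the sequence check reports a gap at 1003 and the roll-forward shows BTC 0.05 short of the exchange’s reported balance, which is exactly what a dropped deposit would look like; the ETH price deviation of roughly 556 bps exceeds the 50 bps tolerance and would be routed to a human for review. Logging every run of these checks, with the exception queue and its disposition, is what turns them from scripts into evidence an auditor can test.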
If you are offering a crypto accounting solution, the answer is clear. Yes. Your block needs a SOC. If your company offers a crypto tax solution, you may see the demand coming from your enterprise customers.
D. SOC Reports for Private Blockchain Platforms and Permissioned Blockchain Consortiums
Permissioned or “private” blockchains may have a potent ability to solve many enterprise problems, including increasing the efficiency of supply chains, providing transparency into the provenance of materials used in manufacturing, and providing trusted identity. Indeed, some of the largest enterprises in the world have experimented with blockchain solutions, and there are multiple successful implementations.
A number of the existing implementations feature a consortium of enterprises, not just a single enterprise. In a blockchain consortium, the need for third-party assurance is relatively clear; SOC 1 and SOC 2 reporting are an apt vehicle for additional trust and assurance among a consortium of private blockchain participants. However, the use of SOC reporting for crypto and blockchain to deliver such assurance may require some adaptation of the current standard, or at least a novel approach by the auditor.
Specifically, the SOC 1 and SOC 2 reporting standards rely on a clear demarcation between the service organization and its user entities, where the service organization has taken over an outsourced function for the user entity. Contrast this with a blockchain consortium, where participants have not outsourced a function to their cohorts but rather changed the way they trust, transact and record transactions among the members, so it is not obvious who the service organization is, or whose controls the report should cover.
Some enterprise blockchain consortiums will have one dominant participant, (take the Walmart supply chain consortium). Others will have participants on more equal footing. In the case of a leading or dominant participant, it is likely that the dominant participant will govern access, consensus, change management and other aspects of the blockchain ecosystem. In blockchain consortiums where participants share a more equal footing, the issues of governing the ecosystem are likely to be more complex and will likely require the use of trusted intermediaries and crypto auditors.
Specific examples where crypto auditors and consultants will play a role as a trusted intermediary, perhaps through SOC reporting for blockchain and crypto, include: assurance over the existence and valuation of real-world assets represented on permissioned blockchains; testing consensus mechanisms; correction of improper ledger entries; settlement controls for private blockchains that use tokens for tracking or payment; and, more.
So, does your permissioned block need a SOC? Yes. There are many potential applications of SOC and similar audit examinations to the assurance needs of permissioned blockchain consortiums and their members.
E. SOC Reports for Node Hosting & Staking Providers
Organizations that choose to outsource node hosting to qualified service providers require assurance over the general operations, security, availability and confidentiality of those hosting services. This is a natural fit for the SOC 2 Trust Services Criteria (formerly called Trust Services Principles). As discussed in Part I of this series, SOC 2’s “Security” criteria are not limited to IT controls; they also cover the organization and management, risk assessment, and information and communication aspects of the business. We see this type of reporting becoming a key differentiator for node hosting providers in the marketplace. As more providers offer security and compliance reporting, it will become table stakes, much as it has in other industries.
Staking as a Service providers are part node-hosters, and part crypto custodians. Here, we see the need for third-party assurance reporting as key to institutional adoption and use of staking services. And again, SOC 1 and SOC 2 do provide a reasonable vehicle to deliver such assurance to the staking customer and the staking customer’s financial auditor.
Is there a theme developing here? Yep, your block needs a SOC!
F. SOC Reports for Custodial Wallet Providers and Exchanges
Third-party assurance is necessary in custodial environments. There are some larger exchanges that have recently released news that they have completed their SOC audits, and others that we know are soon to make this announcement. Soon this will be the norm for all exchanges.
Does your virtual currency exchange (VCE) or custody solution need a SOC? If the exchange has a custodial wallet feature, then yes. Providers of “institutional grade” custody solutions will most definitely be asked for SOC 1 and/or SOC 2 reports. Decentralized exchanges are a different animal of course.
To discuss your specific situation in more detail, please use our request a meeting link to schedule a time for a complimentary introductory call.
Footnotes
[1] DApp is simply an abbreviation for “decentralized application.” Apps run on centralized servers; dApps run on a decentralized network of servers or nodes (blockchains).
[2] Initial Coin Offerings (ICOs) — Generally, a blockchain project (startup group of developers, sometimes without even a basic corporate structure) collecting cryptocurrency of one type (typically BTC or ETH, which have a more stable or proven value) in exchange for the project’s token (which the ICO investor hopes will moon, of course).
[3] “Off-chain assets” are those that sit in the real world, not connected to or residing on a blockchain. There are examples in the market today of tokens collateralized by baskets of other tokens; because those digital assets reside “on chain,” the need for independent validation is, theoretically, reduced or eliminated.
About the Author
Noah Buxton, Esq., Director, Blockchain, Risk Assurance & Advisory, ArmaninoLLP
Noah is a CPA and has more than 10 years of audit, legal, IT and regulatory compliance experience. With a proven track record of leading clients through successful SOC audit reports for crypto and blockchain, Noah offers valuable insights and solutions to ensure compliance and financial integrity. Connect with The Network Firm on LinkedIn/Twitter for more expert advice.
Noah is a member of the Information Systems Audit and Control Association (ISACA), the American Institute of Certified Public Accountants (AICPA), the California Bar Association and International Association of Privacy Professionals (IAPP), as well as the Chamber of Digital Commerce (CODC). Noah is a contributing writer and member of the AICPA Blockchain for SOC Working Group, as well as the joint working group of the AICPA and ISACA focusing on controls assurance for permissioned blockchain ecosystems. Noah holds certifications for the Linux Foundation’s Hyperledger permissioned blockchain and is a Certified HITRUST CSF Practitioner.