The Institute of Internal Auditors presents All Things Internal Audit Tech. In this episode, Dana Lawrence and Dal la Rubin Tanja discuss the complexities of auditing cryptocurrency and blockchain. They explore the unique challenges and opportunities these technologies offer internal auditors and share practical guidance for navigating this evolving landscape.
Reuben, I am so excited to have this conversation with you. How are you doing today?
I'm good. Thank you, Dana. And it's my pleasure to be here.
So let's kick things off. What inspired your interest in exploring cryptocurrency with regards to internal audit?
It's fascinating, but also a bit overwhelming, especially for internal auditors. I have seen organizations diving into blockchain, crypto, and even decentralized finance as they try to innovate and stay ahead. But with all this innovation comes a ton of new risks and complexities that are not part of traditional auditing frameworks, right? For example, things like decentralized systems, smart contracts and the volatility of cryptocurrencies create challenges that require us as auditors to think differently. On top of that, the regulatory landscape around crypto is also continuously evolving, so there's so much to keep up with these days.
What are some of the challenges you see internal auditors facing when they're assessing activities related to digital assets, blockchain, cryptocurrency, et cetera?
There are a lot of challenges still, Dana. I mean, the moment the technology becomes huge, this also comes together, which is also huge in most cases. So the world of digital assets is so unique that it presents some pretty distinct challenges for internal auditors. So maybe I can point out a few of them. The first key one is understanding the technology itself, right? It can be a hurdle. Blockchain and cryptocurrencies operate very differently from traditional financial systems, so auditors need to grasp how they work to effectively evaluate risks and controls. And it's not always easy to translate technical concepts like smart contracts or even decentralized finance into audit terms. Then on top of that, there is the challenge of regulatory uncertainty, as I mentioned before. Digital assets are still relatively new, and the rules governing them vary widely across regions, and they're constantly changing. I mean, as internal auditors, we need to keep up with this evolving landscape to ensure, in our case, our clients stay compliant. And that's no small task. And on top of that, as you know, Europe has its own regulatory framework, which is very new, and it's called the Markets in Crypto-Assets Regulation. And the other jurisdictions like the UK, US, Canada, Australia, Singapore and other key financial markets are still figuring out what is the best course of action. So you need to keep up with it, at least in your jurisdiction, I would say, as internal auditors. Another one I would say is cybersecurity. I mean, digital assets are a prime target for hackers. Incidents like stolen private keys or compromised wallets can lead to massive losses. And auditors have to evaluate whether good security measures are in place to protect these assets. And that often involves understanding highly technical safeguards. And then after that, valuation comes into play, which is also tricky. Cryptocurrencies are very volatile, and it makes it hard to assign a consistent value to them. There's still a debate ongoing about how to classify them from the accounting perspective. Then there's the challenge of controls and governance. Many organizations are still figuring out how to integrate digital assets into their operations, and auditors often find gaps in processes, policies, and controls. So I think staying curious, adaptable, and open to learning is important for internal auditors to ensure they can tackle these challenges.
Mm-hmm. Yeah, it seems like there are a lot of challenges, but it also could be a great opportunity for internal auditors who really thrive on new technology and learning new information. So I think it could also be a cool opportunity career-wise. I wanna circle back to cybersecurity.
Do you have any specific tips or auditing procedures that we can keep in mind, specifically thinking about cybersecurity controls with digital assets?
So, Dana, cybersecurity, as I said, is a massive concern when it comes to digital assets because they're such high-value targets for hackers, because of the value associated with cryptocurrencies, right? So recently I read an article, it was even in one of the IIA's, which stated that 2.2 billion US dollars' worth of cryptocurrency was stolen from various platforms in 2024. So I'm saying a very recent number. So it's a key concern. I can point out some key risks, maybe, and how as internal auditors we can tackle them. First, there is the risk of unauthorized access to wallets or private keys. For example, if someone gains access to these keys, they essentially control the digital assets, right? And there is no way to reverse a transaction on the blockchain. I mean, that is the beauty of the blockchain, and of course that is the con of the blockchain as well. And auditors should prioritize assessing how private keys are generated, stored and accessed. Are they kept in secure, encrypted wallets, or are multisignature wallets in use, for example, where multiple approvals are required for a transaction? And another big risk is phishing attacks. I mean, it's been there in the industry for some time. Hackers often trick employees into giving up credentials or access. Auditors should review the organization's training programs to ensure employees are educated on these threats and assess incident response plans for handling phishing attempts. There is a risk of compromised platforms as well, like exchanges or custodial services. So, for example, if an organization uses a third-party provider to manage these assets, I think auditors need to evaluate the due diligence performed on those providers: whether they're reputable, do they have strong security certifications, whether they have the right protocols in place. And also I can think of, for example, network security as well. Digital assets are managed in environments where a breach could expose them to theft. Audit procedures here can include, for example, testing firewalls, intrusion detection systems and monitoring controls to ensure anomalies are quickly identified and addressed. I mean, there are things which you can do. For example, review access logs, test the effectiveness of encryption protocols, verify some of the usual IT controls like backup and recovery processes, even the incident response capabilities. So the moment the technology comes into play, there are a lot of things that need to be done around it to ensure that you're confident about the internal controls around the processes.
Well, you've absolutely offered us some strong tips there.
One thing that I think about is, anytime I am performing an audit, I do a risk assessment for planning to understand the scope, and then, starting with the scope of services, you can apply some of those cybersecurity best practices to make sure that you have appropriate coverage. Let's pivot slightly and think about the evolving regulatory landscape. Depending on where you are in the world, you might have very different regulations governing what you can and can't do with regards to digital assets. In your opinion, how can we stay on top of the changes, the differences, and help our organizations stay in line with emerging regulations? And I'm gonna specifically call out MiCA. So what are your thoughts?
I'm glad you brought this up, Dana.
I mean, this is something which is close to my profession, and we are continuously following this space. And I can speak about MiCA, which is Europe's specific regulation. And it's relevant to Malta, where I'm based, and the country has been a hub for crypto businesses within the EU for the last few years. For those less familiar, MiCA, which is the Markets in Crypto-Assets Regulation, is a comprehensive regulatory framework introduced by the European Union with the intention of bringing clarity and consistency to the crypto sector. It's designed to cover everything from crypto-asset issuers to service providers, with the aim of fostering innovation while also ensuring investor protection and market integrity. So that's basically the whole idea about this. So, under MiCA, for example, the crypto businesses operating in Malta and also other EU states will need to comply with some strict requirements, such as licensing for crypto-asset service providers. There should be enhanced transparency around white papers on the part of issuers, and robust governance frameworks as well. There are also specific provisions for consumer protection and market abuse prevention as well. From an internal auditor's perspective, I think MiCA introduces a new layer of compliance that must be woven into their traditional internal audit plans. I think staying informed is critical. And one way to do this is to maybe engage directly with resources provided by the local regulator; in Malta's case, that's going to be the Malta Financial Services Authority, who will oversee the MiCA implementation locally. From an audit perspective, there are several things which can be done, for example, to map the organization's activities to MiCA requirements. I'm referring to MiCA, but it can be any regulation. And then assess governance structures. For example, in MiCA's case, it emphasizes accountability. So auditors should ensure roles and responsibilities for compliance are clearly defined. Then test the reporting mechanisms. For example, in the case of MiCA, it requires ongoing reporting to regulators. So auditors should evaluate whether these processes are robust, accurate, and timely. And also on top of that, there is the risk management framework, right? So I think MiCA demands that risks associated with crypto activities, like operational, market and cybersecurity risks, are promptly identified and mitigated. But I would say generally all internal auditors should ensure that proper risk management frameworks are in place. I mean, at the end of the day, a regulation gives guidelines for an operating framework, which means the regulator has already considered certain risk aspects. So it makes internal auditors' lives a bit easier, because now we have a framework to operate within.
So do you have any other tips to offer auditors to prepare the organizations for compliance with upcoming regulations?
Definitely, I mean, it's a critical topic as well. It's related to what we just spoke about.
I mean, preparation is key, not just from the compliance perspective, but also to position the organization as a credible player in the digital asset space. I think as the first step, the auditors can consider a readiness assessment, for example. So this means evaluating the company's current operations, policies and controls against the requirements set by the regulation. For example, crypto-asset service providers will need licensing, as I said, and there should be proper governance structures, and there should be transparent disclosures, so auditors can evaluate whether these are in place. I think on top of that, internal auditors should also encourage the organization to establish and enhance the existing regulatory compliance framework to ensure they're in line with the expectations of the new regulatory requirements, and also to focus on data and reporting capabilities. Cybersecurity also ties into regulatory compliance, so auditors should ensure that digital asset custody and transaction processes are secure. For example, MiCA places emphasis on consumer protection, which includes safeguarding assets from unauthorized access or loss. I think another key area I would say is maybe staff training and awareness. These regulations introduce new requirements, and maybe not all employees are familiar with them, so it's important to ensure that staff, particularly those involved in compliance and maybe risk management, know what's coming their way. I would also say auditors should emphasize the importance of engaging with regulators, maybe early. So it's about building a relationship with the local regulator so they can gain some clarity on expectations, especially in areas where the regulation may still be evolving. So it's about turning compliance from a tick-box exercise into a strategic advantage for the organization's wider benefit, I would say.
I love that. With more and more people being interested in digital assets, potentially investing in cryptocurrency or other things at exchanges or otherwise, we have seen some pretty epic failures, whether it's a hack or fraud or collapses of major exchanges. And I think back in 2022 is when the IIA first started demonstrating leadership around this topic and asking the question: why is it not a requirement to have some sort of control testing or robust internal audit function at a large crypto exchange that has the ability to impact so many people if there is broader mismanagement? So the IIA recently has made some legislative proposals emphasizing the need for stronger corporate governance at cryptocurrency exchanges. In your opinion, how can we effectively advocate for governance enhancements within the industry or within these specific organizations?
That's a really relevant and very timely question, Dana. I mean, especially with the increased scrutiny on cryptocurrency exchanges in recent years, the IIA's proposal came soon after the collapse of a cryptocurrency exchange, right?
I think first and foremost, I would say internal auditors need to highlight the value of good governance to leadership and the board. I think probably that's what even the IIA is trying to do here. And I mean, strong corporate governance is not just about compliance. It's about building trust, mitigating risks, and creating a sustainable framework for growth. I think by emphasizing the reputational and financial benefits of good governance, auditors can position these improvements as strategic priorities, not just regulatory obligations, I would say. I think then possibly internal auditors can start by evaluating the current governance framework within the exchanges, or even any organization. This means assessing key areas like the composition and independence of the board, the adequacy of oversight mechanisms, and the clarity of roles and responsibilities. I think risk management frameworks are also very critical. They should assess whether the organization has robust processes in place to identify, measure and mitigate risks, especially those unique to crypto exchanges. So essentially, this will either come from an organization-wide risk register, or even the independent risk assessment of the internal auditor. In Malta, and I'm just giving Malta as an example here, as soon as operating licenses are granted for payment institutions, and this can be regardless of whether crypto is involved or not, an internal audit should be carried out on the governance structure and risk management processes within the first 12 months of operation. Even the regulator is so picky about it, and they want there to be an internal audit done within that first 12 months. So there's a very specific focus on this area. I mean, we should not forget that the internal auditor's role is not limited to the assurance role, right? It goes beyond that, and internal auditors can always wear advisory hats, so they can act as educators and advocates of governance as well, which is essentially what the IIA is trying to do on a wider scale.
Well, I appreciate your insight on that, and it's always difficult to have incidents like these. I know we're alluding to the cryptocurrency exchange collapse of 2022 with regards to FTX, which, you know, is very tough for a lot of people, even if they hopefully get their money back years later. But I do think the silver lining is, when we're speaking to organizations we're working with, we can point clearly to what risks actually can end up happening and what outcomes can occur if we don't have that correct risk management. So I think the silver lining is we have a clear example and talking points, so we can better inform our stakeholders.
Definitely.
Okay, let's think about how we equip internal auditors today with the technical knowledge they need around blockchain, around digital assets, so they can do their work effectively. Because this is something I've also been very curious and passionate about for the last couple of years, trying to sift through all things digital assets and figure out what is applicable to the world I operate in.
This is something not just you, Dana, but many internal auditors are curious about, because it's true that blockchain and crypto platforms are quite technical, and it can seem daunting for auditors who came from a more traditional background, right? So traditionally, if you look at the industry, you will find more accountants coming into internal audit than people who are technically advanced or technical experts. But the good news is that while auditors don't need to become blockchain experts, they do need to have some basic understanding of how these technologies work to effectively assess digital asset operations. Think of it this way, for example: auditors should be like translators. They don't need to be coders or developers, but they need enough knowledge to understand the risks and controls that are unique to digital assets. For example, they should know how transactions are recorded on the blockchain, how wallets work, and what smart contracts are. This foundational knowledge will help auditors understand what's happening behind the scenes and allow them to ask the right questions. For instance, when reviewing the security of crypto wallets, auditors need to know the difference between hot wallets and cold wallets, which is whether they're connected to the internet or not, because the risk profiles are different here. Similarly, understanding the concept of consensus mechanisms like proof of work or proof of stake can help auditors evaluate the integrity of blockchain networks. That said, I think auditors don't have to do the deep technical analysis themselves. They can work with technical experts, whether that's in-house specialists or external consultants, to assess specific risks. What auditors do need is the ability to identify areas that require more technical review and to communicate effectively with those experts. I mean, ultimately, auditors need enough technical knowledge to ask the right questions and make informed judgements about risks.
If they feel out of their depth, they should collaborate with the technical experts who can dive into the details, which ensures that whatever internal audit engagement we're carrying out is both comprehensive and credible.
As digital asset technology continues to evolve, what trends should we as internal auditors be ready for in the near future? What are you predicting for us?
So, Dana, with how quickly cryptocurrency and blockchain technology are evolving, there are definitely some key trends that internal auditors need to be ready for. One trend that's already taking shape is the increased focus on regulation and compliance. We spoke about it. I mean, we're seeing governments around the world, including the EU with MiCA, tighten their grip on the crypto space to ensure investor protection and financial stability.
So auditors will need to stay on top of these regulatory developments, not just in their local jurisdiction, but I would say even globally. That's because the cross-border nature of crypto means compliance frameworks are often interconnected. So it's not limited to your jurisdiction anymore. Another trend is integration with the traditional financial systems. You can see the major banks now adopting cryptocurrencies into their books, and it's becoming more mainstream. So we will see more integration between the crypto world and traditional banking and financial services. This could include everything from banks offering crypto products to crypto exchanges collaborating with established financial institutions. I think for auditors, this means needing to assess the risks associated with such integrations, things like counterparty risk and liquidity risk, where maybe the risk profile will change. So I think the internal auditor should be ready for that. Then if you think about the underlying technology, which is blockchain, this adoption is also moving into new sectors, not just the financial sector. So we're already seeing blockchain being used for things like supply chain traceability, digital identity management, and I have even seen it in voting systems, because it's much more secure when it comes to voting, right? And for auditors, this means gaining familiarity with how blockchain can improve operations across different industries. As we spoke earlier, I'm also seeing a rise in the importance of cybersecurity within the crypto space. As the value goes up, they are becoming even more attractive for hackers, right? So auditors need to focus on cyber threats and the security measures. Probably the last part is going to be a bit more unspoken, but I see the awareness of the environmental impact of crypto mining, which may become a bigger topic. And as proof of work mining continues to draw attention to its energy consumption, we could see more regulations and pressure to make crypto mining more sustainable. I think auditors should be prepared to assess an organization's environmental impact and whether it aligns with evolving ESG standards.
It's so fascinating to me how much power is used for technology. In the region I live in, in the United States, there's a lot of conversation around farms being turned into data centers. It's wild.
No, I mean, we need to speak about it, but I think everybody's focused on the financial turnout, which is what blockchain is,
and we're forgetting that part actually.
Mm-hmm. When you were talking about future predictions and trends, an idea popped into my mind, and that was, do you think we'll ever get to a point in time where we can buy a cup of coffee with Bitcoin or crypto at a point of sale?
Definitely. I think they're not so far from that. And I'm seeing right now there are a number of payment platforms licensed across Europe where you can make payments by Bitcoin, and not just Bitcoin, even other coins. I can quote one of the famous ones, which is called re. Basically, if you want to pay someone, instead of transferring it in fiat currency, you can pay it as one of the coins or one of the digital assets. So it's live, it's happening. It's gonna come into mass scale very soon. The day where McDonald's or KFC or pizzas is gonna accept cryptocurrency as a payment is not so far away.
So when I see that in the news, I'm gonna think back to this conversation on January 9th, 2025, and just laugh to myself, like, we called it. Okay. Let's say you work for an organization, you're an internal auditor, and you find out that they want to adopt cryptocurrency.
Maybe they're gonna invest in it, or they're gonna create a blockchain project. What should you do as an internal auditor to help make sure that that is set up in a responsible way?
Dana, this really gets to the heart of how internal auditors can add value, right?
Exactly.
So, I think as cryptocurrency adoption grows, it's important for organizations to approach it responsibly, balancing the potential for innovation and profit with strong risk management practices and robust controls as well. Internal auditors have a critical role to play here in ensuring that this balance is maintained. Auditors should start by evaluating the company's strategic approach to cryptocurrency. What's the purpose behind adopting crypto? Is it trading, as a payment method, or to offer crypto-related services? I think understanding the organization's goals helps auditors identify the specific risks involved. For instance, if the organization is holding crypto as an investment, then auditors will need to assess the valuation process and ensure that risks like market volatility are managed properly. If they're accepting crypto as payment, for example, then auditors must ensure that the process for converting to fiat currency is secure and transparent. So there are a number of things that need to be considered, depending on how the business is gonna work. Second, I would say auditors can help design strong governance frameworks. So this includes, as we spoke before, defining clear roles and responsibilities, segregating duties, and ensuring there's a level of oversight on crypto-related transactions. As I mentioned before, risk management is also crucial. So auditors can help identify the unique risks associated with cryptocurrency, such as cyber threats or even counterparty risks. I would say auditors should emphasize the importance of monitoring and continuous improvement as well, because cryptocurrency and the whole technology is a fast-moving space, so auditors should regularly review and update controls and processes. This could mean maybe conducting periodic risk assessments. So rather than doing it annually or bi-annually, you might need to do the risk assessment more frequently, and do audits on crypto activities, and assess the effectiveness of cybersecurity controls. And I think being proactive and adapting to changes in the crypto landscape will ensure that the organization continues to manage risks effectively overall.
Okay, fantastic.
One personal tip I have would be, for any internal auditor, assessing whether or not your organization has a good process to review the risks of new products and services. And that's such a good point: before the thing is rolled out, is there some sort of risk management process? That's something you can check for as an internal auditor. What are your final tips or takeaways that you wanna share with the internal audit community with regards to digital assets?
I think my key takeaway message for internal auditors would be this: stay informed, be adaptable, and focus on understanding the risks at the core of digital assets. The digital asset landscape is, as I said, evolving rapidly, and it can be overwhelming, but auditors play a vital role in helping companies navigate this space responsibly and securely. First, don't feel like you have to become an expert in blockchain or cryptocurrency. You don't need to be a developer, but you do need to develop a solid understanding of the fundamental concepts, like I said, like how blockchain works, what the risks associated with different types of digital assets are, and the regulatory environment. I think this knowledge will empower you to ask the right questions when you go for meetings or when you ask your process owners, and assess the risks appropriately. I would also say maybe embrace collaboration. The world of digital assets is very complex, and you will likely need to work closely with some technical experts and maybe even legal advisors and other specialists. So collaboration is key to ensuring you have a holistic view of the organization's operations and risk environment. Third, be proactive. As I said, the risks associated with digital assets, especially in areas like cybersecurity, require forward thinking. So don't wait for issues to arise. Try to implement robust controls; staying ahead of emerging risks is essential for maintaining the integrity of the company's operations. To summarize, I would say maybe stay adaptable and be curious. I think I sounded like Steve Jobs.
No, I love it. I've really enjoyed the conversation. Thank you so much for sharing your expertise, and I hope you have a wonderful 2025. I feel like I'm gonna log off and go check my Bitcoin balances, because I bought back in like 2021.
Thank you, Dana. I really enjoyed this conversation, and I wish you a good 2025 as well.
If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or at theiia.org. That's theiia.org.
