Auditing Crypto’s Blind Spots
How auditors ensure blockchain’s promise of transparency doesn’t obscure vulnerabilities.
As digital assets continue to enter mainstream finance, auditors have an important role to play at the intersection of blockchain technology and financial reporting. While companies point to public ledgers as a guarantee of transparency, that transparency doesn’t reveal critical information stakeholders need for decision-making.
The following fictional scenario, inspired by real audit challenges in the digital asset space, illustrates how auditors bring accountability to even the most decentralized environments, helping investors navigate an evolving industry that poses unique risks. We talked to real public company auditors for insights into how they conduct audits in the digital asset ecosystem, building on their long-standing skills in professional skepticism, risk assessment and testing.
XaroVault Financial, a publicly traded fintech company, markets itself as the ultimate “one-stop shop” for digital assets, promising customers seamless crypto trading and ironclad custody services. The company boasts blockchain transparency and cutting-edge security, attracting millions of customers—from retail investors to institutional clients—who entrust billions in digital assets to their platform. However, behind the glossy marketing, a critical vulnerability lurks in XaroVault’s private key management practices—a weakness that could put customer crypto assets at risk.
As companies custody billions in digital assets for customers using new and complex technologies, external auditors continue to play a critical role in enhancing transparency and protecting capital markets and investors. Companies like XaroVault might promise transparency, but that doesn’t mean they are without risk. In fact, engaging in the digital asset ecosystem can introduce new and different risks that auditors have to consider.
“Auditing a crypto business is like auditing a bank, a tech startup and a commodities exchange all at once,” says Ryan Hurley, a partner and national director of asset management for RSM US. “The risks come from every direction.”
Part 1: Why Technology Isn’t Enough
XaroVault’s rise was fueled by its claim that blockchain made its operations transparent. However, the auditors approached such claims with professional skepticism, understanding that blockchain transparency cannot reveal off-chain information, controls and internal processes that protect customer crypto assets and support reliable financial reporting.
“Blockchain transparency doesn’t equal complete financial transparency,” explains Sara Krople, a partner at public accounting and auditing firm Crowe LLP. “The technology doesn’t show whether assets are encumbered or misreported.”
The auditors performed procedures to understand XaroVault’s approach to digital asset custody and evaluate related risks of material misstatement to the company’s financial statements. They learned that XaroVault commingled customer digital assets into a shared address on the blockchain, a practice called omnibus custody, rather than maintaining separate addresses for each individual customer.
In an omnibus custody model, the blockchain shows total assets stored in the address, but has no record of exactly who owns what within it. This practice makes the company’s internal books the main record of individual customer holdings. If those records are wrong or manipulated, the true ownership or value of assets may be obscured, exactly the kind of risk of material misstatement auditors look for when planning and performing their audit.
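To make the omnibus custody point concrete, here is an added example (not code from the article or from any firm it quotes) of the reconciliation an auditor would want: customer claims from the internal ledger, summed per asset, are set against the on-chain balance of the omnibus address net of encumbered holdings. The ledger rows, balances and encumbrances are constructed sample values.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from the article): the internal ledger of customer
# holdings in one omnibus address, and the balance the chain reports for it.
CUSTOMER_LEDGER = [
    {"customer": "C001", "asset": "BTC", "qty": Decimal("12.5")},
    {"customer": "C002", "asset": "BTC", "qty": Decimal("7.25")},
    {"customer": "C003", "asset": "ETH", "qty": Decimal("300")},
    {"customer": "C004", "asset": "ETH", "qty": Decimal("150.5")},
]
# On-chain balance of the omnibus address per asset (constructed).
ONCHAIN_BALANCE = {"BTC": Decimal("20.0"), "ETH": Decimal("450.5")}
# Holdings in that address already pledged elsewhere (constructed); the chain
# shows them as present, but they cannot back customer claims.
ENCUMBRANCES = {"ETH": Decimal("100")}


def reconcile(ledger, onchain, encumbered):
    """Compare customer claims per asset with unencumbered on-chain reserves.

    Returns, per asset, the total claims, the free reserve and the shortfall
    (positive when the ledger claims more than the chain can actually back).
    """
    claims = defaultdict(Decimal)
    for row in ledger:
        if row["qty"] < 0:  # a negative customer balance is itself an exception
            raise ValueError(f"negative balance: {row['customer']} {row['asset']}")
        claims[row["asset"]] += row["qty"]
    report = {}
    for asset in set(claims) | set(onchain):
        free = onchain.get(asset, Decimal(0)) - encumbered.get(asset, Decimal(0))
        total = claims.get(asset, Decimal(0))
        report[asset] = {
            "claims": total,
            "free_reserve": free,
            "shortfall": max(total - free, Decimal(0)),
        }
    return report


def exceptions(report):
    """Assets whose customer claims are not fully backed: the audit exceptions."""
    return sorted(asset for asset, r in report.items() if r["shortfall"] > 0)
```

In the sample data the ETH balance on chain exactly matches the ledger, yet 100 ETH of it is encumbered, so the check reports a shortfall the public ledger alone would never show.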
Why It Matters
Auditors play a critical role in understanding and assessing risk across emerging technologies and evolving business models, enabling them to tailor their approach to the specific facts and circumstances of a company.
Part 2: Finding Hidden Vulnerabilities
Since customer crypto assets were a major component of the company’s finances, the audit team needed to understand and test internal controls over the custody process. A key aspect of the custody process is the safeguarding of “private keys”—the digital passwords that control access to crypto assets. Anyone with access to a private key can move the associated crypto assets, making robust security controls essential.
“Managing private keys is absolutely critical in the crypto world,” Krople says. “We look at how companies create these digital keys, where they store them and who has access to them.”
To store private keys, XaroVault used a mix of “hot” wallets connected to the internet for daily trading and “cold” storage wallets kept offline for enhanced security.
The auditors dug further into XaroVault’s private key management practices, evaluating its controls to protect private keys. Through detailed testing, they discovered a critical vulnerability—too many individuals, including former employees, retained access to critical private key information. This excessive access created an environment that could allow unauthorized parties to steal or misuse customer crypto assets.
Unlike traditional banking, where transactions can often be reversed, blockchain transactions are permanent. “If someone has your private key, then you no longer have those assets,” Krople says. “Your assets are gone.”
The audit team’s finding revealed a fundamental disconnect between XaroVault’s public promises of transparency and security and the reality of its internal controls. The company lacked adequate safeguards to prevent theft, loss or misuse of customer crypto assets.
Why It Matters
Auditors do more than just check the numbers—they review controls in key processes relevant to financial reporting to strengthen trust and transparency and ensure financial integrity. In the case of XaroVault, the auditors combined their understanding of traditional internal control principles with knowledge of digital asset technology to identify how conventional control frameworks needed to be adapted for crypto custody operations.
Part 3: Building Stronger Defenses
When auditors presented their concerns to XaroVault management, additional investigation revealed the full scope of the company’s control weaknesses. XaroVault had implemented basic security measures but lacked comprehensive private key governance protocols. Following the audit findings, the company implemented private key security enhancements, including multisignature address requirements, private key “sharding” (which splits keys across multiple secure locations) and strict access controls with regular reviews and monitoring.
“Companies are building in additional layers of controls to fortify crypto security,” Hurley says. “For example, multisignature wallets require multiple parties to approve transactions above certain amounts, similar to traditional check signing authorization.”
This evolution in private key management reflects a broader recognition that digital asset custody requires robust internal controls, not just sophisticated technological solutions. Enhanced private key management practices not only provide better protection for crypto assets but also put clearer policies and controls in place, leading to greater accountability.
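As an added illustration (not code from the article, XaroVault or either firm quoted), the following implements the private key “sharding” the remediation describes as Shamir secret sharing: any k of n shards rebuild the key, while fewer than k reveal nothing about it. The key value, threshold and field prime are assumptions chosen for the demo.

```python
import secrets

# Field prime for the polynomial arithmetic: the Mersenne prime 2^521 - 1, large
# enough to hold a 256-bit private key as a single field element (assumption).
P = 2**521 - 1


def split_key(secret: int, threshold: int, shares: int):
    """Split `secret` into `shares` shards; any `threshold` of them rebuild it.

    A random polynomial of degree threshold-1 with constant term `secret` is
    evaluated at x = 1..shares. With fewer than `threshold` points every value
    of the constant term remains equally likely, so a lost shard leaks nothing.
    """
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, shares + 1)]


def recover_key(shards):
    """Lagrange interpolation at x = 0 over the supplied (x, y) shards."""
    total = 0
    for i, (xi, yi) in enumerate(shards):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total
```

Sharding still reassembles the full key at signing time, so whoever can run the reconstruction step needs the same access review as the key itself; a multisignature address, by contrast, is enforced by the chain and never assembles a single key.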
Why It Matters
Auditors don’t just identify problems; their findings lead to long-term improvements at the companies they audit. Through their procedures to validate the remediation of control weaknesses, auditors evaluate whether technological innovation is paired with sound risk management practices.
Part 4: Setting Expectations
As companies increasingly get involved with digital assets, auditors are making sure they have the right skills—in accounting, auditing and technology—to audit companies participating in this space. This includes growing auditors’ skills and investing in new technology to enhance audit procedures. In the case of XaroVault, the audit team combined auditors who knew accounting standards with experts in blockchain technology.
“The space is evolving very quickly,” Hurley says. “To keep up, auditors need to involve a lot of people from the technology side of the house—and have a deep intellectual curiosity about how the technology works.”
As the digital asset ecosystem continues to evolve, it’s also important for investors to understand the scope of audits and other services in the digital asset ecosystem. While audits strengthen confidence in the information investors rely on, they don’t remove inherent risks in investment. The auditor’s role is to provide an opinion on whether a company’s financial statements fairly reflect its financial performance in line with established accounting principles.
For investors evaluating companies like the fictional XaroVault, the fundamentals remain paramount. “Look beyond the marketing and evaluate the governance practices, the transparency, the disclosures,” Krople says. “Does the company obtain independent audits?”
Why It Matters
External auditors have an independent role, separate from company management, and report directly to the audit committee, providing investors, boards, policymakers and the public with an objective, third-party check on a company’s financial statements. This independence is invaluable to bringing trust to the rapidly evolving digital asset ecosystem.
XaroVault’s experience illustrates how auditors serve as essential bridges between blockchain innovation and investor protection, ensuring that technological promises don’t obscure the basic requirements for financial accountability. Independent audits remain the foundation for trust in our capital markets, building confidence in innovation that moves our economy forward.
Custom Content from WSJ is a unit of The Wall Street Journal Advertising Department. The Wall Street Journal news organization was not involved in the creation of this content.