Auditing Crypto: The Existence and Rights Assertions

In a normal audit, existence of cash is a bank confirmation. In a crypto audit, "we own this" is the hardest thing to prove — a blockchain balance shows an address holds tokens, not that the company controls it. This guide is how existence and rights are actually evidenced, and why an explorer screenshot is not an answer.

TL;DR

• Existence + rights and obligations are the crypto audit's hard assertions: a public-address balance is not ownership.
• Ownership = control of the private keys or a valid contractual claim on a custodian.
• The AICPA digital-assets practice aid (non-authoritative) describes procedures: explorer confirmation, hardware-wallet inspection, custody verification, third-party confirmation, and key-control evidence (signed message / controlled transaction).
• Authoritative basis = the applicable auditing standards (US: SAS 145 risk assessment, SAS 143 estimates) — the practice aid applies them, it does not replace them.
• Custody changes the evidence: self-custody → key control; third-party → custodian relationship + confirmation.
• An explorer screenshot is not control evidence.

Why ownership is the hard part

For most assets, existence and rights are routine. For crypto they are the crux, because:

• a blockchain explorer proves an address holds tokens, not that the entity controls that address;
• anyone can display any address as "theirs";
• control is bearer-like — whoever holds the keys controls the asset.

So an auditor cannot accept a displayed balance as ownership. The assertion to satisfy is control: the entity can move the assets (keys) or has an enforceable claim on them (custodian).

The procedures (per the AICPA practice aid)

The AICPA "Accounting for and Auditing of Digital Assets" practice aid — explicitly non-authoritative — sets out procedures auditors use to apply the authoritative standards to crypto:

• Confirm on-chain balances via blockchain explorers (a starting point, not proof of control);
• Inspect hardware wallets and key-management arrangements;
• Verify custody arrangements for custodied assets;
• Obtain third-party confirmations (custodians, counterparties);
• Test key control — for example a verifiable signed message from the address, or a controlled micro-transaction, linking the address to the entity.

These apply the risk-assessment standard (SAS 145 — understanding the entity and assessing risks) and the estimates standard (SAS 143) to the crypto context. The practice aid is the how; the standards are the requirement.

Self-custody vs third-party custody

In both cases the auditor must connect the position to the entity's rights. An explorer balance (self-custody) or a custodian statement (third-party) is necessary but not sufficient on its own.

The weak procedure to avoid

The recurring weakness is accepting an explorer screenshot or a self-prepared balance list as evidence of ownership. It evidences neither control nor rights. A defensible file pairs the on-chain position with control evidence (signature/controlled movement or custodian confirmation) and ties the address set to the reconciled ledger and the audit trail. This is also the substance behind the proof-of-reserves vs audit distinction.

Practical guidance

1. Maintain a complete, owned wallet inventory linked to the books — completeness first.
2. Hold key-control evidence ready — signing capability or a controlled-transaction protocol per address.
3. For custodied assets, keep the contract and confirmations and any service-auditor report.
4. Do not rely on explorer screenshots as ownership evidence.
5. Document the address-to-entity linkage so existence and rights are testable.
6. Treat the AICPA practice aid as the application guide, the auditing standards as the requirement.

How vendor tools support the existence assertion

Cryptio and Bitwave maintain the owned-wallet inventory, link addresses to the ledger, and retain the reconciliation evidence auditors test for existence and rights. Confirm the tool can produce a complete address set tied to the books and support control evidence (not just explorer balances) — the inventory's completeness and the address-to-records linkage are the audit-critical features.

How Wag3s helps

Wag3s Ledger maintains a complete owned-wallet inventory linked to the accounting records across chains, retains the reconciliation and control-evidence trail, and structures custody arrangements so the existence and rights assertions are testable rather than asserted from an explorer view. See the Ledger product page and the Wag3s for accountants page.

Further reading

• Crypto Audit Readiness
• Proof of Reserves vs a Financial-Statement Audit
• Auditing Crypto Fair Value
• Crypto Audit Trail and Piste d'Audit Fiable
• Multi-Chain Reconciliation
• The FEC for Crypto in France

Sources

• AICPA — Accounting for and Auditing of Digital Assets practice aid (non-authoritative), addressing existence, rights and obligations, and valuation — AICPA & CIMA
• Authoritative basis: applicable auditing standards — SAS 145 (risk assessment / understanding the entity), SAS 143 (auditing accounting estimates)
• Existence/ownership procedures: explorer confirmation, hardware-wallet inspection, custody verification, third-party confirmation, key-control evidence