
SOC Report Reliance for a Crypto Custodian: Helpful, Not Sufficient (2026)

A custodian's SOC 1 Type 2 report covers controls relevant to financial reporting and can support an audit — but SOC reports often inadequately address crypto-specific controls like private-key custody and commingling. This explains why the report is one input, not the answer, with conclusions hedged as the auditor's judgement.

Author: Wag3s Team. Editorial team specializing in Web3 finance, crypto tax, and DAO operations. Based in Zurich, Switzerland.

Reviewed by Wag3s Editorial Team — verified against the role of a SOC 1 Type 2 report (controls relevant to financial reporting) for a crypto custodian and the recognized limitation that SOC reports often inadequately address crypto-specific controls (key custody, commingling) · Last reviewed May 2026

When crypto sits with a third-party custodian, the instinct is "the custodian has a SOC report, so we're covered." A SOC 1 Type 2 report does help — it covers controls relevant to financial reporting. But SOC reports often inadequately address the crypto-specific controls that matter most: private-key custody and commingling. This guide explains why the report is one input, not the answer, with conclusions hedged as the auditor's judgement.

TL;DR

  • A SOC report describes a service organization's controls + an independent assessment; for a custodian an audit relies on, the SOC 1 Type 2 (controls relevant to financial reporting, tested over a period) is generally the relevant one — SOC 2 = security/availability.
  • Cannot be relied on alone: SOC reports for digital-asset custodians often inadequately address crypto-specific controls (key generation/storage, commingling) → auditor gathers more.
  • A clean SOC opinion ≠ key-custody/commingling covered — read scope and exceptions carefully.
  • Pair with on-chain corroboration + the entity's own controls; identify complementary user-entity controls.
  • The SOC report improves efficiency; it is not a substitute for the auditor's evidence/judgement. Not audit advice.

What a SOC report is

A Service Organization Control report describes a service organization's controls and an independent assessment. For an audit relying on a crypto custodian, the SOC 1 Type 2 — controls relevant to user entities' ICFR, tested over a period — is generally relevant; SOC 2 focuses on security/availability/trust criteria. Which report is used, and how, is an auditor judgement under the applicable standards.

Reliance is not automatic

A SOC report generally cannot be relied on by itself. SOC reports for digital-asset custodians often inadequately address crypto-specific controls (private-key generation/storage, commingling of client assets), so the auditor typically gathers additional information about the custodian's ICFR and may perform further procedures. The SOC report is one input that can improve audit efficiency, not a substitute for overall evidence and judgement.

Why crypto-specific controls are the gap

The risks that matter most for digital assets — control of private keys, segregation of client assets, irreversible movement/loss — are not always in scope or adequately tested in a general SOC report designed for traditional service organizations. A clean SOC opinion does not automatically cover key-custody/commingling — reading the report's scope and exceptions carefully is essential, and the assessment is the auditor's (consistent with proof-of-reserves vs audit).

What to give the auditor

Typically the custodian's current SOC 1 Type 2 (and any complementary user-entity controls it specifies), plus independent corroboration (on-chain confirmation of held balances) and evidence of the entity's own controls. Providing the SOC report alone and expecting it to close the audit is the misconception. The entity supplies the evidence; the sufficiency conclusion is the auditor's.

Complementary user-entity controls

SOC 1 reports commonly assume the user entity operates certain complementary controls for the service organization's controls to be effective; if the entity does not operate them, reliance is undermined. Identifying and confirming them is part of using a SOC report properly — an auditor-confirmed point, not an assumption.

Practical guidance

  1. Get the SOC 1 Type 2 (financial-reporting controls) — not just SOC 2.
  2. Don't rely on it alone — crypto-specific controls are often the gap.
  3. Read scope and exceptions — a clean opinion ≠ key-custody covered.
  4. Add on-chain corroboration + the entity's own controls.
  5. Identify and operate complementary user-entity controls.
  6. Reliance is the auditor's judgement — standard-specific; not audit advice.

How vendor tools support custodian reliance

Cryptio and Bitwave provide on-chain confirmation of custodied balances, which serves as corroboration alongside a SOC report. The tool supplies corroboration; whether SOC reliance plus corroboration is sufficient is the auditor's judgement.

How Wag3s helps

Wag3s Ledger reconciles custodied balances to on-chain data with an audit trail, providing independent corroboration to sit alongside the custodian's SOC 1 Type 2 — while the reliance assessment and sufficiency conclusion stay the auditor's. See the Ledger product page.


Sources

  • A SOC report describes a service organization's controls + independent assessment; for a custodian an audit relies on, SOC 1 Type 2 (controls relevant to financial reporting, tested over a period) is generally relevant vs SOC 2 (security/availability) — auditor judgement which/how used
  • SOC reports for digital-asset custodians often inadequately address crypto-specific controls (private-key generation/storage, commingling) — generally cannot be relied on alone; auditor gathers additional information and may perform further procedures
  • A clean SOC opinion does not automatically cover key-custody/commingling; reading scope and exceptions is essential; pair with on-chain corroboration and the entity's own controls
  • SOC 1 commonly assumes complementary user-entity controls (if not operated, reliance undermined) — identifying/confirming them is part of proper use; the SOC report improves efficiency but is not a substitute for the auditor's evidence and judgement; not audit advice
Editorial disclaimer
This article is informational and does not constitute audit advice. Reliance on a service organization's controls is the auditor's judgement under the applicable auditing standards. Confirm with your auditor.