The PCAOB, and the SEC, can do so much more to rein in auditors giving false assurance about crypto
A crypto CEO delivered a speech and FTX Trading, the offshore firm, posted its creditor list. Some Senators wrote a letter warning auditors are in deep and the PCAOB, and SEC, need to act now.
On January 19, I spoke to more than 200 people in a webinar sponsored by the Chicago Chapter of ISACA in conjunction with several other chapters and also some IIA chapters. ISACA is an international professional association focused on IT governance and the IIA is the international association of internal auditors. I discussed the involvement of external auditors and other audit and security professionals in the FTX fiasco. The title of the webinar was, "The Past, Present, and Future of Ethics in an Ethically Challenged Environment".
I repeated the presentation via zoom, with a few tweaks, for graduate accounting students at Ohio State University and the University of Hawaii Manoa, this past week.
In just two weeks, the presentation is already outdated because there is more to say about the involvement of the Big 4 accounting firms in crypto and about regulators' and Congressional reaction to it.
Hint: Both are growing.
For your consideration: You Want Crypto Regulation? I’ll Give You Crypto Regulation
Maybe Congress should separate custody from exchange, the way it severed Wall Street from commercial banking nearly a century ago.
This piece is part of CoinDesk’s Policy Week. By Marc Hochstein
We already knew that Prager Metis LLP and Armanino LLP provided clean audit opinions as of December 31, 2021 and 2020, to FTX Trading, the offshore business, and FTX US. We also knew that PwC and Deloitte were providing advisory services to FTX — but not exactly what — based on reporting by Forbes.
Just last week Edgar W. Mosley II, Managing Director of Alvarez & Marsal North America, LLC, the court approved Financial Advisors of FTX Trading, the offshore business and the corporation named as the debtors in these cases, provided a list of creditors with the bankruptcy court in Delaware.
It's a long list, 115 pages, and that's even though it did not include details on customers.
There are a lot of banks, brokers, clearing firms, and exchanges on the list, including many audited by the Big 4 firms. It's not clear what their interest in FTX Trading, the offshore unregulated exchange and broker-dealer is, and whether that exposure should have been flagged by their auditor as a material risk.
We also now have a better idea of the full extent of the activity that additional Big 4 and other audit firms were providing to FTX Trading, the offshore business, and that in particular in the case of Armanino LLP, Prager Metis LLP, Deloitte, and PwC, they were still creditors at the time of the bankruptcy.
In the Armanino LLP engagement, all the work was done by California offices who apparently billed FTX Trading, in the Bahamas, for an audit delivered for the US business. In Prager Metis' case, the bills for the audit of the Bahamas-based FTX Trading came from New York and New Jersey. Deloitte's New York office is the only one listed on the FTX Trading creditors list, but for PwC two offices are listed - New York and London.
Two more firms we didn’t previously know about apparently got in on the game. BDO did work out of Australia and Houston. And EY was busy with FTX Trading, the offshore firm, from New York, Seoul, and Vienna.
Recall that PwC audits Tesla which has dabbled in owning crypto assets, EY audits Block (Square) which posts more revenue from buying and selling Bitcoin than from its payment devices now, and KPMG audits Microstrategy, which is essentially a Bitcoin hedge fund that Deloitte advises.
Deloitte is also the external auditor of record for Coinbase, the public exchange, broker-dealer, pseudo unregulated bank, custodian, and firm that has two dormant SEC registered broker dealers.
Circle CEO CEO Jeremy Allaire announced some changes on January 17 at the World Economic Forum at Davos, a little more than a month after the withdrawal of Circle's request for SEC registration, thereby quashing its IPO/merger with the Bob Diamond/David Schamis SPAC Concord Acquisition. In its first annual "State of the USDC Economy" report Allaire mentioned:
Circle, which holds the USDC reserve, has been audited by Grant Thornton, a leading public accounting firm. The audits for 2019, 2020, and 2021 (to U.S. public company standards) have been filed publicly with the U.S. Securities
and Exchange Commission (SEC). Going forward, Circle will be audited by Deloitte.
Despite warnings from the SEC, the Big 4 are pushing into more crypto not less.
On Dec 20 I wrote here at The Dig:
Messages about the mess that are these non-audits, delivered via media and private comments, do lead regulators to whisper in the ears of the heads of some audit firms.
Two days later, on Dec 22, the WSJ published an interview with SEC Chief Accountant Paul Munter:
•SEC Heightening Scrutiny of Auditors’ Crypto Work
•Regulator concerned about cryptocurrency companies overstating audit firms’ narrow reports
The Securities and Exchange Commission is stepping up scrutiny of the work that audit firms are doing for cryptocurrency companies, concerned that investors may be getting a false sense of reassurance from the firms’ reports, a senior official at the regulator said.
“We’re warning investors to be very wary of some of the claims that are being made by crypto companies,” Paul Munter, the SEC’s acting chief accountant, said in an interview.
Increased scrutiny has led at least one audit firm to drop crypto clients, in some cases soon after producing reports on the companies’ assets and liabilities. Crypto companies are eager to get the blessing of an auditor to reassure their skittish clients.
The Wall Street watchdog is looking closely at how crypto companies are portraying their reports from audit firms, according to Mr. Munter. Many of these companies are closely held or based offshore, and so unlikely to fall within the regulator’s remit. The SEC is effectively sending a warning to audit firms, which don’t want to run afoul of their regulator, as well as putting investors on alert.
The regulator is worried particularly about so-called proof-of-reserves reports, which aim to show that the crypto company has sufficient assets to cover customers’ funds. Companies have rushed to produce these reports in recent weeks, using the credibility of audit firms to try to reassure customers spooked by the collapse of crypto exchange FTX.
I spoke to the ISACA group last week and to OSU and U of Hawaii this week about how the acceptance of these clients and engagements may violate the standards on client engagement acceptance and continuance, especially for the smaller firms like Armanino, Prager Metis, BDO, and the firms like Mazars that took on agreed-upon procedures report engagements to provide re-assurance that stablecoins were backed and customer funds were safe. At least the smaller firms knew enough to back down when the SEC brandished its Swiss Army knife.
But the Big 4 firms forge boldly ahead.
Former SEC Chief Accountant Lynn Turner picked up on this theme after a conversation with me this week. He sent out a copy of a letter that Sens. Elizabeth Warren and Ron Wyden sent to PCAOB Chair Erica Williams on Jan 25 to his select email list.
Turner made this warning:
The attached letter, article below, and FTX fiasco, highlight the importance of audit quality controls related to acceptance of new and continuing audit engagements. It appears the firms may once again be chasing new business and ignoring the grave risks that come with some of those engagements.
This article also notes serious problems with crypto firms and in this instance, only 14% could get regulatory approval.
It is worth noting both Big 4, medium, and small sized firms are playing in this space. If auditors want to associate with such firms, then they have only to look in the mirror for the responsible party when they get burned badly, as two firms have with the FTX fiasco. Another firm that agreed to do an agreed upon procedures engagement for the capital of a crypto firm, which procedures are established by management, eventually chose to resign due to the very negative press and risks, but only after they had first agreed to do it.
Based on my experience, when one audit firm resigns from the audit of a company, most frequently another one stands nearby ready to accept new business. As chief accountant, I found statistics in this regard reflected poorly on the quality controls of the firms.
The attached letter highlights important issues, but is wrong about one thing. CPA firms that register with the PCAOB as a result of their audits of "issuers" - public companies - do not have to apply PCAOB standards to audits of non-issuers. Perhaps this is something for Congress to consider but SOX currently does not require that. But it does appear the PCAOB needs to get ahead of the issues auditors confront when auditing companies in the Crypto Industry.
I told Turner that it is not entirely accurate that the PCAOB has no obligation to inspect audits of non-issuers. The Warren/Wyden letter barely addresses the PCAOB's mandate to inspect the auditors of broker-dealers, whether public or private.