It might sound odd at first to talk about “certification” or “compliance” when it comes to anything blockchain-related. After all, the whole ethos of blockchain is that it is decentralized. Trust arises not from association with some authority, but rather it emerges from the nature of a cryptographically secure distributed ledger.
All that is true of the blockchain itself. But what about the ecosystem of cryptocurrency exchanges, funds, brokerages, trading platforms, wallets and all other service providers that has grown up around the cryptocurrencies themselves? By their very nature, these business processes store sensitive information, including (often) customers’ private keys to their cryptocurrency holdings. Coming out of an eventful year of large-scale cryptocurrency hacks, scams and thefts, consumers are no longer willing to take the words of businesses that their digital assets will be secure.
Enter: Systems and Organization Controls, or “SOC,” reporting. SOC is shorthand for a type of examination whose standards are set by the American Institute of Certified Public Accountants (AICPA). To get more specific, there are actually several kinds of SOC audits, although the two we are concerned with here are SOC 1 and SOC 2:
— A SOC 1 examination evaluates the internal controls over financial reporting at a service organization to help ensure that those controls are effective for producing financial reporting that is fair and accurate. Public and private companies alike often require SOC1 reports from vendors that are managing key processes that may impact their financial reporting. Such reports may be needed both for internal compliance and external audit purposes.
— SOC 2 report reports are, in the words of AICPA, “intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”
Clients and customers of crypto-based businesses may be interested in either one or both kinds of SOC reporting, depending on the services they provide. The general point is that in today’s Wild-West-like crypto landscape, AICPA, being a respected third party can bring order and trust and help clients distinguish between legitimate service providers and scammers or opportunists. Given that context, it should be easy to see how SOC reporting might be valuable for a variety of cryptocurrency-related businesses. For instance:
— SOC 1 examination for a crypto exchange or trading platform would demonstrate to clients that transactions executed on the exchange or trading platform are properly secured and segregated and that trade information provided to traders or investors are complete, accurate, and timely. Likewise, a SOC 2 examination builds client confidence that the fund has taken proper steps to secure their IT infrastructure against internal and external threats.
— In 2021, SOC 2 is quickly becoming a requirement for most digital asset custodians. A SOC 2 examination demonstrates to clients that crypto custodians, who often hold large amounts of cryptocurrencies for institutional investors, such as hedge funds, understand the stakes.
In short, blockchain-based businesses cannot rely on the inherent security of the blockchain alone to protect the assets they manage or support. These businesses must be aware of their role in keeping their and their customers’ holdings secure and be constantly vigilant against ever-evolving threats. With its emphasis on rigor and transparency, SOC examinations and reporting are powerful tools to reduce risk and help customers rest at ease.
BPM's Information Technology Audit and Compliance Group assists clients is well-situated to provide robust SOC 1 and SOC 2 to the crypto industry assessing, managing and amending information technology risks within their organization. While other firms kept their distance from blockchain technology, BPM was one of the first to cater to these businesses’ evolving accounting, audit and consulting needs. With our hand-selected team of professionals, each of whom holds public accounting and/or industry credentials, BPM offers the resources, expertise and global capability of a Big Four accounting firm together with the responsiveness and accessibility of a local partner.