Key Points
- A blockchain record is not, by itself, sufficient appropriate audit evidence under ISA 500 because it confirms occurrence but rarely confirms valuation or rights and obligations.
- The auditor must understand the consensus mechanism, permission structure, smart contract logic, and data flow to the general ledger before designing substantive procedures.
- Over 60% of crypto-asset holding entities in the PCAOB's 2023 inspection observations had deficiencies in the audit of digital asset valuations.
- Treating an on-chain record as equivalent to a third-party confirmation without corroborating the completeness of off-chain transactions creates a coverage gap.
What are blockchain audit considerations?
When an entity uses a blockchain to record or settle transactions, the auditor's evidence base shifts. ISA 315.25 requires the auditor to understand the entity's information system, including how transactions are initiated, recorded, processed, and reported. For a blockchain-dependent entity, that means mapping which transactions flow through the distributed ledger and which remain off-chain, then confirming how the two reconcile in the general ledger.
ISA 500.7 requires evidence that is both sufficient and appropriate. A public blockchain provides an immutable, timestamped record of a transaction's occurrence. That record is reliable for the assertion of occurrence. It does not confirm valuation (fair value requires an external pricing source) or rights and obligations (on-chain custody does not always equal legal ownership). Completeness is also unaddressed because the entity may hold assets across multiple wallets or chains. The auditor designs procedures addressing each assertion separately.
Where an entity relies on a smart contract to execute transactions automatically, ISA 315.26 requires the auditor to understand the IT general controls around that process: how the contract was deployed, who can modify it, whether an independent code review was performed, and whether testing of controls covers the automated execution.
Worked example
Client: German electronics manufacturer, FY2025, revenue €310M, IFRS reporter. Schäfer accepts Bitcoin and Ether for 12% of B2B component sales. The entity holds crypto assets valued at €4.8M at year-end across two custodial wallets and one self-hosted wallet. Schäfer also uses a private blockchain for supply chain tracking with four Tier 1 suppliers.
Step 1 — Understand the IT environment
The engagement team maps all blockchain touchpoints. Crypto-asset sales flow through a third-party payment processor that converts to euro within 48 hours; unsettled amounts at year-end sit in a custodial wallet. The self-hosted wallet holds a long-term Bitcoin position. The private supply chain ledger records goods-received confirmations that feed into Schäfer's ERP for inventory recognition.
Documentation note: record the entity's blockchain architecture, distinguishing custodial from self-hosted wallets and on-chain from off-chain settlement. Map the interface between the private supply chain ledger and the ERP system. Reference ISA 315.25.
Step 2 — Assess assertions and design procedures
For crypto assets (€4.8M), the team identifies four relevant assertions. Existence is tested by obtaining on-chain wallet balances at 31 December 2025 and reconciling to custodial statements. Valuation is tested by comparing the carrying amount to quoted prices on two active exchanges at 23:59 CET on 31 December. Rights and obligations are tested by verifying private key control (self-hosted wallet) and reviewing custodial agreement terms. Completeness is addressed by obtaining a management representation that all wallets have been disclosed, corroborated by a blockchain analytics scan for addresses linked to the entity's known wallets.
Documentation note: for each assertion, record the procedure performed, the evidence source, and the conclusion. Cross-reference the valuation test to the pricing data (exchange, timestamp, price per unit). Reference ISA 500.7–9.
Step 3 — Evaluate supply chain ledger entries
The private blockchain records 14,200 goods-received transactions during FY2025. The team samples 45 transactions and traces each from the on-chain record to the ERP inventory receipt, purchase order, and supplier invoice. Three transactions show a timing difference where the on-chain confirmation precedes the ERP booking by four to six business days. Investigation attributes the delay to manual ERP entry, not a blockchain control deficiency.
Documentation note: document the sample selection basis, reconciliation results, timing differences, and the conclusion. Reference ISA 500.9 on evaluating relevance and reliability of information used as audit evidence.
Conclusion: the procedures produce assertion-level evidence for each blockchain-related balance, defensible because no single on-chain record was treated as sufficient for all assertions and each evidence gap was closed with a separate corroborating procedure.
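The tracing in Step 3 can be scripted once the sampled on-chain records and the ERP receipts are exported. The sketch below is an added example, not part of the original engagement file: the reference format, the three-business-day tolerance, and all sample records are assumptions constructed for illustration. It goes slightly beyond the text by also flagging timing differences that straddle the 31 December 2025 reporting date.

```python
from datetime import date, timedelta

PERIOD_END = date(2025, 12, 31)   # reporting date from the worked example
MAX_LAG = 3                       # assumed tolerance in business days

def business_days(start, end):
    """Mon-Fri days after `start` up to and including `end` (holidays ignored)."""
    n, d = 0, start
    while d < end:
        d += timedelta(days=1)
        n += d.weekday() < 5
    return n

def reconcile(onchain, erp, max_lag=MAX_LAG, period_end=PERIOD_END):
    """Trace on-chain goods-received records to ERP receipts.
    Both inputs map a shared reference to (date, quantity)."""
    out = {"matched": [], "timing_difference": [], "quantity_mismatch": [],
           "missing_in_erp": [], "erp_without_onchain": []}
    for ref, (confirmed, qty) in sorted(onchain.items()):
        if ref not in erp:
            out["missing_in_erp"].append(ref)
            continue
        booked, erp_qty = erp[ref]
        lag = business_days(confirmed, booked)
        if erp_qty != qty:
            out["quantity_mismatch"].append(ref)
        elif lag > max_lag:
            # A lag that straddles the reporting date affects cut-off.
            crosses = confirmed <= period_end < booked
            out["timing_difference"].append((ref, lag, crosses))
        else:
            out["matched"].append(ref)
    # ERP receipts with no on-chain counterpart need separate follow-up.
    out["erp_without_onchain"] = sorted(set(erp) - set(onchain))
    return out

# Constructed sample data, not taken from any real ledger.
ONCHAIN = {"GR-0001": (date(2025, 3, 3), 500), "GR-0002": (date(2025, 6, 2), 120),
           "GR-0003": (date(2025, 12, 29), 80), "GR-0004": (date(2025, 9, 1), 40)}
ERP = {"GR-0001": (date(2025, 3, 4), 500), "GR-0002": (date(2025, 6, 9), 120),
       "GR-0003": (date(2026, 1, 6), 80), "GR-0099": (date(2025, 7, 1), 10)}

if __name__ == "__main__":
    for category, items in reconcile(ONCHAIN, ERP).items():
        print(category, items)
```

Each non-empty category other than "matched" becomes a documented exception to investigate, in the same way the three timing differences in Step 3 were traced to manual ERP entry.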
Why it matters in practice
The PCAOB's 2023 inspection observations on audits of entities with significant crypto-asset holdings identified deficiencies in valuation testing. Teams accepted exchange-quoted prices without evaluating whether the exchange constituted an active market or whether the holding was large enough to move the quoted price on disposal. ISA 540.13 requires the auditor to evaluate the method, assumptions, and data used in an accounting estimate; fair-valuing a thinly traded token demands the same rigour as valuing a Level 2 financial instrument.
Teams frequently treat a blockchain wallet balance as equivalent to a bank confirmation under ISA 505. A bank confirmation provides evidence of existence, rights, and obligations from an independent third party. A self-hosted wallet balance confirms existence of the token at an address but says nothing about legal ownership or encumbrances. Auditors who rely on wallet balances alone without verifying the custodial or legal arrangement leave the rights assertion untested.
Blockchain record vs. bank confirmation
| Dimension | Blockchain record (on-chain data) | Bank confirmation (ISA 505) |
|---|---|---|
| Source | Distributed ledger maintained by network validators | Direct written response from a financial institution |
| Independence from the entity | High for public blockchains; lower for private or permissioned chains | High (independent third party with its own records) |
| Assertions addressed directly | Existence, occurrence | Existence, rights and obligations, completeness (for disclosed accounts) |
| Assertions requiring supplementary evidence | Valuation, rights and obligations, completeness | Valuation (for instruments held at fair value) |
| Timeliness | Real-time, queryable at any point | Point-in-time, typically requested at or near the reporting date |
A blockchain record confirms that a transaction occurred and that a balance exists at an address. It does not convey the legal context of a bank confirmation. Treat on-chain data as one evidence source within a broader procedure set.
Frequently asked questions
How do I audit crypto assets held in a self-hosted wallet?
Confirm the wallet balance on-chain at the reporting date using a blockchain explorer. Then verify that the entity controls the private key (observe a test transaction or review the key management protocol). ISA 500.9 requires the auditor to consider the relevance and reliability of the evidence source. On-chain data is reliable for existence, but rights depend on demonstrating exclusive control of the key.
Does blockchain data count as a third-party confirmation under ISA 505?
Not directly. ISA 505.2 defines an external confirmation as audit evidence obtained as a direct written response from a third party. A public blockchain is a distributed ledger maintained by network participants, not a response directed to the auditor. The data can serve as corroborating evidence under ISA 500, but it does not replace a confirmation from a custodian or counterparty where rights and obligations are at issue.
When should I involve an IT specialist on a blockchain-related engagement?
If the entity uses smart contracts or a private blockchain and the team lacks the competence to understand the consensus mechanism or evaluate the code, engage an IT specialist. ISA 620.7 applies when expertise outside accounting and auditing is needed to obtain sufficient appropriate evidence.