AICPA & CIMA issued nonauthoritative guidance for auditing digital assets such as cryptoassets in the areas of risk assessment, processes and controls, laws and regulations, and related parties.

The guidance was added to the free practice aid Accounting for and Auditing of Digital Assets. The AICPA created the practice aid in December 2019 with nonauthoritative guidance on accounting for digital assets and then added nonauthoritative guidance on auditing digital assets in July 2020.

The update released Tuesday complements the previously released guidance and is based on professional literature and experience from members of the AICPA & CIMA Digital Assets Working Group (DAWG) and AICPA & CIMA staff and is specific to the U.S. generally accepted auditing standards (GAAS).

“There are challenges and unique considerations when auditing an entity that holds or transacts with digital assets,” said Diana Krupica, CPA, AICPA & CIMA lead manager–Emerging Assurance Technologies, in a news release. “From performing risk assessment procedures and understanding new processes and controls to identify related parties, it is important for auditors to look through the lens of digital assets and understand exactly what audit procedures need to be performed. We hope this latest guidance will help auditors consider the potential risks unique to the digital assets environment.”

The practice aid defines digital assets broadly as digital records made using cryptography, for verification and security purposes, on a distributed ledger. Examples of digital assets include the cryptoassets bitcoin, which operates on the Bitcoin blockchain, and ether, which operates on the Ethereum blockchain.

The new material in the practice aid is divided into two main sections. The first of those, titled “Risk Assessment and Processes and Controls,” includes the following topics:

  • Understanding the Entity and Its Environment;
  • Understanding and Evaluating the Entity’s Risk Assessment Process; and
  • Understanding the Entity’s Processes and Controls.

Each area describes the individual considerations that may be important when performing risk assessment procedures, including the types of procedures that auditors may perform, or are required to perform, to identify and assess risks of material misstatement in audits of entities engaged in the digital asset ecosystem.

The second section added, titled “Laws and Regulations and Related Parties,” addresses the unique challenges and potential procedures auditors consider for both compliance with laws and regulations as well as identification, accounting, and disclosure of related parties in an audit of an entity that holds or transacts with digital assets. Because related-party transactions may reflect a risk of material misstatement due to noncompliance, these topics are considered in the same section.

AICPA & CIMA also added a “Blockchain Universal Glossary” as an appendix to the practice aid. The glossary was developed as a reference for all AICPA & CIMA blockchain and digital-assets-related content.

— Jeff Drew ( is a JofA senior editor.