Financial Reporting and Regulatory Update

Second Quarter 2022

Putting a SOC in Crypto

Crypto and blockchain are finding quick adoption in the corporate world, and that means financial executives are looking for ways to overlay some of the time-tested assurance practices.

Given the emphasis on the technology underpinning crypto, it should be no surprise that service organization control reports, often referred to as SOC reports, are being embraced by companies looking to develop an operational risk structure around blockchain services.

Rich Perilloux is a principal in the IT assurance group within audit and assurance at Crowe. Rich has over 20 years of experience in information technology (IT) auditing and holds a Certified Information Systems Auditor (CISA) certification.

Below is a transcript of the conversation, edited for clarity and brevity.

Christopher Westfall: I thought maybe we could start off with a little bit about yourself, what your background is, and how you came to specialize in or work in the area of crypto and reporting.

Rich Perilloux: I've been with Crowe for about 10 years, and prior to that I was with KPMG and EY. I was in industry for a while, all focusing on IT audit. That's been my background.

Being at Crowe in the last 10 years, I've spent a lot of time working on everything from external audit, IT audit, to internal audit, to consulting type work, to service organization controls (SOC) reporting. I was involved most of my career in those areas. About a year ago, I was pulled in by another partner that I work with to help drive growth and prospecting in the IT assurance team space. Obviously there's more happening as it relates to consulting and tax and audit and other areas. But my focus is IT audit and assurance, and I've specifically focused on digital assets and blockchain over the past year.

Westfall: As you understand, crypto falls in between both finance and IT. Maybe we can start off with what a SOC report is and what its place is in IT assurance.

Perilloux: In general, there are two primary SOC report types: SOC 1 and SOC 2. For this discussion, we won't go into detail on the different types right now. But regardless of the type, companies that provide technology solutions and/or software-supported business services to customers use a SOC report. I would say a SOC report can provide customers of the vendor an independent third-party assessment. I think that's critical because we have clients that obviously have internal audit and they have other services, but a SOC report is an AICPA product that is used for very specific situations and can provide transparency and assurance for the customers of those vendors.

I've even seen situations, and this has happened a lot, especially in the crypto space, where SOC reports are being used as a marketing tool. Getting a SOC report at the very beginning, not waiting for clients or customers to ask for one, but getting a SOC report at the very beginning, because they want to post that on their website to say, "Hey, we have one. You can trust us."

Westfall: It's interesting when you describe it that way, because you have the vendor space and you want assurance around it. But how does that work in crypto? What relevance does SOC reporting have when it comes to crypto assets?

Perilloux: That's a great question. That was the first question I had when I got into this: how does this mesh with crypto, given that crypto is on a blockchain? Most of the blockchains you hear about are permissionless and open source, right? So how do you audit that?

Well, so let me take a step back. I would say currently there's limited SOC reporting in the crypto space right now. If you took a poll of all the different SOC reports that are specifically on crypto companies, there are not very many and they're primarily private companies. It's just not a mature service at the moment in this space.

Many of them are doing a SOC report for the first time because they've never, ever had to deal with something like a SOC report. Or you're seeing situations where they have done them, but it's all been in the past year, year and a half, two years. So it's still been very, very recent. It's an area that's quickly gaining steam. Even a year ago, it was discussed internally. It was discussed with our clients. But at this point now, all of a sudden it's the hottest topic. And we're having constant conversations with companies who are asking about SOC reporting for their crypto companies. And it definitely has done somewhat of a 180.

I would say there are two areas where we see it coming up in conversation when it comes to SOC reporting in this space.

One is, you have a company that directly provides digital asset or crypto asset services in some form. Okay? They do it themselves, and they're asking for a SOC report, as I mentioned, whether it's just to get ahead of the game and let their customers know they have a SOC report, or one of their vendors is asking them for a SOC report. That's one situation that we see come up, and we have some existing clients, as an example, that are involved in that. And we've talked to a lot of prospects that are involved in that.

But then we also have situations where you're talking with companies, and they're not involved in digital assets or crypto assets, but they have vendors who are involved in crypto assets. And their vendors, like I said, are being asked by their audit firm many times to supply a SOC report for the vendors who supply that crypto service.

So it's, again, early in the stages, but we are seeing a lot of partnering between a client and a firm just across the board. And what I mean by that is the client's trying to understand, and many times, again, it's a new area for them. So they're trying to understand, "What is a SOC report? Why do I need one? How is this going to help me?" But you also have a situation where the firms are trying to understand, okay, this is a new business that's probably only been around for a year or two. And there are new business processes and new technologies that we have to get... the firm has to get its head around, as opposed to just coming in and kind of doing the same old thing. So I think that's where you see the impact of SOC reporting in the crypto space.

Westfall: Do you see this as a natural evolution? Is this being prompted by more institutions getting into crypto and needing that sort of assurance around it?

Perilloux: I think it's a couple of things.

First of all, you hear about cryptocurrency, right? And you hear about Bitcoin, and you hear about Ethereum and exchanges, and the buying and selling and so forth. The reality is this is a new technology. And while you have all of what I just mentioned happening, and there's a financial services aspect to it, companies are trying to figure out what they can do with this new technology. And we have clients, and you can just read in the news, there are situations where you have these groups of companies that are trying to move their data back and forth through each other, using some level of blockchain technology, as opposed to the more typical technology that's used over the internet.

Institutions are absolutely getting into it. Software vendors are really pouring into this space because they're seeing somewhat of a new real estate, right? They're seeing the ability to create new applications and new software, as an example, to pull data off of a specific blockchain, but also software that is going to perform some level of analysis and reporting and other functionality, and APIs that may connect to some of their other existing systems. So you definitely see a whole new group of companies out there. I mean, just chain analysis: they're involved in AML, but it's pulling data directly off the blockchain. That's brand new software. So you absolutely have software vendors. You also have the custodians. These are the crypto wallet services. So it's really some new software for that. And then you have exchanges, which are the marketplaces for buying and selling. And then on top of that, Chris, you have companies that are doing all three at the same time. And they just keep adding more services to it.

Westfall: SOC reporting and this process are pretty well understood in the traditional IT assurance space, but what are the nuances when it comes to applying SOC reporting to crypto assets and vendors?

Perilloux: There are a couple of things. I would say first is SOC reports are not going to cover... And this gets back to your point earlier. SOC reports are not going to necessarily cover the specific blockchain, right? The blockchain is always going to be a carve-out. And again, the reason why, for the listeners, the reason why is that you have a blockchain which is, again, permissionless, open source, and there's no company, there's no organization that is centrally managing and is responsible for that blockchain. So therefore, how can that blockchain have an audit? So what you'll see is, in the SOC report, you'll see the software that the company has developed, whatever it may be, whether it's the ability to pull data off of the blockchain, wallets, whatever it is. You're going to see that software, but then it's going to say, "Hey, blockchain X, Y, Z," or probably any of the blockchains, "are carved out." That is something that you'll typically see.

Something that's also very nuanced, and this is important, is that blockchain technology has created new businesses and new business processes for existing businesses. And why it's important is because you have a whole new group of auditors like me doing SOC reporting on potentially new types of services and new software that didn't exist even a year ago. So it goes back to there's still a bit of a learning curve, right? You have to understand the technology, and you also have to understand the business to know if the scope of that report, the work you're doing, is appropriate.

Westfall: What advice do you have for a company that already works in the space and is considering obtaining a SOC report?

Perilloux: First of all, confirm that everyone agrees on the scope. And I'd mentioned that, but the reason why it's important is, as I said earlier, you have some of these companies that are doing a lot of different service lines all at the same time.

And SOC reports are meant to provide assurance over a specific set of business processes and technologies. But if you have a company or organization that's doing one service and then a new or another service, maybe it's related to digital assets or crypto assets, it's still two separate services.

You really want to make sure that everyone agrees on what the scope is. I had a situation where one prospect said, "We'd like you to do a SOC report for all of our services. Is that possible?" But that's no different from another large software organization saying, "We would like you to do a SOC report on all 15 of our SaaS solutions at the same time." Well, in reality, what's going to happen is you'll typically have a SOC report for each. So I think you'll see a bit of that. But the multiple solutions and having the scope, I think that's the key area.

Westfall: So what about the opposite side? What advice do you have for a company that's relying on a SOC report from one of these vendors that's involved in crypto? What do they need to look out for?

Perilloux: A couple of things there. First of all, well, I guess ironically, the answer is almost the same. It's looking at scope. So, if a company needs to obtain a SOC report from one of their vendors, they should understand... And I've actually seen this, especially in the past year, Chris, I've seen this, where they'll get a SOC report and they'll say, "I have a SOC report over vendor X." And then you read the SOC report and it's very limited to one specific area of the business of what they're doing. Now, no one's denying that's the case, but when you're talking to the vendor, they're not necessarily opening up and saying, "Yes, this is a very limited report, just to this one area." They just say, "Hey, this is the report on X, Y, Z client." So the scope is critical.

I think eventually, over time, that'll become more obvious. But I can tell you right now, the auditing firms are being careful because some of these services are higher risk than others, right? So there is a conversation, "Yes, we'll do a SOC report for this service, but maybe not for this service yet." So those are the types of things. Again, it gets back to scope and understanding what you're getting, because I'm seeing right now, even some of our clients who are receiving reports, they're very limited. They really are.

Westfall: I want to sort of wrap things up. Coming from the perspective of a firm or company that wants to get some assurance around the processes, what should you be thinking about in terms of the SOC report? What are you looking out for? And is it something that you think is only going to grow in importance over time?

Perilloux: I think two things come to mind. One is... I don't want to repeat myself, but making a decision on the scope of the report. I think, again, I can't say it enough. Right now it's critical because these are not the typical business processes that you've run into over the last 20 years. These are new business processes. So everyone understanding scope.

But I think right now, something I would highly suggest, really across the board, is considering a readiness assessment. Those have been around a long time, but I can't think of a time when they would be more helpful. Typically, a readiness assessment is for an organization that wants to do a SOC report but doesn't really have a lot of background on SOC reports. They're not sure what it is; maybe they've listened to a podcast like this and say, "How can I see what it is?" Or they've gone to an association, but they don't quite know. Having an auditor that is doing the SOC report, to some extent, that auditor can also do the readiness assessment. And we do a lot of those. It's not doing the work for the client, but it is providing them the understanding of what's needed and the direction of what's needed for a SOC report, and it's more of the education around it. And that's been extremely effective. So, by the time that we go through that and they finish, they make the updates. They fill in the gaps they need to fill in. Then they come back to us and say, "Okay, we've done our work. We're ready. Let's go ahead and start this SOC report process."

So the readiness assessment, it's critical, but I think scope and having that assessment done early, because, as you know, Chris, you don't jump into a SOC report, have it done, and say, "Okay, well, let's fix whatever it says." Because if it's qualified, that's not what you want to have as a report. So you want to have some planning and prep involved.

Disclaimer:

The information in this article is not – and is not intended to be – audit, tax, accounting, advisory, risk, performance, consulting, business, financial, investment, legal, or other professional advice. The information is general in nature, based on existing authorities, and is subject to change. The information is not a substitute for professional advice or services, and you should consult a qualified professional adviser before taking any action based on the information. Crowe is not responsible for any loss incurred by any person who relies on the information discussed in this document.