Investor Advisory - Exercise Caution With Third-Party Verification/Proof of Reserve Reports

Proof of reserve reports are inherently limited, and customers should exercise extreme caution when relying on them to conclude that there are sufficient assets to meet customer liabilities.

March 8, 2023

This document represents the views of the Public Company Accounting Oversight Board’s (PCAOB or “Board”) Office of the Investor Advocate staff and not necessarily those of the Board or other PCAOB staff. It is not a rule, policy, or statement of the Board.

The Office of the Investor Advocate is aware of some service providers, including PCAOB-registered audit firms, issuing proof of reserve reports (“PoR Reports”) to certain crypto entities (e.g., crypto exchanges, stablecoin issuers). Crypto entities may engage a service provider to issue a PoR Report in an attempt to reassure customers in response to widespread concerns about, for example, the type of reserve holdings or the safety and availability of customers’ digital assets in the event that some or all of the customers decide to withdraw their assets (e.g., if there is a run on a crypto exchange or stablecoin issuer).

The Office of the Investor Advocate is issuing this Investor Advisory because of concerns that investors and others may place undue reliance on PoR Reports, which are not within the PCAOB’s oversight authority. Importantly, investors should note that PoR engagements are not audits and, consequently, the related reports do not provide any meaningful assurance to investors or the public.

As a general matter, these PoR Reports purport to provide an asset verification for an asset type at a particular moment in time, subject to significant limitations based on the procedures performed. For example, the procedures undertaken likely do not address the crypto entity’s liabilities, the rights and obligations of the digital asset holders, or whether the assets have been borrowed by the crypto entity to make it appear they have sufficient collateral or “reserves” in excess of customer demands. For this reason, if the assets were borrowed by the crypto entity at the time of the PoR engagement, investors would not know based on the PoR Report. Also, because PoR Reports concern digital assets at one point in time, they do not provide any assurance about whether the assets were used, lent, or otherwise became unavailable to customers following issuance of the PoR Report. Moreover, PoR Reports provide no assurance regarding the effectiveness of internal controls or of governance of the crypto entity.

Despite any representations to the contrary, PoR Reports are not equivalent to or more rigorous than an audit, and they are not conducted in accordance with PCAOB auditing standards. In addition, there is a lack of uniformity regarding service providers that perform PoR engagements. For example, some PoR engagements are performed by accounting firms, whereas others are performed by non-accountant assurance providers. Management of the crypto entities also has discretion on whether the results of PoR Reports are made public, including the extent and format of the information provided.

PoR engagements, whether intended to provide reasonable assurance, limited assurance, or no assurance (agreed-upon procedures), are not subject to PCAOB auditing standards and the engagements are not subject to PCAOB inspection. Importantly, such reports do not provide assurance that such reserves will be adequate as of the date of the PoR Report or in the future, or that customer assets will be protected.

For “agreed-upon procedures,” the management of the crypto entity, not the provider of the PoR Report, determines the procedures to be performed by the third party when conducting the engagement. Under these circumstances, the PoR Report provides only factual findings of the outcome of the procedures performed, and there is no representation as to the sufficiency of such procedures. These types of PoR Reports do not express an opinion on the adequacy of the “reserves” or the financial stability of the crypto entity or the validity of management’s assertion(s).

Similarly, PoR engagements that purport to provide limited or reasonable assurance are not subject to uniform standards. Therefore, the manner in which the engagements are performed yields different results based on the different standards selected by management and PoR service providers.
