Key Management and Audit Procedures for Digital Assets

How does key management impact digital asset audits?

Cody Peterson: Key management is absolutely central to digital asset audits. Control over the private key essentially equals control over the asset. If one person has unrestricted access to the private key, it presents a significant risk. Segregation of duties is crucial here. When we’re talking about a company generating new keys, they need to make sure that no single individual has complete access. Even in multi-signature wallets, where you have multiple keys required to authorize a transaction, you add security but also increase complexity for audits.

How does Digital Signature Verification (DSV) improve audit efficiency?

Cody Peterson: DSV, or Digital Signature Verification, is one of the most efficient ways we verify ownership of assets without needing on-chain transactions. Instead of asking clients to make multiple transactions, we have them sign a message off-chain using the private key. This signature is then verified against the public key. With DSV, we can handle thousands of addresses in one go, which saves considerable time and simplifies audits. If the client is technically capable, this approach is significantly more efficient.

What are the challenges of using multi-signature wallets?

Cody Peterson: Multi-signature wallets introduce a layer of security, but they do make the process more complex for clients. You’re adding multiple parties with separate keys, so there’s more organization required. In an audit, we still use similar procedures, but with multi-signature wallets, it’s more involved. If a client is using a third-party provider, we might see a "three of five" or "four of seven" multi-sig configuration. This can add layers to the audit process since every key and access point needs verification.

Why is blockchain reconciliation essential for accurate reporting?

Cody Peterson: Blockchain reconciliation is vital to ensure that the financial records align with the blockchain data. Blockchain is the ultimate source of truth. In an ideal scenario, companies perform a quarterly reconciliation between their internal books and blockchain records. Without this, you risk discrepancies that can impact financial statements. If a company relies solely on wallet transaction records, they could miss rollbacks or other changes on-chain. For example, Arbitrum or Optimism have a challenge window, meaning a transaction can be rolled back within a certain timeframe, which could impact year-end reporting. Regular reconciliation mitigates these risks and ensures accurate records.

What are common pitfalls in private key management?

Cody Peterson: A common pitfall we see is companies overlooking the recovery process of private keys. They may securely generate and shard keys but fail to establish a reliable recovery method. Sometimes they rely on a single person to hold the recovery information, like a mnemonic phrase, but that introduces risk. Even if this individual has approval protocols, it doesn’t prevent them from accessing the key entirely. To mitigate this, companies should design a recovery process alongside key generation, using techniques like multi-sig or storing key parts in separate locations. The goal is to avoid a single point of failure.

How does the relationship with clients influence audit effectiveness?

Cody Peterson: Building a strong relationship with clients early on is critical. If a client informs us about new assets or protocols they’re considering, we can evaluate the technical requirements ahead of time, develop tooling, or ensure the data reliability from a given blockchain. This upfront collaboration saves time and minimizes risks during audits. For clients new to digital assets, we often start with discussions to understand their plans and ensure the audit team is aligned with the exposures they’re facing. A proactive approach leads to more successful audit outcomes.

What research is EY conducting on digital assets?

Cody Peterson: At EY’s Digital Asset Research Center, we’re focused on the tokenization of assets, and we’ve been documenting protocols and assets extensively. Each chain has unique characteristics, so we perform asset evaluations that assess data reliability. We recently released a study on ZK Rollups, and we’re examining tokenization and the rise of secondary platforms like Arbitrum and Optimism. With each new chain or token standard, we analyze how we can rely on its data for audits. This research helps us expand our auditing capabilities as the space evolves.