Until last year, digital currencies seemed like a futuristic experiment, with few people buying into their sustainability and limited outlets for exchanges. However, digital currencies such as bitcoin are now accepted at a variety of businesses from publicly traded companies like Overstock.com to online outlets such as Etsy, and many small businesses. In addition, digital currency exchanges and even ATMs are increasing, further expanding the prevalence of these denominations.
As with any new technology, the strategy to accept digital currency for payment can increase revenue and clientele, but leave the organization susceptible to unforeseen risks. As part of the risk assessment process, internal auditors can review internal and external changes posed by these currencies and provide management with the tools necessary to mitigate associated risks.
The Revenue Process
Although the revenue process is fundamental to the sustainability of all organizations, many organizations are drastically reshaping their revenue-cycle activities, including payment processing and the forms of payment accepted for goods and services. For some organizations, that means accepting digital currencies.
While there are many digital currencies, bitcoin is the most commonly accepted, with more than 12.8 million (worth about US$8 billion) in circulation as of June 1. With no readily accepted or legal definition and no U.S. federal government or central bank backing, large fluctuations in bitcoin’s value — from less than US$1 to more than US$1,000 last year — have caused many consumers, investors, and businesses to question its viability. Moreover, volatility associated with digital currencies may affect a company’s ability to meet revenue-cycle objectives. Such risks may prevent companies from accepting those currencies and expanding their customer base. However, service providers such as Coinbase allow merchants to accept digital currencies without ever having possession, enabling them to avoid volatility, financial reporting, and tax-compliance risks.
The Many Risks
To assess the risks and opportunities stemming from digital currencies, internal auditors should address these questions:
- What is digital currency and how does it work?
- What makes digital currencies more susceptible to fraud than cash?
- How does accepting digital currencies support the organization’s
- Can internal audit be involved from the beginning of preparations to accept digital currencies?
- How does this change the revenue process?
- What process maps and documentation does the organization need to
- What risks will emerge and can they be mitigated?
- Is there sufficient IT expertise?
- What specific types of fraud and hacking are occurring within the
- What are common security protocols?
- Should the organization use a reputable service provider to mitigate
- Can internal audit perform a due-diligence audit on the provider’s security protocol? Cold storage and two-factor authentication are recommended
- How can systems best be tested before going live?
- What are the financial reporting and tax issues?
- What information needs to be communicated to the external auditor?
In an Investor Alert released in May, the U.S. Securities and Exchange Commission cites specific concerns regarding the acceptance and usage of bitcoins, including the lack of central authority, government regulation, difficulty in tracing money, lack of insurance and recoverability, volatility, and security. In addition, the payment processing associated with digital currencies is ripe for fraud.
Recently, Mt. Gox, the largest platform for buying and selling bitcoins, filed for bankruptcy after a security breach compromised nearly 750,000 bitcoins. The exchange went offline, leaving users unable to recover their losses.
Because of the degree of anonymity associated with digital currency transactions, money laundering and hacking are additional risks. Last year, the U.S. government seized the Silk Road exchange because it was suspected of being a haven for money laundering, drastically reducing the value of bitcoins overnight.
Financial reporting and compliance risks also are concerns. Until recently, there was little guidance on how to account for digital currencies. Like cash transactions, there is no third-party reporting, which creates numerous tax compliance risks, including underreporting, mischaracterization, and outright evasion, according to the U.S. Government Accountability Office. Moreover, U.S. Internal Revenue Service guidance issued in March posits that digital currency is to be treated as property for tax purposes, rather than as currency.
Internal Audit’s Role
Internal audit can play a central role in assessing risks associated with the use of digital currencies. These risks could impact all spectrums of an organization’s objectives, including the strategic, compliance, reporting, and operational objectives suggested by COSO’s Enterprise Risk Management–Integrated Framework. In performing a risk assessment, internal audit should be able to identify the risks associated with digital currencies. If the organization directly accepts digital currencies, IT auditors may be necessary to provide assurance that appropriate information security protocols are in place and operating effectively.
Assessing and mitigating process and execution risks is imperative to ensure payment processing is performed effectively. As with the implementation of any new system, testing is vital and should be done before the system goes live to prevent customers from encountering disruptions and errors in the ordering process, or worse, a system vulnerability resulting in a security breach.
To mitigate both financial and tax reporting risks, communication with the firm’s external auditor is necessary to ensure transactions are accounted for appropriately in the company’s financial statements and conform with the applicable tax code (i.e., as property). Internal audit also can assist with the due diligence of selecting a reputable service provider and advise management about the risks and benefits associated with such partnerships.
Lastly, internal audit can provide advice on the credit risk the organization may become susceptible to in creating credit-granting policies and procedures. Should management decide to extend credit to customers who ultimately will pay in a digital currency, the agreement terms must be clearly delineated to prevent the organization from assuming undue credit risk, barring a decrease in the currency’s value from the inception of the extended credit to actual payment.
At the Forefront of Digital Discussions
While ultimately the decision to do business in a digital currency rests with senior management, executives should consult with internal audit regarding the numerous risks it poses to meeting the organization’s objectives and how, or whether, those risks can be controlled within its risk appetite. With such a major modification to a main business process, internal audit should be at the forefront of all discussions related to accepting digital currencies. This decision must be thought through carefully at all levels of the organization.