Cryptocurrency is a type of value and payment method that is different from fiat currency (e.g., U.S. dollar, foreign currencies). With the exception of El Salvador which recently adopted Bitcoin as legal tender, cryptocurrencies (e.g., Bitcoin, Ether, Ripple) have no government backing or recognition by a central authority as legal tender; their value is supported only by supply and demand. Cryptocurrencies do not have a physical form; instead, they exist as immutable distributed ledgers (electronic records) maintained on public blockchains (as described in subsequent paragraphs). Unlike electronic forms of cash (e.g., online bank accounts), cryptocurrencies are not linked to physical currency. The term "cryptocurrency" is derived from the word "cryptography," which is the use of codes to secure communications. Bitcoin and other similar "coins" use cryptography to control the security and creation of these coins. Cryptocurrencies are usually obtained by purchasing or receiving them on a peer-to-peer basis. That is, they can be received directly from a counterparty in exchange for an asset or service or they can be purchased in exchange for a fiat currency, often from an exchange that specializes in cryptocurrencies. Peer-to-peer exchange of cryptocurrencies relies on the maintenance of an electronic ledger for tracking ownership of the cryptocurrency and information about each transaction; such a ledger is maintained by using blockchain. There are many copies of each ledger and many ledger keepers. Distributing the processing allows many users to each play a small part in the maintenance of the ledger system, which promotes the security of the system by ensuring that no single party controls a blockchain. Background This case study focuses on cryptocurrency that is recorded on a public or "permissionless" blockchain; that is, participation in the network is open to any potential user. Participants (individuals or businesses) connected to the shared network are referred to as "nodes." Before a transaction is recorded on a blockchain, the nodes on the network communicate with each other and agree to the validity of the exchange. This concept is known as "consensus" and aligns with its standard definition - a general agreement or judgment arrived at by most of those concerned. Because of the distributed nature of the transactions and information, an orderly process must be established for verifying which transactions are valid, correct, and confirmed (typically to prevent double-spending by users). The consensus mechanism is the set of rules that governs or determines when a transaction is correct or validated and subsequently posted to the ledger. This mechanism also serves as the governance mechanism to ensure that only transactions that follow the preestablished rules are added to the ledger. In a cryptocurrency transaction, there is no actual exchange of tangible assets; rather, the movement of cryptocurrency is enabled by the signing of a transaction that is broadcast to the distributed ledger. To perform a transfer of cryptocurrency, the initiating party uses a unique private key for its public address and a receiving party's public address. The receiving party also possesses a private key to access the cryptocurrency received at its public address, representing ownership of the cryptocurrency. Each cryptocurrency transaction requires a combination of the private key and public address. To spend or transact the cryptocurrency, the entity must use a private key that matches the public address to which the cryptocurrencies are assigned. Keeping a private key confidential is critical because if this key is compromised, the associated account's cryptocurrency can be freely transferred to other public addresses. Furthermore, in the case of a public blockchain, the use of a private key allows users to be pseudonymous. When a private key is compromised, it is difficult to trace the identity of users by their public address and to have recourse. Likewise, if an entity loses a private key and it is not recovered, the entity will no longer be able to access the assets linked to that key. Another characteristic of cryptocurrency is that a transaction is irreversible once it is sufficiently validated on the blockchain; thus, an entity may lose its cryptocurrency if it sends the cryptocurrency to the incorrect public key address. The receiving party might voluntarily return the cryptocurrency to the entity, but there is limited recourse if it does not, in which case the entity would no longer have control over the cryptocurrency. Company Information BTC4Me Company (the "Entity") holds a significant amount of Bitcoin for investment, which the Entity expects will appreciate in value. The Entity acquired the Bitcoin as part of a single transaction during the prior year. As part of risk assessment procedures, an understanding of the Entity's accounting policy, processes, and controls surrounding the cryptocurrency's balance is obtained by performing procedures (including inquiries of management and process owners) and walkthroughs of the Entity's processes. On the basis of these procedures, the following facts were determined: No activity (e.g., purchases or sales) has occurred since the initial acquisition of the Bitcoin in the prior fiscal year. The Entity's controller (the "Controller") possesses the private key that can be used to send and access the Bitcoin. The private key is held in a "paper wallet" (i.e., a physical paper record of the private key and related information). The Entity currently has unlimited access to the private key, which is stored in the Controller's desk. On a monthly basis, the staff accountant downloads a transaction activity report from the blockchain using a publicly available software tool. This report is then used to create a monthly journal entry to record all cryptocurrency transactions, if any, that occurred during the month. This journal entry is reviewed and approved by the Controller. A monthly account reconciliation is also created at the end of each month and is reviewed by the Controller. Even if no transactions have occurred during the month, the monthly report is still downloaded by the staff accountant as a completeness check and is attached to the monthly account reconciliation. This case study does not discuss the appropriate accounting treatment of cryptocurrency; see Case 19-6 for considerations related to the accounting and valuation of cryptocurrency. Required: 1. Paragraph.26 of AU-C 315 requires the auditor to "identify and assess the risks of material misstatement at... the financial statement level and ... the relevant assertion level." What risks of material misstatement may be identified with regard to the existence and rights and obligations of the Entity's cryptocurrency account balance? 2. Paragraph.24 of AU-C 240 requires the auditor to "evaluate whether the information obtained from the risk assessment procedures and related activities performed indicates that one or more fraud risk factors are present." What potential fraud risks, if any, may be identified with regard to the Entity's cryptocurrency account balance? 3. What potential challenges may auditors face when obtaining sufficient appropriate audit evidence to validate the existence and rights and obligations of the cryptocurrency assets? 4. Assume that instead of securing the private key in a paper wallet, the Entity chooses to use a third-party custodian to protect and secure the private key. During the audit team's identification and assessment of the risks of material misstatement associated with the existence and rights and obligations of the cryptocurrency, what type of information would the team consider when evaluating the custodian's qualifications for securing the Entity's private key?