
What are crypto risks for SMSF Auditors?


How is Crypto a Risk for SMSF Auditors?

Cryptocurrency introduces a unique and significant set of risks for Self-Managed Superannuation Fund (SMSF) auditors in Australia. While SMSFs are legally permitted to invest in crypto, these assets create complex audit, compliance, and security challenges. The Australian Taxation Office (ATO) and the Australian Securities and Investments Commission (ASIC) have issued guidance and warnings highlighting the importance of a meticulous approach.


The Critical Issue: Asset Security

The most pressing risk for auditors is asset security. An SMSF auditor cannot pass an audit if they believe the fund’s assets are insecure. Currently, nearly all crypto assets held in SMSFs are considered insecure, exposing auditors to significant liability.


Auditor Obligations

An SMSF auditor’s role is to provide an opinion on:

  1. The accuracy of the fund’s financial records.

  2. Compliance with the Superannuation Industry (Supervision) Act 1993 (SIS Act) and associated regulations.

Holding assets insecurely would likely constitute a contravention of these laws. Auditors are legally obligated to identify and report such breaches.

Note: This liability has not yet been publicly tested in court by the ATO or ASIC. Auditors passing audits today may be unaware of their full exposure.


Understanding Crypto Asset Security

“Asset security” refers to how well assets are protected from theft, loss, or misappropriation. Cryptocurrency is notoriously insecure:

  • Crypto hacks: Any crypto account connected to the internet can be hacked. Assets can be stolen via crypto withdrawals or converted to fiat and withdrawn.
  • 2FA limitations: Two-factor authentication does not fully protect against hacking.
  • Self-custody risks: Personal devices, backups, or passwords can be lost, compromising access to funds.
  • Exchange custody risks: Exchanges do not have sufficient balance sheets to survive catastrophic hacks. 2024 saw record-level exchange hacks and fraud.
  • Historical losses: Around 20% of all Bitcoin (~A$600bn) is estimated to have been lost or stolen.


Institutional-Grade Security

Financial institutions now require licensed, insured custody with blocked withdrawals—this is considered the minimum standard for institutional-grade security.

  • Providers like Zodia (owned by Standard Chartered, NAB, and other banks) offer true institutional-grade custody.
  • Claims such as “using Fireblocks” can be misleading; Fireblocks is a custody software company and relies on Zodia for secure, licensed custody for institutional clients.

Auditors must ensure that SMSF trustees adopt these measures. Failing to recommend or require licensed custody while passing audits exposes auditors to risk.


Auditor Liability

Auditors must assess the security measures trustees have in place. An auditor is exposed if all three of the following apply:

  • Aware of risks: the auditor knew about crypto security risks.

  • Knew a solution existed: a licensed custody solution was available.

  • Did not recommend it: and yet the auditor still passed the audit.

Failing to report contraventions can result in:

  • Penalties for the auditor.

  • Regulatory action from ATO or ASIC for deficient conduct, including failure to properly investigate investments and their recoverability.


Key Auditor Considerations

1. Financial and Compliance Audit

  • Financial audit: Verifies the accuracy of the financial statements, including asset valuations.

  • Compliance audit: Checks compliance with the SIS Act and associated regulations.

  • Insecurely held assets could result in a qualified audit report or contravention findings.

2. Reporting Contraventions

  • Auditors must file an Auditor/Actuary Contravention Report (ACR) with the ATO if breaches are found or suspected.

  • Trustees must also be informed in writing.

3. Professional Judgment and Independence

  • Auditors must exercise professional judgment in determining the materiality of breaches.

  • Compliance with APES 110 Code of Ethics is required, emphasizing integrity, objectivity, and competence.

  • Passing audits despite concerns about asset security could constitute a serious ethical breach.

4. Proving Ownership

  • Asset segregation: SMSF assets must be separate from personal assets.

  • Auditors must verify wallets or exchange accounts are legally and beneficially owned by the SMSF.

5. Security

  • Only platforms with blocked withdrawals and licensed custody are fully secure.

  • Self-custody and exchange custody are insufficient for institutional-grade security.

6. Record-Keeping and Audit Trail

  • Auditors must ensure comprehensive transaction records exist: purchases, sales, transfers.

  • Valuations must be at market value at the end of the financial year.

  • Capital Gains Tax (CGT) must be accurately calculated for all disposals.

7. Fund Operations and Compliance

  • Investment strategy: Must address diversification, risk, liquidity, and the rationale for crypto investments.

  • Fund deed: Must permit crypto investments.

  • Sole Purpose Test: SMSF must serve solely to provide retirement benefits.

  • Related-party transactions: SMSFs cannot buy crypto from members or related parties.

  • Borrowing and leverage: Must remain compliant with SIS Act rules.


The Reality

  • Crypto held in Australian SMSFs is generally insecure.

  • Marketing claims of “world-class security” are often exaggerated.

  • Financial institutions invest in crypto only with licensed, insured custody and blocked withdrawals—the same standard SMSF auditors should require.


Summary: Auditor Risk

Auditors face risks due to:

  • The decentralised, volatile, and technical nature of crypto.

  • Difficulty in verifying ownership, valuation, and compliance.

  • Potential for permanent asset loss and regulatory penalties.

Without institutional-grade security, SMSF auditors may face:

  • Suspension or cancellation of registration.

  • Financial penalties.

  • Legal liability if a fund member suffers loss.

Bottom line: Auditors must demand licensed, insured custody with blocked withdrawals to mitigate risk. Failure to do so exposes both the SMSF and the auditor to potentially significant consequences.