Recently Bitstamp did a public display of assets under management and while I think its important they and others (like Kraken and the Vault of Satoshi) do this it does not an audit make.
Just look this video where Roger Ver attests things look good at Mt. Gox or what happened with Neo&Bee.
Don’t get me wrong what Bitstamp, Kraken and Vault of Satoshi are doing is great but they are not “audits” at least useful ones.
au-dit : an official inspection of an individual’s or organization’s accounts, typically by an independent body.
What kind of litmus test must be passed for me to consider something a useful “audit”?
- Does it look at evidence in balance? For example if someone has a million dollars in the bank but has signed first right debt agreements for two-million your still likely out of luck in the event they go under.
- Does it look at the complete picture? Its entirely possible an entity has all of its assets under its control and is debt free but the principals have unobstructed access to the funds or that the security and engineering practices are so lax that at any given moment a system can be compromised without detection.
- Does it measure practices to a standard? Audits are performed to some standard, for example the Sarbanes Oxley audits use a standard set of criteria that help assure financials are being tracked published accurately. While the WebTrust for CA audits ensures that certificate authorities are following common minimum standards for securing their operations.
- Is the standard relevant to the business in question? The risks in each system are different even if only subtly; there are many things in a WebTrust for CA audit that might be relevant to a bitcoin exchange but there are just as many things that are not the same is true for a SOX report. For an audit to be valuable it has to be one that was designed to prove something relevant.
- Is it performed by an independent third-party? Conflicts of interest are abound and when money is involved people often do the wrong thing. While the use of celebrity people from the community in a pinch is fine (and no disrespect intended) these individuals have a vested interest in the success of bitcoin.
- Is it performed by a qualified individual or group? Often times the “low bid” auditor wins but these are the same auditors who ask for stupid things.
So to-date has there been a single usfull bitcoin audit? I think its safe to say no. I would go so far to say that the practices of most Bitcoin entities are not actually audit-able because one has to design processes and procedures to ensure that they are and this slows down the “innovation train”.
In Coindesk post about Bitstamp’s “audit” Mike Hearn was quoted as saying “It’s a bit early to be setting standards yet” I would respond by asking the question if not now when? In my opinion this is exactly the right time to be tackling this problem.
These standards take time to be developed and have impacts on the way businesses operate and starting now not only ensures that the rapid growth in the Bitcoin ecosystem takes into consideration meeting some shared requirements on liquidity, solvency, audibility, transparency and security but by doing it now the requirements end-up being defined by the Bitcoin community instead of thrust upon it.
Regardless we need to be honest about what’s being shown when these events occur, they do little more than prove an entity has an amount of Bitcoin but nothing more.