Crypto Attestation Vs Audit: What The Difference Means
Crypto attestations and audits are not the same. Learn why scope, timing and wording matter before relying on exchange or stablecoin reserve reports.
Crypto companies often publish reserve reports with reassuring words around them. The problem is that words such as attestation, audit and proof of reserves do not all mean the same thing. If you understand the difference, you can read those claims with less confusion and more useful caution.
The Short Version
A crypto attestation is usually a report on a specific statement at a specific point in time. An audit is generally broader, more formal and built around a fuller set of accounts, controls and evidence. Neither word should be treated as a guarantee that an exchange, issuer or protocol is safe. The useful question is what was checked, when it was checked and what was left outside the report.
What A Crypto Attestation Usually Checks
In crypto, an attestation often appears when a stablecoin issuer, exchange or custodian wants an outside firm to report on a narrow claim. That claim might be that a certain pool of assets existed on a certain date, or that management prepared a schedule of reserves using a stated method.
That can be useful, but it is not the same as saying the whole business has been audited. The report may cover one balance, one wallet list, one reserve schedule or one set of agreed procedures. If the subject is narrow, the comfort you can take from it is narrow too.
A monthly reserve attestation may sound like a full check on solvency. It usually is not. It may tell you something about assets presented for checking at that moment, while saying little about off-balance-sheet obligations, internal controls, future liquidity pressure, cyber risk or whether customers can withdraw during stress.
That is why our proof of reserves explainer treats reserve evidence as one piece of a wider risk picture. A report can reduce one uncertainty without removing every other one.
Why An Audit Is Broader
An audit is usually a more comprehensive engagement. In ordinary company reporting, an auditor examines financial statements, gathers evidence, considers whether the statements are materially misstated and gives an opinion under an audit framework. The exact rules depend on the jurisdiction and standard being used, but the direction is clear: the audit is not just a quick snapshot of one number.
International assurance standards also distinguish between audits, reviews and other assurance engagements. IAASB’s ISAE 3000 deals with assurance engagements other than audits or reviews of historical financial information. That distinction matters because an attestation-style report can sit in the assurance family without becoming a financial statement audit.
The practical difference is scope. A fuller audit can involve testing evidence, understanding controls, checking management assertions, considering materiality and forming an opinion on broader financial information. A narrow attestation may only report whether a stated schedule agrees with specific evidence at a defined date.
Why Timing Changes The Meaning
Many crypto reserve reports are point-in-time reports. They may say what was observed on one date, or during one short reporting window. That helps if you want to know whether a claim was checked then. It helps less if you want to know what happened before, after or during a market panic.
Imagine an exchange that publishes a reserve attestation dated 31 May. The report may show that a reserve schedule matched certain wallet balances on that date. It may not show whether assets were borrowed shortly before the check, whether customer liabilities were complete, whether the firm had other debts, or whether withdrawals would still work during a rush for the exit.
This is one reason stablecoin reporting deserves careful reading. A stablecoin can look calm until confidence changes quickly. Our guide to a stablecoin depeg explains why the link to one pound or one dollar can break when reserves, redemption mechanics or market trust come under pressure.
How To Read The Wording
The most useful habit is to slow down on the exact wording. Do not stop at the headline. Look for the subject, the date, the responsible party, the outside firm, the level of assurance and the exclusions.
The subject tells you what was checked. Was it a reserve schedule, a wallet balance, a management assertion, a control process or a full set of financial statements? The date tells you whether the report is current or stale. The responsible party tells you who prepared the information. The outside firm tells you who checked it, but not automatically how much comfort the report gives.
The level of assurance is especially important. Some reports provide reasonable assurance, which is generally stronger. Others provide limited assurance, where the wording may be closer to saying that nothing came to the practitioner’s attention that caused them to believe the statement was materially wrong. That is useful language, but it is not the same as proving that everything is fine.
Common Mistakes To Avoid
The first mistake is treating any third-party report as a safety certificate. A recognised accounting firm can add discipline to a report, but it does not remove the risks of the business being reported on. The FCA warns that crypto remains high risk and that UK consumers should not expect the same protections that apply to many regulated financial products.
The second mistake is looking only at assets. A reserve number is incomplete without the liability side. If a platform holds assets but owes customers more, or has obligations that are not included in the schedule, the reserve picture can mislead. This is why the phrase "fully backed" needs careful support, not just repetition.
The third mistake is confusing transparency with protection. Public reporting can help readers ask better questions. It does not give FSCS protection, guarantee withdrawals, insure assets or prevent poor management. If you want the wider stablecoin context, our stablecoin explainer is a useful starting point.
A Worked Example
Suppose a fictional stablecoin issuer says it has GBP-backed tokens in circulation. At the end of each month, it publishes an attestation from an outside firm. The report says management prepared a reserve schedule, the firm compared selected bank and custody statements to that schedule, and no material exception was found as of that date.
That is useful information. It suggests someone outside the company looked at evidence for that reserve schedule. But the reader still needs to ask what was not covered. Did the report test all customer liabilities? Did it assess whether the issuer could meet redemptions during stress? Did it test internal controls over wallet access? Did it cover the days after the reporting date?
Now compare that with a fuller annual financial statement audit. The audit might look at the broader accounts, test evidence across the reporting period, consider material misstatement and give an opinion on the financial statements as a whole. Even then, an audit is not a promise that the company will never fail. It is a broader and more formal opinion than a narrow reserve attestation.
What This Means For You
If you see a crypto company using the word "attested", ask what exactly has been attested. If you see the word "audited", check whether it means a full financial statement audit or a narrower assurance report being described loosely in marketing copy.
The safest reading habit is to translate every report into three plain questions: what was checked, when was it checked and what was excluded? If those answers are hard to find, that is useful information in itself.
This is especially important with exchanges, custodians and stablecoin issuers because ordinary users often depend on someone else’s controls. You may see a clean-looking report, but you are still exposed to the business model, governance, technology, legal structure and market conditions around it.
In Plain English
An attestation usually checks a specific claim. An audit usually checks a broader set of accounts or controls. Neither is a guarantee.
Read the scope before you trust the headline. A report that checks reserves on one date does not automatically prove solvency, safety or future liquidity.
Useful evidence is still evidence, but it has edges.
Disclaimer: Cryptocurrency investments are highly volatile and speculative. Their value can rise and fall sharply, and you could lose all of your investment. This article is for informational and educational purposes only and does not constitute financial advice. Always do your own research before making any investment decision.