In 2021, a number of companies such as Tesla, MicroStrategy, and Square Inc. diversified their investment portfolios by purchasing bitcoin and alternative cryptocurrencies.
As much as we recognize this as a great move in terms of adoption, we ought to note that these companies, and more in future, need to establish an Internal Control Mechanism or Manual on Accounts and Wallet Management.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines Internal Control as a process established by a company’s management team to provide assurance relating to the achievement of its objectives. This includes the process of conveying duties and responsibilities to everyone in the organization with the aim of achieving the said goals such as ensuring:
Reliable financial reporting
Effective and efficient business operations
Compliance with applicable laws and regulations
Safeguarding of assets
Therefore, all companies need to have Internal Control processes and a consequent policy that stipulates how their wallets will be purchased, accessed, and stored in order to safeguard their crypto assets.
Such a policy would outline the company’s principles of action, that is, its rules or guidelines regarding its wallets and accounts, while the processes would set out which actions are to be taken.
Crypto transactions should be for legal purposes such as diversifying a company’s investment portfolio or getting into new business markets. They should not be used as a means of laundering money or financing illegal activities such as terrorism. The management team and employees should be trained on blockchain technology, bitcoin and other cryptocurrencies to ensure they have a good understanding of their potential and risks.
The policy should stipulate who has access to the accounts and wallets as well as their roles and limitations. The company’s management team, especially the CEO, directors/partners, and managers in the financial and legal departments, are expected to have complementary levels of access to the company’s crypto accounts and wallets. These people ought to be competent, knowledgeable in crypto, and, more importantly, have integrity since they are handling sensitive data.
Credentials and Keys Management
It should set out who can open an account in the company’s name. For instance, it can state that such a decision will be arrived at after a board resolution is passed stating who, when, and on which exchange(s).
In addition, it should state who shall have access to any or all of the credentials used to access the accounts and the public and private keys. Caution, strong controls, and limited access are crucial in protecting digital assets. For instance, a company with hardware wallets might decide to have them stored in a reputable bank’s safety deposit box or in a safe within the company’s premises.
The policy should lay out who shall be making crypto purchases or sales. This can be handled by the heads of the aforementioned departments after seeking approval from the management team in writing to avoid any discrepancies.
It can outline the accounts for these transactions and distinguish who handles the accounts on exchanges from who transfers the currencies to and from wallets. It can also stipulate that these records should be kept for at least six years from the date they were populated or from the end of the tax year they relate to, in compliance with audit guidelines. This will be effective in verifying financial records, preventing fraud, and facilitating external audits.
Everyone handling the company’s investments is aware of the risks involved. In the crypto space, this should be no different. Handlers should be aware of certain risks such as theft of crypto by people with and without access, loss of private keys, sending crypto from their account to an incorrect address, non-recovery of crypto sent to a wrong address, and delays that occur sometimes when processing transactions.
A great policy should highlight these risks and outline ways of reporting and navigating such instances.
The policy should lay out the means of monitoring crypto transactions, accounts, and wallets, as well as who performs these roles. The people in charge should look for loopholes in how the accounts and wallets are handled, ensure the privacy of the company’s crypto data is maintained, ensure the company has taken steps to be cybersecure, report any accounts and wallets that are neither approved nor accounted for by the management, and report the use of an exchange that is not approved.
A company can even engage the services of a data security program to alert it to any suspicious activity on its servers or accounts. The team can also use blockchain technology to upload and populate their transaction records to prevent unauthorized alteration, since immutability is a great feature of this technology.
Such policies provide clarity, consistency, and accountability in how companies manage their accounts and wallets. This, in turn, safeguards their assets and guarantees effective business performance, an achievement most organizations aim for. Hence, their creation should be prioritized.