Compliance, December 17, 2025

Bitcoin, blockchain, and beyond: Audit essentials for assurance leaders

Digital assets are no longer future trends—they’re business realities. As blockchain, stablecoins, and crypto adoption accelerate, internal audit leaders must evolve their approaches to governance, risk, and assurance.

New laws and executive orders, changes in oversight, and updated guidance are reshaping how internal auditors approach bitcoin, stablecoins, blockchain, and related assets. The Guiding and Establishing National Innovation for U.S. Stablecoins Act of 2025 (GENIUS Act) established a federal framework for stablecoins, with requirements for reserves, transparency, and oversight. The Securities and Exchange Commission (SEC) has also launched a dedicated Crypto Task Force and shifted its approach from aggressive enforcement to clearer rulemaking on custody, disclosure, and trading. Additionally, new guidance from banking regulators (like the FDIC and OCC) is opening up certain crypto activities for banks under oversight, rather than the prior blanket prohibitions. 

Risk profiles, control environments, and regulatory expectations continue to transform quickly. As internal auditors, you must have the tools and understanding you need to audit, assess risk, and advise management in this evolving environment.

Blockchain and digital assets

What is blockchain?

Blockchain is a digital system for recording transactions or data that is shared across a network rather than being stored in one central place. Think of it as a tamper-resistant, shared digital ledger that everyone in the network can see and verify, but no single person controls.

What are the three key concepts?

  1. Distributed ledger technology (DLT). Imagine a spreadsheet that is copied across thousands of computers worldwide, and every time a transaction occurs, the update appears on all copies simultaneously. Because blockchain is distributed, no one central authority can alter the record without everyone knowing, building trust and transparency into each transaction.
  2. Decentralized and immutable. There is no single central bank, company, or government controlling the ledger. Instead, the network participants follow agreed-upon rules. Blockchain is immutable because once information is added to the blockchain, it’s permanent. It can’t be changed or deleted without leaving a trace, creating integrity and security in the data.
  3. Peer-to-peer transactions. With blockchain, individuals or businesses can send value directly to each other, such as payments, contracts, or digital assets, without the need for intermediaries, like banks or payment processors. The network itself verifies the transaction, typically through a consensus mechanism, such as proof of work or proof of stake.

How does blockchain work?

A blockchain is built from three elements: transactions, blocks, and hashes.

  • Transactions involve actions, such as sending cryptocurrency, recording ownership, or signing digital contracts.
  • Blocks act as a container that groups validated transactions together, with each block added to the chain in chronological order.
  • Hashes are created using cryptography and provide a unique digital fingerprint for each block. If anyone modifies the data in a block, its hash changes and no longer matches the value recorded in the next block, so the network can detect that the block has been tampered with.

The chain of blocks is secured because each block contains the hash of the previous one, creating a tamper-evident link.
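To make the tamper-evident link concrete, here is a small hash-chained ledger in Python. It is an added example written for this article, not code from the original page; the sample transactions, the choice of SHA-256, and the placeholder nonce field are illustrative assumptions. It builds a chain, edits a historical transaction, and shows that verification fails at the edited block; re-hashing that block to hide the edit only moves the failure to the next block, whose stored previous-hash no longer matches.

```python
import copy
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Block:
    index: int
    prev_hash: str              # fingerprint of the block before this one
    transactions: list          # validated transactions grouped into this block
    nonce: int = 0              # placeholder for a consensus mechanism's proof field
    block_hash: str = field(default="", init=False)

    def compute_hash(self) -> str:
        # The fingerprint covers everything in the block, including the previous
        # block's hash, so an edit anywhere earlier in the chain changes it too.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(payload).hexdigest()

    def seal(self) -> "Block":
        """Record the block's current fingerprint (what a validator would store)."""
        self.block_hash = self.compute_hash()
        return self


GENESIS_PREV = "0" * 64   # the first block has no predecessor


def build_chain(batches):
    """Group each batch of transactions into a block linked to the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = Block(index=i, prev_hash=prev, transactions=copy.deepcopy(txs)).seal()
        chain.append(block)
        prev = block.block_hash
    return chain


def verify_chain(chain):
    """(True, None) if every block is intact and linked, else (False, index of first bad block)."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev:                      # link to predecessor broken
            return False, block.index
        if block.compute_hash() != block.block_hash:     # contents no longer match fingerprint
            return False, block.index
        prev = block.block_hash
    return True, None


# Constructed sample transactions (names and amounts are invented for illustration).
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}, {"from": "alice", "to": "dave", "amount": 1}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]


def tamper_demo():
    """Edit a historical transaction and report where verification first fails."""
    chain = build_chain(SAMPLE_BATCHES)
    before = verify_chain(chain)                  # (True, None)
    chain[1].transactions[0]["amount"] = 200      # quietly rewrite history in block 1
    after = verify_chain(chain)                   # (False, 1): block 1 no longer matches its hash
    chain[1].seal()                               # attacker re-hashes block 1 to cover the edit...
    after_reseal = verify_chain(chain)            # (False, 2): ...but block 2 still points at the old hash
    return before, after, after_reseal


if __name__ == "__main__":
    print(tamper_demo())
```

On a real network this is what makes rewriting history expensive: an attacker would have to recompute every subsequent block and, under proof of work or proof of stake, also win consensus for the rewritten chain against every other copy of the ledger.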

Public blockchains provide access to anyone, while private blockchains are restricted to authorized users. The choice between public and private depends on whether you want transparency or privacy and control. Block explorers such as blockchain.com let you look up a public blockchain's transaction history.

What are the basics of bitcoin?

Bitcoin is the first and most well-known cryptocurrency. Launched in 2009, it is a digital form of money that exists only online and supports secure, peer-to-peer transactions. Unlike Venmo and PayPal, which move money through the traditional financial system and its intermediaries, bitcoin lets people send value to each other directly. Transactions are verified by a global network of computers using blockchain rather than by a single organization. This was considered revolutionary because it introduced the idea of trustless systems: you don’t have to trust one institution; you trust the network itself.

Bitcoin’s code caps the total supply at 21 million coins, making it scarce. This limited supply is a key reason Bitcoin is often called “digital gold” and seen as a store of value rather than just a payment system.

What are smart contracts?

Smart contracts are computer programs stored on a blockchain that automatically carry out the terms of an agreement when certain conditions are met. Smart contracts run exactly as programmed, reducing delays, costs, and human error. Compare it to a digital vending machine where the right inputs are applied (money and selection) and the smart contract automatically delivers the product without the need for a cashier.

For example, a smart contract for a loan could automatically release funds when collateral is deposited and trigger repayment schedules without requiring manual approval from bank staff. Smart contracts are written in computer code rather than legal language, and no lawyer or intermediary is needed for execution. The same property cuts both ways: a contract runs exactly as written, including any bugs, and code deployed to a public blockchain generally cannot be patched in place, so review and testing before deployment carry more weight than they do for conventional software.
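The loan contract described above, modelled as a small Python state machine. This is an added illustration written for this article, not a real smart contract or a deployable contract language; the parties, amounts, and collateral requirement are invented, and ContractError stands in for a failed precondition check such as require() in Solidity. Every rule is fixed when the contract is created, the release happens inside the call that satisfies the condition, and calls that break a rule are rejected rather than routed to a person for approval.

```python
from dataclasses import dataclass, field


class ContractError(Exception):
    """A call that breaks the contract's rules is rejected (like a failed require() in Solidity)."""


@dataclass
class LoanContract:
    lender: str
    borrower: str
    principal: int              # released to the borrower once collateral is in place
    collateral_required: int    # collateral the borrower must lock before release
    installments: int           # number of equal repayments that clears the loan
    collateral: int = 0
    released: bool = False
    repaid: int = 0
    events: list = field(default_factory=list)   # the event log an auditor would read

    def _require(self, condition, message):
        if not condition:
            raise ContractError(message)

    def deposit_collateral(self, sender, amount):
        """Lock collateral; funds are released in the same call once the threshold is met."""
        self._require(sender == self.borrower, "only the borrower can post collateral")
        self._require(amount > 0, "collateral must be positive")
        self._require(not self.released, "loan already funded")
        self.collateral += amount
        self.events.append(("CollateralDeposited", sender, amount))
        if self.collateral >= self.collateral_required:
            self.released = True                     # no manual approval step
            self.events.append(("FundsReleased", self.borrower, self.principal))
        return self.released

    def repayment_schedule(self):
        """Equal installments from the terms fixed at creation (remainder spread over the first ones)."""
        self._require(self.released, "no schedule until funds are released")
        base, remainder = divmod(self.principal, self.installments)
        return [base + (1 if i < remainder else 0) for i in range(self.installments)]

    def repay(self, sender, amount):
        """Apply a repayment and return the outstanding balance; collateral is returned at zero."""
        self._require(sender == self.borrower, "only the borrower can repay")
        self._require(self.released, "nothing to repay")
        self._require(0 < amount <= self.principal - self.repaid, "invalid repayment amount")
        self.repaid += amount
        self.events.append(("Repayment", sender, amount))
        if self.repaid == self.principal:
            refund, self.collateral = self.collateral, 0
            self.events.append(("CollateralReturned", self.borrower, refund))
        return self.principal - self.repaid


def demo():
    """Walk one loan through its life cycle, recording the calls the contract refuses."""
    loan = LoanContract(lender="bank", borrower="alice",
                        principal=1000, collateral_required=1500, installments=3)
    rejected = []
    for call, args in [(loan.repay, ("alice", 100)),                   # nothing funded yet
                       (loan.deposit_collateral, ("mallory", 1500))]:  # wrong party
        try:
            call(*args)
        except ContractError as err:
            rejected.append(str(err))
    loan.deposit_collateral("alice", 1000)             # below threshold: nothing released
    loan.deposit_collateral("alice", 500)              # threshold met: funds released automatically
    schedule = loan.repayment_schedule()               # [334, 333, 333]
    outstanding = [loan.repay("alice", x) for x in schedule]   # [666, 333, 0]
    return rejected, loan.released, schedule, outstanding, loan.collateral, loan.events


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The two rejected calls are the point for an auditor: the control sits in the code path, so assurance over a smart contract means reading the precondition checks and the state they guard, not a policy document.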


A shift in the regulatory environment – from fragmented enforcement to structured oversight

In 2025, a massive shift occurred in the regulatory environment, transitioning from fragmented enforcement to structured oversight. Regulatory leadership changes aimed at promoting a safe, sound, and resilient banking system contributed to this shift. Notably, the appointment of Travis Hill as the Acting Chairman of the Federal Deposit Insurance Corporation (FDIC) in January 2025 was particularly significant.

Acting Chairman Hill stated that the FDIC’s new focus includes adopting a more open-minded approach to innovation and technology adoption, with an emphasis on fintech partnerships and cryptocurrency. This shift in mindset from FDIC, OCC, and SEC regulators has opened up the possibility for regulated institutions to explore digital assets without the fear of regulatory harm.

What are stablecoins?

With the U.S. administration’s new stance on cryptocurrency, stablecoins have grown in popularity. Stablecoins are designed to maintain a stable value, typically by being pegged to a reserve asset, such as a fiat currency (e.g., the U.S. dollar), a commodity (e.g., gold), or through algorithmic mechanisms.

Stablecoins’ primary purpose is to combine the speed and transparency of digital assets with the price stability of traditional currencies. This contrasts with other cryptocurrencies, like bitcoin, which can experience significant price fluctuations.

Stablecoins allow individuals to use cryptocurrency with greater confidence that their digital assets will hold their value. The benefits of stablecoins include:

  • Faster, lower-cost transactions
  • Use in decentralized finance for trading, lending, and yield farming
  • Cross-border transfers that reduce reliance on banks and costly remittance services
  • Hedging, by exiting volatile cryptocurrency positions without converting to fiat

While stablecoins are considered a more “stable” option within cryptocurrency, they still carry risk, such as:

  • Reserve transparency: whether reserves are fully backed, held in suitable assets, and accessible on demand
  • Regulatory uncertainty and varying treatment by global regulators
  • Operational risk, including custody, governance, and smart contract vulnerabilities
  • Systemic risk, especially if widely adopted in payments or integrated with traditional finance

What is the GENIUS Act and how has it shaped stablecoin regulation?

The Guiding and Establishing National Innovation for U.S. Stablecoins Act of 2025 (GENIUS Act) represents a pivotal legislative milestone, signaling U.S. intent to modernize digital payments infrastructure through regulated stablecoins. While this is a tremendous step forward, it also raises debate over the adequacy of safeguards and political ethics amid ongoing developments in digital asset policy.

The GENIUS Act is expected to have a significant impact on the stablecoin market and the broader cryptocurrency landscape, specifically in these key areas:

  • Establishing a regulatory framework. The Act aims to provide clear guidelines and rules for the issuance and management of stablecoins.
  • Protecting consumers. By requiring issuers to hold reserves and prioritize stablecoin holders in bankruptcy, the bill safeguards consumers from potential losses.
  • Promoting responsible innovation. The Act encourages the responsible development and adoption of stablecoins while mitigating risks.
  • Enhancing national security. The legislation includes provisions to prevent money laundering and other illicit activities associated with stablecoins.
  • Maintaining U.S. dollar dominance. By providing a clear regulatory pathway, the Act ensures the U.S. dollar remains a dominant force in the digital economy.

With new regulatory clarity, banks view stablecoins as a competitive and strategic necessity. As more people use stablecoins to send money home, make international remittances, or conduct their business, banks feel pressure to stay relevant on digital money rails. The gap between nonbank issuers and regulated banks is viewed as a growth opportunity.

While this is an exciting opportunity, it also carries the potential for significant risk. With new regulatory requirements, organizations may not yet have mature controls in place. This provides an opportunity for internal audit, risk management, and compliance professionals to step up and ensure that stablecoins and other cryptocurrencies are well managed within your organization.

The SEC Crypto Task Force and other regulatory guidance

The SEC’s Crypto Task Force is a dedicated initiative to draw clearer lines about when a digital asset constitutes a “security,” to design tailored disclosure and registration paths for crypto issuers and intermediaries, and to ensure that investor protections are applied appropriately to digital asset markets.

Audit and compliance teams will need to treat investor protection not as an afterthought but as a design principle—ensuring systems, disclosures, safeguards, and controls are structured for transparency, accountability, and recovery. Additionally, risk assessments should focus on counterparty risk, smart contract failures, key compromise, and the insolvency of intermediaries, as these are areas where investor harm tends to materialize in the crypto space. Assurance scopes may expand to include review of code, custody architecture, disclosure completeness, and fallback or recovery mechanisms.

In the July 2025 interagency joint statement, the OCC, FDIC, and Federal Reserve outlined guidance on the safekeeping of crypto assets, stating that crypto custody differs from the custody of securities or cash, and that these special risks must be addressed explicitly. Some banks are expressing interest in outsourcing their cryptocurrency custody because they lack the necessary in-house skills. While that may be a good option, it’s important to note that while banks can outsource these activities, they cannot outsource the risk.

Although banking regulators are relaxing procedural barriers, risk management expectations will remain rigorous, because a poor risk management decision can cause significant harm to your company’s brand.

What is the tokenization of real-world assets?

Tokenization of real-world assets is the process of converting ownership rights of tangible assets, including real estate, art, sports memorabilia, or collectibles, into digital tokens on a blockchain, enabling them to be bought, sold, and traded more efficiently and with greater accessibility.

The tokenization process creates digital representations that serve as certificates of ownership, enabling multiple investors to own fractional shares of the asset. These tokens can then be traded on blockchain-based marketplaces, allowing for faster settlement and broader access to investments. Blockchain’s inherent transparency and immutability also help reduce fraud and enhance investor confidence.

What are some of the more recent global trends in cryptocurrency?

When it comes to innovation in the digital asset space, the U.S. is slightly behind other regions in its adoption. The European Union’s (EU’s) Markets in Crypto-Assets (MiCA) regulation, Asia’s central bank digital currency (CBDC) pilots, and global cross-border payment initiatives are major, overlapping efforts to modernize the financial system using digital technology. While MiCA focuses on regulating private crypto-assets within the EU, CBDC pilots in Asia are exploring government-controlled digital currencies and broader initiatives seek to improve all international payments, including those involving digital assets.

Additionally, cross-border payment initiatives are being spearheaded to address the persistent issues of slow, expensive, and opaque cross-border payments. These efforts, often led by international bodies, are increasingly overlapping with the digital currency work being undertaken in the EU and Asia.

While these areas are positively influencing crypto regulations and working to establish new technical and governance standards for cross-border usage, this emerging technology is also seeing an increase in scams and attacks, including in-person attacks. There’s been an increase in cases involving individuals known to have extensive crypto holdings being kidnapped for their private crypto keys. Unlike online hacking, these “wrench attacks” are a physical form of theft that targets individuals directly, forcing them to reveal the keys that grant access to their cryptocurrency wallets. Once a thief forces a victim to transfer funds, the blockchain transaction is permanent and cannot be reversed by a third party, unlike a fraudulent charge on a credit card.

Audit concepts (and implications) to be aware of

Whenever an organization approaches a new technology, it’s time to go back to the basics to understand what the business wants to accomplish and the universe of risks that might accompany that technology. This is especially helpful if you’re conducting an audit risk assessment or are in the second line of defense and need to test the risks.

There are several risk categories to consider:

  • Operational risks. Operational risks arise from failures in processes, systems, people, and technology when managing digital assets. To manage this type of risk, auditors need to review operational controls, third-party risk management, reconciliation processes, and business continuity plans.
  • Regulatory risks. Regulatory risks stem from the evolving legal and compliance environment for digital assets. Internal auditors should evaluate compliance programs, regulatory change management processes, and governance over disclosures and filings to ensure effective oversight.
  • Cybersecurity risks. Cybersecurity risks involve threats to the confidentiality, integrity, and availability of digital asset systems. Internal auditors should assess cybersecurity controls, including wallet security, incident response, network defenses, and vendor cyber risk management.
  • Financial reporting risk. Financial reporting risks include valuation and impairment challenges, off-balance-sheet exposure, and complexity in revenue recognition. To address this, internal auditors must review fair value hierarchy determinations, evaluate off-balance-sheet arrangements for adequately disclosed risks, obligations, and contingencies, and test revenue recognition policies to ensure accuracy.
  • Compliance risk. Weak Know Your Customer (KYC) or anti-money laundering (AML) controls, or inadequate transaction monitoring, may expose institutions to enforcement actions, fines, or reputational harm if illicit funds move through their systems. Regulators require accurate, accessible, and auditable records of digital asset transactions, ownership, and customer data for regulatory exams, audits, and legal proceedings.
  • Technology risk. Smart contract vulnerabilities, key management failures, and exchange hacks and fraud all contribute to technology risk. Auditors should verify whether third-party code audits, penetration testing, and formal verification tools were utilized prior to deployment. Auditors should also review change management processes for contract updates and emergency response plans to address any emerging vulnerabilities.
  • Third-party risk. Third-party risk can come from crypto custodians and exchanges, outsourced compliance vendors, and cloud service providers. Internal auditors should assess segregation of duties, insurance coverage, financial stability, incident response plans, vendor due diligence processes, and cloud security certifications.

Digital assets introduce new risks and regulatory expectations that require clear oversight from the board, risk committees, and executive leadership. Regulators expect real-time or near-real-time monitoring for unusual activity across cryptocurrency wallets, exchanges, and on and off-ramps.
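As an added example, not part of the original article: a minimal rule-based monitor of the kind the preceding paragraph describes, run over a constructed activity feed. The thresholds, the structuring band, the wallet and counterparty names, and the three rules (a large single transfer, repeated just-under-threshold transfers from one wallet within a day, and an outbound transfer to a counterparty never seen before) are illustrative assumptions, not regulatory figures.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds chosen for this example (assumptions, not regulatory figures).
LARGE_TXN_USD = 10_000
STRUCTURING_BAND = (9_000, 10_000)     # repeated transfers kept just under the line
STRUCTURING_COUNT = 3
STRUCTURING_WINDOW = timedelta(hours=24)

# Constructed activity feed across wallets and exchange on/off-ramps (not real data).
SAMPLE_TXS = [
    {"id": "t1", "ts": "2025-11-03T09:00:00", "wallet": "hot-1", "to": "exch-A", "amount_usd": 12_000},
    {"id": "t2", "ts": "2025-11-03T10:00:00", "wallet": "hot-2", "to": "exch-A", "amount_usd": 9_500},
    {"id": "t3", "ts": "2025-11-03T12:00:00", "wallet": "hot-2", "to": "exch-A", "amount_usd": 9_800},
    {"id": "t4", "ts": "2025-11-03T15:00:00", "wallet": "hot-2", "to": "exch-A", "amount_usd": 9_200},
    {"id": "t5", "ts": "2025-11-03T16:00:00", "wallet": "hot-1", "to": "unknown-X", "amount_usd": 500},
    {"id": "t6", "ts": "2025-11-03T17:00:00", "wallet": "hot-3", "to": "exch-B", "amount_usd": 300},
]

# Counterparties already reviewed and approved (assumed for the example).
KNOWN_COUNTERPARTIES = {"exch-A", "exch-B"}


def monitor(txs, known_counterparties):
    """Return alerts as (rule, tx_id, detail) tuples, processing transfers in time order."""
    alerts = []
    seen = set(known_counterparties)
    recent = defaultdict(deque)   # wallet -> timestamps of recent just-under-threshold transfers
    lo, hi = STRUCTURING_BAND

    for tx in sorted(txs, key=lambda t: t["ts"]):
        ts = datetime.fromisoformat(tx["ts"])
        amt = tx["amount_usd"]

        # Rule 1: a single transfer at or above the large-transaction line.
        if amt >= LARGE_TXN_USD:
            alerts.append(("large_transfer", tx["id"], f"{amt} USD from {tx['wallet']}"))

        # Rule 2: structuring, several transfers kept just under the line from one wallet.
        if lo <= amt < hi:
            window = recent[tx["wallet"]]
            window.append(ts)
            while ts - window[0] > STRUCTURING_WINDOW:   # drop entries older than the window
                window.popleft()
            if len(window) >= STRUCTURING_COUNT:
                alerts.append(("structuring", tx["id"],
                               f"{len(window)} transfers of {lo}-{hi - 1} USD from "
                               f"{tx['wallet']} within {STRUCTURING_WINDOW}"))
                window.clear()   # one alert per cluster

        # Rule 3: funds leaving to a counterparty not previously reviewed.
        if tx["to"] not in seen:
            alerts.append(("new_counterparty", tx["id"], f"first transfer to {tx['to']}"))
            seen.add(tx["to"])
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_TXS, KNOWN_COUNTERPARTIES):
        print(alert)
```

In practice the feed would come from a block explorer API, a custodian's activity export, or the exchange's own ledger, and the alerts would land in the same case-management queue as fiat AML alerts; what an auditor should test is that the rules are documented, the thresholds are owned by someone, and every alert has a disposition.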

As cryptocurrency adoption continues to grow, it presents a tremendous opportunity for internal auditors to step up as leaders within their organizations and professional communities to learn the products, understand the risks, and ensure that consumers and their businesses are well protected.


Dana Lawrence is the Sr. Director of Fintech Compliance at Pacific West Bank and Board Member at Technology Association of Oregon.