
You think a joint collaboration by Coinbase and Circle with monthly audits has "never been audited"?

https://www.centre.io/usdc-transparency




It hasn’t, no. Those are attestations, not audits.

You won’t find the word audit on that page or in the reports.


I thought an attest is a form of audit. Can you explain why you think this is insufficient?

And aren't these reports going to take time to complete? Every report in the past took about a month to complete and I don't see why that's a red flag.


Former auditor here.

An attestation offers considerably less assurance than an audit.

An audit is the most comprehensive type of assurance. Often called positive assurance. A clean audit opinion means the auditor collected sufficient and appropriate evidence to form an opinion on the financial statements (or reserves in tether/usdc case).

On the other hand, an attestation or review is a form of negative assurance where auditors state that nothing has come to their attention to indicate that subject matters or financial statements contain a material misstatement. In this type of assurance, auditors do not give an opinion; they simply say that financial statements look "reasonable".

Unlike positive assurance, auditors are not required to obtain sufficient and appropriate evidence to form an opinion. Instead, they only need to review if there are any problems with financial statements or subject matters.


Thanks! How would an attestation work with a fraud? For example, suppose a company simply produced a false bank statement.

Would an attestation have no ability to verify that the statement was fraudulent? In other words we must trust the entity undergoing attestation in order to rely on the attestation, and the attestation merely certifies there is no error of math or logic in what was presented.


Good question.

With an audit, the auditors get a representation from management that they will provide the truth etc. The auditors would also get third party evidence, e.g. from the bank providing the audit client's account. For important things you would always get third party evidence from banks, custodians, etc. or even just go and check to see if physical things exist!

With an attestation or limited/negative assurance engagement, there's no third party evidence. Instead, the auditors just rely on what they are given and whether it looks reasonable. The auditors would state in their "report" that only limited evidence was gathered and not enough to form the basis of an opinion.

Basically, limited / negative assurance is not really that useful in most circumstances.

Regarding fraud - auditors are not expected to find/uncover fraud under any type of engagement, which is a common misconception.

The biggest audit firms won't go anywhere near tether, and this alone tells you quite a bit :)


Thanks, that’s what I figured. And that’s very interesting about not even audit or assurance finding fraud.

> Basically, limited / negative assurance is not really that useful in most circumstances.

So what exactly can we glean from USDC having attestations? It’s certainly a step up from Tether in that respect but I’m also not sure it tells us all that much.

Or maybe a better way of asking is: how exactly would you prove that a stablecoin was backed?


To prove a stablecoin was backed you'd probably do the following:

1) review the processes and controls which operate the business to check they were operating correctly for the period under review

2) interview the various key stakeholders to assess competence and get representations

3) perform substantive testing over the collateral balance for the whole period. E.g. daily bank reconciliations. Get third party confirmations for EVERYTHING.

4) perform a contingent liabilities review and a legal review.

5) see if there are any related party transactions

6) do a going concern assessment

The key thing would be to check existence, completeness and valuation of collateral and existence and completeness of liabilities (issued tokens).

Depending on what the assets are that would entail different procedures. For tether I would want to see their whole CP portfolio to perform a thorough credit risk and systemic risk assessment. Do some modelling to understand valuation implications under various scenarios.

It's worth noting that it's not feasible to do this on a monthly basis because it's so onerous. Hence why probably they just do monthly attestations. I would expect that the legal entity which issues the tokens and holds the collateral is audited at least once a year.

Never knew my audit knowledge would ever be useful/interesting :)

Cheers


They seem to have caught up somewhat for the April report, but March was extremely delayed. News article below.

I’m not an expert, but I think an attestation just examines if a statement makes sense. My accountant did one for my revenues and the percent that were in USD. I sent them a spreadsheet with my revenues from various sources and calculations showing total USD.

The accountant verified that my spreadsheet said what I said it said. However, they did not actually verify the info underlying the spreadsheet beyond examining some screenshots of customer addresses I provided. They sampled a handful at random.

In USDC’s case, I think the auditor would look at a bank statement and say “the bank statement on May 31st indeed says Circle has $X” and Circle says this money is theirs for backing USDC.

Stuff they wouldn’t verify:

* Was the money there before that specific minute of the day?

* Did it remain there after?

* Was the money from deposits, or was it from a loan or some other source? (Bitfinex did this with a prior attestation, mixing up Bitfinex’s money and reserve funds)

So most people would assume these attestations mean “At all times USDC had backing of basically all of their tokens by $ in a bank account, free and unencumbered” but the attestations don’t examine that claim at all. They examine a very specific moment in time, and don’t examine the source of the funds.

In an audit you might actually examine the accounts at a time not chosen by Circle.

https://news.bitcoin.com/usdc-attestations-run-late-raising-...



