Crypto Losses? Your Audit Controls Already Win
Blockchain
financial services
August 05, 2026· 7 min read

40% of crypto losses stem from credential failures, not blockchain tech. Auditors already possess the controls expertise needed—segregation of duties and key custody aren't new problems.

$16.69 Billion in Crypto Losses Came Down to One Question Nobody Asked

Forty percent of $16.69 billion in crypto losses traces back to stolen private keys. Not smart contract exploits. Not protocol vulnerabilities. Not zero-day attacks on bleeding-edge code.

Someone got access to a credential they shouldn't have had, and nobody had a second signature to stop them.

CoinDesk published that number, and I keep coming back to it because of what happens when you strip away the word "crypto." You're left with a control failure auditors have been documenting since the 1980s. Who can sign? Who approves the second signature? What happens to access when someone leaves? Where's the recovery key, and who actually tested it?

That's not blockchain innovation. That's segregation of duties, key custody, and access recertification — the oldest controls in the book. We dressed a forty-year-old control failure in a new costume and decided it needed a brand-new expert.

The Thing That Was Supposed to Be Different

The blockchain was trustless. The people holding the keys weren't.

I've watched this exact pattern four times now — new technology arrives, promises to solve old problems through mathematical elegance, then fails at precisely the same human layer every predecessor failed at. The dotcom boom gave us "information wants to be free" until someone had to figure out who could update the product catalog. Cloud gave us "infrastructure as code" until someone had to decide who could spin up a $300,000 EC2 instance. AI is giving us "autonomous agents" until someone has to decide who can modify the training data.

Crypto promised to eliminate trusted intermediaries, then invented custodians, exchange admins, and wallet signers — trusted intermediaries by another name.

The mathematical guarantee was real. The operational reality was not. A private key is a credential with catastrophic blast radius and no undo button. Move $100 million to the wrong address and there's no bank to call, no wire recall, no fraud department. The transaction is mathematically final the moment it's confirmed.

But here's what bothers me: auditors already know how to reason about credentials like this. We've been managing dual control on wire transfers, segregating duties on financial reporting systems, and recertifying access to crown jewel databases for decades. The crypto-native crowd often doesn't have that muscle memory — they came up through cryptography and distributed systems, not control frameworks and SOC 2 audits.

The Pattern We've Seen Before

Nobody gets fired the day the railroad arrives. The town just slowly empties out.

When electronic trading came to the NYSE floor in the late 1990s, the specialists knew more about market microstructure than anyone. They understood order flow, price discovery, information asymmetry — all the mechanics that made markets work. What they didn't understand was that knowing how markets work matters less when the entire market moves to a platform they don't control.

The crypto industry built sophisticated systems for Byzantine fault tolerance and zero-knowledge proofs, then lost $6.7 billion because they didn't implement separation of duties.

I was advising a client last quarter who'd hired a "Head of Blockchain Security" — sharp guy, PhD in cryptography, could explain Merkle trees and elliptic curves in his sleep. I asked him who reviews access logs for their cold wallet. He looked at me like I'd asked him to explain indoor plumbing. That's not a crypto question, that's a controls question. But he'd been hired to solve crypto problems.

The gap isn't technical knowledge. It's pattern recognition. The ability to look at a private key and see every wire fraud, every privileged access failure, every insider threat you've investigated before. Strip away "blockchain" and "cryptographic signature" and you're left with: someone had access they shouldn't have had, or someone who should have said no didn't, or someone left the company and nobody revoked their credentials.

What Your Clients Aren't Asking (But Should Be)

Here's where it gets uncomfortable for both sides. The traditional audit firms are afraid to engage with crypto because it feels foreign. The crypto-native firms are moving fast and breaking things, which is a great DevOps philosophy and a terrible controls philosophy.

I sat in a meeting where a crypto startup founder told me they didn't need traditional controls because "the code is the control." His multisig wallet required three of five signatures to move funds. Sounds great, right? I asked him:

  • Who are the five signers, and did anyone document that?

  • What's the process when someone leaves the company?

  • Who tests that the 3-of-5 threshold actually works?

  • Where are the keys stored, and who audits access to that storage?

  • If four signers get hit by the same bus, what's the recovery process?

He didn't have answers. Not because he was incompetent — he'd built legitimately impressive technology. But because he'd spent years learning how to eliminate trusted third parties and zero years learning how to be a trusted third party himself.

That's the opening for our profession. The thing that makes digital assets feel foreign to a controls person — the Merkle trees, the consensus algorithms, the cryptographic signatures — is the smallest part of the risk. The part that actually loses the money is the part you already audit everywhere else.

The Question That Reveals Everything

If your firm touches digital assets right now — either internally or for clients — ask this: who owns key-management controls, the engineers or the people who run your control environment?

In most organizations, those aren't the same people. The engineers understand the technology. The controls team understands segregation of duties, access recertification, and incident response. The $6.7 billion got lost in the gap between them.

I'm not saying the cryptography doesn't matter. I'm saying that when you're investigating why $50 million walked out the door, you're almost never going to find "insufficient understanding of elliptic curve cryptography" as the root cause. You're going to find someone had admin rights they didn't need, or a key lived in a Dropbox folder protected by a password that hadn't changed in three years, or the person who set up the recovery process left eighteen months ago and nobody's entirely sure it still works.

We keep solving the math problem while ignoring the human problem. The math has been solved. The humans remain unsolved.

What This Means Monday Morning

Here's what to actually do with this:

For audit teams: The next time someone brings you a "crypto controls" engagement, start with your existing key management and privileged access frameworks. If your client can't answer the standard key custody questions, the fancy blockchain architecture doesn't matter. Begin with: who has keys, who approved their access, when was it last reviewed, what's the recovery process, and who's tested it in the last 90 days?

For finance leaders: If you're evaluating custody solutions or exchange partners, ask to see their access control matrices and their privileged access management policies before you ask about their cryptographic key derivation functions. The latter is probably fine. The former is where the losses happen.

For crypto companies: Hire someone who's failed a SOC 2 audit. Not as a joke — as actual strategic advice. Bring in someone who knows what control deficiencies look like in practice, who's investigated insider incidents, who understands that "the code is the control" is not an acceptable answer to "what compensating controls exist when the code is wrong?"
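The five questions put to the founder above and the Monday-morning key custody checklist (who has keys, who approved them, when access was last reviewed, whether the threshold and the recovery process have been exercised in the last 90 days) are concrete enough to script. The following is an added example, not code from the post or from RSM: a control check over a multisig signer roster. The 3-of-5 threshold and the 90-day window come from the post; the roster, the assessment date and every name in it are constructed for illustration.

```python
# Added example (not from the post): a key-custody control check for a
# multisig wallet, encoding the questions the post puts to the startup
# founder (who signs, offboarding, threshold test, recovery) and the audit
# team's 90-day review window. All roster data below is constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

REVIEW_WINDOW_DAYS = 90   # "tested in the last 90 days"
TODAY = date(2026, 8, 5)  # assumed assessment date (constructed)


@dataclass
class Signer:
    name: str
    key_id: str                         # label for the key, never the key material
    employed: bool                      # False once the person has left
    access_approved_by: Optional[str]   # who approved this person as a signer
    last_access_review: Optional[date]  # last access recertification


@dataclass
class MultisigPolicy:
    threshold: int                        # M in an M-of-N wallet
    signers: List[Signer]
    last_threshold_test: Optional[date]   # last time an M-of-N signing was exercised
    last_recovery_test: Optional[date]    # last time the recovery runbook was executed


def _stale(when: Optional[date], today: date) -> bool:
    """True if the event never happened or fell outside the review window."""
    return when is None or (today - when).days > REVIEW_WINDOW_DAYS


def assess_key_custody(policy: MultisigPolicy, today: date) -> List[Tuple[str, str]]:
    """Return (category, detail) findings; an empty list means no deficiency found."""
    findings = []
    for s in policy.signers:
        if not s.employed:
            findings.append(("offboarding",
                             f"{s.name} has left but {s.key_id} is still in the signer set"))
        if s.access_approved_by is None:
            findings.append(("approval", f"no documented approver for {s.name}"))
        if _stale(s.last_access_review, today):
            findings.append(("recertification",
                             f"{s.name}'s access not reviewed within {REVIEW_WINDOW_DAYS} days"))

    # Only keys held by current staff can legitimately be used to sign.
    active = [s for s in policy.signers if s.employed]
    n = len(policy.signers)
    if len(active) < policy.threshold:
        findings.append(("threshold",
                         f"{len(active)} active signers cannot meet {policy.threshold}-of-{n}"))
    elif len(active) == policy.threshold:
        # The "same bus" question: losing one more signer locks the funds.
        findings.append(("resilience",
                         f"losing any one of {len(active)} active signers locks the funds"))

    if _stale(policy.last_threshold_test, today):
        findings.append(("threshold-test", "M-of-N signing not exercised within the window"))
    if _stale(policy.last_recovery_test, today):
        findings.append(("recovery", "recovery procedure never tested or the test is stale"))
    return findings


def sample_policy() -> MultisigPolicy:
    """Constructed 3-of-5 roster with several deliberate deficiencies."""
    def days_ago(days: int) -> date:
        return TODAY - timedelta(days=days)

    return MultisigPolicy(
        threshold=3,
        signers=[
            Signer("alice", "key-1", True,  "cfo", days_ago(30)),
            Signer("bob",   "key-2", True,  "cfo", days_ago(200)),  # review overdue
            Signer("carol", "key-3", True,  None,  days_ago(10)),   # no approver on file
            Signer("dave",  "key-4", False, "cfo", days_ago(10)),   # departed, key not revoked
            Signer("erin",  "key-5", False, "cto", None),           # departed, never reviewed
        ],
        last_threshold_test=days_ago(120),  # exercised, but outside the window
        last_recovery_test=None,            # never run
    )


if __name__ == "__main__":
    for category, detail in assess_key_custody(sample_policy(), TODAY):
        print(f"[{category}] {detail}")
```

Run against the constructed roster it reports eight findings, none of them about cryptography: two departed signers still in the set, one signer with no approver, two stale recertifications, a threshold that only the remaining three active signers can meet, and threshold and recovery tests outside the 90-day window. Departed signers are excluded from the active count on purpose: a 3-of-5 wallet whose fifth key belongs to someone who left a year ago is a 3-of-4 wallet in practice, which is exactly the gap the post describes.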

The blockchain doesn't need new experts. It needs old experts who've seen credentials mismanaged in seventeen different contexts and can spot the eighteenth before it costs $100 million.

But what do I know — I've only watched this movie four times. Maybe the fifth time will be different.


What are you asking Monday morning? If your firm touches digital assets — even tangentially — who's reviewing key management controls, and do they report to engineering or to your control functions? That reporting line tells you everything about whether you're managing crypto risk or just hoping nothing breaks.
