1. Introduction
The Markets in Crypto-Assets Regulation (MiCA) is the European Union’s first comprehensive and successful attempt to coordinate the regulation of crypto-assets and their service providers across all of its member states. By setting uniform licensing, governance, disclosure, and operational standards, MiCA seeks to reduce regulatory fragmentation, enhance investor protection, and provide supervisors with consistent tools to oversee what is now a rapidly evolving market.
While MiCa does establish formal regulatory expectations, its adoption does not resolve the complex challenges faced by audit professionals. Namely, for auditors, regulatory clarity is only a starting point. The inherent volatility of crypto-assets, novel operational frameworks, and the complexity of internal control structures all require careful and professional interpretation and judgement. That is why large audit firms, including the Big Four, approach all post-MiCA engagements with deliberate caution. Currently, their strategies reflect both the new opportunities presented by harmonized regulation and the enduring structural risks that MiCA, unfortunately, does not quite eliminate.
Thus, in the current environment, auditors must learn how to balance regulatory compliance, valuation rigor, internal control assessment, and reputational considerations. The purpose of this article is to examine how major audit firms are navigating these complexities today, over a year after MiCA took effect. The article highlights areas of engagement where auditors are increasingly active and domains where there is still professional hesitation, and explores the underlying rationale for such cautious approaches.
2. MiCA’s Regulatory Framework and Audit Implications
MiCA addresses several categories of crypto-assets, including asset-referenced tokens (ARTs), electronic money tokens (EMTs), and other crypto-assets that do not qualify as traditional financial instruments. The regulation also standardizes licensing, governance, and disclosure requirements for crypto-asset service providers and issuers, creating a much more coherent legal framework across the EU. This standardization is especially crucial for auditors, as it defines the regulatory perimeter and clarifies which entities are formally subject to MiCA’s provisions.
The European Banking Authority (EBA) has further developed MiCA’s framework by issuing guidance on standardized reporting requirements. These guidelines guarantee that all supervisory authorities can access comparable data across all jurisdictions. From an audit perspective, this type of reporting requirements provide context for understanding whether a client complies with regulations, but they do not eliminate the necessity of independent assessment under auditing standards. Thus, auditors must interpret regulatory compliance alongside established financial reporting principles, particularly when MiCA provisions intersect with International Financial Reporting Standards (IFRS) or certain local accounting frameworks.
The regulatory structure of MiCA, therefore, creates both opportunities and limitations. On one the hand, auditors can rely on documented regulatory controls as part of their assessment procedures. But on the other, compliance with MiCA alone remains insufficient when it comes to addressing valuation uncertainty, operational complexity, or the assurance limitations inherent in crypto-asset engagements. As a result, auditors are compelled to maintain professional skepticism, even in environments where regulatory clarity has improved substantially.
3. The Challenges of Valuation in Crypto-Audit Engagements
Valuation is arguably the most significant technical challenge auditors face when assessing crypto-assets. Namely, digital assets exhibit extreme price volatility and frequently trade on platforms with limited liquidity, which complicates the application of fair value principles over IFRS. In many cases, observable market inputs required to support Level 1 value measurements are unavailable. Consequently, auditors must rely on Level 2 and Level 3 inputs, which incorporate assumptions, unobservable market data, or unreliable modelling techniques.
Level 3 valuations, in particular, demand a great amount of careful professional judgement. Namely, they are inherently more subjective in nature and carry a higher risk of material misstatement. Therefore, auditors must evaluate whether all inputs are appropriate, all assumptions are reasonable, and that their methodology is consistent over time. The lack of standardized guidance on asset categorization—for instance, tokens that confer utility, governance rights, or staking privileges—further complicates classification and measurement. Auditors, thus, must reconcile these features with existing financial reporting while still ensuring compliance with MiCA.
Beyond the issue of fair value measurement, other valuation-related considerations worth mentioning include impairment testing, transaction revenue recognition, and potential off-balance-sheet exposures. Each one of them introduces additional layers of complexity that must be taken into account. Collectively, these factors explain why audit firms approach crypto engagements with caution, even when a client operates within a clear regulatory perimeter.
4. Operational and Internal Control Complexity
Operational assessment is another critical aspect of crypto audits post-MiCA. Distributed ledger technology, small contracts, and self-custody arrangements create novel risks not encountered in traditional financial audits.
Namely, auditors must now evaluate:
- The integrity and completeness of blockchain transactions
- Custody practices and key management frameworks
- Governance over token insurance, operational risk mitigation, and transaction approval.
Therefore, MiCA mandates governance and operational safeguards for regulated entities, including documented risk management policies, the segregation of duties, and internal control frameworks. However, it is important to mention that regulatory compliance is not at all equivalent to auditability. That is why auditors must assess whether documented controls translate into verifiable evidence, and whether the entity’s operational practices support reliable financial reporting.
Of course, decentralized systems further complicate operational assessment. When assets are held outside regulated custodians or in self-managed wallets, auditors face challenges in verifying existence, rights, and obligations. While smart contract interactions may be verifiable on-chain, understanding their economic implications and risk exposure requires specialized expertise. This creates a persistent gap between regulatory compliance and the substantive audit evidence that auditors can obtain.
5. Clear Shifts in Audit Company Engagement Practices
Naturally, MiCA has not brought only uncertainty. In fact, several positive observable trends have emerged in large audit firm practices.
- Governance-centric assessment
Nowadays, audit firms increasingly prioritize the evaluation of internal controls, governance frameworks, and risk management practices. Plus, MiCA-aligned policies allow auditors to contextualize crypto risk within broader enterprise control environments.
- Limited assurance engagements
Next, narrowly scoped engagements, such as attestations on reserve holdings, compliance checks, or system controls, are becoming more and more common. These engagements offer stakeholders meaningful assurance while mitigating auditors’ liability risk.
- Diversified institutional exposure
Finally, crypto activities embedded in diversified financial institutions are assessed within broader enterprise risk frameworks. This approach reduces concentration risk and provides auditors with a comparative baseline against traditional business lines.
6. With New Improvements Come New Challenges
Despite these evolving practices, audit firms remain cautious due to several structural factors.
- Decentralized finance (DeFi) exposure: the absence of centralized governance structures definitely complicates accountability and auditability
- Custody and key management: self-custody arrangements present irreducible risk, as even string controls cannot fully mitigate potential loss or unauthorized access.
- Reputational and supervisory risk: ESMA has highlighted instances where MiCA-compliant entities still disseminate misleading investor information, emphasizing reputational concerns.
7. Internal Company Dynamics
Another important aspect of the post-MiCA audit reality is that internal firm dynamics have never been as heterogenous. Namely, while MiCA standardizes regulatory requirements, auditors’ risk tolerance and operational discretion still remain tied to local offices. Thus, there are many variations in supervisory interpretation, local litigation risk, and market maturity. All of them contribute to differences in engagement decisions across jurisdictions, even if they are all MiCA-compliant.
8. Implications for Crypto Companies
From everything mentioned so far, it is evident that, while MiCA compliance is necessary, it is not sufficient for securing audits from top-tier firms. To achieve that, companies still must:
Robust governance and internal control documentation
Clearly define an engagement scope
Demonstrate adequate capitalization and diversification
Integrate crypto operations into broader enterprise structures
Failure to satisfy these conditions may lead to prolonged onboarding, repeated risk assessments, or rejection, regardless of the overall regulatory and MiCA compliance status.
9. Conclusion: Professional Skepticism for the Win
As demonstrated in this article, MiCA provides clarity and regulatory harmonization, but it does not eliminate fundamental challenges in crypto auditing. Valuation complexity, operational uncertainty, and the limits of traditional audit frameworks ensure that auditors still maintain structured professional boundaries.
Post-MiCA engagement patterns suggest that regulatory compliance is a necessary condition, but not at all a sufficient one for audit readiness.
Large audit firms’ cautious involvement signals both emerging confidence in regulated crypto operations and persistent structural prudence. For regulators, firms, and stakeholders alike, the post-MiCA environment demonstrates the delicate balance between regulatory clarity and professional judgment in this ever-evolving domain.
- Deloitte. (2023). Accounting and financial reporting considerations for crypto-assets. Deloitte Insights.
- European Banking Authority (EBA). (2024). EBA provides further guidance on reporting requirements under MiCA. EBA Press Release.
- European Banking Authority (EBA). (2024). Governance arrangements and risk management requirements under MiCA.
- European Parliament Research Service (EPRS). (2022). Markets in Crypto-Assets (MiCA): Regulation of digital assets in the EU.
- European Securities and Markets Authority (ESMA). (2024). Markets in Crypto-Assets Regulation (MiCA): Overview and supervisory approach.
- Institute of Chartered Accountants in England and Wales (ICAEW). (2023). Crypto-assets: Audit, assurance and regulation.
- International Federation of Accountants (IFAC). (2023). Crypto-assets and the audit profession: Navigating emerging risks.
- KPMG. (2023). Crypto-assets and audit risk: Governance, controls, and valuation challenges. KPMG Thought Leadership.
- PwC. (2024). MiCAR and the qualification of crypto-assets as financial instruments.
- Reuters. (2025). European securities regulator warns about crypto firms misleading customers.
- Sutton, S. G., Holt, M., & Arnold, V. (2023). The implications of blockchain and crypto-assets for accounting and auditing. Journal of Emerging Technologies in Accounting, 20(1).
- Zetzsche, D. A., Arner, D. W., & Buckley, R. P. (2020). Decentralized finance. Journal of Financial Regulation, 6(2), 172–203.
This site may reference or link out to external websites operated by third parties. These sites are independent from ADABA, and ADABA has no control over their content or activities. A link or mention should not be interpreted as an endorsement, partnership, approval, or recommendation of any third-party provider, nor does ADABA take responsibility for any of the products, services, or information they offer.
All content provided here is for general informational purposes only. Nothing in this material constitutes legal, tax, financial, or investment advice. Readers should seek guidance from qualified professionals before making decisions in any of these areas. ADABA accepts no liability for actions taken—or not taken—based on the use of the information provided here.
ADABA makes no representations or warranties regarding the accuracy, completeness, timeliness, or reliability of the information presented. We disclaim any responsibility for losses or claims arising from errors, omissions, or other issues contained in this material.