Most crypto companies fail SOC 2 on key management and access control. Not because they are sloppy. Not because they don't care. But because the standard was written for SaaS companies, and their auditor has never had to evaluate a private key.
At NTD Consulting, the principal has seen this play out across multiple investor diligence processes. A company shows up with a clean SOC 2 report from a reputable firm. The investors ask one follow-up question about multi-sig or cold-wallet policy, and the answer falls apart. The report looked good. The program underneath did not.
The auditor gap no one talks about
SOC 2 is flexible by design. The Trust Services Criteria are principles-based, which means the auditor has enormous discretion over what "reasonable" controls look like. A great SaaS auditor will ask about logical access, change management, and backup retention. A great crypto auditor will also ask:
- How are private keys generated, stored, rotated, and destroyed?
- What is the cold-wallet / hot-wallet split, and who can change it?
- Has the key-recovery process been tested, and is there a log?
- Is blockchain monitoring in place for anomalous transactions?
- How does the custody-provider relationship map to the SOC 2 scope?
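As an added illustration of two of the controls those questions point at (the cold-wallet / hot-wallet split and monitoring for anomalous transactions), here is the sort of policy check and transaction screen an auditor would ask to see evidence of. This is example code written for this page, not NTD Consulting's code or any audit firm's tooling; the policy limits, wallet labels, addresses and transaction records are constructed for the example.

```python
"""Hot/cold split check and anomalous-transaction screen (added example).

Policy values, wallet labels, addresses and sample records below are
constructed for illustration; a real deployment would load the policy
from the approved treasury policy and the records from chain data.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Tx:
    txid: str
    wallet: str       # "hot" or "cold"
    direction: str    # "in" or "out"
    amount: Decimal
    dest: str         # destination address for outflows, "" for inflows


# Hypothetical policy. Changing these values is exactly the kind of
# change an auditor should ask "who can do this, and how is it logged?" about.
POLICY = {
    "max_hot_share": Decimal("0.10"),   # hot wallet holds at most 10% of assets
    "max_hot_tx": Decimal("5.0"),       # per-transaction hot-wallet outflow cap
    "allowlist": {"addr_exchange_settlement", "addr_cold_vault"},
}


def hot_share(balances):
    """Fraction of total holdings sitting in the hot wallet."""
    total = balances["hot"] + balances["cold"]
    return balances["hot"] / total if total else Decimal(0)


def check_split(balances, policy=POLICY):
    """Return an alert if the hot wallet exceeds its policy share."""
    share = hot_share(balances)
    if share > policy["max_hot_share"]:
        return [f"hot wallet holds {share * 100:.1f}% of assets, "
                f"policy max {policy['max_hot_share'] * 100:.0f}%"]
    return []


def check_txs(txs, policy=POLICY):
    """Screen transactions: hot outflows over the cap or to an address not
    on the allowlist are anomalies; any cold outflow is flagged for review
    because it should only happen under a documented key ceremony."""
    alerts = []
    for tx in txs:
        if tx.direction != "out":
            continue
        if tx.wallet == "hot":
            if tx.amount > policy["max_hot_tx"]:
                alerts.append(f"{tx.txid}: hot outflow {tx.amount} exceeds "
                              f"per-tx limit {policy['max_hot_tx']}")
            if tx.dest not in policy["allowlist"]:
                alerts.append(f"{tx.txid}: destination {tx.dest} not on allowlist")
        elif tx.wallet == "cold":
            alerts.append(f"{tx.txid}: cold outflow of {tx.amount}, "
                          f"verify ceremony record")
    return alerts


def run_monitoring(balances, txs, policy=POLICY):
    """Combined check; the returned list is what would feed an alert queue."""
    return check_split(balances, policy) + check_txs(txs, policy)


# Constructed sample data.
SAMPLE_BALANCES = {"hot": Decimal("12"), "cold": Decimal("88")}  # 12% hot: breach
OK_BALANCES = {"hot": Decimal("5"), "cold": Decimal("95")}       # 5% hot: fine
SAMPLE_TXS = [
    Tx("t1", "hot", "out", Decimal("1.5"), "addr_exchange_settlement"),  # clean
    Tx("t2", "hot", "out", Decimal("7.0"), "addr_unknown_9f3"),          # two alerts
    Tx("t3", "hot", "in", Decimal("3.0"), ""),                           # inflow, ignored
    Tx("t4", "cold", "out", Decimal("20"), "addr_cold_vault"),           # review
]

if __name__ == "__main__":
    for line in run_monitoring(SAMPLE_BALANCES, SAMPLE_TXS):
        print("ALERT:", line)
```

The point for an audit is not the thresholds themselves but that they live in a controlled policy, that the check actually runs against real balances and transactions, and that the alerts it raises are logged and acted on; that is the evidence a crypto-literate auditor will ask for.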
If your auditor is not asking those questions, your report may carry a clean, unqualified opinion and still be strategically useless.
Five questions to ask before you hire or renew
1. "How many crypto or digital asset clients have you audited?"
The answer does not need to be fifty. It needs to be more than zero. You want an audit firm that has seen key-management ceremonies, reserve-verification workflows, and exchange integrations before.
2. "Will the scope explicitly cover our custody and trading operations?"
This is the most common trap. A company runs its SOC 2 audit over its web application and excludes the treasury, trading, or custody functions because "a third party handles that." If customer assets are at risk, the scope should include the functions that touch them, and the system description should say so.
3. "Who will be on the audit team, and what is their crypto experience?"
Big-name firms sometimes staff crypto audits with junior auditors who learned the criteria from a textbook. Ask for the bios. Ask how many crypto SOC 2 audits the lead has signed.
4. "How do you evaluate controls you cannot directly observe?"
Custody providers, HSMs, and smart contracts often sit outside the company's direct control. A good auditor knows how to review third-party reports, walk through key ceremonies, and design alternative procedures. A weak one checks a box and moves on.
5. "What would cause you to issue a qualified opinion?"
If the auditor cannot describe a scenario that would lead to a qualification, they are not thinking critically about your risk environment.
The bottom line: An unqualified SOC 2 report from the wrong auditor is a false sense of security. Investors know the difference.
When to switch auditors
You do not need to fire your auditor mid-audit. But you should have a serious conversation if any of the following are true:
- They proposed a scope that excludes custody, trading, or treasury.
- They cannot name the crypto-specific controls they will test.
- They treat your custody provider's SOC 2 report as a substitute for their own work. That report covers the provider's controls; the complementary user entity controls it lists are yours to implement and evidence.
- They seem more interested in evidence volume than control design.
How to get it right
The best SOC 2 audits for crypto companies start with the business model, not the criteria. Map the actual risks. Identify the controls that matter. Bring in an auditor who has evaluated those controls before.
If you are heading into a fundraise, do a pre-audit readiness review with someone who has been on both sides of the diligence table. Find the gaps before the auditor does — and long before the investor does.
Need a second set of eyes before your SOC 2 audit?
NTD Consulting offers a free 30-minute readiness assessment. No pitch, no pressure — just direct feedback on where your program is likely to get pushed back.
Book a Free Assessment