Scoutinternal

Audit Confirmation and Balance Report Requests

Audit Confirmation and Balance Report Requests

Problem

External auditors and BitGo clients frequently submit requests for audit balance confirmations and wallet balance reports — most commonly for year-end dates such as December 31 — to verify digital asset holdings as of a specific point in time. These requests arrive via email to support@bitgo.com or balanceconfirmations@bitgo.com and require coordination between BitGo's support team and the Product Operations (ProdOps) team to reconcile wallet balances, generate confirmation letters, and return signed documents to the requesting auditor. Common complications include wrong confirmation dates, missing enterprise IDs, balance discrepancies caused by unsupported tokens or internal tooling issues, and delays due to reconciliation backlogs.

Diagnostics

  • Determine whether the request is a legitimate audit confirmation or spam/scam (see Scenario 1 below for red flags).
  • Identify the enterprise ID(s) involved. If the requestor is an external auditor, they may not have the enterprise ID — ask them to provide it or confirm it with their client.
  • Confirm the cut-off date, time, and time zone requested for the balance snapshot (e.g., "December 31, 2024 23:59 UTC" vs. "December 31, 2024 21:00 HKT"). Incorrect dates are a frequent source of rework.
  • Check whether the request involves multiple enterprises under the same client (e.g., multiple fund entities, separate trading enterprises).
  • Verify if the requestor has authorization — a signed audit request letter from the client is typically required when the request comes from an external auditor.
  • Check whether the request includes needs beyond balance confirmation, such as transaction history, SOC reports, fee summaries, or staking balances.
  • Determine if the enterprise has trading (Go/OFC) wallets in addition to custody wallets — trading wallet balances use the "ofc" prefix on coin tickers (e.g., "ofclink", "ofcbch") and require finance team involvement.
  • Check the internal Slack channel (#prod-ops / C025HQVD89W) for any existing threads about the client's audit request.

Resolution

Scenario: audit-confirmation-31-request#spam-scam-request

Trigger: The inbound email is not a genuine audit confirmation request but is instead a fraudulent solicitation (e.g., advance-fee scam, unsolicited "inheritance" or "unclaimed funds" scheme).

Signals: inheritance funds, bank manipulation, unsolicited transfer request, ECOWAS, unrelated to any BitGo enterprise

Steps:

  1. Do not respond to the sender.
  2. Do not forward any BitGo account or customer information.
  3. Mark the ticket as spam/resolved with no action taken.
  4. If the email was sent to a BitGo distribution list, flag it internally so other team members are aware.

Notes: These scam emails occasionally arrive at support@bitgo.com or premiumsupport@bitgo.com. They have no relation to any BitGo client and should never receive a substantive reply.

Scenario: audit-confirmation-31-request#standard-auditor-confirmation

Trigger: An external audit firm (e.g., Deloitte, KPMG, Ernst & Young, PwC, RSM, Grant Thornton, CohnReznick, Richey May, Baker Tilly, MHA Cayman, Haynie & Company, Akram & Associates) submits a confirmation request on behalf of a BitGo client for a specific balance date.

Signals: audit confirmation, balance confirmation, year ended December 31, financial statements, attached confirmation letter, fund audit

Steps:

  1. Acknowledge receipt of the request promptly. Example: "Thank you for reaching out to BitGo support. We have received your request and are looking into it with our operations team."
  2. Request the enterprise ID(s) if not provided. Ask: "Please provide the Enterprise ID/s involved." The auditor may need to obtain this from their client.
  3. Confirm the exact cut-off date, time, and time zone. Mismatches are common (e.g., auditor requests May 31 but team initially generates March 31 balances). Verify before generating the report.
  4. Post the request in the internal ProdOps Slack channel (C025HQVD89W) with the enterprise ID(s), requested date/time, and any attached confirmation forms.
  5. The ProdOps / Product Operations team reconciles wallet balances as of the requested date and prepares the confirmation letter. This typically takes up to 5 business days; larger accounts or multiple enterprises may take longer.
  6. Once reconciliation is complete, attach the signed confirmation letter and any supporting documentation (balance files in PDF and/or Excel) to the reply. Send directly to the auditor (and CC the client if requested).
  7. If the auditor raises discrepancies after receiving the confirmation, escalate back to ProdOps for investigation. Common issues include incorrect date on the confirmation, missing wallets, and balance discrepancies for specific tokens.

Notes: - If the auditor requests a SOC 1 or SOC 2 report, note that the BitGo SOC audit cycle runs from October 1 to September 30. If the requested period falls outside the current SOC report cycle, provide the latest SOC report plus a bridge letter.

  • For requests requiring both wallet balances and transaction history, the transaction history is generated separately and may require additional time.
  • Trading wallet balances (Go/OFC wallets) require coordination with the BitGo finance team.

"Our team has advised that if the audit request comes from the auditors representing you (the client), we will need a signed audit request letter from you. If the request came directly from you, we will need cut-off date and time and the relevant enterprise ID, and the type of data required for the audit (transaction history, balance, audit logs etc)" "Hi Team, Thanks for sharing the right Enterprise ID's to be looked into. Can find 5 enterprise ID's on this list, will have an audit prepared for the same." "Please submit your requests to support@bitgo.com to obtain point-in-time balance sheet, transaction histories or other related items"

Scenario: audit-confirmation-31-request#client-direct-report-request

Trigger: A BitGo client (not an external auditor) requests balance reports or transaction history for their own enterprise for audit or reconciliation purposes.

Signals: report request, balance statement, transaction history, holdings report, year-end, month-end closing, point-in-time balance

Steps:

  1. Acknowledge the request and confirm the following details are provided:
    • Enterprise ID(s)
    • Wallet ID(s) (or "all wallets")
    • Type of coin(s) (or "all coins")
    • Cut-off day, time, and time zone
    • Date the information is needed by
    • Full name and job title of the requestor
  2. If any details are missing, request them before proceeding.
  3. Check whether the reports can be self-served from the BitGo UI. Balance reports and transaction histories are often available directly from the platform under the Reports section. If so, advise the client.
  4. If the client cannot generate the reports themselves (e.g., due to a UI error or the report requires a specific point-in-time snapshot not available in the UI), escalate to ProdOps via the Slack channel.
  5. Deliver the completed reports within 5 business days, or communicate a revised timeline for larger accounts.

Notes: - If the client reports an error when trying to access the Reports screen in the UI, collect their login email and escalate to engineering. In at least one case, a UI-side fix resolved the issue.

  • Holding reports may occasionally contain discrepancies due to internal tooling updates. If the client identifies discrepancies, escalate to ProdOps/engineering for re-reconciliation.

"We have identified the discrepancy issue in your holding reports, however, it will take a while for the engineering team to fix. Will it help if we provide you with your wallets' balances on 31st Jan and 28th Feb 2023 for your reconciliation work?" "All of these reports should be available from with the UI. Is your team experiencing an error when attempting to download these?"

Scenario: audit-confirmation-31-request#wrong-date-or-balance-discrepancy

Trigger: The auditor or client receives the confirmation but the balance date is incorrect, a wallet is missing, or the balances do not match the client's records.

Signals: wrong date, discrepancy, balance does not match, missing wallet, incorrect confirmation, updated cutoff time

Steps:

  1. Acknowledge the reported issue and apologize for the inconvenience.
  2. Confirm the correct date, time, and time zone with the requestor.
  3. Escalate to ProdOps to regenerate the confirmation with the corrected parameters.
  4. If the discrepancy involves a specific token balance:
    • Check if the token is supported on the BitGo platform. Unsupported tokens (even if present on-chain at a wallet's receive address) will not appear in BitGo-generated reports. Direct the client to the contract constants page: https://app.bitgo.com/api/v1/client/constants.
    • Check if the discrepancy is related to staking balances (e.g., ETH, DOT, SOL, ADA staking) which may or may not be included depending on reconciliation timing.
    • Check if the discrepancy is related to an internal tooling or indexer issue. In past cases, balances for certain coins (e.g., XLM, AXL, MFT) were temporarily incorrect due to system updates. Escalate to engineering if confirmed.
  5. Provide the corrected confirmation letter once reconciliation is redone.

Notes: - A common error is generating the report for the wrong month (e.g., March 31 instead of May 31). Always double-check the requested date before sending.

  • Trading wallet coin tickers include an "ofc" prefix (e.g., "ofclink"). The "ofc" designation indicates the coin is in a trading wallet — this is normal and can be explained to auditors.
  • For unsupported tokens held on-chain at BitGo wallet addresses, BitGo cannot provide balance confirmation. The client may need to verify these balances independently via blockchain explorers.

"The confirmation sent seems to have a date referring to 31 March 2023 ( See extract below), we are confirming the balance as at 31 May 2023." "The term 'OFC' simply indicates that the coin is in a trading wallet." "I have rechecked out system and confirmed congruence with the blockchain at the amount you stated [235,289.7749 MFT]. I have updated the confirmation and am investigating the temporary discrepancy, I believe due to an internal tooling update concerning the balance calculation around the time of developing the report."

Scenario: audit-confirmation-31-request#multiple-enterprises-or-entities

Trigger: The audit involves multiple enterprise accounts under the same client umbrella, or the auditor initially provides only one entity but later requests additional entities.

Signals: multiple enterprises, additional entity, second entity, BBF Offshore, fund entities, enterprise name confirmation

Steps:

  1. Ask the auditor or client to confirm all enterprise names and IDs that need to be included in the audit confirmation.
  2. If the client has multiple enterprises (e.g., trading and custody, or multiple fund structures), verify which specific enterprises are in scope. Example: "Can you please confirm if this would be the right enterprise name and ID involved here for this audit?"
  3. Generate separate confirmation letters for each enterprise, or a consolidated one if appropriate.
  4. If an enterprise ID has no data or no wallet activity, inform the requestor: "For this enterprise ID: [ID], there is no data present."

Notes: Some clients (e.g., eToro) may have three or more enterprises (e.g., eToro Europe Ltd, eToro Trading, eToro Trading 2). Always confirm scope before generating reports to avoid rework.

"Meanwhile can you please confirm if this would be the right enterprise name and ID involved here for this audit? eToro Europe Ltd : 5ae93fa2a6ff5ed01679492c2d5eb7a9." "For this enterprise ID: 65ea0a20475f06edc030ea06a30ee17e, there is no data present. For the remaining three other enterprises I have attached the audit confirmations below."

Scenario: audit-confirmation-31-request#reconciliation-delay

Trigger: The ProdOps or engineering team needs additional time to reconcile wallet balances, particularly for wallets with staking, complex fee structures, or known indexer issues.

Signals: reconciliation delay, engineering team, wallet fees, staking wallet, system update, additional days

Steps:

  1. Communicate the delay to the requestor proactively with an estimated timeline: "Our Engineering Team are still currently reconciling [Client]'s Wallet Balances as at [date], however, we anticipate this reconciliation to be completed by no later than [estimated date]."
  2. If the auditor has an urgent deadline, offer to provide a preliminary or partial balance confirmation (e.g., confirmed balances without fee data) while the full reconciliation is completed.
  3. Follow up internally on the ProdOps Slack channel and track any related Jira tickets.
  4. Once reconciliation is complete, deliver the final signed confirmation letter.

Notes: - Known causes of reconciliation delays include staking balance inconsistencies (ETH, CSPR, DOT, SOL, ADA), BTC wallet fee data, and system upgrades.

  • In past cases, the ProdOps team has needed 1-2 additional business days after initial reconciliation to complete final checks and sign off.

"We have recently identified some inconsistencies in the reports for ETH and CSPR staking wallets. To rectify this error, we're planning to implement a system update on July 29th. Therefore, could we send you a confirmation of your balance at the beginning of August 2023?" "We are happy to inform you that we have successfully reconciled the balances for your enterprise account. Nonetheless, we require an additional 1-2 business days to complete our final check and sign off on it."

Scenario: audit-confirmation-31-request#audit-questionnaire-or-proof-request

Trigger: The client or auditor requests completion of an audit questionnaire about BitGo's security controls, or asks for proof of specific custody features such as 2-of-3 multi-sig configuration.

Signals: audit questionnaire, security controls, 2-of-3 multi-sig, proof of custody, SOC report, operational questionnaire

Steps:

  1. For audit questionnaires about BitGo's operational security (password policies, OTP, admin roles, whitelist management, video verification), answer based on current platform capabilities. Consult internal documentation or the Trust team for custodial-specific questions.
  2. For SOC 1 / SOC 2 report requests, provide the latest available report. Note the audit cycle (October 1 – September 30). If coverage for the requested period is not yet available, provide the current report plus a bridge letter.
  3. For requests to prove 2-of-3 multi-sig configuration, clarify what form of evidence the auditor requires (e.g., platform documentation, on-chain verification, UI screenshot). BitGo's multi-sig architecture is documented in public-facing materials, but on-chain proof may require examining specific transaction signatures on a blockchain explorer.

Notes: - Video call verification (facial recognition) for outgoing transactions is only required for custodial (Trust) wallets and triggers at: transactions ≥ $250k, rolling 24-hour transactions ≥ $250k, or transactions to a newly whitelisted address for the first time.

  • Wallet policy unlock for changes requires a video call with a verified enterprise owner and is limited to 48 hours.

"Any admin on the wallet can add/remove whitelisted addresses for 48 hours, after that the policy will be locked and any further changes required, will need to be manually unlocked by support after completing a call with a verified person on that enterprise" "Our SOC report audit cycle ran from October 1st, 2022, to September 30th, 2023. Therefore, coverage for December 2023 will be included in the next cycle. I have attached our SOC 1 Type 2 report and Bridge letter for 2023 in this reply for your reference."

Related

  • understanding-policies — Wallet policies and admin approval settings are frequently referenced in audit questionnaires
  • setting-up-a-wallet — Wallet settings including admin roles and user permissions are relevant to audit control questions