What is an audit?

To help the wider community understand what an audit is, and what expectations we should and should not attach to one, this post aims to prompt further points of view and challenging ideas (note: the ideas and opinions here are solely mine).

Generally speaking, an audit is an independent assessment of a project seen through the lens of a particular concern. Examples of these concerns include security, compliance, economics, etc.

In the crypto space, audits have largely focused on security, with the primary goal of assessing correctness (with respect to a specification) and identifying potential vulnerabilities in the implemented code. These are known as code audits.

Code audits are generally requested by project owners to assess the security quality of their code, typically as a means of conveying trust to the community at large. As in any other business-to-business relationship, an audit has an agreed timeline and scope, and its findings point to specific improvements in the code, ranked according to a severity scale.

Although the definition outlined above seems straightforward, there is a growing misconception of what it means to be audited. If someone claims that project X has been audited, that is not to say that project X is secure. It simply means there exists an audit report for project X, whose findings should be carefully considered by the project’s stakeholders (developers, investors, community, etc). Hence, it is important to also define what an audit is not:

  • An audit is NOT a statement that a project is safe and free from bugs. An audit reports what has been found to be wrong with the best effort possible given the agreed scope and timeline;
  • An audit report is NOT a one-size-fits-all analysis. Rather, it is specific to the concern it targets. A code audit is not an economic audit, which in turn is not a compliance audit;
  • An audit is NOT peer-reviewed in the way scientific papers generally are; its findings reflect the judgement of the auditing team alone;
  • An audit is NOT a guarantee that the code has been deployed following all the recommendations in the report.

It would be great to hear others' thoughts, and whether and how these points match their own understanding :)