Personal Bitcoin Audit: How Canadians Can Verify, Track, and Prove Their Holdings

Keeping accurate, verifiable records of your Bitcoin holdings is essential for security, taxes, estate planning, and peace of mind. This post walks Canadian and international Bitcoin holders through a practical, step-by-step personal audit that verifies on-chain ownership, reconciles records, and produces safe proofs without exposing private keys.

Why perform a personal Bitcoin audit?

A personal audit is not just for large holders. Whether you hold a small amount or manage an institutional treasury, an audit helps you confirm that your coins are where you think they are, document provenance for taxes or legal needs, and prepare defensible proof of control. In Canada, clear records also ease work with the Canada Revenue Agency and support FINTRAC compliance for businesses. Importantly, a good audit produces verifiable proofs without ever exposing your private keys.

Audit overview: three core goals

  • Verify ownership: Prove you control the keys that control specific UTXOs on the Bitcoin blockchain.
  • Reconcile records: Match on-chain balances to your exchange statements, wallet exports, and bookkeeping.
  • Produce safe proof: Create auditable evidence for tax, legal, or third-party needs without sharing secrets.

Step 1: Prepare your tools and environment

Before you begin, gather the components you will need. Use a secure, offline-capable workflow when handling proofs. Recommended items:

  • Hardware wallet(s) containing the keys you want to verify (Ledger, Trezor, or similar).
  • Access to a Bitcoin full node or a trusted block explorer for independent verification. Running your own node is best for privacy and assurance.
  • Wallet software that supports watch-only exports, descriptors, or PSBTs (e.g., Bitcoin Core, Sparrow Wallet, Specter-Desktop).
  • Secure computer for record-keeping and an offline machine for signing when needed.
  • Spreadsheet or accounting software to reconcile transaction history and balances.

If you do not run a full node, choose a privacy-respecting block explorer or consider temporary use of a trusted node. For Canadian businesses handling large volumes, documenting node setup (hardware, IP, and uptime) can support internal audits and compliance reviews.

Step 2: Export addresses or descriptors safely

Do not export private keys. Instead, export public information that allows you to list addresses and UTXOs under your control.

Using a hardware wallet and compatible wallet software

  • Connect your hardware wallet to a wallet app in watch-only mode and export the wallet descriptor or the list of addresses. Many apps can create a watch-only file that contains no secrets.
  • Import the descriptor into your full node or a watch-only wallet to reveal the on-chain UTXOs associated with those addresses.
  • Record the derivation path and address types (bech32, p2sh-segwit, taproot) so your audit is reproducible later.

Example: Sparrow Wallet and Bitcoin Core let you import descriptors and track balances without exposing private keys. Keep the exported files secure but readable for auditors; they do not contain seeds.
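A pre-share check for the export described in this step, as an added example (not code from the original post or from any wallet project): it scans a descriptor export for private key material and records the address type and derivation path of each descriptor. The JSON shape follows Bitcoin Core's `listdescriptors` output; the keys, fingerprint and checksums in the sample are constructed placeholders.

```python
import json
import re

B58 = "1-9A-HJ-NP-Za-km-z"
# Extended private keys (xprv/tprv and SLIP-132 variants) and WIF keys are secrets.
XPRV_RE = re.compile(rf"\b[xtyzuv]prv[{B58}]{{20,}}")
WIF_RE = re.compile(rf"(?<![{B58}])[5KLc9][{B58}]{{50,51}}(?![{B58}])")
# Key origin as written inside a descriptor: [fingerprint/84h/0h/0h]
ORIGIN_RE = re.compile(r"\[([0-9a-fA-F]{8})((?:/\d+['h]?)*)\]")
ADDRESS_TYPES = [  # outer script function -> address type to note in the audit record
    ("sh(wpkh(", "p2sh-segwit"), ("sh(wsh(", "p2sh-segwit"), ("wpkh(", "bech32"),
    ("wsh(", "bech32"), ("tr(", "taproot"), ("pkh(", "legacy"), ("sh(", "p2sh"),
]

def audit_export(export_json):
    """Return one manifest row per descriptor in a listdescriptors-style export."""
    rows = []
    for entry in json.loads(export_json)["descriptors"]:
        body = entry["desc"].split("#", 1)[0]  # drop the trailing checksum
        origin = ORIGIN_RE.search(body)
        rows.append({
            "address_type": next((n for p, n in ADDRESS_TYPES if body.startswith(p)), "unknown"),
            "fingerprint": origin.group(1) if origin else None,
            "derivation_path": "m" + origin.group(2) if origin else None,
            "change": entry.get("internal", False),
            "contains_private_key": bool(XPRV_RE.search(body) or WIF_RE.search(body)),
        })
    return rows

def safe_to_share(rows):
    """True only if no descriptor in the export carries private key material."""
    return not any(r["contains_private_key"] for r in rows)

# Constructed sample: placeholder keys, fingerprint and checksums, not real wallet data.
FAKE_XPUB, FAKE_XPRV = "xpub" + "A" * 107, "xprv" + "B" * 107
SAMPLE_EXPORT = json.dumps({"wallet_name": "audit-watch", "descriptors": [
    {"desc": f"wpkh([d34db33f/84h/0h/0h]{FAKE_XPUB}/0/*)#aaaaaaaa", "internal": False},
    {"desc": f"tr([d34db33f/86h/0h/0h]{FAKE_XPUB}/1/*)#bbbbbbbb", "internal": True},
    {"desc": f"sh(wpkh([d34db33f/49h/0h/0h]{FAKE_XPRV}/0/*))#cccccccc", "internal": False},
]})

if __name__ == "__main__":
    for row in audit_export(SAMPLE_EXPORT):
        print(row)
    print("safe to share:", safe_to_share(audit_export(SAMPLE_EXPORT)))
```

The third sample descriptor carries an extended private key, so the export as a whole is reported as not safe to share.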

Step 3: Reconcile on-chain balances to your records

Now compare what the blockchain shows with your records from exchanges, custodians, and personal wallets.

Practical reconciliation checklist

  • List each address or wallet descriptor and the exact UTXOs with txid, vout, and satoshi amount.
  • Match deposits and withdrawals recorded by exchanges (Bitbuy, Coinsquare, or others) to the corresponding on-chain transactions. Keep CSVs or PDFs of exchange statements.
  • Note fees, timing differences (confirmations), and any dust UTXOs or small change outputs from previous transactions.
  • For business treasuries, reconcile monthly and keep immutable snapshots (signed statements or ledger exports) to support audits.

Tip: Use a watch-only wallet connected to your node to generate a trustworthy balance that cannot be altered by a custodial provider.
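The checklist above as a small reconciliation script, added here as an example (not code from the original post): it matches exchange withdrawal records to watch-only UTXOs by txid and flags fee-adjusted amounts, low confirmations, dust, and outputs with no exchange record. The UTXO fields follow Bitcoin Core's `listunspent` output; the CSV column names, the txids and the thresholds are assumptions made for the sample.

```python
import csv
import io
from decimal import Decimal

def to_sats(btc):
    """Convert a BTC amount (string or JSON number) to integer satoshis without float drift."""
    return int(Decimal(str(btc)) * 100_000_000)

def reconcile(utxos, exchange_csv, min_conf=6, dust_sats=546):
    """Match exchange withdrawals to UTXOs by txid; returns (findings, total_sats)."""
    # min_conf and dust_sats are audit policy choices (assumptions), not consensus values.
    by_txid = {}
    for u in utxos:
        by_txid.setdefault(u["txid"], []).append(u)
    findings, explained = [], set()
    for row in csv.DictReader(io.StringIO(exchange_csv)):
        outs = by_txid.get(row["txid"], [])
        want, fee = to_sats(row["amount_btc"]), to_sats(row["fee_btc"])
        # Some exchanges deduct the network fee from the withdrawn amount.
        hit = next((u for u in outs if to_sats(u["amount"]) in (want, want - fee)), None)
        if hit is None:
            status = "amount_mismatch" if outs else "missing_on_chain"
        elif hit["confirmations"] < min_conf:
            status = "unconfirmed"
        else:
            status = "matched" if to_sats(hit["amount"]) == want else "matched_net_of_fee"
        if hit is not None:
            explained.add((hit["txid"], hit["vout"]))
        findings.append((row["txid"], status))
    for u in utxos:  # anything left has no exchange record: change, dust, or another source
        if (u["txid"], u["vout"]) not in explained:
            label = "dust" if to_sats(u["amount"]) < dust_sats else "no_exchange_record"
            findings.append((u["txid"], label))
    return findings, sum(to_sats(u["amount"]) for u in utxos)

# Constructed sample data. UTXO fields follow listunspent; CSV columns are hypothetical.
T = {k: k * 32 for k in ("a1", "b2", "c3", "d4", "e5")}  # placeholder txids
UTXOS = [
    {"txid": T["a1"], "vout": 0, "amount": 0.015, "confirmations": 1200},
    {"txid": T["b2"], "vout": 1, "amount": 0.25, "confirmations": 2},
    {"txid": T["c3"], "vout": 0, "amount": 0.0999, "confirmations": 300},
    {"txid": T["d4"], "vout": 3, "amount": 0.000003, "confirmations": 5000},
]
EXCHANGE_CSV = "txid,amount_btc,fee_btc\n" + "\n".join([
    f"{T['a1']},0.01500000,0.0002", f"{T['b2']},0.25000000,0.0002",
    f"{T['c3']},0.10000000,0.0001", f"{T['e5']},0.05000000,0.0002",
])
```

A UTXO list only contains unspent outputs, so a withdrawal reported as `missing_on_chain` may simply have been spent since; check it against the wallet's transaction history before treating it as a discrepancy.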

Step 4: Prove control safely

There are several ways to prove control of funds without revealing seeds. Choose methods that fit the audience (tax authority, lawyer, family member, or exchange). Never send private keys or seed phrases.

Option A: Sign a message (legacy addresses)

Signing a message from an address proves control. This method works best with legacy and segwit address formats supported by your wallet. Note that some modern wallets or Taproot addresses may not support the standardized message signing workflow.

Option B: Make a small on-chain move

Send a tiny, clearly labeled transaction from the address you control to an address under your control or to an auditor. The transaction id serves as proof because it appears on-chain and can only be created by someone with the private key. This option has a small fee cost and reveals a linkage between addresses, reducing privacy, so use it selectively.

Option C: Create a PSBT signed in a controlled way

Partially Signed Bitcoin Transactions let you demonstrate the ability to sign inputs without broadcasting the transaction. You can create a PSBT that spends a tiny UTXO, sign it with your hardware device, and give the signed PSBT to an auditor to verify the signature offline. This is powerful for multisig setups where multiple key-holders must co-sign.

Always avoid sending signed PSBTs to untrusted parties who might attempt to broadcast them unexpectedly. Use clearly defined policies and time-limited test transactions for audits.
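An owner-side check to run before a signed PSBT leaves your hands, added here as an example (not code from the original post or from any wallet project): it parses a version 0 PSBT (BIP174) and reports, per input, how many signatures it carries and whether it is already finalized. It does not verify the signatures; the transaction, public key and signature bytes are constructed dummy data, and `kv` and `sample_psbt` are helper names made up to build the sample.

```python
import base64
import io

MAGIC = b"psbt\xff"
# BIP174 / BIP371 per-input key types that indicate signing state
IN_PARTIAL_SIG, IN_FINAL_SCRIPTSIG, IN_FINAL_WITNESS = 0x02, 0x07, 0x08
IN_TAP_KEY_SIG, IN_TAP_SCRIPT_SIG = 0x13, 0x14

def read_compact(s):
    """Read a Bitcoin compact-size integer from a byte stream."""
    n = s.read(1)[0]
    return n if n < 0xFD else int.from_bytes(s.read({0xFD: 2, 0xFE: 4, 0xFF: 8}[n]), "little")

def read_map(s):
    """Read one PSBT key-value map as (key_type, key_data, value) tuples."""
    pairs = []
    while (klen := read_compact(s)) != 0:  # a zero key length terminates the map
        key = s.read(klen)
        pairs.append((key[0], key[1:], s.read(read_compact(s))))
    return pairs

def inspect_psbt(psbt_b64):
    """Per input: how many signatures it carries and whether it is finalized."""
    s = io.BytesIO(base64.b64decode(psbt_b64))
    if s.read(5) != MAGIC:
        raise ValueError("not a PSBT")
    unsigned_tx = next(v for t, _, v in read_map(s) if t == 0x00)  # PSBT_GLOBAL_UNSIGNED_TX
    n_inputs = read_compact(io.BytesIO(unsigned_tx[4:]))  # count follows the 4-byte version
    report = []
    for i in range(n_inputs):
        types = [t for t, _, _ in read_map(s)]
        sigs = sum(types.count(t) for t in (IN_PARTIAL_SIG, IN_TAP_KEY_SIG, IN_TAP_SCRIPT_SIG))
        final = IN_FINAL_SCRIPTSIG in types or IN_FINAL_WITNESS in types
        report.append({"input": i, "signatures": sigs, "finalized": final})
    return report

def kv(key, value):  # sample builder: one key-value pair, lengths under 0xFD only
    return bytes([len(key)]) + key + bytes([len(value)]) + value

# Constructed one-input, one-output unsigned transaction; every field is dummy data.
SAMPLE_TX = (bytes.fromhex("02000000") + b"\x01" + b"\x11" * 32 + bytes(4) + b"\x00" + b"\xff" * 4
             + b"\x01" + (1000).to_bytes(8, "little") + b"\x16\x00\x14" + b"\x22" * 20 + bytes(4))

def sample_psbt(input_map):
    """Wrap SAMPLE_TX and one serialized input map into a base64 PSBT (empty output map)."""
    body = MAGIC + kv(b"\x00", SAMPLE_TX) + b"\x00" + input_map + b"\x00" + b"\x00"
    return base64.b64encode(body).decode()

SIGNED = sample_psbt(kv(b"\x02" + b"\x02" * 33, b"\x30" * 71))  # dummy pubkey and signature
```

On a single-key input, one signature is all that is needed for whoever holds the file to finalize and broadcast the transaction, so treat `signatures: 1` there with the same care as `finalized: True`.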

Step 5: Document provenance and chain of custody

Good audits include provenance: where coins came from and how they moved. For Canadians, this documentation simplifies tax reporting and helps with compliance if your business is subject to FINTRAC rules.

  • Keep CSV exports of wallet histories and exchange statements for relevant tax years.
  • Annotate transactions in your ledger: source (exchange deposit, mining reward, on-chain transfer), purpose (savings, payroll), and counterparties when applicable.
  • For gifts or inheritance transfers, record gift letters or signed declarations identifying sender, recipient, and date.

Tip: Use immutable formats where possible. PDFs of signed statements and time-stamped snapshots from your node strengthen evidentiary value.

Step 6: Prepare audit packages for different audiences

Different parties need different information. Prepare tailored audit packages:

  • For tax or legal professionals: Spreadsheet reconciliations, exchange statements, signed summaries of holdings, and notes on valuation dates. Keep all records for the CRA-required retention period.
  • For family or executor: Clear inheritance instructions, watch-only files for balances, and legal documents linking keys to estate plans without exposing seeds.
  • For auditors or third parties: A read-only package: watch-only descriptors, signed messages or PSBTs proving control, and a reconciliation report. Avoid sharing private info.

Security and privacy considerations

Audits can expose information. Balance the need for proof with privacy and operational security.

  • Avoid broadcasting proof transactions unless necessary. Each on-chain proof reduces privacy by linking addresses.
  • Use watch-only exports when sharing balance information. They are safe and do not reveal private keys.
  • Beware of social engineering. Do not respond to unsolicited audit requests. Verify identities, especially if the request concerns a large amount of value.
  • Store audit artifacts securely. Even watch-only descriptors should be kept under access control to prevent unwanted correlation.

Common audit scenarios and examples

Scenario: Verifying a hardware wallet transfer

If you moved funds from an exchange (for example, Bitbuy) to a hardware wallet, export the hardware wallet descriptor and compare the deposit transaction id to your exchange withdrawal record. Produce a signed PSBT or small transaction if the exchange requires proof of control for a compliance review.

Scenario: Business treasury audit

Create monthly snapshots from your node, export watch-only descriptors for auditors, and maintain an internal log of treasury policy decisions. When dealing with payroll or vendor payments, keep invoices linked to on-chain transactions to demonstrate legitimate business activity for FINTRAC or CRA reviews.

Maintaining audit hygiene over time

  • Schedule periodic audits: quarterly for active users, annually for most holders.
  • Keep backups of descriptors and reconciliation reports in geographically separated locations to survive disaster scenarios common in Canada such as floods or fires.
  • Review multisig and keyholder roles periodically. Update legal paperwork when trustees, executors, or signers change.
  • Stay current with wallet and node software to ensure compatibility with modern address types like Taproot.

Final checklist before finishing your audit

  • Exported watch-only descriptor or address list: yes or no?
  • On-chain UTXO list reconciled with exchange and wallet statements?
  • Control proof created (signed message, PSBT, or small tx) where required?
  • Audit package prepared for intended audience without exposing private keys?
  • Secure backups of audit artifacts stored safely and redundantly?

Conclusion

A personal Bitcoin audit turns the opaque nature of on-chain value into verifiable, useful records. For Canadians, clear documentation supports tax compliance and legal needs while protecting privacy and security. By using watch-only exports, running a trusted node where possible, and choosing careful proof methods like PSBTs or small test transactions, you can prove ownership without ever exposing seeds. Make audits a routine part of your Bitcoin hygiene and your financial resilience will improve as a result.

Practical takeaway: verify on-chain balances from a watch-only perspective, reconcile to your off-chain records, and produce safe proofs tailored to your audience. Never share private keys or seed phrases.