Sean Cheng is the Global Head of Internal Audit at Bybit. He joined the company in August 2024 and was soon promoted to his current global role in January 2025. Sean has held senior audit and risk roles at QuadReal Property Group, New World Development, and KPMG China, where he led internal audits, regulatory compliance reviews and risk advisory projects across Hong Kong and Canada. He holds CPA and CIA designations and is well-versed in the international internal audit standards and complex compliance frameworks across traditional finance and now the crypto sector.
Personal Background and Crypto Journey
Can you tell us about your professional background and what inspired your transition from traditional finance and real estate to the crypto industry?
I’ve spent over 16 years in internal audit and risk management, primarily in Hong Kong. And it’s quite natural to develop a career in traditional finance and real estate. I’ve worked across multinational corporations and consulting firms, including QuadReal, New World Development, and KPMG China, which exposed me to a wide range of industries and multi-jurisdictional projects.
During my time at KPMG, I focused heavily on compliance review projects for investment banks and securities brokerages, often engaging directly with regulators. That experience shaped how I approach governance — not just from a control perspective, but from a regulatory and business alignment standpoint.
The international and cross-industry experience made me realize that while industries and geographies may differ, the fundamentals of governance and risk don’t change.
What inspired me to transition into crypto was the chance to apply those same principles in an industry that’s still defining its standards. The crypto space is fast-moving, complex, and full of potential, and I saw it as an opportunity not just to grow professionally, but to contribute meaningfully to building trust and accountability in a rapidly evolving ecosystem.
When did you first become interested in blockchain and digital assets, and what motivated you to join Bybit specifically?
To be honest, I wasn’t a believer in blockchain or Web3 at first. Like many from the traditional finance world, I had my doubts — especially around trust, security, and long-term sustainability. But as I watched the industry grow and mature, I started to see its disruptive potential — particularly how the technology could enhance transparency, and reshape how value is transferred globally.
What really motivated me to join Bybit was the timing. There’s a clear global push from regulators to bring more structure and accountability to the crypto space. That’s where I felt I could truly add value — by helping to build strong governance and control frameworks as the industry evolves.
It was also a perfect fit in terms of both challenge and impact. Bybit operates at a global scale in a fast-paced and complex environment — exactly the kind of setting where internal audit can be strategic, agile, and deeply relevant. Joining at this stage felt like the right opportunity to help shape the future of the industry from within.
How has your experience at global firms shaped your approach to internal audit in the fast-paced crypto environment?
Working at global firms and large conglomerates gave me exposure to a wide range of industries — from real estate and retail to financial services and aviation. That came with a steep learning curve. As an internal auditor, you had to quickly understand each industry’s operations, risks, and what good or optimal controls should look like — all while operating in fast-paced and often highly regulated environments.
That experience shaped how I approach internal audit today: with agility, structure, and a strong focus on risk. It also reinforced the idea that audit can’t be one-size-fits-all — every business model requires tailored insight and understanding.
But most importantly, it nurtured a strong sense of curiosity. Especially in a space like crypto, where innovation is constant and the landscape shifts rapidly, staying relevant means being willing to learn — not just about industry trends, but about how individual business units function, what risks they face, and how you can add value through controls and governance. That mindset has been critical in helping me stay ahead and keep internal audit strategic, not just reactive.
What are the most significant differences you’ve observed between auditing in the traditional finance sector and the crypto industry?
In traditional finance, things tend to move at a slower pace. Systems are mature, regulations are clearly defined, and audit work can sometimes become routine — even a bit too comfortable.
Crypto is the complete opposite. It’s crazily fast and dynamic. New products launch quickly, the business evolves constantly, and regulatory frameworks are still taking shape. That adds complexity but also creates opportunities for internal audit to play a bigger role in shaping governance from the ground up.
Another major difference is how we use technology. In crypto, it’s much easier to leverage real-time data and build tools like risk radars or analytics dashboards to enhance audit efficiency and insight. The access to live data allows us to be more proactive — not just looking back at what went wrong, but flagging risks as they emerge.
All of these make the work more challenging, but also far more rewarding. You’re not just ticking boxes — you’re helping define what good governance looks like in a fast-moving, frontier industry.
Corporate Governance and Internal Audit Structure
How is Bybit’s internal audit function structured, and what are your key priorities as Global Head of Internal Audit?
At Bybit, internal audit reports directly to the CEO and COO, and we also have reporting lines to local boards in different jurisdictions. The team is globally structured, covering various business units and regions, and we bring in external specialists when needed — especially for more technical or emerging areas.
Our work mainly falls into four areas: business audits to optimize processes and controls, compliance audits to ensure we’re aligned with regulatory expectations, IT audits, and forensic investigations for potential misconduct or fraud.
As for my priorities — it’s not just about doing audits for the sake of it. I focus on building a risk-based plan that actually reflects where the business is heading. We aim to stay agile, so we can quickly shift our focus to new or emerging risks. Another top priority is to help foster a strong culture of risk management and compliance across the organization. Internal audit plays a key role here — we’re not just looking back at what went wrong; we’re partnering with the business to get ahead of issues before they happen. That means working closely with senior leadership to set the right tone from the top and making sure compliance is part of everyday decision-making. When audit and compliance are seen as part of the company’s growth strategy — not just gatekeepers — it builds a stronger foundation for sustainable success.
What are the main governance frameworks and risk management practices Bybit employs to ensure robust oversight and compliance?
We take a practical, principles-based approach to governance and risk management. While we may not strictly follow one formal framework, we draw on globally recognized best practices to ensure clear accountability, effective oversight, and proactive risk mitigation across the business.
Our risk management efforts are built into day-to-day operations — not just from the top down. We work closely with departments like Group Risk Control, Legal and Compliance, and Security teams to identify key risks early, understand potential impacts, and ensure controls are fit for purpose.
On the governance side, we’ve established cross-functional committees and reporting lines to support decision-making in critical areas like regulatory compliance, product risk, and client asset safeguarding. The goal is to create a culture where risk is owned by the business and not just the control functions.
So while we’re still evolving, especially in such a fast-moving space, the focus is always on being pragmatic, responsive, and forward-looking when it comes to risk and governance.
How does your team collaborate with other departments (e.g., security, compliance, operations) to identify and mitigate risks proactively?
Collaboration is really at the heart of how Bybit operates — and that’s especially true for internal audit. We regularly connect with business unit leaders and second-line functions like Compliance, Security, and Finance to ensure our audit priorities stay aligned with emerging risks, key business changes, and regulatory developments.
For example, with the Compliance team, we have ongoing catch-ups to stay on top of regulatory requirements, support licensing efforts, and ensure we’re audit-ready across jurisdictions. On the Security side, we work closely with them from an IT audit standpoint — especially when it comes to assessing security controls and reviewing technology governance frameworks.
We also co-develop tools like risk radars with the Group Risk Control team to proactively identify potential issues and enable a more agile, forward-looking audit approach.
It’s not just about testing controls only — we partner with the business to roll out governance enhancements and strengthen overall risk culture. The goal is always to add value and support sustainable growth through smarter risk management.
How do you ensure your audit processes remain agile and relevant amid rapid regulatory and technological changes in the crypto sector?
To stay agile, we keep very close to the business — not just second-line functions — to really understand their initiatives, industry trends, and where the risks are evolving. This helps us adjust our internal audit plan quickly and stay aligned with what matters most.
On the technology front, we continuously build our team’s capabilities in using data analytics and real-time risk monitoring tools. This allows us to be more efficient and insightful in our audits, especially when covering multiple jurisdictions.
We also focus on smart resource allocation to avoid over-auditing the same areas, which can lead to audit fatigue. Instead, we prioritize high-risk areas and leverage cross-jurisdiction collaboration to maximize impact without duplicating efforts.
In a fast-moving industry like crypto, staying flexible and proactive is essential — and that means constantly learning, adapting, and partnering closely with the business.
Risk Mitigation, Transparency, and Business Continuity
How do you ensure that Bybit’s business continuity plans are regularly updated and tested to address evolving threats and market volatility?
Following the recent heist incident, we’ve doubled down on strengthening our global crisis management and business continuity framework. We’re currently enhancing our global manual and refreshing our Business Impact Analysis (BIA) to better understand the criticality, dependencies, and recovery time objectives of core business functions.
In parallel, we’re also revamping our BCP playbooks to address high-risk scenarios like cyber incidents, customer data breaches, and major operational disruptions. Each playbook will outline clear, actionable steps tailored to specific situations and teams.
Equally important, we’re focusing on preparedness beyond just the tech or security teams. Regular crisis drills are conducted with broader participation — including frontline and business teams — to ensure a swift and coordinated response when crises arise. We also conduct post-drill reviews to identify areas for improvement and adjust our plans accordingly. The goal is to build resilience across the organization, not just within isolated departments.
What advice would you give to other exchanges or financial institutions looking to strengthen their own governance and risk frameworks?
If I had to give one piece of advice, it’s this: don’t let governance and risk become just a box-ticking exercise.
In traditional finance, internal audit teams often focus heavily on compliance reviews and end up detached from the actual business. That approach doesn’t work in crypto. To stay relevant, you need to get closer to the business — understand the products, the operations, and the real risks that come with them. Business audits shouldn’t be an afterthought — they should be central.
Another big piece is tech. With the transaction volumes we deal with in this space, you simply can’t keep expanding your team to keep up. Traditional sampling approaches don’t give you meaningful insights anymore. That’s why leveraging data — real-time monitoring, risk dashboards, automated alerts — is a must. It’s the only way to scale internal audit effectively and still be insightful.
And lastly, coordination is key — especially across jurisdictions. As more countries tighten their regulatory oversight, crypto exchanges often find themselves subject to multiple audits for similar areas. So we put a lot of thought into how to allocate resources smartly, avoid over-auditing, and prevent audit fatigue — while still fulfilling each regulator’s expectations. That balance is critical.
Looking Ahead
How do you see the role of internal audit evolving as the crypto industry matures and regulatory expectations increase?
In the early stages, internal audit plays a hands-on, advisory role—working closely with the business to establish governance frameworks and controls that provide a strong foundation. It’s a collaborative effort focused on setting the right tone from the start.
As the crypto industry and company mature, internal audit shifts towards a more independent, assurance-focused role. One critical area where we add value is ensuring that policies and procedures remain consistent and aligned across different jurisdictions. This is especially important for centralized functions that support multiple regions, where conflicting or unclear rules can create compliance gaps or operational risks.
By helping to harmonize governance practices globally, internal audit supports the business in growing sustainably and responsibly—providing a stable platform with clear and consistent controls.
What are your top priorities for Bybit’s internal audit function over the next 6 months?
Over the next six months, I’ll be focusing on three key priorities.
First, we’ll continue to enhance and expand our risk radar dashboard to cover more critical business areas. This helps us spot potential issues earlier and respond faster, making our audits more efficient and effective.
Second, we’re reviewing the compliance audit plans tailored to each jurisdiction to ensure we stay aligned with local regulations, allocate resources wisely, and effectively support our regulatory licensing roadmap as we grow.
Third, I’m reviewing the team’s skillsets and identifying talent pipelines to make sure our team grows in step with the business.
This article was written by FM Contributors at www.financemagnates.com.