
>Both KuCoin and Crypto.com said they had provided customers with the ability to verify their own holdings individually online.

How does this even work?



Looks like someone external does an audit(1), and then the auditor creates a Merkle tree which you can then validate (by a Merkle leaf which you can access from your account).

Specifically for Crypto.com the auditors:

> obtained and inspected the scripts used by management to extract the Customer Liability Report from the database. Based on management’s explanation of the various parameters we ensured that the logic and the parameters are designed to extract a complete and accurate listing of client liability balances of the In-Scope Assets as at 00:00:00 UTC on 7 December 2022 while excluding any company internal accounts. It was found that the script was queried against the latest production data at the time of the data extract, which showed latest updated time as of 23:59:59 UTC on 6 December 2022. We observed management access the database and execute the scripts to extract the relevant data from the database. We subsequently obtained the data produced from management (i.e. the Customer Liability Report) and performed a row count and sum check on the data set. We did not identify any discrepancies based on the row count and sum check performed.

> Using the Mazars’ Silver Sixpence Merkle Tree Generating tool, we aggregated the client data obtained from management in this procedure and computed the Merkle Root Hash. The Hash for the Merkle Root based on the information supplied in procedure 6 is e535cf418ab603cc4b338069a814037d53c50bf37dc5776631f3d9c3110e08af

So you do still have to trust the audit, and assume no foul-play, because I think this just shows that your balance was included in the audit (as a liability). I believe this just stops Binance from being able to hide customer liabilities from Mazars.

* (1) In Binance's case this wasn't actually an audit, and Mazars did this piece of work with Binance assuming good-faith according to processes mutually agreed between Mazars and Binance. As per the Mazars disclaimer, "This AUP engagement is not an assurance (financial audit) engagement. Accordingly, we do not express an opinion or an assurance conclusion. Had we performed additional procedures, other matters might have come to our attention that would have been reported". I would note that IMO the Binance page does use the word "Auditor" a lot on the PoR page which might be slightly misleading (they are an auditor, but they aren't financially auditing Binance...?).



Shortcomings and Future Improvements

In the interest of championing transparency, we would like to share some of the shortcomings in the Proof of Reserves process that we’ve identified.

A Proof of Reserves involves proving control over on-chain funds at the point in time of the audit, but cannot prove exclusive possession of private keys that may have theoretically been duplicated by an attacker.

The procedure cannot identify any hidden encumbrances or prove that funds had not been borrowed for purposes of passing the audit. Similarly, keys may have been lost or funds stolen since the latest audit.

The auditor must be competent and independent to minimize the risk of duplicity on the part of the auditee, or collusion amongst the parties.


I don't know what crypto.com or KuCoin did, but here are some cryptographic schemes for proof of solvency Vitalik wrote up post-FTX collapse: https://vitalik.ca/general/2022/11/19/proof_of_solvency.html


> How does this even work?

Matt Damon tells them.


https://niccarter.info/proof-of-reserves/ has a lot of info in general and about specific exchanges


Good question! I can’t even guesstimate.


Smoke and mirrors :)



