Overall Control Assessment
| Metric | Count | Note |
| Total Controls Tested | 30 | across 7 domains |
| Pass | 27 | 90% pass rate |
| Review / Follow-up | 3 | remediation tracked |
| Material Deficiencies | 0 | none identified |
| Regulatory Frameworks Mapped | 10+ | across all domains |

| Domain | Controls Passed | Result |
| Governance & Oversight | 4/4 | PASS |
| Data Integrity & Ingestion | 3/4 | REVIEW |
| Reconciliation Engine | 5/5 | PASS |
| Exception Management | 3/4 | REVIEW |
| Reserve / Asset Verification | 4/4 | PASS |
| Smart Contract & Token | 4/5 | REVIEW |
| Reporting & Transparency | 4/4 | PASS |
Governance & Oversight (4/4 PASS)
Domain Objective: Verify that accountability structures exist for cross-ledger integrity across both platform types. Confirm that ownership of reconciliation controls is assigned at a senior level, that escalation protocols are documented, and that the function receives adequate independent oversight on an annual cycle. Applicable to TradFi institutions under FFIEC and COSO, and to digital asset firms under GENIUS Act § 12 and OCC Heightened Standards.
| Ctrl ID | Control Objective | Risk | Test Procedure | Evidence | Reg Ref | Result |
| GOV-01 | Board / senior management oversight of cross-ledger integrity risk — risk appetite statement addresses dual-ledger architecture | High | Review board risk charter; confirm risk appetite statement explicitly addresses reconciliation integrity; inspect prior 4 quarters of board / risk committee minutes for exception escalations | Board charter, risk appetite statement, board minutes (4 qtrs) | OCC SR 11-7 · GENIUS Act § 12 · COSO | PASS |
| GOV-02 | Named control owner for reconciliation function — RACI documented, backup designated, escalation matrix tested in prior 12 months | High | Obtain RACI matrix; confirm each control domain has named owner and designated backup; review escalation test evidence; verify escalation matrix updated within 12 months | RACI matrix, escalation test evidence, last review date | COSO Framework · ISO 31000 · FFIEC | PASS |
| GOV-03 | Reconciliation policy documents: frequency, tolerance threshold, escalation trigger, maximum unresolved exception age | Medium | Obtain reconciliation policy; confirm it specifies: run frequency (daily / real-time), dollar/unit tolerance with approval history, escalation trigger threshold, max exception age; confirm last review date | Reconciliation policy, last annual review sign-off | OCC Heightened Standards · GENIUS Act § 7 · FFIEC ITEH | PASS |
| GOV-04 | Internal audit covers cross-ledger reconciliation on annual risk assessment cycle — findings tracked to closure | Medium | Confirm cross-ledger integrity in IA annual risk assessment; review most recent IA report on reconciliation; verify all findings have closure dates; review follow-up evidence for closed findings | IA annual plan, most recent IA report, findings tracker | IIA Standards 2050 · GENIUS Act § 8 · OCC | PASS |
Data Integrity & Ingestion (3/4 REVIEW)
Domain Objective: Verify completeness and accuracy of data flowing from both the blockchain ledger and the off-chain system of record into the reconciliation engine. Confirm API reliability and authentication security, and confirm that the normalization layer preserves precision — including decimal handling (USDC carries 6 decimals), timezone alignment, and currency conversion. One REVIEW finding noted on normalization edge case testing.
⚑ REVIEW — DAT-03: Data Normalization Edge Case Testing
Observation: The normalization layer's edge case test suite does not cover decimal precision variance across tokens (6-decimal USDC vs. 18-decimal ERC-20 tokens; decimals is a per-contract value, not a property of the standard) or daylight-saving timezone shift scenarios. No data loss was detected in production, but the testing gap leaves an unverified risk surface.
Recommendation: Expand the test suite to cover 6-decimal vs. 18-decimal ERC-20 token inputs, UTC vs. local timezone misalignment including DST transition days, and FX conversion rounding. Complete by the next quarterly review cycle.
Deadline: 2026-06-30 · Management confirmed
| Ctrl ID | Control Objective | Risk | Test Procedure | Evidence | Reg Ref | Result |
| DAT-01 | On-chain data ingested directly from authenticated node RPC — no unvalidated intermediary substitution | High | Confirm blockchain data pulled via direct RPC call (totalSupply(), event logs) from contract address; verify no unvalidated third-party API as sole source; cross-check against block explorer independently | Ingestion architecture doc, RPC config, sample query log | GENIUS Act § 4(a)(3) · OCC Tech 2024 | PASS |
| DAT-02 | Off-chain API connections authenticated, TLS 1.2+ encrypted, API keys stored in secrets vault | High | Inspect API integration specs; confirm TLS version ≥ 1.2 in transit; verify API key storage in secrets vault (not plaintext); confirm auth certificates current and monitored for expiry | API integration spec, TLS config, secrets vault evidence | NIST CSF PR.DS-2 · OCC 2020-68 · FFIEC | PASS |
| DAT-03 | Normalization layer maps blockchain and off-chain schemas without precision loss — decimal, timezone, FX conversion verified | High | Obtain data dictionary; test edge cases: 6-decimal USDC precision, 18-decimal ERC-20 variance, UTC midnight snapshot timezone handling; confirm no data dropped or truncated on transform | Data dictionary, normalization test cases, edge case log | ISO 20022 · DTCC data standards · OCC | REVIEW |
| DAT-04 | Snapshot timestamps aligned across both ledgers within defined tolerance — block time lag documented and enforced | Medium | Verify reconciliation uses identical snapshot timestamp (UTC 00:00:00) for both ledgers; confirm tolerance for ETH block time lag (~12 sec) is documented; review last 30 run logs for timestamp misalignment | Snapshot config, timestamp log (30 days) | OCC NPRM Part III § 3(b) | PASS |
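The three gaps named in the DAT-03 finding are concrete enough to test directly. The following Python is an added example written for this review, not code from the audited normalization layer or its test suite; the token registry, amounts, timestamps and EUR/USD rate are constructed inputs. It shows why a float-based conversion drops trailing units once raw integer amounts exceed 2**53, why a zone-less "00:00:00" snapshot cannot be accepted (the same local midnight lands at 05:00Z before the March DST change and 04:00Z after it), and why FX conversion must be summed exactly and rounded once.

```python
"""Normalization edge cases for DAT-03: token decimals, timezone, FX rounding.

Added example, not code from the audited system.  The token registry, amounts,
timestamps and the FX rate are constructed test inputs, not production data.
"""
from datetime import datetime, timedelta, timezone
from decimal import ROUND_HALF_EVEN, Decimal, getcontext

getcontext().prec = 50            # ample for 18-decimal values times an FX rate
USD_UNIT = Decimal("0.000001")    # reconciliation unit: six places, matching USDC

# `decimals` is a per-contract property read from the token, not a property of
# the ERC-20 standard.  Constructed registry: USDC uses 6, most ERC-20s use 18.
TOKEN_DECIMALS = {"USDC": 6, "TOKEN18": 18}


def to_units(raw_amount: int, token: str) -> Decimal:
    """Exact conversion of an on-chain integer amount to whole-token units."""
    return Decimal(raw_amount).scaleb(-TOKEN_DECIMALS[token])


def float_loses_precision(raw_amount: int, decimals: int) -> bool:
    """True when converting through float does not round-trip to the same
    integer.  A float has 53 mantissa bits, so raw amounts above 2**53
    (about 9e15: a $9bn USDC supply, or 0.009 of an 18-decimal token) are not
    all representable and trailing units are silently dropped."""
    as_float = raw_amount / 10**decimals
    return int(round(as_float * 10**decimals)) != raw_amount


def to_utc(ts: datetime) -> datetime:
    """Normalise a snapshot timestamp to UTC.  Naive timestamps are rejected:
    a bare '00:00:00' is ambiguous by a full hour either side of a
    daylight-saving transition."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("naive timestamp rejected: snapshot time must carry a zone")
    return ts.astimezone(timezone.utc)


def snapshot_hour_utc(ts: datetime) -> int:
    """UTC hour at which an off-chain 'local midnight' snapshot actually fell."""
    return to_utc(ts).hour


def naive_is_rejected() -> bool:
    """Check that the normaliser refuses a zone-less timestamp."""
    try:
        to_utc(datetime(2026, 3, 7))
    except ValueError:
        return True
    return False


def fx_total_round_once(amounts: list, rate: Decimal) -> Decimal:
    """Convert every line, sum exactly, round once: the total used for matching."""
    total = sum((a * rate for a in amounts), Decimal(0))
    return total.quantize(USD_UNIT, rounding=ROUND_HALF_EVEN)


def fx_total_round_per_line(amounts: list, rate: Decimal) -> Decimal:
    """Round each converted line first, then sum: accumulates rounding bias."""
    lines = ((a * rate).quantize(USD_UNIT, rounding=ROUND_HALF_EVEN) for a in amounts)
    return sum(lines, Decimal(0))


def run_edge_cases() -> dict:
    """Constructed inputs exercising each gap named in the DAT-03 observation."""
    est = timezone(timedelta(hours=-5))   # US Eastern before the March DST change
    edt = timezone(timedelta(hours=-4))   # US Eastern after it
    micro_lines = [Decimal("0.000001")] * 1000   # 1000 tiny EUR accrual lines
    rate = Decimal("1.0834")                     # constructed EUR/USD rate
    return {
        "usdc_units": to_units(1_000_001, "USDC"),
        "erc20_units": to_units(10**18 + 1, "TOKEN18"),     # keeps the trailing wei
        "float_ok_small_usdc": float_loses_precision(1_000_001, 6),
        "float_bad_large_usdc": float_loses_precision(60_000_000_000_000_001, 6),
        "float_bad_erc20": float_loses_precision(10**18 + 1, 18),
        "naive_rejected": naive_is_rejected(),
        "utc_hour_before_dst": snapshot_hour_utc(datetime(2026, 3, 7, tzinfo=est)),
        "utc_hour_after_dst": snapshot_hour_utc(datetime(2026, 3, 9, tzinfo=edt)),
        "fx_round_once": fx_total_round_once(micro_lines, rate),
        "fx_round_per_line": fx_total_round_per_line(micro_lines, rate),
    }


if __name__ == "__main__":
    for name, value in run_edge_cases().items():
        print(f"{name:22} {value}")
```

Each function returns a value a test suite can assert on, and run_edge_cases() bundles the cases so they can be dropped into a CI job. The registry lookup is the point of to_units: reading decimals from the contract rather than assuming 18 is what the 6-vs-18 case actually tests, and the two FX totals differing by 17 micro-USD on 1000 lines is the kind of drift that lands inside tolerance today and outside it at scale.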
Reconciliation Engine (5/5 PASS)
Domain Objective: Test that the reconciliation engine correctly identifies matches, near-matches, and breaks across both ledgers at the required frequency. Verify that tolerance logic is documented and governance-approved, that exception classification is accurate, and that cross-chain aggregation includes all sub-ledgers. This domain is the technical core of the entire cross-ledger control framework.
| Ctrl ID | Control Objective | Risk | Test Procedure | Evidence | Reg Ref | Result |
| RCN-01 | Reconciliation runs at required frequency (daily / real-time) — automated job completion confirmed, failure alert within 15 minutes | High | Inspect scheduler configuration; review 60-day run log for zero missed cycles; test synthetic job failure in UAT; measure time from failure to alert notification delivery; confirm ≤ 15 min SLA | Scheduler config, 60-day run log, UAT alert test evidence | GENIUS Act § 7 · OCC Part III § 3(b) | PASS |
| RCN-02 | Match rule correctly implements: Ledger A total = Ledger B total at snapshot — independently reperformed and validated | High | Independently reperform reconciliation using raw source data; compare to system output; vary test cases: multi-chain aggregation, FX conversion, rounding; confirm zero unexplained discrepancy between independent result and system result | Independent reperformance workpapers, raw data extract | GENIUS Act § 4(a)(3) · SEC Rule 15c3-3 | PASS |
| RCN-03 | Tolerance threshold documented, CFO/CRO approved, and not widened without governance sign-off in prior 12 months | High | Obtain tolerance policy; confirm CFO and CRO sign-off on current threshold; test system flags breaks at threshold boundary; check governance log for any unapproved threshold changes in period | Tolerance policy, approval sign-off, governance change log | OCC Heightened Standards · COSO · GENIUS Act | PASS |
| RCN-04 | Suspense / pending items tracked separately — aged items escalated; zero items exceed OCC T+2 window | Medium | Obtain suspense aging report; confirm zero items exceed T+2 SLA; review root cause analysis for any aged items; verify escalation protocol triggered for items approaching SLA; confirm suspense balance does not impair coverage ratio | Suspense aging report, escalation log, root cause analysis | OCC NPRM Part VI § 6(a) | PASS |
| RCN-05 | Cross-chain aggregation includes all sub-ledgers — injection test confirms omitted chain triggers break detection | High | List all chains/systems in scope; confirm all included in aggregation query; inject test case with one sub-ledger deliberately excluded; verify reconciliation engine detects and flags break; document test result | Scope inventory, aggregation query review, injection test result | GENIUS Act § 4(a)(3) | PASS |
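To show what independent reperformance of RCN-02, the tolerance boundary test in RCN-03 and the omitted-chain injection in RCN-05 look like in code, the following Python is an added example, not the engine under audit. The chain inventory, per-chain supplies and reserve FMV figures are constructed, and TOLERANCE_USD is an assumed value standing in for the CFO/CRO-approved threshold.

```python
"""Cross-chain reconciliation: aggregation across all in-scope sub-ledgers,
tolerance check, break classification, and an injected-omission test
(independent reperformance in the style of RCN-02, RCN-03 and RCN-05).

Added example, not the audited engine's code.  The chain inventory, balances
and reserve figures are constructed; TOLERANCE_USD is an assumed value, not
the institution's approved threshold.
"""
from decimal import Decimal

# Scope inventory (RCN-05): every sub-ledger the token is issued on, with the
# token's decimals on that chain.  Constructed; a real inventory is maintained
# under change control and reviewed against the issuer's deployment list.
SCOPE = {"ethereum": 6, "base": 6, "solana": 6}

# Assumed governance-approved tolerance (RCN-03).  A difference equal to the
# tolerance is flagged, so the boundary test case produces a break.
TOLERANCE_USD = Decimal("1.00")
RATIO_UNIT = Decimal("0.000001")

# Constructed snapshot: totalSupply() per chain as raw integer units.
SAMPLE_ONCHAIN = {
    "ethereum": 5_000_000_000_000_000,   # 5,000,000,000.000000
    "base":         1_250_000_000_000,   #     1,250,000.000000
    "solana":         750_000_000_000,   #       750,000.000000
}


def aggregate_supply(onchain: dict) -> Decimal:
    """Sum supply across every in-scope chain, converting each raw integer with
    that chain's decimals.  A missing or unexpected chain raises rather than
    silently aggregating a subset, which is the failure RCN-05 injects."""
    missing = set(SCOPE) - set(onchain)
    if missing:
        raise LookupError(f"sub-ledger(s) missing from aggregation: {sorted(missing)}")
    extra = set(onchain) - set(SCOPE)
    if extra:
        raise LookupError(f"sub-ledger(s) outside approved scope: {sorted(extra)}")
    return sum((Decimal(raw).scaleb(-SCOPE[chain]) for chain, raw in onchain.items()),
               Decimal(0))


def classify(diff: Decimal) -> tuple:
    """diff = reserve FMV - aggregated supply, both at the same UTC snapshot."""
    if abs(diff) < TOLERANCE_USD:
        return "MATCH", "None"
    if diff < 0:
        return "BREAK", "Critical"   # supply exceeds reserves: the EXC-02 condition
    return "BREAK", "High"           # reserves exceed supply: still an unexplained break


def reconcile(onchain: dict, reserve_fmv_usd: Decimal) -> dict:
    """Match rule: aggregated on-chain supply equals off-chain reserve FMV."""
    try:
        supply = aggregate_supply(onchain)
    except LookupError as err:
        return {"result": "BREAK", "severity": "Critical", "supply": None,
                "diff": None, "coverage_ratio": None, "reason": str(err)}
    diff = reserve_fmv_usd - supply
    result, severity = classify(diff)
    return {"result": result, "severity": severity, "supply": supply, "diff": diff,
            "coverage_ratio": (reserve_fmv_usd / supply).quantize(RATIO_UNIT),
            "reason": f"reserve - supply = {diff} USD, tolerance {TOLERANCE_USD}"}


def injection_test(onchain: dict, reserve_fmv_usd: Decimal, omit: str) -> bool:
    """RCN-05: re-run with one in-scope sub-ledger deliberately dropped from the
    input and confirm the engine reports a break rather than a match."""
    dropped = {chain: raw for chain, raw in onchain.items() if chain != omit}
    return reconcile(dropped, reserve_fmv_usd)["result"] == "BREAK"


def run_scenarios() -> dict:
    """Reperformance cases: within tolerance, under-reserved, at the boundary,
    and the omitted-chain injection."""
    matched = reconcile(SAMPLE_ONCHAIN, Decimal("5002000000.40"))
    short = reconcile(SAMPLE_ONCHAIN, Decimal("5001000000.00"))
    boundary = reconcile(SAMPLE_ONCHAIN, Decimal("5002000001.00"))
    return {
        "supply": str(matched["supply"]),
        "matched": (matched["result"], matched["severity"]),
        "short": (short["result"], short["severity"]),
        "coverage_short": str(short["coverage_ratio"]),
        "boundary": (boundary["result"], boundary["severity"]),
        "omission_detected": injection_test(SAMPLE_ONCHAIN, Decimal("5002000000.40"), "solana"),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name:18} {value}")
```

Two things make the injection test meaningful. The scope inventory is checked before aggregation, so a dropped or unexpected sub-ledger is itself a Critical break rather than a smaller supply figure that might happen to fall inside tolerance (in the constructed data it would not, but a chain holding a few dollars of supply could). And the tolerance comparison treats a difference equal to the threshold as a break, so the boundary case in RCN-03 has a defined, testable answer; whether the boundary is inclusive is a policy decision that belongs in the tolerance policy, not only in the code.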
Exception Management (3/4 REVIEW)
Domain Objective: Verify that reconciliation breaks are classified by type and severity, investigated, resolved within defined SLAs, and escalated to management where required. Root cause analysis completeness and recurring exception patterns are key indicators of systemic control weakness. One REVIEW finding on RCA completeness for recurring exceptions.
⚑ REVIEW — EXC-03: Recurring Exception Root Cause Tracking
Observation: Three recurring exception patterns were identified in the prior 90-day period (timing classifications on the same issuer's wires). Root cause analysis was documented per occurrence but was not aggregated into a systemic finding for governance committee reporting.
Recommendation: Implement a monthly recurring-exception review; any pattern appearing ≥ 3 times in a rolling 90-day window auto-escalates to the governance committee with a systemic root cause report. Update the exception tracker template to include a pattern-flagging field.
Deadline: 2026-04-30 · Management confirmed
| Ctrl ID | Control Objective | Risk | Test Procedure | Evidence | Reg Ref | Result |
| EXC-01 | All exceptions classified by type (timing / data error / true break) and severity (Critical / High / Medium / Low) within SLA | High | Sample 20 exceptions from period; verify each has classification assigned within SLA; test classification logic: inject true break; confirm it is not misclassified as timing; document error rate | Exception log, 20-sample analysis, classification decision tree | OCC SR 11-7 · COSO | PASS |
| EXC-02 | Critical exceptions (supply > reserves) alerted to Risk Officer within 15 minutes — UAT-tested | High | Review alert threshold configuration; inject synthetic critical exception in UAT; measure time from detection to Risk Officer notification; confirm ≤ 15 min SLA met; check for false negative scenarios | Alert config, UAT injection test log, notification timestamp log | GENIUS Act § 4(a)(3) · OCC Safety & Soundness | PASS |
| EXC-03 | Exception resolution tracked to closure with root cause; systemic patterns (≥ 3 recurrences) escalated to governance | Medium | Review exception tracker; confirm all Critical/High exceptions have documented root cause; identify recurring patterns in prior 90 days; verify systemic patterns reported at governance committee; check for pattern-blind spots | Exception tracker, root cause log, governance committee minutes | IIA Standards · OCC Heightened Standards · COSO | REVIEW |
| EXC-04 | False positive rate tracked; exception model tuned quarterly with governance approval of threshold changes | Medium | Obtain false positive rate for period; confirm quarterly model tuning conducted; review change log for all threshold adjustments; verify governance sign-off for each change; confirm no unapproved changes | False positive log, tuning change log, approval documentation | COSO Framework · OCC | PASS |
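The recommendation above (any pattern appearing ≥ 3 times in a rolling 90 days auto-escalates) is a small piece of detection logic over the exception tracker, and the RCA completeness check in the EXC-03 procedure is a filter over the same records. The following Python is an added example, not the institution's tracker or reporting code; the records are a constructed extract, and the pattern key is assumed to be (exception type, counterparty) since the finding concerns timing exceptions on one issuer's wires.

```python
"""Exception tracker review for EXC-03: flag recurring exception patterns in a
rolling 90-day window and list Critical/High items without a documented root
cause.

Added example, not the institution's tracker.  The exception records are a
constructed extract; the pattern key (type, counterparty) and the >= 3 in 90
days rule follow the review recommendation.
"""
from collections import defaultdict
from datetime import date, timedelta

RECURRENCE_THRESHOLD = 3
WINDOW = timedelta(days=90)

# Constructed extract of the exception tracker.  root_cause is the per-occurrence
# RCA text; an empty string means none was documented.
EXCEPTIONS = [
    {"id": "EX-0912", "logged": date(2025, 10, 1), "type": "timing", "severity": "Low",
     "counterparty": "Issuer C", "root_cause": "Wire received after snapshot cut-off"},
    {"id": "EX-0988", "logged": date(2025, 12, 15), "type": "timing", "severity": "Low",
     "counterparty": "Issuer C", "root_cause": "Wire received after snapshot cut-off"},
    {"id": "EX-1041", "logged": date(2026, 1, 5), "type": "timing", "severity": "Medium",
     "counterparty": "Issuer A", "root_cause": "Wire received after snapshot cut-off"},
    {"id": "EX-1057", "logged": date(2026, 1, 22), "type": "data error", "severity": "High",
     "counterparty": "Custodian X", "root_cause": "Stale price feed on one CUSIP"},
    {"id": "EX-1088", "logged": date(2026, 2, 9), "type": "timing", "severity": "Medium",
     "counterparty": "Issuer A", "root_cause": "Wire received after snapshot cut-off"},
    {"id": "EX-1116", "logged": date(2026, 3, 10), "type": "timing", "severity": "Low",
     "counterparty": "Issuer C", "root_cause": "Wire received after snapshot cut-off"},
    {"id": "EX-1130", "logged": date(2026, 3, 12), "type": "timing", "severity": "Medium",
     "counterparty": "Issuer A", "root_cause": "Wire received after snapshot cut-off"},
    {"id": "EX-1139", "logged": date(2026, 3, 16), "type": "true break", "severity": "Critical",
     "counterparty": "Issuer B", "root_cause": ""},
]


def recurring_patterns(exceptions, threshold=RECURRENCE_THRESHOLD, window=WINDOW):
    """Return one escalation per (type, counterparty) pattern that reaches
    `threshold` occurrences within any rolling `window`, keyed on the
    occurrence that tipped it over."""
    by_key = defaultdict(list)
    for exc in sorted(exceptions, key=lambda e: e["logged"]):
        by_key[(exc["type"], exc["counterparty"])].append(exc)
    escalations = []
    for key, occurrences in by_key.items():
        for i, exc in enumerate(occurrences):
            # occurrences is date-ordered, so only earlier items are in the slice
            in_window = [e["id"] for e in occurrences[: i + 1]
                         if exc["logged"] - e["logged"] <= window]
            if len(in_window) >= threshold:
                escalations.append({"pattern": key, "triggered_by": exc["id"],
                                    "triggered_on": exc["logged"], "occurrences": in_window})
                break   # one systemic finding per pattern; later hits join its report
    return escalations


def missing_root_cause(exceptions):
    """IDs of Critical/High exceptions with no documented root cause."""
    return [e["id"] for e in exceptions
            if e["severity"] in ("Critical", "High") and not e["root_cause"].strip()]


if __name__ == "__main__":
    for esc in recurring_patterns(EXCEPTIONS):
        print(f"ESCALATE {esc['pattern']} via {esc['triggered_by']} on {esc['triggered_on']}: "
              f"{esc['occurrences']}")
    print("missing RCA:", missing_root_cause(EXCEPTIONS))
```

The window is evaluated at each occurrence, so three hits spread over 160 days (Issuer C in the constructed data) do not escalate while three within 66 days (Issuer A) do, and the escalation record carries the IDs of the occurrences that formed the pattern so the systemic RCA can cite them. Running missing_root_cause() in the same job covers the other half of the EXC-03 procedure.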
Reserve / Asset Verification (4/4 PASS)
Domain Objective: Confirm the existence, completeness, valuation, and encumbrance status of assets backing the off-chain ledger. For financial instruments, verify permitted asset compliance per OCC NPRM Option A (T-Bills with ≤ 93-day maturity, cash, Fed balances), reserve segregation in bankruptcy-remote structures, and RPAF attestation scope. This domain is the most directly examined under the GENIUS Act and is the foundation of any stablecoin OCC charter readiness programme.
| Ctrl ID | Control Objective | Risk | Test Procedure | Evidence | Reg Ref | Result |
| RES-01 | Off-chain assets confirmed via independent custodian confirmation letters — issued direct to auditor, as-of date matches snapshot, no encumbrances | High | Obtain custodian letters issued directly to auditor (not management); confirm as-of date = snapshot; verify no pledging, lending, or security interest noted; obtain negative confirmation on encumbrances from BNY / State Street | Custodian confirmation letters, negative pledge confirmation | GENIUS Act § 4(a)(4) · AICPA AU-C 505 | PASS |
| RES-02 | Valuation uses FMV with observable Level 1/2 inputs (ASC 820); no prohibited assets in portfolio; coverage ratio independently recalculated | High | Obtain valuation methodology; confirm FMV uses Bloomberg / Fed pricing (Level 1 or Level 2 per ASC 820); verify portfolio contains zero prohibited assets (corporate debt, crypto, maturity > 93 days); independently recalculate coverage ratio | Valuation methodology, portfolio schedule, independent recompute | OCC NPRM Part II § 2(b) · ASC 820 | PASS |
| RES-03 | Reserves held in segregated bankruptcy-remote structures — no commingling with operating funds; legal opinion obtained within 12 months | High | Inspect account agreements; confirm accounts titled in trust / segregated structure per GENIUS Act § 4(a)(1); verify legal bankruptcy-remoteness opinion obtained within prior 12 months from qualified counsel | Account agreements, trust documentation, legal opinion (date) | GENIUS Act § 4(a)(1) · UCC Article 8 | PASS |
| RES-04 | Monthly RPAF attestation covers all four required elements: existence, completeness, valuation, permitted-assets-only — no qualification or scope limitation | High | Confirm RPAF engagement letter; verify attestation scope covers existence, completeness, valuation, and permitted asset compliance; review attestation opinion for qualifications or emphasis paragraphs; confirm no management-imposed scope limitation accepted | Attestation engagement letter, attestation report, mgmt rep letter | GENIUS Act § 8 · PCAOB AT 3101 | PASS |
Smart Contract & Token (4/5 REVIEW)
Domain Objective: Verify the integrity of smart contract logic governing token issuance, transfer, and redemption. Confirm that access controls restrict minting and burning to authorised addresses only, that upgrade governance meets OCC technology standards, that all events are fully logged, and that emergency pause capability is tested at its prescribed frequency. One REVIEW finding on quarterly pause test cadence.
⚑ REVIEW — SMC-04: Emergency Pause Function — Q1 2026 Test Outstanding
Observation: The emergency pause function was last tested in Q4 2025 (10 Dec 2025). The Q1 2026 test is due by 31 March 2026 and had not been performed as of the audit snapshot date (17 March 2026); it is outstanding at the snapshot date and becomes overdue if not completed by the due date. The function is present in the deployed contract ABI, but ABI inspection confirms only that the interface exists, not that the authorised pauser can execute it; that is what the quarterly test evidences. The gap is in test cadence and evidence, not in capability.
Recommendation: Complete the Q1 2026 pause test in UAT by 28 March 2026. Document the test scenario, execution steps, result, CTO sign-off and CISO sign-off. Implement a calendar reminder 30 days before each quarterly test due date.
Deadline: 2026-03-31 · Technology Risk team assigned
| Ctrl ID | Control Objective | Risk | Test Procedure | Evidence | Reg Ref | Result |
| SMC-01 | Mint / burn functions access-controlled — only authorised multi-sig address can call; unauthorised call rejected | High | Inspect smart contract source for access control modifier on mint() and burn() functions; verify only authorised multi-sig address in onlyMinter allowlist; test rejection of unauthorized call in testnet environment; document test result | Contract source / ABI, access control test on testnet, audit report | GENIUS Act § 5 · OCC Tech Guidance 2024 | PASS |
| SMC-02 | Upgrade governance: 48-hour timelock, 3-of-5 multi-sig threshold, independent pre-deployment audit — last upgrade compliant | High | Verify timelock parameter (minimum 48 hours); confirm last upgrade required 3-of-5 keyholder approval; obtain most recent independent smart contract audit report; verify no critical findings unresolved at time of deployment | Governance contract params, upgrade proposal logs, audit report | GENIUS Act § 11 · OCC SR 20-24 | PASS |
| SMC-03 | All mint and burn events logged with: timestamp, amount, triggering address, linked transaction hash — 20-sample trace to off-chain deposit | High | Export mint/burn event log for period; confirm all required fields populated for every event; trace 20 sampled mints to corresponding verified wire receipt in bank account; document any events with missing fields | Event log export, 20-sample trace workpapers, block explorer | GENIUS Act § 5(a) · OCC Recordkeeping | PASS |
| SMC-04 | Emergency pause function operational and tested quarterly — Q1 2026 test outstanding as of snapshot date | Medium | Confirm pause function in contract ABI; retrieve last test execution log; confirm quarterly cadence (Q4 2025 completed; Q1 2026 due 31 Mar 2026, not yet completed as of 17 Mar 2026); review DR runbook for pause activation procedure | Contract ABI, test log (Q4 2025), DR runbook — Q1 pending | OCC Operational Resilience · GENIUS Act § 11 | REVIEW |
| SMC-05 | Cross-chain bridge: independent audit exists, bridge reserve equals locked source-chain tokens, pause capability confirmed | High | Identify all bridges in scope; confirm each has independent smart contract audit within 12 months; verify bridge reserve = locked tokens on source chain at snapshot; test bridge pause capability in testnet; review bridge incident response plan | Bridge audit reports, bridge reserve reconciliation, pause test | OCC Tech Guidance 2024 · MiCA Art. 36 | PASS |
Reporting & Transparency (4/4 PASS)
Domain Objective: Confirm that internal reconciliation reports and external public disclosures are accurate, consistent, timely, and meet regulatory transparency requirements. Verify that the sign-off chain (CFO + CRO) is in place before external attestation submission, and that the continuous monitoring dashboard is exactly consistent with attested values. Consumer protection disclosures (non-FDIC notice, redemption rights) are reviewed for completeness.
| Ctrl ID | Control Objective | Risk | Test Procedure | Evidence | Reg Ref | Result |
| RPT-01 | Internal reconciliation reports produced at required frequency — CFO and CRO sign-off obtained before external attestation submission | Medium | Obtain internal reconciliation reports for period; confirm both CFO and CRO electronic sign-off present on each report; verify sign-off timestamps precede external attestation submission timestamp; check for any report without dual sign-off | Signed reconciliation reports, sign-off timestamps, submission log | OCC Heightened Standards · COSO Reporting | PASS |
| RPT-02 | Public-facing transparency dashboard/report exactly matches attested internal records at same snapshot datetime — zero discrepancy permitted | High | Screenshot public dashboard at snapshot datetime; compare all displayed values (supply, reserve FMV, coverage ratio) to internal reconciliation report at identical date/time; document any discrepancy > $0 for investigation | Dashboard screenshot at snapshot, internal report comparison | GENIUS Act § 10 · SEC Rule 17a-3 | PASS |
| RPT-03 | Consumer disclosures include: non-FDIC notice, redemption rights, asset backing description — legal review dated within 12 months | Medium | Review user-facing disclosures on public website and account agreement; confirm non-FDIC disclaimer is prominent and accurate; verify redemption rights section specifies par value and T+2 SLA; confirm last legal review date | Account agreement, website disclosure screenshot, legal review | GENIUS Act § 9 · FTC Act § 5 · CFPB | PASS |
| RPT-04 | All required regulatory filings (OCC / SEC / FinCEN) submitted on time — no material restatements in prior 12 months | High | Confirm all required filings submitted by deadlines per compliance calendar; review for any amendments or restatements filed in period; obtain management representation confirming no missed filing deadlines; cross-check against regulatory correspondence file | Filing confirmation receipts, compliance calendar, mgmt rep, reg correspondence | GENIUS Act § 13 · Bank Secrecy Act · SEC Rules | PASS |
| Framework | Scope in this assessment |
| GENIUS Act (2025) | Stablecoin reserve backing, issuance controls, monthly RPAF attestation, redemption rights, federal oversight threshold ($10B) |
| OCC NPRM (Feb 2026) | Federal bank charter for stablecoin issuers, permitted asset definitions, OCC examination standards, safety and soundness |
| FFIEC IT Exam Handbook | IT governance, operations, information security, business continuity — applicable to bank-chartered stablecoin issuers and sponsor banks |
| COSO ERM Framework | Universal internal control and enterprise risk management — reconciliation ownership, tolerance governance, exception escalation |
| NIST CSF 2.0 | Cybersecurity framework — key management, data protection (PR.DS), access control, detection and response for custody systems |
| IIA Standards (2024) | Internal audit independence, risk-based planning, evidence standards — applicable to IA functions covering digital asset and TradFi reconciliation |
| SEC / DTCC Rules | Tokenized securities custody (Rule 15c3-3), T+1 settlement, DTCC integration — legal title reconciliation for tokenized equities and bonds |
| MiCA (EU 2024) · ISO 31000 | EU crypto-asset regulation for cross-border issuers; ISO 31000 enterprise risk management for supply chain and industrial applications |