// Published Resources
Part 1
TradFi  ·  Institutional Audit Methodology & Case Analysis
Interactive + PDF Audit Work Program  ·  TradFi & Digital Asset
Operational Resilience Audit Work Program
A comprehensive, regulator-aligned audit work program covering BCP, DR, and operational resilience controls. Eight core audit domains with risk statements, control objectives, audit procedures, evidence request lists, and regulatory mapping across FFIEC BCM, NIST CSF 2.0, COSO ERM, SEC Reg SCI, FINRA Rule 4370, OCC guidance, and ISO 22301. Includes a 5-level maturity model and supplemental digital asset resilience procedures.
BCP & DR | FFIEC BCM | COSO ERM | NIST CSF 2.0 | SEC Reg SCI | 8 Domains · Maturity Model
March 2026
Open Work Program
02
Case Analysis TradFi · Pre-Trade Risk Controls
Pre-Trade Position Limit Controls — Audit Case Analysis
A TradFi audit case tracing four compounding control failures in a Position Limit Monitoring (PLM) system: a superseded CFTC 17 CFR Part 150 regulatory standard never updated in code; OTC swap positions excluded from the aggregate the regulation requires; a third-party vendor delta settlement price error accepted without independent validation; and no detection mechanism for any of the above. Structured around the three audit assertions — Completeness, Accuracy, and Timeliness — applied to a production pre-trade risk system. Each failure individually is a finding. In sequence they produce a regulatory exposure that appears controlled at the surface.
CFTC Part 150 | Pre-Trade Risk | ITGC · SOX 404 | Four-Stage Failure Chain | CME Group Rules
April 2026
Bridge
Cross-Ledger  ·  TradFi Reconciliation Methodology Applied to Blockchain
Interactive Platform — 3 Tabs Methodology & Audit Framework  ·  TradFi & Digital Asset
Cross-Ledger Integrity & Reconciliation Platform
The three-ledger reconciliation problem — bank ledger vs sub-ledger vs custody ledger in TradFi; on-chain vs issuer ledger vs custodian reserve in digital asset — is structurally the same control problem. This platform demonstrates the reconciliation monitoring engine, architecture comparison across Legacy TradFi and Blockchain risk tiers, and a 30-control audit work program mapped to GENIUS Act, OCC NPR, FFIEC, COSO ERM, and NIST CSF. The Reserve Integrity Monitor shows what the output looks like running against live stablecoin reserve data.
Three-Ledger Reconciliation | GENIUS Act | Legacy vs Blockchain | 30 Controls · 7 Domains | 4 Industry Scenarios | Reserve Integrity Monitor
Reconciliation Monitor | Architecture Diagram | Audit Work Program | Reserve Integrity Monitor
Part 2
Stablecoin  ·  Regulatory Foundation → Audit Methodology
Step 1 · Regulatory Foundation
Stablecoin Regulatory Library
Six-page interactive reference covering the GENIUS Act, OCC proposed rule 12 CFR Part 15, and CLARITY Act — organized as Regulatory Overview, Lifecycle Playbook, Reserve Management, Compliance Calendar, Technical Architecture, and Charter Pathway. Observational language only — not advisory.
Open Regulatory Library
Step 2 · Audit Universe Module
Process, Risk & Control (PRC) Mapping
Nine stablecoin lifecycle domains derived from the GENIUS Act and OCC proposed rule 12 CFR Part 15 — 43 process steps, each mapped to one key risk and one key control, with COSO, NIST CSF 2.0, FFIEC, and ISO 27001 framework references. Designed as the stablecoin-specific module within an existing audit universe.
Open PRC Mapping
S1
PDF · Stage 1 Control Design
Stablecoin Control Foundation Guide
Six control areas mapped to the PRC lifecycle — Reserve Integrity, Key & Wallet Security, ITGC, AML/BSA, Redemption Controls, and Governance & Attestation. What to build first, in what order, and what evidence OCC examination standards require. Derived from the GENIUS Act and OCC proposed rule 12 CFR Part 15. For stablecoin issuers and PPSI applicants building controls infrastructure for the first time.
Control Framework | Evidence Architecture | GENIUS Act · OCC NPR | Free Download
April 2026
S2
PDF · Stage 2 Gap Assessment
OCC Charter Readiness Checklist
43 priority-coded control requirements derived from the Stablecoin PRC Mapping — one per process step. Every item traces to a specific OCC NPR section or GENIUS Act provision. Critical / High / Medium ratings reflect the Risk Taxonomy severity analysis. Six risk categories: Governance, Operational, Financial/Liquidity, Technology, Compliance/Regulatory, Third-Party. Self-assessment format for stablecoin issuers and PPSI applicants.
GENIUS Act · OCC NPR | 43 Items · PRC-Derived | Critical / High / Medium | Free Download
April 2026
S3
PDF · Stage 3 Audit Execution
Stablecoin Technology Audit Work Program
Seven audit domains built from the Risk Taxonomy — test procedures derived from the PRC's 43 key controls. Structured for direct auditor execution with control objectives, evidence requirements, and OCC NPR regulatory cites. Covers ITGC Access Management, Change Management & Smart Contract Governance, Reserve Integrity & Reconciliation, Cybersecurity Key Management, AML/BSA, Third-Party & Custodian Risk, and Governance & Attestation.
7 Domains · 43 Controls | GENIUS Act · OCC NPR | ITGC · ITAC | Free Download
April 2026
Part 3
Applied Examples  ·  Live Output & Incident Analysis
Sample Engagement Output · Dashboard
Reserve Integrity Monitor — SRIM Dashboard
Sample engagement output showing the GENIUS Act three-ledger reconciliation result against Circle Internet Financial public reserve data (on-chain RPC, RPAF attestation, issuer transparency API). Not a commissioned engagement by Circle. IT Audit Consulting is not a Registered Public Accounting Firm.
Open Reserve Integrity Monitor
I1
Case Analysis DeFi · Solana Stablecoin
Resolv USR Exploit — Unauthorised Minting, $25M
End-to-end analysis of the March 2026 Resolv USR stablecoin exploit. $25M extracted via single-key unauthorised minting, USR peg collapsed $1.00 → $0.27, protocol insolvent. Five-stage failure chain mapped to ITGC, ITAC, and NIST CSF. Includes inline system flow diagram. TradFi bridge maps each digital asset failure to its institutional audit equivalent.
Unauthorised Minting | ITGC · ITAC · NIST CSF | System Flow Diagram | TradFi Bridge
March 2026
I2
Case Analysis DeFi · Solana Perp DEX
Drift Protocol Exploit — Governance Takeover, $285M
Analysis of the April 1, 2026 Drift Protocol exploit — largest DeFi hack of 2026. Six-month DPRK-suspected social engineering campaign, durable nonce multisig bypass, $285M drained in under one hour. Five-stage failure chain mapped to ITGC, NIST CSF, and FFIEC IT Handbook. Includes system interaction diagram showing Circle CCTP, Wormhole, and Tornado Cash fund flow. TradFi bridge analysis.
Governance Takeover | ITGC · NIST CSF · FFIEC | System Flow Diagram | DPRK-suspected | Circle CCTP
April 2026
// Coming Soon — In Development
Article · Q2 2026
What Bank-Examiner-Grade ITGC Controls Actually Look Like — and Why Most Digital Asset Firms Are Not Ready
Framework · Q2 2026
SOC 2 Type II Readiness Checklist for Digital Asset Custodians and Stablecoin Issuers
Guide · Q2 2026
Operational Resilience Audit Work Program — Digital Asset Adaptation
Interactive + PDF Audit Work Program  ·  TradFi & Digital Asset
Operational Resilience Audit Work Program — TradFi & Digital Asset
A comprehensive, regulator-aligned audit work program for evaluating BCP, DR, and operational resilience controls at Traditional Financial Institutions and Digital Asset / Stablecoin companies. Covers all 8 core audit domains with risk statements, control objectives, audit procedures, evidence request lists, and regulatory mapping across FFIEC BCM, NIST CSF 2.0, COSO ERM / ICIF, SEC Reg SCI, FINRA Rule 4370, OCC guidance, and ISO 22301. Includes a 5-level maturity model and supplemental Digital Asset / blockchain resilience procedures.
BCP & DR | FFIEC BCM | COSO ERM | NIST CSF 2.0 | SEC Reg SCI | FINRA 4370 | Digital Asset | 8 Domains · Maturity Model | Free Download
March 2026 · Applicable to TradFi and Digital Asset / Stablecoin organizations
Open Work Program