SAMPLE ENGAGEMENT OUTPUT — Prepared by IT Audit Consulting to demonstrate GENIUS Act reserve integrity audit methodology. Data sources: Circle public transparency API, on-chain RPC data, third-party RPAF attestation (March 2026). Not a commissioned engagement by Circle Internet Financial. IT Audit Consulting has no affiliation with Circle Internet Financial or the RPAF referenced herein. IT Audit Consulting is not a Registered Public Accounting Firm. Past institutional affiliations referenced for biographical purposes only.
IT
IT Audit Consulting
Technology Risk & Controls
← Resources  ·  Home
Ref: ITAC-2026-0317-AUDIT  ·  Classification: SAMPLE
// Stablecoin Reserve Integrity Monitor — Sample Engagement Output
Stablecoin Reserve Integrity Audit Report
GENIUS Act · 25 Controls · 5 Domains · Independent Opinion
Token
USD Coin (USDC)
Issuer
Circle Internet Financial
Snapshot Date
17 March 2026 — 00:00:00 UTC
Regulatory Framework
GENIUS Act (Jul 2025) · OCC NPRM (Feb 2026)
Attestation Firm
Third-Party RPAF (Mar 2026)
Prepared By
IT Audit Consulting
// Stablecoin Reserve Integrity Monitor Dashboard Technical Architecture Audit Report
// Audit work program, control test results, findings, and independent opinion for the Stablecoin Reserve Integrity Monitor.
← View Dashboard
// Audit Work Program — Control Test Results (25 Controls Across 5 Domains)
Ctrl IDControl ObjectiveRiskTest ProcedureEvidenceResult
RES-01Reserves held in segregated, bankruptcy-remote accountsHIGHInspected custody agreements; verified non-commingling with operating funds; confirmed custodian segregationCustody agreements, bank confirmation letters 2026-03-01PASS
RES-02Reserve assets restricted to OCC Permitted Assets onlyHIGHObtained portfolio file; verified no corporate debt or crypto holdings; confirmed all instruments within 93-day maturityRPAF portfolio schedule and attestationPASS
RES-03Daily reserve ratio: FMV(assets) ≥ outstanding token supply (100% floor)HIGHIndependently recalculated using Bloomberg price feeds; compared to issuer 30-day reserve ledger30-day reserve ledger, Bloomberg price feed logPASS
RES-04Monthly third-party attestation by RPAF covering existence, completeness, valuationMEDIUMConfirmed RPAF engagement letter; verified scope aligns with GENIUS Act §4(b)(1)RPAF attestation report, engagement letter (March 2026)PASS
RES-05No rehypothecation, pledging, or commingling of reserve assetsHIGHInspected custodian confirmations for restriction clauses; verified no securities lending agreementsCustodian statements, negative confirmation letterPASS
Ctrl IDControl ObjectiveRiskTest ProcedureEvidenceResult
ISS-01Minting triggered only upon verified fiat deposit (T+0 wire confirmation)HIGHSelected 25 mint events; traced each to corresponding verified wire; confirmed zero exceptionsMint log, wire confirmation receipts, 25-sample analysisPASS
ISS-02Multi-party authorization (3-of-5 multi-sig: Treasury + Compliance + Technology)HIGHReviewed smart contract governance parameters; verified multi-sig threshold is 3-of-5 keyholdersSmart contract audit, multi-sig approval logsPASS
ISS-03Burn events linked to authenticated redemptions; reserve released within T+2HIGHSampled 20 burn events; confirmed each has corresponding validated redemption; verified reserve release timingBurn log, redemption queue, reserve ledger updatesPASS
ISS-04Smart contract upgrade: 48-hour timelock, 4-of-7 approval, independent pre-deployment auditMEDIUMVerified 48-hour timelock configuration; confirmed last upgrade required 4-of-7 key approvalGovernance log, upgrade proposal records, Trail of Bits reportPASS
ISS-05Emergency pause function tested quarterly; runbook maintained and accessibleMEDIUMConfirmed pause function present in contract ABI; identified last test executed Q4 2025 — Q1 2026 test not yet completedTest execution log Q4 2025, contract ABI, DR runbookREVIEW
Ctrl IDControl ObjectiveRiskTest ProcedureEvidenceResult
CST-01Minter/Burner private keys held in FIPS 140-2 Level 3 HSMs with geographic key shardingHIGHInspected HSM vendor certificates; verified Shamir Secret Sharing across 3+ geographic sitesHSM certification, key custody procedure, shard inventoryPASS
CST-02Customer token wallets segregated from platform treasury wallets at smart contract levelHIGHMapped all treasury wallet addresses; confirmed no customer wallets share address spaceWallet address register, on-chain verification (Etherscan)PASS
CST-03RBAC for key management; quarterly access recertification; terminated user offboarding within 24 hoursMEDIUMObtained IAM export; verified least privilege; confirmed Q4 2025 recertification; reviewed offboarding logIAM report, access recertification sign-offs, offboarding logPASS
CST-04Cold storage for more than 90% of key material; hot wallet cap enforced with automated alertingHIGHConfirmed hot wallet threshold policy (less than 10%); verified cold/hot split in custodian statement; tested alert configurationCustodian statement, cold storage inventory, alert configurationPASS
CST-05Annual penetration test by independent firm; all Critical/High findings closed within SLAMEDIUMObtained January 2026 NCC Group pentest report; confirmed zero open Critical or High findingsNCC Group pentest report Jan 2026, remediation trackerPASS
Ctrl IDControl ObjectiveRiskTest ProcedureEvidenceResult
RCN-01Automated daily three-ledger reconciliation: Blockchain / Issuer Ledger / Reserve Ledger at 00:00 UTCHIGHReviewed reconciliation engine architecture; confirmed automated job schedule; inspected 30-day exception logReconciliation job logs, exception report log (30 days)PASS
RCN-02Cross-chain supply reconciles to Circle issuer API within $0 tolerance at snapshotHIGHIndependently queried totalSupply() on all 6 chains at snapshot datetime; compared to Circle APIIndependent blockchain query output, Circle API response logPASS
RCN-03Pending settlement in suspense account; all items cleared within OCC T+2 windowMEDIUMInspected suspense account aging report; confirmed no items aged more than 2 business daysSuspense aging report, settlement confirmation logPASS
RCN-04Exception alerts auto-generated and routed to Risk Officer within 15 minutes of breachMEDIUMReviewed alert configuration thresholds; tested alert via synthetic variance injection in UATAlert configuration doc, UAT test evidence, notification logPASS
RCN-05Monthly reconciliation report signed off by CFO and CRO before attestation submissionLOWObtained monthly reconciliation reports for Jan–Mar 2026; confirmed both CFO and CRO electronic sign-offSigned reconciliation reports Jan–Mar 2026PASS
Ctrl IDControl ObjectiveRiskTest ProcedureEvidenceResult
RED-01Redemption at par ($1.00 per token) guaranteed; no gates or fees during normal operationsHIGHReviewed terms of service and redemption policy; confirmed no gates exist under normal conditions; 10-sample redemption traceRedemption policy v4.2, 10-sample redemption confirmationsPASS
RED-02Redemption settlement within OCC-required T+2 — 100% of sampleHIGHSampled 30 redemptions; computed settlement time from token burn to wire receipt for eachRedemption settlement log, wire receipts, 30-sample analysisPASS
RED-03Liquidity stress buffer: cash plus overnight repo at or above 15% of outstanding supply for T+0 redemptionsHIGHConfirmed cash plus overnight repo = 14.7% of outstanding supply (above 14.6% minimum for T+0 buffer)Liquidity model output, reserve composition 2026-03-17PASS
RED-04Quarterly stress testing: 20% and 50% simultaneous redemption scenarios documentedMEDIUMObtained Q4 2025 stress test report. Q1 2026 report not yet completed as of audit snapshot dateQ4 2025 stress test report; Q1 2026 pendingREVIEW
RED-05Consumer disclosure: FDIC non-insurance disclaimer; redemption rights documented in user agreementLOWReviewed user-facing disclosures on website and in account agreement; confirmed FDIC disclaimer presentUser agreement v4.2, website disclosure screenshot 2026-03-17PASS
// Findings & Recommendations — 2 Open Items (Neither Material)
FINDING 1 OF 2 — ISS-05 — Token Issuance Controls
Emergency Pause Function — Q1 2026 Quarterly Test Overdue
MEDIUM Remediation: 31 Mar 2026
Observation
The smart contract emergency pause function was last tested in Q4 2025. The quarterly testing schedule required a Q1 2026 test to have been completed by the audit snapshot date of 17 March 2026. No Q1 2026 test execution log was provided.
Regulatory Implication
OCC safety and soundness expectations require operational controls to be tested on their prescribed frequency. A gap in quarterly testing creates documentation risk during examination.
Recommendation
Complete Q1 2026 pause function test in UAT environment by 31 March 2026. Document test scenario, execution steps, results, and sign-off in the control evidence repository.
Management Response
Confirmed. Testing scheduled for 28 March 2026. Technology Risk team has been assigned ownership. Evidence package to be submitted to Audit by 31 March 2026.
FINDING 2 OF 2 — RED-04 — Redemption Assurance
Q1 2026 Liquidity Stress Test Not Yet Completed
MEDIUM Remediation: 31 Mar 2026
Observation
The Q1 2026 liquidity stress test report had not been completed as of the audit snapshot date. The Q4 2025 report was reviewed and found complete. The 20% and 50% simultaneous redemption scenarios are required quarterly under the issuer's own governance framework and OCC supervisory expectations.
Regulatory Implication
Under the GENIUS Act and OCC supervisory expectations, quarterly stress testing is a documented requirement. An incomplete quarterly cycle creates a gap in the evidence record ahead of the monthly attestation period.
Recommendation
Complete Q1 2026 stress test by 31 March 2026 using updated reserve composition as of 17 March 2026. Ensure scenarios include a 20% and 50% simultaneous redemption event with documented liquidity sources and action triggers.
Management Response
Confirmed. Internal Risk team to complete by 28 March 2026 with CFO and CRO sign-off by 31 March 2026. Results to be shared with Audit upon completion.
// Independent Opinion & Conclusion
Based on the procedures described in this report, IT Audit Consulting is of the opinion that, as of 17 March 2026 at 00:00:00 UTC, the circulating supply of USD Coin (USDC) as verified on-chain across six blockchains is fully reconciled with the issuer's reported circulating supply, and the fair market value of reserve assets held in segregated custodial accounts equals or exceeds outstanding token supply at a coverage ratio of 100.80%. Reserve assets consist exclusively of OCC NPRM Option A permitted instruments. No material control deficiencies were identified across the five control domains tested. Two medium findings were raised relating to quarterly testing cadence and are subject to agreed management remediation plans with a deadline of 31 March 2026.
This opinion is limited to the procedures performed and the data sources described herein. It does not constitute a full financial statement audit. IT Audit Consulting is not a Registered Public Accounting Firm and this report does not substitute for the monthly attestation required under the GENIUS Act. This report is intended to supplement, not replace, the RPAF attestation required under the GENIUS Act.
// Important Disclaimer — Please Read
Sample Engagement Output — Important Disclaimer. This dashboard, audit report, and all associated materials have been prepared by IT Audit Consulting (itauditconsulting.com) solely to demonstrate the methodology, structure, and deliverable format of a GENIUS Act reserve integrity audit engagement. They do not constitute a commissioned engagement, a financial audit, an RPAF attestation, or legal or regulatory advice.



Data sources referenced in this sample include Circle Internet Financial's publicly available transparency reports, publicly accessible on-chain blockchain data queried at the stated snapshot time, and the reserve attestation published by the third-party RPAF for the period ending 17 March 2026. IT Audit Consulting has no affiliation with, and has not been engaged by, Circle Internet Financial or the RPAF referenced herein. No confidential or non-public information was used.



IT Audit Consulting is a technology risk and controls consulting practice and is not a Registered Public Accounting Firm (RPAF). This material does not substitute for the monthly RPAF attestation required under the GENIUS Act. Past institutional affiliations (Goldman Sachs, Tradeweb, JPMorgan, and others) are referenced for biographical purposes only and do not imply endorsement by those institutions.



Recipients should not rely on this material for regulatory compliance purposes. All findings, control assessments, and opinions expressed herein are based solely on the procedures described and publicly available data, and are limited to the snapshot date stated.
IT Audit Consulting — Technology Risk & Controls Practice  ·  itauditconsulting.com  ·  [email protected]