IT AUDIT CONSULTING — STABLECOIN COMPLIANCE SUITE — TIER 10 · DOC 09
SOC 2 Type II · SOX ICFR · Integrated Technology Audit · OCC / FDIC Examination Ready
Tier 10 — Full Assurance Execution · DOC 09

Full Assurance — SOC 2 Type II +
Integrated Technology Audit

The full execution tier. SOC 2 Type II testing program structured across three zones (Zone A Protocol Risk, Zone B Stablecoin Control Plane, Zone C Exit and Recovery) using the DRIFT incident analysis paradigm. SOX ICFR testing for reserve (L3) and custody (L5) financial statement assertions. Integrated technology audit work program across 8 lifecycle domains. Designed for PPSI charter applicants facing OCC/FDIC examination.

S1 — SOC 2 Type II Testing — 3 Zones
S2 — Deficiency Evaluation Framework
S3 — Integrated Technology Audit — 8 Domains
S4 — OCC / FDIC Exam Readiness Package

Section 1 — SOC 2 Type II Testing Program

SOC 2 Type II — Operating Effectiveness Testing

Type II testing validates that controls operated effectively over the audit period (typically 12 months). The key question for stablecoin SOC 2 is not just "did the control exist?" but "did the control act fast enough and in sequence to prevent irreversible loss?" Zone B (Stablecoin Control Plane) is the highest-leverage zone — the bridge control (L7) is the DRIFT paradigm's critical control where failure constitutes a likely material weakness.

Zone A — Protocol Risk
Layers 1–3: Governance, Legal Entity, Reserve Integrity. Protocol-level controls that govern administrative actions and financial backing.
Criteria covered: CC6.1 · CC6.2 · CC8.1 · CC5.2 · SOX ICFR (L3)
Control: CC6.1 / CC6.2 — Governance access control
Criteria: Multi-sig authorization for admin actions; timelock enforcement
Population: All admin/governance transactions during period
Test procedures:
  1. Inspect multi-sig threshold configuration (≥ 2-of-3)
  2. Verify signer authentication method (hardware-backed)
  3. Reperform 2 transaction simulations
  4. Confirm timelock delay enforced before execution
  5. Test: attempt single-sig transaction — confirm rejection
Sample: 25 transactions (risk-weighted); 100% of high-value transactions
Deficiency evaluation:
  • CD: Isolated threshold breach
  • SD: Repeated timelock bypass
  • MW: Multi-sig controls non-operational

Control: CC8.1 — Smart contract change management
Criteria: Audit, version control, deployment authorization
Population: All smart contract deployments and upgrades
Test procedures:
  1. Trace deployed contract hash → audited version
  2. Inspect audit report existence and scope
  3. Verify approval workflow documentation
  4. Confirm no critical unresolved findings at deployment
  5. Test: verify deployment to a known-unaudited version is blocked
Sample: 100% if fewer than 10 changes; otherwise 15 changes
Deficiency evaluation:
  • CD: One unreviewed deployment
  • SD: Pattern of bypassed approvals
  • MW: No change management process

Control: CC5.2 / SOX ICFR — Reserve integrity — 1:1 backing
Criteria: Financial assertion: reserves = outstanding stablecoin liabilities
Population: All business days in period (reserve reconciliation)
Test procedures:
  1. Sample 20 business days — trace reserve balance to custodian statement
  2. Verify 1:1 ratio maintained at each sampled date
  3. Confirm WAM ≤ 20 days on each sampled date
  4. Test ICFR: inspect documentation, test key controls, review last assessment
  5. Verify CEO/CFO certifications filed monthly per FDIC NPR §350.4(h)(2)
  6. Confirm operational backstop pool is separate and documented
Sample: 20 business days (random selection)
Deficiency evaluation:
  • CD: Single-day reconciliation gap
  • SD: WAM breach undetected >1 week
  • MW: Reserve ratio breach material to reported liabilities
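The reserve integrity test above (steps 2 and 3) and the CD / SD / MW mapping in its deficiency column can be reperformed mechanically once the sampled reconciliation records are in hand. The script below is an added illustration written for this document, not tooling from the engagement or from any issuer. It constructs a hypothetical 20-business-day sample, applies the 1:1 and WAM ≤ 20 day checks, and classifies the result using the page's three thresholds. The materiality threshold (0.5% of liabilities), the seven-calendar-day reading of "undetected >1 week", and the `wam_alert_raised` field standing in for the issuer's own monitoring are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

WAM_LIMIT_DAYS = 20          # WAM ceiling used in test procedure step 3
MATERIALITY_PCT = 0.005      # assumed: shortfall above 0.5% of liabilities is material (illustrative)
UNDETECTED_WEEK_DAYS = 7     # assumed: an unalerted WAM breach spanning 7+ calendar days = ">1 week"


@dataclass(frozen=True)
class ReconRecord:
    day: date
    reserve_balance: float          # traced to custodian statement (step 1)
    outstanding_liabilities: float  # stablecoin in circulation per issuer ledger
    wam_days: float                 # weighted average maturity of reserve assets
    wam_alert_raised: bool          # did the issuer's own monitoring flag the WAM breach?


def business_days(start: date, count: int) -> list:
    """Return `count` weekdays starting at `start` (no holiday calendar; illustrative)."""
    days, d = [], start
    while len(days) < count:
        if d.weekday() < 5:
            days.append(d)
        d += timedelta(days=1)
    return days


def build_sample(overrides: Optional[Dict[int, dict]] = None) -> list:
    """Constructed 20-business-day sample; `overrides` patches fields by index."""
    overrides = overrides or {}
    records = []
    for i, day in enumerate(business_days(date(2025, 1, 6), 20)):
        fields = dict(reserve_balance=1_000_500_000.0, outstanding_liabilities=1_000_000_000.0,
                      wam_days=12.0, wam_alert_raised=False)
        fields.update(overrides.get(i, {}))
        records.append(ReconRecord(day, **fields))
    return records


# Constructed scenario (not issuer data): one small one-day shortfall, plus a WAM
# breach across eight sampled days that the issuer's monitoring never flagged.
SAMPLE = build_sample({
    3: {"reserve_balance": 999_900_000.0},
    **{i: {"wam_days": 23.0} for i in range(8, 16)},
})


def evaluate_reserve_sample(records, materiality_pct=MATERIALITY_PCT) -> dict:
    """Apply steps 2-3 of the CC5.2 procedure and map the result to CD / SD / MW."""
    records = sorted(records, key=lambda r: r.day)
    ratio_breach_days, wam_breach_days = [], []
    max_shortfall_pct = 0.0
    run_start, undetected_span = None, 0
    for r in records:
        shortfall = r.outstanding_liabilities - r.reserve_balance
        if shortfall > 0:                      # step 2: 1:1 ratio at each sampled date
            ratio_breach_days.append(r.day)
            max_shortfall_pct = max(max_shortfall_pct, shortfall / r.outstanding_liabilities)
        if r.wam_days > WAM_LIMIT_DAYS:        # step 3: WAM <= 20 days
            wam_breach_days.append(r.day)
            if r.wam_alert_raised:
                run_start = None               # issuer detected it: the undetected run ends
            else:
                run_start = run_start or r.day
                undetected_span = max(undetected_span, (r.day - run_start).days)
        else:
            run_start = None

    if max_shortfall_pct > materiality_pct:
        severity = "MW"   # reserve ratio breach material to reported liabilities
    elif undetected_span >= UNDETECTED_WEEK_DAYS:
        severity = "SD"   # WAM breach undetected for more than a week
    elif ratio_breach_days or wam_breach_days:
        severity = "CD"   # isolated reconciliation gap or issuer-detected WAM breach
    else:
        severity = "NONE"
    return {
        "severity": severity,
        "ratio_breach_days": ratio_breach_days,
        "wam_breach_days": wam_breach_days,
        "max_shortfall_pct": max_shortfall_pct,
        "undetected_wam_span_days": undetected_span,
    }


if __name__ == "__main__":
    for key, value in evaluate_reserve_sample(SAMPLE).items():
        print(f"{key}: {value}")
```

Run as-is, the constructed sample lands on SD: the single-day shortfall alone would be a CD, but the WAM breach runs eleven calendar days with no issuer alert. Changing one record to a 1% shortfall (`build_sample({5: {"reserve_balance": 990_000_000.0}})`) crosses the assumed materiality line and produces MW, which is the point of the framework: the classification turns on materiality relative to outstanding liabilities and on detection latency, not on the count of exceptions.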
Zone B — Stablecoin Control Plane ⭐ Highest Leverage
Layers 4–8: Token Controls, Custody, Financial Crime, Technology, Resilience. Where issuer control is strongest — and where DRIFT-type failures concentrate.
Criteria covered: CC6.6 · CC7.2 · CC6.5 · SOX ICFR (L5) · CC9.2 · BRIDGE · BSA/AML/CFT
Control: CC6.6 / FinCEN NPR — Block / freeze / reject capability
Criteria: Primary AND secondary market; FinCEN/OFAC Apr 8 NPR compliance
Population: All blacklist/freeze actions during period; secondary market coverage
Test procedures:
  1. Inspect approval workflow for freeze/block actions
  2. Test freeze in non-production: attempt transfer from frozen wallet — confirm rejection
  3. Test secondary market coverage: smart contract transaction without PPSI party — confirm block capability exists
  4. Attempt transfer from restricted address — confirm contract-level rejection
  5. Review governance procedures for responding to lawful orders
Sample: 100% of freeze actions (typically low volume)
Deficiency evaluation:
  • CD: Delayed freeze execution
  • SD: Secondary market gap in coverage
  • MW: No freeze capability — CRITICAL. Failure here meets the material weakness standard given financial impact exposure.

Control: CC6.5 / SOX ICFR — Custody key management
Criteria: HSM FIPS 140-2 Level 3, dual control; financial assertion: custody assets on balance sheet
Population: All key access events; custody account balances
Test procedures:
  1. Inspect HSM certification (FIPS 140-2 Level 3 or higher)
  2. Validate dual-control and split-knowledge — test via interview and documentation
  3. Review key ceremony records: witnesses, procedures, immutable log
  4. Test recovery procedures: document key loss scenario runbook
  5. Confirm custodian SOC 1/2 reviewed and no material exceptions
  6. Verify GENIUS Act § 110 eligibility documentation for custodian
Sample: 100% of key access events (or 25 if high volume)
Deficiency evaluation:
  • CD: Single undocumented key access
  • SD: Documented pattern of dual-control bypass
  • MW: HSM not FIPS 140-2 Level 3; private keys unprotected

Control: CC7.2 / BSA/AML/CFT — Transaction monitoring & AML detection
Criteria: KYT alerts, OFAC screening, SAR filing (primary market scope)
Population: All high-risk alerts; SAR filings; OFAC screening results
Test procedures:
  1. Replay 3 known exploit wallet patterns — verify alert generated within SLA (<15 min P1)
  2. Validate OFAC screening: test known SDN wallet — confirm blocking
  3. Sample 10 SARs: verify timeliness (30-day), quality, and primary-market scope only
  4. Confirm no SARs filed for secondary-market smart contract transactions (per FinCEN NPR Apr 8)
  5. Review AML/CFT program 5-element compliance documentation
  6. Inspect risk assessment for last smart contract change or new blockchain deployment
Sample: 30 alerts; 10 SARs; 100% of OFAC hits
Deficiency evaluation:
  • CD: Alert SLA breach — isolated
  • SD: SAR scope misconfigured; systemic OFAC gap
  • MW: AML/CFT program non-existent or not operational; OFAC strict-liability exposure material

Control: CC9.2 — Bridge control — KEY CONTROL
Criteria: Cross-chain attestation; mint authorization; bridge pause capability. DRIFT: $230M escaped here.
Population: All cross-chain transfers (burn/mint events)
Test procedures:
  1. Trace 5 burn → attestation → mint sequences end-to-end
  2. Simulate flagged wallet bridge attempt — verify attestation denied OR bridge paused
  3. Test emergency bridge pause function — confirm activation and recovery procedures
  4. Review attestation service SLA and uptime
  5. Confirm rate limits and velocity controls on bridge
  6. Review audit trail for all bridge transactions during period
Sample: 25 transfers (incl. large and high-risk wallets)
Deficiency evaluation:
  • CD: Attestation SLA delay
  • SD: High-risk wallet allowed through once
  • ⚠ MW: Bridge allowed flagged transfer without intervention. This is the DRIFT failure pattern. Likely MATERIAL WEAKNESS given financial exposure magnitude.
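Steps 1 and 2 of the bridge control test (trace burn → attestation → mint end-to-end; confirm a flagged wallet is denied attestation or stopped by a pause) amount to joining three event streams by transfer id and checking each sequence against the criteria. The script below is an added example for this document, not the engagement's tooling or any bridge's real event schema. It constructs a small bridge event log with placeholder wallet addresses and a placeholder flagged-wallet list, reconstructs each transfer's sequence, and applies the deficiency column: attestation latency over SLA is a CD, a flagged wallet granted attestation but never minted (pause or other intervention) is an SD, and a flagged wallet that completes a mint with no intervention, or any mint without a burn and granted attestation, is an MW. The 10-minute attestation SLA and the event field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ATTESTATION_SLA = timedelta(minutes=10)   # assumed burn -> attestation latency SLA (illustrative)

# Constructed flagged-wallet list; placeholder addresses, not real ones.
FLAGGED_WALLETS = {"0xFLAGGED_A", "0xFLAGGED_B", "0xFLAGGED_C"}


@dataclass(frozen=True)
class BridgeEvent:
    ts: datetime
    kind: str             # "burn" | "attest" | "mint" | "pause" | "resume"
    transfer_id: str = ""
    wallet: str = ""
    amount: float = 0.0
    result: str = ""      # for "attest": "granted" | "denied"


def _t(minute: int) -> datetime:
    """Timestamp helper for the constructed log (one morning, minute offsets)."""
    return datetime(2025, 3, 3, 9, minute)


# Constructed bridge audit trail (step 6 population) covering five transfers.
EVENTS = [
    # T1: clean transfer, attested in 3 minutes, minted.
    BridgeEvent(_t(0), "burn", "T1", "0xUSER_1", 50_000),
    BridgeEvent(_t(3), "attest", "T1", "0xUSER_1", result="granted"),
    BridgeEvent(_t(4), "mint", "T1", "0xUSER_1", 50_000),
    # T2: clean transfer, but attestation took 14 minutes -> CD.
    BridgeEvent(_t(5), "burn", "T2", "0xUSER_2", 1_200_000),
    BridgeEvent(_t(19), "attest", "T2", "0xUSER_2", result="granted"),
    BridgeEvent(_t(20), "mint", "T2", "0xUSER_2", 1_200_000),
    # T3: flagged wallet, attestation denied -> control operated.
    BridgeEvent(_t(10), "burn", "T3", "0xFLAGGED_A", 300_000),
    BridgeEvent(_t(12), "attest", "T3", "0xFLAGGED_A", result="denied"),
    # T4: flagged wallet granted attestation, bridge paused before mint -> SD.
    BridgeEvent(_t(15), "burn", "T4", "0xFLAGGED_B", 2_000_000),
    BridgeEvent(_t(17), "attest", "T4", "0xFLAGGED_B", result="granted"),
    BridgeEvent(_t(18), "pause"),
    BridgeEvent(_t(25), "resume"),
    # T5: flagged wallet attested and minted, no intervention -> MW (DRIFT pattern).
    BridgeEvent(_t(30), "burn", "T5", "0xFLAGGED_C", 9_500_000),
    BridgeEvent(_t(33), "attest", "T5", "0xFLAGGED_C", result="granted"),
    BridgeEvent(_t(34), "mint", "T5", "0xFLAGGED_C", 9_500_000),
]

RANK = {"NONE": 0, "CD": 1, "SD": 2, "MW": 3}


def trace_transfers(events, flagged=FLAGGED_WALLETS, sla=ATTESTATION_SLA) -> list:
    """Rebuild each burn -> attest -> mint sequence and return (transfer_id, severity, reason)."""
    events = sorted(events, key=lambda e: e.ts)
    pauses = [e.ts for e in events if e.kind == "pause"]
    transfers = {}
    for e in events:
        if e.kind in ("burn", "attest", "mint"):
            transfers.setdefault(e.transfer_id, {})[e.kind] = e

    findings = []
    for tid, seq in transfers.items():
        burn, attest, mint = seq.get("burn"), seq.get("attest"), seq.get("mint")
        # Mint authorization: every mint must trace back to a burn and a granted attestation.
        if mint and not (burn and attest and attest.result == "granted"):
            findings.append((tid, "MW", "mint without burn and granted attestation"))
            continue
        # Attestation SLA (step 4 criterion applied per transfer).
        if burn and attest and attest.ts - burn.ts > sla:
            findings.append((tid, "CD", "attestation SLA exceeded"))
        # Flagged wallet handling (step 2): denied attestation or pause is the expected outcome.
        if burn and burn.wallet in flagged and attest and attest.result == "granted":
            if mint is None:
                paused_after = any(p >= attest.ts for p in pauses)
                how = "bridge pause intervened" if paused_after else "no mint observed"
                findings.append((tid, "SD", f"flagged wallet attested once; {how}"))
            else:
                findings.append((tid, "MW", "flagged wallet bridged without intervention (DRIFT pattern)"))
    return findings


def overall_severity(findings) -> str:
    """Worst finding wins; an empty list means the control operated as designed."""
    return max((sev for _, sev, _ in findings), key=RANK.get, default="NONE")


if __name__ == "__main__":
    result = trace_transfers(EVENTS)
    for tid, sev, reason in result:
        print(f"{tid}: {sev} - {reason}")
    print("overall:", overall_severity(result))
```

The constructed log yields a CD on T2, an SD on T4 and an MW on T5, so the sample as a whole evaluates to MW. Removing T5's mint event drops the worst case to SD, which matches the page's gradient: the same flagged wallet reaching attestation is a significant deficiency, and only the completed transfer with no intervention is the DRIFT-pattern material weakness.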
Zone C — Exit & Recovery
Layers 9–11: Consumer Protection, Ecosystem/DeFi Risk, Real-Time Monitoring. Last defensive line before irreversibility.
Criteria covered: CC3.2 · CC7.3 · CC7.4 · A1.2
Control: CC3.2 — Consumer protection — redemption
Criteria: T+1 SLA; significant redemption FDIC notification (>10%)
Population: All redemption requests during period; FDIC notifications
Test procedures:
  1. Sample 20 redemption requests — trace to fulfillment time; confirm T+1 SLA met
  2. Test 10% threshold monitoring — simulate redemption request above threshold
  3. Verify FDIC notification procedures and channel established
  4. Review monthly reserve disclosures for 5-day timeliness
  5. Inspect consumer complaint log: ACK ≤ 5 days, resolution ≤ 30 days
Sample: 20 redemptions; 6 monthly disclosures
Deficiency evaluation:
  • CD: Single T+1 SLA miss
  • SD: FDIC notification threshold not monitored
  • MW: Systematic redemption failures; FDIC notification not established

Control: CC7.4 — Incident response & governance
Criteria: IR plan tested; GENIUS Act § 113 notification SLAs; tabletop exercise
Population: All security incidents during period; tabletop exercises
Test procedures:
  1. Review incident response plan — confirm § 113 notification SLAs defined
  2. Inspect last tabletop exercise documentation and findings
  3. Sample all security incidents — compare response time to SLA
  4. Verify escalation and decision-making authority documented
  5. Confirm regulatory notification procedures cover OCC, FDIC, and FinCEN pathways
Sample: 100% of incidents (or 10 if high volume)
Deficiency evaluation:
  • CD: One delayed response
  • SD: Missing regulatory notification procedures
  • MW: No incident response plan; no § 113 notification capability

Control: A1.2 — Real-time monitoring availability
Criteria: 24/7 on-chain coverage; P1 ≤ 15 min; OFAC blockchain analytics
Population: All monitoring alerts; on-chain events; escalation logs
Test procedures:
  1. Review SIEM monitoring coverage — confirm all active contract addresses in scope
  2. Test P1 escalation SLA — review alert-to-escalation time logs
  3. Verify blockchain analytics covers OFAC secondary market screening per FinCEN NPR Apr 8
  4. Review MTTD/MTTR quarterly reports against Board-approved targets
  5. Confirm 12-month log retention is enforced
Sample: 25 P1/P2 alerts; MTTD/MTTR reports for the last 4 quarters
Deficiency evaluation:
  • CD: Single P1 SLA breach
  • SD: OFAC screening gap in secondary markets
  • MW: No real-time monitoring; no incident detection capability
Section 2 — Deficiency Evaluation Framework

SOC 2 / SOX Deficiency Classification

Deficiency severity determines reporting consequences and remediation urgency. For stablecoin PPSIs, the financial impact threshold is tied to outstanding issuance — a reserve reconciliation gap material to the reported liability balance is a material weakness regardless of nominal dollar amount.

Deficiency Classification Standard
Level 1
Control Deficiency
  • Isolated control failure — not repeated or systemic
  • Control design adequate; operating effectiveness lapsed once
  • Low likelihood of misstatement or financial impact
  • Remediated before period end or within 30 days
  • Example: Single delayed reserve reconciliation; one missed audit log entry
  • Reporting: Management letter comment
Level 2
Significant Deficiency
  • Pattern of control failures — systemic or repeated
  • More than remote likelihood of material misstatement
  • Detection delay creates meaningful risk window
  • Control design weakness requiring redesign
  • Example: AML alert SLA consistently missed; SAR scope misconfigured; secondary market OFAC gap
  • Reporting: Disclosed to audit committee; management response required
Level 3
Material Weakness
  • Reasonable possibility of material misstatement in financial statements
  • Key control non-operational or bypassed
  • Financial statement assertion directly affected
  • Bridge control failure allowing large unauthorized transfer (DRIFT pattern)
  • Reserve ratio breach material to outstanding liabilities
  • Block/freeze/reject capability non-existent; OFAC strict-liability exposed
  • Reporting: Disclosed in SOC 2 report; SOX adverse opinion; regulator notification required
Section 3 — Integrated Technology Audit Work Program

8-Domain Stablecoin Technology Audit

Lifecycle-aligned audit work program covering all 8 operational domains from governance through redemption. Each domain includes process steps, key risks, audit procedures, and required evidence. Designed for delivery as an integrated technology audit or as co-source work alongside a PPSI's internal audit function.