IT AUDIT CONSULTING — STABLECOIN COMPLIANCE SUITE — TIER 7 · DOC 06
Tier 7 — Risk & Gap Assessment: Control Bridge + PRC Mapping → Gap Register → Routes to T8 · T9 · T10

Risk & Gap Assessment

The synthesis engine. Takes two simultaneous inputs — the Control Foundation/Bridge (framework traceability lens) and the PRC Mapping (business process reality lens) — and produces a prioritized gap register across all 11 control layers. This is what an OCC examiner does on Day 1 of a target examination. The gap register routes directly to the three Tier 8–10 assurance documents.

Input A — Framework Lens
Control Foundation / Bridge
NIST CSF 2.0 function codes → FFIEC handbook guidance → OCC CSW examination procedures → Implementation requirements. Tells us what a compliant control environment looks like per layer.
Input B — Business Process Lens
PRC Mapping (8 Domains)
Issuance → Minting → Reserve → Custody → AML → Smart Contract → Redemption → Attestation. Tells us what controls are actually in place across the operational lifecycle.
OUTPUTS
Gap heat map — 11 layers
Prioritized deficiency register
Routes to T8 Compliance Validation
Routes to T9 Maturity & SOC 2
Routes to T10 Full Assurance
Gap Heat Map

Control Layer Risk Rating

The risk rating for each layer is derived from the synthesis of Control Bridge examination requirements and PRC Mapping operational reality; each layer's rating corresponds to its entries in the gap register below.

Gap Register

Prioritized Control Deficiency Register

Each gap is drawn from the intersection of Control Bridge examination procedures and PRC Mapping operational controls. Gap type distinguishes control design weakness (the control as designed cannot work), operating gap (the control is designed adequately but not operating), and missing control (no control exists). The PPSI 5 Critical Risks are the top 5 items from this register.

Control Gap Register (sorted by priority; gap type: design / operating / missing control)
Columns: Layer · Gap · Gap Type · Regulatory Source · Remediation · Priority · Routes to
Assurance Routing

From Gap Register to Assurance Execution

The gap register feeds three downstream assurance tiers. Each tier addresses gaps at a different level of rigor — from baseline validation through maturity assessment to full audit execution.

Tier 8
Compliance Validation
Multi-regulator baseline
All critical and high gaps feed directly into the 4-regulator validation checklist
PPSI 5 Critical Risks are the top 5 items from this register, embedded as flagged items in T8
Pass/fail status tracked per item — feeds back into gap register completion
Audience: DeFi startups to established PPSIs — all begin here
Tier 9
Maturity & SOC 2 Readiness
CMMI path + SOC 2 gap assessment
Operating gaps and design gaps map to specific maturity levels — gap analysis determines which level you are currently at
SOC 2 Type II readiness assessment — gap register identifies controls not yet at Level 3
DevSecOps pathway maps gap resolution to engineering lifecycle steps
Audience: FinTech/crypto-native firms building toward SOC 2 Type II
Tier 10
Full Assurance Execution
SOC 2 Type II + integrated audit
All critical gaps trigger SOC 2 key control testing — material weakness evaluation applies to bridge control (L7) and reserve integrity (L3)
SOX ICFR gaps (L3 reserves, L5 custody) require financial statement assertion testing
8-domain integrated audit work program inherits gap register findings as risk-based scope
Audience: PPSI charter applicants, institutions facing OCC/FDIC examination