Three assurance frameworks, one program: The SOC Readiness page maps all three AICPA/PCAOB assurance frameworks to the 11 ICA control layers. SOC 1 AT-C §320 covers financial reporting controls (L03 Reserve, L05 Custody: the monthly reserve attestation that CPA firms will examine). SOC 2 AT-C §205 Type I/II covers all 11 layers across the five Trust Services Criteria. SOX ICFR (PCAOB AS 2201) covers L03 and L05 for public company PPSIs. All three converge on a single evidence package for OCC/FDIC examination.
SOC 1 · AT-C §320
Internal Controls Over Financial Reporting
Reserve composition, WAM calculation, CEO/CFO certification workflow, and custodian settlement controls. This is the framework for the monthly CPA firm reserve examination required by OCC NPR § 15.12.
Scope: L03 + L05
Type I: design adequacy
Type II: operating effectiveness 6+ months
SOC 2 · AT-C §205
Trust Services Criteria — All 11 ICA Layers
Security (CC) · Availability (A) · Processing Integrity (PI) · Confidentiality (C) · Privacy (P) mapped across all 11 layers. NIST CSF 2.0 function codes serve as SOC 2 control identifiers for cross-reference with OCC CSW examination procedures.
Scope: All 11 layers
Type I gate: all L2+
Type II gate: all L3+ × 6 months
SOX ICFR · PCAOB AS 2201
Public Company PPSI — L03 + L05
For PPSIs that are public companies or subsidiaries of public companies. Management assessment of ICFR with independent auditor attestation. Reserve composition and custody controls are the primary ICFR assertions.
Scope: L03 + L05
Public company PPSIs only
Integrated with SOC 1 engagement
Trust Services Criteria
CC
Common Criteria (Security)
Controls protecting information from unauthorized access, use, modification, or disclosure. Maps to all 11 ICA layers.
A
Availability
System availability for operation and use as committed or agreed. Maps to L08 Resilience & Business Continuity.
PI
Processing Integrity
System processing is complete, valid, accurate, timely, and authorized. Maps to L03 Reserve, L04 Mint/Burn, L05 Custody.
C
Confidentiality
Information designated as confidential is protected. Maps to L06 Financial Crime, L07 Technology.
P
Privacy
Personal information is collected, used, retained, and disposed of in conformity with commitments. Maps to L06 CDD/KYC.
Layer-to-SOC Mapping
All 11 ICA Layers — SOC Framework Alignment
Each ICA layer mapped to its applicable SOC framework, Trust Services Criteria codes, control description for SOC report, and scope determination. L03 and L05 are the primary SOC 1 scope layers — the monthly reserve attestation and annual custody examination are SOC 1 engagements.
| ICA Layer | SOC Type | TSC Codes | Control Description | Scope |
|---|---|---|---|---|
| L01 Governance & Risk Oversight | SOC 2 | CC1 | Control Environment: governance structure, risk management | Required |
| L02 Legal Entity & Perimeter | SOC 2 | CC1 | Organizational context and regulatory scope | Supporting |
| L03 Reserve & Financial Integrity | SOC 1 + SOC 2 + SOX | PI2, PI3 | Financial reporting controls — reserve composition, WAM, CEO/CFO cert | Required — primary scope |
| L04 Mint/Burn & Token Lifecycle | SOC 2 | PI1, PI2 | Processing integrity — supply authorization, block/freeze/reject | Required |
| L05 Custody & Key Management | SOC 1 + SOC 2 + SOX | PI2, CC6 | Access controls over reserve assets and signing keys | Required — primary scope |
| L06 Financial Crime & Sanctions | SOC 2 | CC6, P3, P4 | Confidentiality and privacy — AML data, OFAC screening, SAR | Required |
| L07 Technology & Cybersecurity | SOC 2 | CC6, CC7, CC8 | Logical access, change management, system operations | Required |
| L08 Resilience & BCP | SOC 2 | A1 | Availability — BCP/DR, §113 incident, validator/cloud resilience | Required |
| L09 Consumer Protection | SOC 2 | CC5 | Disclosure controls, T+2 SLA, yield prohibition governance | Required |
| L10 DeFi Risk & Cross-Chain | SOC 2 | CC9 | Third-party risk, bridge governance, DeFi allowlisting | Supporting |
| L11 Real-Time Monitoring | SOC 2 | CC7 | System monitoring, anomaly detection, model governance | Required |
How SOC Readiness closes the traceability loop
The SOC engagement closes the full seven-level traceability chain: GENIUS Act statute → OCC/FDIC/FinCEN NPR → NIST CSF 2.0 → FFIEC Handbook → OCC CSW examination procedure → control design standard → operational process → SOC 2 Type II audit evidence. The SOC report becomes the primary examination package for OCC Day 1 examination, supplementing or replacing ad hoc evidence requests with a formal independent attestation.