// Published Resources
Part 1
TradFi  ·  Institutional Audit Methodology & Case Analysis
Interactive + PDF Audit Work Program  ·  TradFi & Digital Asset
Operational Resilience Audit Work Program
A comprehensive, regulator-aligned audit work program covering BCP, DR, and operational resilience controls. Eight core audit domains with risk statements, control objectives, audit procedures, evidence request lists, and regulatory mapping across FFIEC BCM, NIST CSF 2.0, COSO ERM, SEC Reg SCI, FINRA Rule 4370, OCC guidance, and ISO 22301. Includes a 5-level maturity model and supplemental digital asset resilience procedures.
BCP & DR | FFIEC BCM | COSO ERM | NIST CSF 2.0 | SEC Reg SCI | 8 Domains · Maturity Model
March 2026
02
Case Analysis TradFi · Pre-Trade Risk Controls
Pre-Trade Position Limit Controls — Audit Case Analysis
A TradFi audit case tracing four compounding control failures in a Position Limit Monitoring (PLM) system: a superseded CFTC 17 CFR Part 150 regulatory standard never updated in code; OTC swap positions excluded from the aggregate the regulation requires; a third-party vendor delta settlement price error accepted without independent validation; and no detection mechanism for any of the above. Structured around the three audit assertions — Completeness, Accuracy, and Timeliness — applied to a production pre-trade risk system. Each failure individually is a finding. In sequence they produce a regulatory exposure that appears controlled at the surface.
CFTC Part 150 | Pre-Trade Risk | ITGC · SOX 404 | Four-Stage Failure Chain | CME Group Rules
April 2026
Bridge
Cross-Ledger  ·  TradFi Reconciliation Methodology Applied to Blockchain
Interactive Platform — 3 Tabs Methodology & Audit Framework  ·  TradFi & Digital Asset
Cross-Ledger Integrity & Reconciliation Platform
The three-ledger reconciliation problem — bank ledger vs sub-ledger vs custody ledger in TradFi; on-chain vs issuer ledger vs custodian reserve in digital asset — is structurally the same control problem. This platform demonstrates the reconciliation monitoring engine, architecture comparison across Legacy TradFi and Blockchain risk tiers, and a 30-control audit work program mapped to GENIUS Act, OCC NPR, FFIEC, COSO ERM, and NIST CSF. The Reserve Integrity Monitor shows what the output looks like running against live stablecoin reserve data.
Three-Ledger Reconciliation | GENIUS Act | Legacy vs Blockchain | 30 Controls · 7 Domains | 4 Industry Scenarios | Reserve Integrity Monitor
Part 2
Stablecoin  ·  Regulatory Foundation → Audit Methodology
Interactive Hub · 12 Phases Stablecoin ICA  ·  GENIUS Act · OCC · FDIC · FinCEN · Treasury
Stablecoin Integrated Compliance Architecture (ICA)
A 12-phase compliance program for payment stablecoins — from GENIUS Act legislative foundation through full dual-stream integrated assurance. Covers PPSI charter requirements, OCC/FDIC/FinCEN/Treasury NPR obligations, ICA Control Stack (11 layers), PRC Mapping (8 lifecycle domains), PPSI Critical Risks, Gap Assessment, Compliance Examination, Maturity & SOC 2, and Full Integrated Assurance. Built for PPSIs, operators, custodians, and digital asset service providers targeting the January 2027 effective date.
GENIUS Act · OCC NPR | 12 Phases | 11-Layer ICA Control Stack | Program + Operations Stream | 4 Regulators | Jan 2027 Effective Date
Step 1 · Regulatory Foundation
Stablecoin Regulatory Library
Six-page interactive reference covering the GENIUS Act, OCC proposed rule 12 CFR Part 15, and CLARITY Act — organized as Regulatory Overview, Lifecycle Playbook, Reserve Management, Compliance Calendar, Technical Architecture, and Charter Pathway. Observational language only — not advisory.
Step 2 · Audit Universe Module
Process, Risk & Control (PRC) Mapping
Nine stablecoin lifecycle domains derived from the GENIUS Act and OCC proposed rule 12 CFR Part 15 — 43 process steps, each mapped to one key risk and one key control, with COSO, NIST CSF 2.0, FFIEC, and ISO 27001 framework references. Designed as the stablecoin-specific module within an existing audit universe.
S1
PDF · Stage 1 Control Design
Stablecoin Control Foundation Guide
Six control areas mapped to the PRC lifecycle — Reserve Integrity, Key & Wallet Security, ITGC, AML/BSA, Redemption Controls, and Governance & Attestation. What to build first, in what order, and what evidence OCC examination standards require. Derived from the GENIUS Act and OCC proposed rule 12 CFR Part 15. For stablecoin issuers and PPSI applicants building controls infrastructure for the first time.
Control Framework | Evidence Architecture | GENIUS Act · OCC NPR | Free Download
April 2026
S2
PDF · Stage 2 Gap Assessment
OCC Charter Readiness Checklist
43 priority-coded control requirements derived from the Stablecoin PRC Mapping — one per process step. Every item traces to a specific OCC NPR section or GENIUS Act provision. Critical / High / Medium ratings reflect the Risk Taxonomy severity analysis. Six risk categories: Governance, Operational, Financial/Liquidity, Technology, Compliance/Regulatory, Third-Party. Self-assessment format for stablecoin issuers and PPSI applicants.
GENIUS Act · OCC NPR | 43 Items · PRC-Derived | Critical / High / Medium | Free Download
April 2026
S3
PDF · Stage 3 Audit Execution
Stablecoin Technology Audit Work Program
Seven audit domains built from the Risk Taxonomy — test procedures derived from the PRC's 43 key controls. Structured for direct auditor execution with control objectives, evidence requirements, and OCC NPR regulatory cites. Covers ITGC Access Management, Change Management & Smart Contract Governance, Reserve Integrity & Reconciliation, Cybersecurity Key Management, AML/BSA, Third-Party & Custodian Risk, and Governance & Attestation.
7 Domains · 43 Controls | GENIUS Act · OCC NPR | ITGC · ITAC | Free Download
April 2026
Part 3
Applied Examples  ·  Live Output & Incident Analysis
Sample Engagement Output · Dashboard
Reserve Integrity Monitor — SRIM Dashboard
Sample engagement output showing the GENIUS Act three-ledger reconciliation result against Circle Internet Financial public reserve data (on-chain RPC, RPAF attestation, issuer transparency API). Not a commissioned engagement by Circle. IT Audit Consulting is not a Registered Public Accounting Firm.
I1
Case Analysis DeFi · Solana Stablecoin
Resolv USR Exploit — Unauthorised Minting, $25M
End-to-end analysis of the March 2026 Resolv USR stablecoin exploit. $25M extracted via single-key unauthorised minting, USR peg collapsed $1.00 → $0.27, protocol insolvent. Five-stage failure chain mapped to ITGC, ITAC, and NIST CSF. Includes inline system flow diagram. TradFi bridge maps each digital asset failure to its institutional audit equivalent.
Unauthorised Minting | ITGC · ITAC · NIST CSF | System Flow Diagram | TradFi Bridge
March 2026
I2
Case Analysis DeFi · Solana Perp DEX
Drift Protocol Exploit — Governance Takeover, $285M
Analysis of the April 1, 2026 Drift Protocol exploit — largest DeFi hack of 2026. Six-month DPRK-suspected social engineering campaign, durable nonce multisig bypass, $285M drained in under one hour. Five-stage failure chain mapped to ITGC, NIST CSF, and FFIEC IT Handbook. Includes system interaction diagram showing Circle CCTP, Wormhole, and Tornado Cash fund flow. TradFi bridge analysis.
Governance Takeover | ITGC · NIST CSF · FFIEC | System Flow Diagram | DPRK-suspected | Circle CCTP
April 2026
// In Development — Operations Stream · Phases 7–9
Platform · Phase 7 Ops · Q3 2026
Operational Risk Assessment Engine — PRC signal-to-control activation testing. Does the control actually fire under real process conditions?
Platform · Phase 8 Ops · Q3 2026
Control Behavior Testing Suite — AML model validation, risk engine calibration, latency SLA testing. The suite a FinCEN examiner expects a PPSI to have run before examination day.
Platform · Phase 9 Ops · Q4 2026
Control Governance Dashboard — AML tuning cycles, threshold recalibration, smart contract change management. Addresses the FinCEN NPR recurring obligation.