Practical resources drawn from 30 years of building, transforming, and auditing institutional control standards at Goldman Sachs, Tradeweb, and JPMorgan. Published across three domains: the Stablecoin Integrated Compliance Architecture (ICA) — a 12-phase framework from GENIUS Act legislation through full assurance; TradFi institutional audit methodology and case analysis; and applied platforms with live reserve data and incident analysis. Includes interactive tools, free PDF downloads, and a 10-phase stablecoin compliance hub.
// Published Resources
Part 1
TradFi · Institutional Audit Methodology & Case Analysis
Interactive + PDF
Audit Work Program · TradFi & Digital Asset
Operational Resilience Audit Work Program
A comprehensive, regulator-aligned audit work program covering BCP, DR, and operational resilience controls. Eight core audit domains with risk statements, control objectives, audit procedures, evidence request lists, and regulatory mapping across FFIEC BCM, NIST CSF 2.0, COSO ERM, SEC Reg SCI, FINRA Rule 4370, OCC guidance, and ISO 22301. Includes a 5-level maturity model and supplemental digital asset resilience procedures.
Pre-Trade Position Limit Controls — Audit Case Analysis
A TradFi audit case tracing four compounding control failures in a Position Limit Monitoring (PLM) system: a superseded CFTC 17 CFR Part 150 regulatory standard never updated in code; OTC swap positions excluded from the aggregate the regulation requires; a third-party vendor delta settlement price error accepted without independent validation; and no detection mechanism for any of the above. Structured around the three audit assertions — Completeness, Accuracy, and Timeliness — applied to a production pre-trade risk system. Each failure individually is a finding. In sequence they produce a regulatory exposure that appears controlled at the surface.
CFTC Part 150 | Pre-Trade Risk | ITGC · SOX 404 | Four-Stage Failure Chain | CME Group Rules
The three-ledger reconciliation problem — bank ledger vs sub-ledger vs custody ledger in TradFi; on-chain vs issuer ledger vs custodian reserve in digital asset — is structurally the same control problem. This platform demonstrates the reconciliation monitoring engine, architecture comparison across Legacy TradFi and Blockchain risk tiers, and a 30-control audit work program mapped to GENIUS Act, OCC NPR, FFIEC, COSO ERM, and NIST CSF. The Reserve Integrity Monitor shows what the output looks like running against live stablecoin reserve data.
Three-Ledger Reconciliation | GENIUS Act | Legacy vs Blockchain | 30 Controls · 7 Domains | 4 Industry Scenarios | Reserve Integrity Monitor
A 12-phase compliance program for payment stablecoins — from GENIUS Act legislative foundation through full dual-stream integrated assurance. Covers PPSI charter requirements, OCC/FDIC/FinCEN/Treasury NPR obligations, ICA Control Stack (11 layers), PRC Mapping (8 lifecycle domains), PPSI Critical Risks, Gap Assessment, Compliance Examination, Maturity & SOC 2, and Full Integrated Assurance. Built for PPSIs, operators, custodians, and digital asset service providers targeting the January 2027 effective date.
GENIUS Act · OCC NPR | 12 Phases | 11-Layer ICA Control Stack | Program + Operations Stream | 4 Regulators | Jan 2027 Effective Date
Six-page interactive reference covering the GENIUS Act, OCC proposed rule 12 CFR Part 15, and CLARITY Act — organized as Regulatory Overview, Lifecycle Playbook, Reserve Management, Compliance Calendar, Technical Architecture, and Charter Pathway. Observational language only — not advisory.
Nine stablecoin lifecycle domains derived from the GENIUS Act and OCC proposed rule 12 CFR Part 15 — 43 process steps, each mapped to one key risk and one key control, with COSO, NIST CSF 2.0, FFIEC, and ISO 27001 framework references. Designed as the stablecoin-specific module within an existing audit universe.
Six control areas mapped to the PRC lifecycle — Reserve Integrity, Key & Wallet Security, ITGC, AML/BSA, Redemption Controls, and Governance & Attestation. What to build first, in what order, and what evidence OCC examination standards require. Derived from the GENIUS Act and OCC proposed rule 12 CFR Part 15. For stablecoin issuers and PPSI applicants building controls infrastructure for the first time.
Control Framework | Evidence Architecture | GENIUS Act · OCC NPR | Free Download
April 2026
S2
PDF · Stage 2 Gap Assessment
OCC Charter Readiness Checklist
43 priority-coded control requirements derived from the Stablecoin PRC Mapping — one per process step. Every item traces to a specific OCC NPR section or GENIUS Act provision. Critical / High / Medium ratings reflect the Risk Taxonomy severity analysis. Six risk categories: Governance, Operational, Financial/Liquidity, Technology, Compliance/Regulatory, Third-Party. Self-assessment format for stablecoin issuers and PPSI applicants.
Seven audit domains built from the Risk Taxonomy — test procedures derived from the PRC's 43 key controls. Structured for direct auditor execution with control objectives, evidence requirements, and OCC NPR regulatory cites. Covers ITGC Access Management, Change Management & Smart Contract Governance, Reserve Integrity & Reconciliation, Cybersecurity Key Management, AML/BSA, Third-Party & Custodian Risk, and Governance & Attestation.
Applied Examples · Live Output & Incident Analysis
Sample Engagement Output · Dashboard
Reserve Integrity Monitor — SRIM Dashboard
Sample engagement output showing the GENIUS Act three-ledger reconciliation result against Circle Internet Financial public reserve data (on-chain RPC, RPAF attestation, issuer transparency API). Not a commissioned engagement by Circle. IT Audit Consulting is not a Registered Public Accounting Firm.
End-to-end analysis of the March 2026 Resolv USR stablecoin exploit. $25M extracted via single-key unauthorised minting, USR peg collapsed $1.00 → $0.27, protocol insolvent. Five-stage failure chain mapped to ITGC, ITAC, and NIST CSF. Includes inline system flow diagram. TradFi bridge maps each digital asset failure to its institutional audit equivalent.
Analysis of the April 1, 2026 Drift Protocol exploit — largest DeFi hack of 2026. Six-month DPRK-suspected social engineering campaign, durable nonce multisig bypass, $285M drained in under one hour. Five-stage failure chain mapped to ITGC, NIST CSF, and FFIEC IT Handbook. Includes system interaction diagram showing Circle CCTP, Wormhole, and Tornado Cash fund flow. TradFi bridge analysis.
// In Development — Operations Stream · Phases 7–9
Platform · Phase 7 Ops · Q3 2026
Operational Risk Assessment Engine — PRC signal-to-control activation testing. Does the control actually fire under real process conditions?
Platform · Phase 8 Ops · Q3 2026
Control Behavior Testing Suite — AML model validation, risk engine calibration, latency SLA testing. The suite a FinCEN examiner expects a PPSI to have run before examination day.
Platform · Phase 9 Ops · Q4 2026
Control Governance Dashboard — AML tuning cycles, threshold recalibration, smart contract change management. Addresses the FinCEN NPR recurring obligation.