OR-AUD-01 · Reserve Management

Reserve Management
OR Audit Work Program

Structured 10-section audit work program for the Reserve Management operational resilience domain. Covers BIA verification, control design assessment, control effectiveness testing, impact tolerance verification, and scenario stress test evidence review. Anchored to GENIUS Act, OCC NPR, FDIC NPR, NIST SP 800-34, FFIEC BCP, and NIST CSF 2.0. Several OCC/FDIC NPR proposed thresholds (WAM, concentration cap, redemption notification window) are subject to final rulemaking — auditors must test against the final rule in effect, not proposed safe harbor numbers.

GENIUS Act §§ 4, 7, 113OCC NPR §§ 15.10–15.12FDIC NPR §§ 350.5, 350.9NIST SP 800-34 · FFIEC BCPNIST CSF 2.0Proposed Rules — Final Rule Pending9 Risks · 8 Controls
§ 1Audit Objective
Primary Audit Objective
Determine whether the Reserve Management operational resilience program is designed and operating effectively to ensure that: (1) all redemption obligations can be fulfilled within the 24-hour impact tolerance ceiling; (2) the treasury ledger can be restored within the 4-hour RTO; (3) reserve records maintain near-zero RPO under any foreseeable disruption; and (4) the issuer can demonstrate monetization capacity — the operationally tested ability to convert reserves into fiat and meet redemption demand under both normal and stressed conditions. Controls must meet the requirements of the GENIUS Act and the final rule in effect; where NPR proposed safe harbor thresholds have not yet been finalized, the auditor tests against the issuer's own documented risk framework and the statutory objective of timely redemption.

The audit examines the full reserve management lifecycle: fiat deposit intake, treasury investment and HQLA management, independent three-ledger reconciliation, CEO/CFO certification, redemption processing, and banking rail failover infrastructure. The work program does not duplicate the scope of the SOC 1 engagement — it focuses on operational resilience controls. Key audit lens: the correct supervisory test is whether the issuer can protect reserves, monitor counterparties, access liquidity, and redeem promptly when needed — not mechanical compliance with any single quantitative threshold that may not represent the final rule.

§ 2Scope & Regulatory Anchor
FrameworkProvisionRelevance to Reserve Management OR
GENIUS Act§ 4(a)(1)–(6)1:1 permissible reserve asset requirement; eligible assets capped at ≤93-day T-bills, overnight repos, cash deposits, government MMFs; prohibition on rehypothecation. Note: the 20-day WAM is an OCC NPR proposed safe harbor condition, not a GENIUS Act statutory requirement.
GENIUS Act§ 7Redemption right — issuer must process redemptions within required timeframe; redemption clock begins after successful holder onboarding and KYC/AML completion (aligned with NYDFS, FCA, and Bank of England frameworks). Operational controls must support this right.
GENIUS Act§ 113Operational resilience standards — issuer must maintain systems and processes sufficient to ensure ongoing reserve management and redemption capability under stress.
OCC NPR ⚠§§ 15.10–15.11Proposed reserve asset composition requirements and safe harbor. Subject to final rulemaking: 20-day WAM proposed as safe harbor condition (industry commenters: overly conservative, narrows statutory basket, demonstrated monetization capacity is the more direct test); liquidity ladder floors (overnight ≥10%, 30-day ≥30%, 90-day ≥50%) proposed; 40% single-institution concentration cap proposed (industry commenters: should distinguish custodied bankruptcy-remote assets from unsecured deposit exposure; principles-based assessment preferred). Auditor tests against final rule in effect.
OCC NPR§ 15.12CEO/CFO monthly certification of reserve compliance; criminal liability under 18 U.S.C. § 1001. Redemption clock defined as beginning after holder onboarding completion and ending when fiat payment instruction is sent — not when funds settle at customer's bank (aligned with NYDFS, FCA, and Bank of England frameworks — clock covers actions within the issuer's control).
FDIC NPR ⚠§§ 350.5, 350.910% single-day redemption notification threshold proposed; discretionary T+7 extension window proposed. Subject to final rulemaking: industry commenters raise concerns that a mandatory extended-redemption window tied to a fixed volume threshold may function as a market stress signal; a single timeliness standard with supervisory discretion in stress is the preferred alternative raised in comment letters. Operational backstop calibration also subject to final rule — sizing based on non-discretionary wind-down costs is supported as more proportionate than full trailing OPEX.
FDIC NPR§ 350.15CEO/CFO certification — parallel requirement to OCC NPR § 15.12.
NIST SP 800-34Contingency Planning GuidePrimary BCP/DR standard for US-domiciled issuers under OCC/FDIC supervision. Requires BIA → BCP/DRP → testing → RTO/RPO measurement → continuous improvement. Governs banking rail failover tests, reconciliation DR tests, and full simulation exercises.
FFIEC BCPBCP BookletApplicable for federally supervised institutions. Requires impact tolerance documentation, recovery objective testing, and board-level oversight of BCP/DR program. Aligns with the 24-hr/4-hr RTO/~0 RPO tolerances established in the BIA.
NIST CSF 2.0GOVERN · IDENTIFY · PROTECT · DETECT · RESPOND · RECOVERCybersecurity framework functions applicable to reserve data protection, reconciliation system availability, incident response, and recovery.
⚠ Rulemaking status & threshold notice (as of June 2026): No GENIUS Act final rules have been issued. Six agencies (OCC, FDIC, NCUA, FinCEN/OFAC, Treasury) have issued proposed rules between Feb–April 2026; the Federal Reserve Board proposed rule is still pending. The statutory deadline for final rules is July 18, 2026; the Act takes effect January 18, 2027 (or 120 days after final rules, if earlier). Rows marked ⚠ contain proposed thresholds under active industry comment that may be revised in the final rule. Auditors must verify which version of the rule is in effect at the time of the audit and calibrate all testing accordingly. Where the final rule adopts principles-based standards rather than hard numerical thresholds, testing must focus on demonstrated outcomes — monetization capacity, redemption continuity, legal access to reserves.
Audit period: The work program covers the 12-month period ending [Audit Period End Date]. Control effectiveness testing covers a representative sample period of no less than 6 months within the audit period. Impact tolerance and scenario testing evidence covers the most recent full calendar year or since the last audit, whichever is shorter.
§ 3Risk Assessment — Inherent Risk Rating

The following inherent risk ratings represent the auditor's assessment of each identified risk before any mitigating controls are considered. Inherent risk ratings drive the depth and breadth of control design assessment and effectiveness testing in §§ 4–5. Critical and High inherent risks receive the most rigorous testing scope; Medium risks receive standard testing; Low risks receive inquiry-and-observation procedures.

Risk IDRisk StatementInherent LikelihoodInherent ImpactInherent Risk RatingTesting Priority
RM-R01Primary reserve bank failure or prolonged outageMEDIUMCRITICALCRITICALPRIORITY 1
RM-R02Three-ledger reconciliation gap or mismatchMEDIUMCRITICALCRITICALPRIORITY 1
RM-R03Unauthorized token minting without matching fiat reserveLOWCRITICALHIGHPRIORITY 2
RM-R04Portfolio limit breach or monetization capacity failureMEDIUMHIGHHIGHPRIORITY 2
RM-R05Redemption surge exceeding available liquidity poolMEDIUMCRITICALCRITICALPRIORITY 1
RM-R06External custodian operational failure or insolvencyLOWCRITICALHIGHPRIORITY 2
RM-R07CEO/CFO certification executed on inaccurate reserve dataLOWCRITICALHIGHPRIORITY 2
RM-R08Custodian / counterparty concentration risk impairing reserve access or monetizationMEDIUMHIGHHIGHPRIORITY 2
RM-R09Reserve system RTO/RPO failure during technology outageLOWCRITICALHIGHPRIORITY 2
Auditor note: Three risks carry a Critical inherent rating (RM-R01, RM-R02, RM-R05). These drive the Priority 1 testing scope — specifically, the banking rail failover test, reconciliation exception log review, and redemption surge scenario evidence review. Any control gaps against Priority 1 risks are automatically classified as material findings requiring immediate management response. Re: RM-R04 and RM-R08: The OCC NPR proposed specific safe harbor thresholds (20-day WAM, specific liquidity ladder floors, 40% concentration cap) that are subject to final rulemaking and active industry comment. Auditors should test against the issuer's own documented portfolio risk limits consistent with the final rule in effect, and additionally test whether the issuer can demonstrate monetization capacity — the ability to liquidate reserves and meet redemption demand within the 24-hour tolerance under both normal and stressed conditions. For custodied non-cash assets (T-bills, repo, MMF shares held in segregated structures), the relevant risk is legal access failure and settlement disruption, not custodian credit exposure — these should be assessed separately from unsecured deposit concentration.
§ 4Control Design Assessment

For each control, the auditor assesses whether the control, as designed, is capable of preventing, detecting, or reducing the risk it purports to address to an acceptable level. This assessment is based on policy review, walkthroughs with control owners, and inspection of control documentation. It does not assess whether the control has operated effectively — that is addressed in § 5.

Control IDControl NameDesign Assessment ProceduresDesign Adequacy Question
RM-C01 Redundant Banking Rails (Primary / Secondary / Tertiary) Obtain and review written banking rail failover policy. Confirm policy specifies trigger criteria, activation authority, and maximum switchover time. Verify three distinct banking partners are named with independent correspondent networks. Inspect contractual SLAs for each partner. Confirm policy covers simultaneous primary + secondary failure scenario. Does the policy, as designed, provide a credible failover path that would maintain redemption processing capability within the 24-hour impact tolerance ceiling under a sustained primary bank outage?
RM-C02 Dual-Control Mint Gate (Technical + Operational) Review mint authorization policy and workflow documentation. Confirm two independent approvers are required (Treasury Operations + Independent Compliance Officer). Verify system configuration enforces dual-control — single-approver minting is technically blocked. Obtain and review access control matrix. Confirm no override or emergency bypass exists that could permit single-approver minting. Is the dual-control gate designed such that a single insider cannot authorize a mint without confirmed receipt of fiat funds?
RM-C03 Automated Three-Ledger Daily Reconciliation Review reconciliation system design documentation. Confirm three data sources (on-chain supply, issuer ledger, custodian statement) are reconciled automatically at each mint/burn event and at daily EOD. Verify exception alert threshold ($1,000 discrepancy) and automatic minting suspension threshold (0.01% of supply). Confirm reconciliation results are written to an immutable audit log. Inspect exception escalation workflow design. Is the reconciliation system designed to detect a ledger mismatch of material size within the same business day it occurs, and to automatically halt further minting until resolved?
RM-C04 Pre-Trade Investment Compliance & Monetization Checks Obtain the issuer's documented portfolio risk limits policy (WAM ceiling, liquidity composition floors, and concentration limits as defined under the final rule or the issuer's own risk framework). Confirm pre-trade checks are embedded in the investment execution workflow and enforce these documented limits. Verify system blocks or requires documented Compliance Officer approval for any transaction that would breach a defined limit. Critical additional test: obtain the issuer's monetization capacity documentation — liquidity stress scenario analysis, or equivalent evidence demonstrating the issuer's ability to liquidate reserves to fiat within the 24-hour redemption ceiling under both normal and stressed conditions. Verify this analysis is reviewed and updated at least quarterly. Confirm custodied non-cash assets (segregated, bankruptcy-remote) are assessed separately from unsecured deposit exposure in the concentration framework. Are the pre-trade checks and portfolio monitoring controls designed so that: (a) no investment can be executed that would cause the issuer's portfolio to breach its documented risk limits; and (b) the issuer maintains documented evidence of monetization capacity — the ability to meet redemption demand within the impact tolerance ceiling under stress?
RM-C05 Redemption Queue Management & Surge Protocol Review redemption queue management policy and volume monitoring documentation. Confirm intraday monitoring of redemption volume against the issuer's defined early-warning thresholds. Verify the issuer has a pre-prepared regulatory communication package ready for dispatch at applicable notification thresholds under the final rule. Confirm the protocol specifies priority queue management, liquidity draw-down sequencing, and escalation to senior management at defined trigger levels. Critically: verify the protocol explicitly states that redemption processing continues without mandatory pause regardless of volume level — the operational response is proactive communication and secondary rail activation, not gate-closure. Note: the FDIC NPR proposes a 10% notification trigger and discretionary T+7 extension window, both subject to final rulemaking and active industry comment. Test against whichever version is the final rule in effect at audit date, with focus on whether the issuer maintains redemption continuity throughout. Verify the 24-hour redemption ceiling is explicitly stated as the maximum processing time in all circumstances. Is the redemption monitoring and queue management system designed to maintain uninterrupted redemption processing within the 24-hour ceiling — using secondary rail activation and proactive regulatory communication rather than redemption gating — even under a simultaneous 30% redemption surge and primary bank outage?
RM-C06 Custodian & Counterparty Risk Management Review the issuer's custodian and counterparty risk management policy. Confirm the policy is structured around the following principles-based framework: (1) counterparty quality assessment — credit strength, operational reliability, regulatory standing; (2) legal protection verification — assets legally segregated, bankruptcy-remote, and confirmed inaccessible to custodian for proprietary use; (3) operational access testing — issuer's ability to mobilize reserves rapidly under stress has been tested; (4) monetization capacity under stress — issuer can demonstrate reserve liquidation capacity within redemption timelines. Obtain custodian agreements and verify they include substitution rights exercisable without custodian consent. Confirm concentration limits are documented against the final rule in effect (the OCC NPR proposed 40% cap is subject to final rulemaking; custodied non-cash assets may be treated differently from unsecured deposit exposure under the final rule). Verify annual counterparty creditworthiness and operational resilience review is performed and documented. Is the custodian and counterparty risk management framework designed to protect reserve access, legal segregation, and monetization capacity under stress — rather than treating diversification across custodians as an end in itself?
RM-C07 CEO/CFO Certification Workflow with Criminal Liability Briefing Review certification workflow design. Confirm auto-population from reconciliation data. Verify reconciliation sign-off is a prerequisite gate before certification package is released for officer signature. Confirm criminal liability briefing documentation (18 U.S.C. § 1001) is embedded in the workflow. Verify certification package retention period meets regulatory requirements. Is the certification workflow designed so that a CEO/CFO cannot sign the certification until the independent reconciliation sign-off is confirmed?
RM-C08 Near-Zero RPO Reserve Data Backup & Recovery Review reserve system backup architecture documentation. Confirm continuous or near-continuous replication to a geographically separate secondary system. Verify defined 4-hour RTO and near-zero RPO targets. Confirm backup covers on-chain data feed configurations, issuer ledger, and reconciliation engine state. Review documented recovery runbook and verify it specifies step-by-step restoration procedures within the RTO window. Is the backup architecture designed to support recovery of the full reserve management system to a near-current state within 4 hours of a primary system failure?
§ 5Control Effectiveness Testing

For each control, the auditor tests whether the control has operated as designed throughout the audit period. Testing methods include transaction sampling, log inspection, system-generated report review, observation, re-performance, and inquiry. Sample sizes are calibrated to inherent risk ratings from § 3 — Critical-risk controls receive larger samples.

Control IDTest ProcedureSample / ScopeEvidence Required
RM-C01 Request evidence of at least one banking rail failover test conducted during the audit period. Review test script, execution log, and results. Inspect records showing secondary rail was activated, transactions processed, and primary rail restored. Confirm test scope included a redemption payment processed via secondary rail. All failover tests conducted in audit period (minimum 1 required). Inspect execution records for most recent test. Test script · execution log · transaction confirmation via secondary rail · post-test restoration record · sign-off by Treasury Manager
RM-C02 Select a sample of mint transactions from the audit period. For each, obtain the system audit log confirming two approvals were captured before execution. Inspect approver identities to verify both approvers held required roles (Treasury Operations + Independent Compliance Officer). Test for any mint transactions with a single approval or where both approvers were from the same team. 25 mint transactions (or all if fewer than 25 in period). Higher sample if total mints >500. System audit log per transaction · approver role confirmation · zero exceptions expected
RM-C03 Obtain the reconciliation exception log for the audit period. Review all exceptions for timely investigation and resolution. Select 10 reconciliation run results and verify three-ledger match confirmation is recorded. Test that at least one reconciliation run was executed at or near each mint/burn event by cross-referencing mint/burn timestamps against reconciliation run log. Verify immutable audit log configuration. Full exception log (audit period) · 10 reconciliation run results · 5 mint/burn event timestamp comparisons Exception log · reconciliation run reports · mint/burn event timestamps · immutable log configuration evidence
RM-C04 Select a sample of investment transactions. For each, verify the pre-trade check was executed and result recorded before settlement. Test whether the issuer's documented portfolio limits (WAM ceiling, liquidity composition, concentration) were in compliance at the time of each transaction. Inspect any blocked or overridden transactions — verify each has documented Compliance Officer approval. Obtain the current portfolio composition report and verify it meets the issuer's documented limits. Critically: obtain and review the issuer's most recent monetization capacity analysis or liquidity stress test — confirm it demonstrates the ability to liquidate sufficient reserves to meet redemption demand within the 24-hour impact tolerance ceiling under at least one stress scenario. Verify this analysis was reviewed by senior management within the prior 12 months. Confirm custodied assets are assessed separately from unsecured deposit exposure. 15 investment transactions · all blocked/overridden transactions in period · current portfolio compliance report · monetization capacity analysis / liquidity stress test Pre-trade check logs · blocked transaction records · Compliance Officer approvals · current portfolio report vs. documented limits · monetization capacity / stress analysis signed by management
RM-C05 Inspect intraday redemption volume monitoring system. Verify monitoring runs continuously and logs volume against issuer-defined early-warning thresholds. Review alert log for all elevated-volume events in the audit period — inspect management response records for timeliness and content (escalation, communication package, liquidity assessment). Verify the issuer's regulatory communication package template is current and pre-populated. If any regulatory notification threshold was triggered during the audit period (per the final rule in effect), inspect notification records for timeliness, content, and evidence that redemption processing continued without pause. Test 20 redemption transactions: confirm processing time from validated request to confirmed fiat disbursement is within the 24-hour ceiling. Key test: confirm there is no instance where redemptions were suspended or gated during a high-volume period — the operational response should be secondary rail activation and communication, not pause. Monitoring system configuration · all alert events in period · management response records · communication package template · regulatory notification records (if applicable) · 20 redemption processing timestamps Monitoring configuration · alert log · escalation records · notification records · redemption timestamps (zero exceptions expected against 24-hr ceiling)
RM-C06 Obtain and review the issuer's most recent annual counterparty risk assessment — confirm it evaluates: (a) counterparty credit quality and operational resilience; (b) legal segregation and bankruptcy-remoteness of custodied assets; (c) the issuer's legal right to substitute custodians without counterparty consent; (d) concentration levels against the issuer's documented limits under the final rule in effect. Inspect concentration reports for a 3-month sample period and verify no breach of the issuer's documented limits. For custodied non-cash assets, verify legal segregation opinion or equivalent confirmation is current. Confirm substitution right clauses in custodian agreements are exercisable. Verify at least one documented test of custodian substitution or asset transfer procedure was conducted during the audit period or prior 12 months. Note: if the final rule adopts a principles-based approach rather than a hard percentage cap, test the issuer's own documented concentration framework and whether it is risk-sensitive to asset type and holding structure. Annual counterparty risk assessment · 90 daily concentration reports (3-month sample) · legal segregation confirmation · custodian agreement substitution clauses · substitution/transfer test records Counterparty assessment · concentration reports vs. documented limits · legal segregation opinion · agreement excerpts · substitution test evidence
RM-C07 Obtain all monthly CEO/CFO certification packages for the audit period. Verify each package was completed within 5 business days of month-end. Confirm each package includes: (a) reconciliation sign-off before officer signature date, (b) criminal liability briefing acknowledgment, (c) supporting reserve data. Inspect system log confirming auto-population from reconciliation data (not manual entry). All certification packages in audit period (12 expected) · system auto-population log 12 certification packages · sign-off timestamps vs. certification date · liability briefing acknowledgments · auto-population log
RM-C08 Review backup and recovery system configuration documentation. Obtain evidence of the most recent RTO/RPO test. Inspect test plan, execution log, and results. Confirm achieved RTO was within the 4-hour ceiling and achieved RPO was within tolerance. Verify test scope included full reserve system restoration, not just partial components. Inspect geographic separation of primary and secondary systems. Most recent RTO/RPO test (minimum 1 required in audit period) · backup configuration documents Test plan · execution log · achieved RTO/RPO metrics · geographic separation evidence · recovery runbook
§ 6Impact Tolerance Verification

Verify that the three Reserve Management impact tolerances are formally documented, accepted by management, operationalized in the controls framework, and tested against actual performance data from the audit period.

ServiceImpact ToleranceVerification ProcedureEvidence Required
Redemption Processing 24 hr MAX Obtain written management sign-off on the 24-hour redemption ceiling as the stated impact tolerance. Inspect system configuration confirming redemption SLA monitoring against this threshold. Sample 20 redemption transactions from the audit period and measure processing time from request validation to confirmed fiat disbursement. Identify any instances where processing exceeded 24 hours and inspect escalation records. Signed tolerance statement · SLA monitoring configuration · 20 redemption processing timestamps · exception records (if any)
Treasury Ledger Recovery 4 hr RTO Obtain written management acceptance of the 4-hour RTO for the treasury ledger system. Inspect recovery runbook and verify it specifies step-by-step restoration procedures calibrated to 4-hour ceiling. Review most recent RTO test results and confirm achieved RTO was within 4 hours. Identify any unplanned outages during the audit period and review actual recovery time records. Signed RTO statement · recovery runbook · test results with achieved RTO · unplanned outage records (if any)
Reserve Records ~0 RPO Obtain written management acceptance of near-zero RPO for reserve records. Inspect backup replication configuration — confirm continuous or near-continuous replication with defined maximum data loss threshold (e.g., ≤1 minute). Review most recent RPO test results confirming achieved data loss was within tolerance. Inspect backup replication monitoring to confirm replication lag alerts are configured. Signed RPO statement · replication configuration · test results with achieved RPO · replication lag alert configuration
§ 7Scenario Stress Test Evidence Review
Scenario RM-S01: 48-hour primary bank outage coinciding with a 30% single-day redemption surge. Tests whether banking rail failover activates within the defined timeframe, secondary and tertiary rails absorb redemption volume, and the 24-hour redemption ceiling is maintained throughout — with proactive regulatory communication dispatched at applicable thresholds under the final rule. The key measure of success is uninterrupted redemption processing. A properly structured PPSI reserve portfolio should be designed to meet very substantial redemption demand over a short period without requiring mandatory pause or gating.
StepEvidence Review ProcedureEvidence Required
Documentation Review Obtain the written RM-S01 scenario stress test documentation. Verify the scenario description matches the OR Program (48-hour outage + 30% surge). Confirm the scenario was formally accepted by management as a plausible stress test scenario. Review the scenario protocol — does it specify the activation sequence, role assignments, decision points, and 24-hour redemption ceiling as the measure of success? Written scenario document · management sign-off · protocol documentation
Test Execution Evidence Confirm the scenario test was executed at least once during the audit period (or within the prior 12 months). Obtain the test execution log — verify it covers all six protocol stages (T+0 detection through T+48hr resolution). Confirm the test was conducted with actual system activation, not merely a tabletop discussion. Review observer/facilitator sign-off confirming execution scope. Execution log · observer sign-off · system activation records
Results & Findings Review test results report. Confirm measured outcomes against impact tolerance: (a) did secondary/tertiary rails activate within the defined timeframe? (b) was the 24-hour redemption ceiling maintained throughout the simulated 48-hour outage with no mandatory pause or gate? (c) was a proactive regulatory communication package dispatched at applicable volume thresholds under the final rule in effect? (d) did the reconciliation engine maintain three-ledger integrity and correct exception alerting throughout the scenario? Inspect any identified gaps and verify remediation actions are completed or formally tracked with milestones. Note re: notification threshold: test evidence should show that the issuer's operational response to high redemption volume is proactive communication and liquidity management — not threshold-triggered redemption suspension, consistent with the principle of maintaining redemption continuity under stress and pending the final rule. Results report · outcome measurements vs. tolerances · redemption processing continuity evidence · regulatory communication dispatch records · gap/remediation log
§ 8Exception Escalation Thresholds

The following escalation thresholds govern how control failures and exceptions identified during this audit are classified and escalated. These thresholds apply to both audit findings and to the operational exception evidence reviewed under § 5.

Finding SeverityThreshold DefinitionRequired Management ResponseBoard Notification
CRITICAL Control failure directly affecting a Critical-rated inherent risk (RM-R01, RM-R02, RM-R05). Any instance of redemption processing exceeding 24-hour ceiling. Any undetected reconciliation gap >0.01% of supply. Any instance of single-approver minting. Immediate written response within 5 business days. Interim compensating control implemented within 10 business days. Permanent remediation plan with milestones within 30 business days. Yes — Board notified within 5 business days of finding communication. Regulator notification assessed.
HIGH Control gap or weakness affecting a High-rated inherent risk. Design adequacy failure on a Priority 2 control. Effectiveness testing exception rate >10% on any single control. Written response within 10 business days. Remediation plan within 45 business days. Board informed in next scheduled meeting agenda.
MEDIUM Process gaps, documentation deficiencies, or minor control design improvements identified. Effectiveness testing exception rate >5% on any single control. Written response within 20 business days. Remediation within 90 days. Included in periodic management report.
LOW Observations and best-practice recommendations not constituting a control failure. Management response at discretion. Acknowledged in writing. Included in annual management report only.
§ 9Regulatory Readiness Sign-off Criteria

The audit concludes with an assessment of whether the Reserve Management OR Program meets the minimum threshold for regulatory readiness. Sign-off is granted only when all criteria below are satisfied. Partial sign-off is not available — a single unresolved Critical finding or unmet Mandatory criterion prevents regulatory readiness sign-off.

Mandatory — Control Design
  • All 8 controls assessed as adequately designed (no design failures outstanding)
  • Dual-control mint gate confirmed technically enforced with no single-approver bypass path
  • Three-ledger reconciliation confirmed to run at each mint/burn event and daily EOD
  • Banking rail failover policy specifies secondary and tertiary arrangements with independent rails and tested activation procedures
  • CEO/CFO certification workflow confirmed to require reconciliation sign-off before officer signature
  • Redemption queue protocol confirms processing continuity — no mandatory pause or gate — at any volume level
Mandatory — Control Effectiveness
  • Zero Critical findings from effectiveness testing
  • All 12 monthly CEO/CFO certifications completed within 5 business days of month-end
  • No redemption processing exceptions exceeding 24-hour ceiling in audit period
  • At least one successful banking rail failover test conducted in the audit period (per NIST SP 800-34 / FFIEC BCP)
  • Reconciliation exception log shows all exceptions investigated and resolved within defined SLA
  • Monetization capacity analysis (liquidity stress test) reviewed by management within prior 12 months
Mandatory — Impact Tolerance & BCP/DR
  • Written management acceptance of all three impact tolerances (24 hr redemption, 4 hr RTO, ~0 RPO)
  • RTO/RPO test results confirm achieved values within tolerance (NIST SP 800-34 §3.5 requirement)
  • No unplanned outage during audit period exceeded RTO ceiling without documented post-incident review
  • BCP/DR test findings register shows all critical items from most recent test cycle closed or risk-accepted with documented rationale
Mandatory — Scenario & Regulatory
  • RM-S01 scenario test executed within the prior 12 months with documented results showing redemption continuity — no gating
  • All GENIUS Act § 4 reserve composition requirements confirmed met throughout audit period (1:1 backing, eligible assets, no rehypothecation)
  • OCC NPR § 15.12 / FDIC NPR § 350.15 certification requirements confirmed met for all months
  • Issuer's portfolio risk limits documented and consistent with the final rule in effect at audit date; where safe harbor thresholds differ from NPR proposals, issuer has documented rationale
  • No open Critical or High findings from this audit at time of sign-off
§ 10Finding Log Template

All findings identified during this audit are recorded in the following format. Each finding is linked to the control, risk, and audit section that generated it. Management responses are recorded in the same log.

Finding IDAudit SectionControl / Risk RefFinding DescriptionSeverityMgmt ResponseRemediation DateStatus
RM-F-001§ [X]RM-C[X] / RM-R[X] [Describe finding — what was observed, what it means, what the expected state is] OPEN [Management's agreed corrective action] [DD/MM/YYYY] IN PROGRESS
RM-F-002§ [X]RM-C[X] / RM-R[X] [Describe finding] OPEN [Management response] [DD/MM/YYYY] NOT STARTED
Finding closure: A finding is marked CLOSED only when the auditor has reviewed and confirmed the remediation evidence. Management self-certification of remediation without auditor verification does not constitute closure. Critical findings require re-testing of the relevant control effectiveness procedures before closure.