The audit examines the full reserve management lifecycle: fiat deposit intake, treasury investment and HQLA management, independent three-ledger reconciliation, CEO/CFO certification, redemption processing, and banking rail failover infrastructure. The work program does not duplicate the scope of the SOC 1 engagement — it focuses on operational resilience controls. Key audit lens: the correct supervisory test is whether the issuer can protect reserves, monitor counterparties, access liquidity, and redeem promptly when needed — not mechanical compliance with any single quantitative threshold that may not represent the final rule.
| Framework | Provision | Relevance to Reserve Management OR |
|---|---|---|
| GENIUS Act | § 4(a)(1)–(6) | 1:1 permissible reserve asset requirement; eligible assets capped at ≤93-day T-bills, overnight repos, cash deposits, government MMFs; prohibition on rehypothecation. Note: the 20-day WAM is an OCC NPR proposed safe harbor condition, not a GENIUS Act statutory requirement. |
| GENIUS Act | § 7 | Redemption right — issuer must process redemptions within required timeframe; redemption clock begins after successful holder onboarding and KYC/AML completion (aligned with NYDFS, FCA, and Bank of England frameworks). Operational controls must support this right. |
| GENIUS Act | § 113 | Operational resilience standards — issuer must maintain systems and processes sufficient to ensure ongoing reserve management and redemption capability under stress. |
| OCC NPR ⚠ | §§ 15.10–15.11 | Proposed reserve asset composition requirements and safe harbor. Subject to final rulemaking: 20-day WAM proposed as safe harbor condition (industry commenters: overly conservative, narrows statutory basket, demonstrated monetization capacity is the more direct test); liquidity ladder floors (overnight ≥10%, 30-day ≥30%, 90-day ≥50%) proposed; 40% single-institution concentration cap proposed (industry commenters: should distinguish custodied bankruptcy-remote assets from unsecured deposit exposure; principles-based assessment preferred). Auditor tests against final rule in effect. |
| OCC NPR | § 15.12 | CEO/CFO monthly certification of reserve compliance; criminal liability under 18 U.S.C. § 1001. Redemption clock defined as beginning after holder onboarding completion and ending when fiat payment instruction is sent — not when funds settle at customer's bank (aligned with NYDFS, FCA, and Bank of England frameworks — clock covers actions within the issuer's control). |
| FDIC NPR ⚠ | §§ 350.5, 350.9 | 10% single-day redemption notification threshold proposed; discretionary T+7 extension window proposed. Subject to final rulemaking: industry commenters raise concerns that a mandatory extended-redemption window tied to a fixed volume threshold may function as a market stress signal; a single timeliness standard with supervisory discretion in stress is the preferred alternative raised in comment letters. Operational backstop calibration also subject to final rule — sizing based on non-discretionary wind-down costs is supported as more proportionate than full trailing OPEX. |
| FDIC NPR | § 350.15 | CEO/CFO certification — parallel requirement to OCC NPR § 15.12. |
| NIST SP 800-34 | Contingency Planning Guide | Primary BCP/DR standard for US-domiciled issuers under OCC/FDIC supervision. Requires BIA → BCP/DRP → testing → RTO/RPO measurement → continuous improvement. Governs banking rail failover tests, reconciliation DR tests, and full simulation exercises. |
| FFIEC BCP | BCP Booklet | Applicable for federally supervised institutions. Requires impact tolerance documentation, recovery objective testing, and board-level oversight of BCP/DR program. Aligns with the 24-hr/4-hr RTO/~0 RPO tolerances established in the BIA. |
| NIST CSF 2.0 | GOVERN · IDENTIFY · PROTECT · DETECT · RESPOND · RECOVER | Cybersecurity framework functions applicable to reserve data protection, reconciliation system availability, incident response, and recovery. |
The following inherent risk ratings represent the auditor's assessment of each identified risk before any mitigating controls are considered. Inherent risk ratings drive the depth and breadth of control design assessment and effectiveness testing in §§ 4–5. Critical and High inherent risks receive the most rigorous testing scope; Medium risks receive standard testing; Low risks receive inquiry-and-observation procedures.
| Risk ID | Risk Statement | Inherent Likelihood | Inherent Impact | Inherent Risk Rating | Testing Priority |
|---|---|---|---|---|---|
| RM-R01 | Primary reserve bank failure or prolonged outage | MEDIUM | CRITICAL | CRITICAL | PRIORITY 1 |
| RM-R02 | Three-ledger reconciliation gap or mismatch | MEDIUM | CRITICAL | CRITICAL | PRIORITY 1 |
| RM-R03 | Unauthorized token minting without matching fiat reserve | LOW | CRITICAL | HIGH | PRIORITY 2 |
| RM-R04 | Portfolio limit breach or monetization capacity failure | MEDIUM | HIGH | HIGH | PRIORITY 2 |
| RM-R05 | Redemption surge exceeding available liquidity pool | MEDIUM | CRITICAL | CRITICAL | PRIORITY 1 |
| RM-R06 | External custodian operational failure or insolvency | LOW | CRITICAL | HIGH | PRIORITY 2 |
| RM-R07 | CEO/CFO certification executed on inaccurate reserve data | LOW | CRITICAL | HIGH | PRIORITY 2 |
| RM-R08 | Custodian / counterparty concentration risk impairing reserve access or monetization | MEDIUM | HIGH | HIGH | PRIORITY 2 |
| RM-R09 | Reserve system RTO/RPO failure during technology outage | LOW | CRITICAL | HIGH | PRIORITY 2 |
For each control, the auditor assesses whether the control, as designed, is capable of preventing, detecting, or reducing the risk it purports to address to an acceptable level. This assessment is based on policy review, walkthroughs with control owners, and inspection of control documentation. It does not assess whether the control has operated effectively — that is addressed in § 5.
| Control ID | Control Name | Design Assessment Procedures | Design Adequacy Question |
|---|---|---|---|
| RM-C01 | Redundant Banking Rails (Primary / Secondary / Tertiary) | Obtain and review written banking rail failover policy. Confirm policy specifies trigger criteria, activation authority, and maximum switchover time. Verify three distinct banking partners are named with independent correspondent networks. Inspect contractual SLAs for each partner. Confirm policy covers simultaneous primary + secondary failure scenario. | Does the policy, as designed, provide a credible failover path that would maintain redemption processing capability within the 24-hour impact tolerance ceiling under a sustained primary bank outage? |
| RM-C02 | Dual-Control Mint Gate (Technical + Operational) | Review mint authorization policy and workflow documentation. Confirm two independent approvers are required (Treasury Operations + Independent Compliance Officer). Verify system configuration enforces dual-control — single-approver minting is technically blocked. Obtain and review access control matrix. Confirm no override or emergency bypass exists that could permit single-approver minting. | Is the dual-control gate designed such that a single insider cannot authorize a mint without confirmed receipt of fiat funds? |
| RM-C03 | Automated Three-Ledger Daily Reconciliation | Review reconciliation system design documentation. Confirm three data sources (on-chain supply, issuer ledger, custodian statement) are reconciled automatically at each mint/burn event and at daily EOD. Verify exception alert threshold ($1,000 discrepancy) and automatic minting suspension threshold (0.01% of supply). Confirm reconciliation results are written to an immutable audit log. Inspect exception escalation workflow design. | Is the reconciliation system designed to detect a ledger mismatch of material size within the same business day it occurs, and to automatically halt further minting until resolved? |
| RM-C04 | Pre-Trade Investment Compliance & Monetization Checks | Obtain the issuer's documented portfolio risk limits policy (WAM ceiling, liquidity composition floors, and concentration limits as defined under the final rule or the issuer's own risk framework). Confirm pre-trade checks are embedded in the investment execution workflow and enforce these documented limits. Verify system blocks or requires documented Compliance Officer approval for any transaction that would breach a defined limit. Critical additional test: obtain the issuer's monetization capacity documentation — liquidity stress scenario analysis, or equivalent evidence demonstrating the issuer's ability to liquidate reserves to fiat within the 24-hour redemption ceiling under both normal and stressed conditions. Verify this analysis is reviewed and updated at least quarterly. Confirm custodied non-cash assets (segregated, bankruptcy-remote) are assessed separately from unsecured deposit exposure in the concentration framework. | Are the pre-trade checks and portfolio monitoring controls designed so that: (a) no investment can be executed that would cause the issuer's portfolio to breach its documented risk limits; and (b) the issuer maintains documented evidence of monetization capacity — the ability to meet redemption demand within the impact tolerance ceiling under stress? |
| RM-C05 | Redemption Queue Management & Surge Protocol | Review redemption queue management policy and volume monitoring documentation. Confirm intraday monitoring of redemption volume against the issuer's defined early-warning thresholds. Verify the issuer has a pre-prepared regulatory communication package ready for dispatch at applicable notification thresholds under the final rule. Confirm the protocol specifies priority queue management, liquidity draw-down sequencing, and escalation to senior management at defined trigger levels. Critically: verify the protocol explicitly states that redemption processing continues without mandatory pause regardless of volume level — the operational response is proactive communication and secondary rail activation, not gate-closure. Note: the FDIC NPR proposes a 10% notification trigger and discretionary T+7 extension window, both subject to final rulemaking and active industry comment. Test against whichever version is the final rule in effect at audit date, with focus on whether the issuer maintains redemption continuity throughout. Verify the 24-hour redemption ceiling is explicitly stated as the maximum processing time in all circumstances. | Is the redemption monitoring and queue management system designed to maintain uninterrupted redemption processing within the 24-hour ceiling — using secondary rail activation and proactive regulatory communication rather than redemption gating — even under a simultaneous 30% redemption surge and primary bank outage? |
| RM-C06 | Custodian & Counterparty Risk Management | Review the issuer's custodian and counterparty risk management policy. Confirm the policy is structured around the following principles-based framework: (1) counterparty quality assessment — credit strength, operational reliability, regulatory standing; (2) legal protection verification — assets legally segregated, bankruptcy-remote, and confirmed inaccessible to custodian for proprietary use; (3) operational access testing — issuer's ability to mobilize reserves rapidly under stress has been tested; (4) monetization capacity under stress — issuer can demonstrate reserve liquidation capacity within redemption timelines. Obtain custodian agreements and verify they include substitution rights exercisable without custodian consent. Confirm concentration limits are documented against the final rule in effect (the OCC NPR proposed 40% cap is subject to final rulemaking; custodied non-cash assets may be treated differently from unsecured deposit exposure under the final rule). Verify annual counterparty creditworthiness and operational resilience review is performed and documented. | Is the custodian and counterparty risk management framework designed to protect reserve access, legal segregation, and monetization capacity under stress — rather than treating diversification across custodians as an end in itself? |
| RM-C07 | CEO/CFO Certification Workflow with Criminal Liability Briefing | Review certification workflow design. Confirm auto-population from reconciliation data. Verify reconciliation sign-off is a prerequisite gate before certification package is released for officer signature. Confirm criminal liability briefing documentation (18 U.S.C. § 1001) is embedded in the workflow. Verify certification package retention period meets regulatory requirements. | Is the certification workflow designed so that a CEO/CFO cannot sign the certification until the independent reconciliation sign-off is confirmed? |
| RM-C08 | Near-Zero RPO Reserve Data Backup & Recovery | Review reserve system backup architecture documentation. Confirm continuous or near-continuous replication to a geographically separate secondary system. Verify defined 4-hour RTO and near-zero RPO targets. Confirm backup covers on-chain data feed configurations, issuer ledger, and reconciliation engine state. Review documented recovery runbook and verify it specifies step-by-step restoration procedures within the RTO window. | Is the backup architecture designed to support recovery of the full reserve management system to a near-current state within 4 hours of a primary system failure? |
For each control, the auditor tests whether the control has operated as designed throughout the audit period. Testing methods include transaction sampling, log inspection, system-generated report review, observation, re-performance, and inquiry. Sample sizes are calibrated to inherent risk ratings from § 3 — Critical-risk controls receive larger samples.
| Control ID | Test Procedure | Sample / Scope | Evidence Required |
|---|---|---|---|
| RM-C01 | Request evidence of at least one banking rail failover test conducted during the audit period. Review test script, execution log, and results. Inspect records showing secondary rail was activated, transactions processed, and primary rail restored. Confirm test scope included a redemption payment processed via secondary rail. | All failover tests conducted in audit period (minimum 1 required). Inspect execution records for most recent test. | Test script · execution log · transaction confirmation via secondary rail · post-test restoration record · sign-off by Treasury Manager |
| RM-C02 | Select a sample of mint transactions from the audit period. For each, obtain the system audit log confirming two approvals were captured before execution. Inspect approver identities to verify both approvers held required roles (Treasury Operations + Independent Compliance Officer). Test for any mint transactions with a single approval or where both approvers were from the same team. | 25 mint transactions (or all if fewer than 25 in period). Higher sample if total mints >500. | System audit log per transaction · approver role confirmation · zero exceptions expected |
| RM-C03 | Obtain the reconciliation exception log for the audit period. Review all exceptions for timely investigation and resolution. Select 10 reconciliation run results and verify three-ledger match confirmation is recorded. Test that at least one reconciliation run was executed at or near each mint/burn event by cross-referencing mint/burn timestamps against reconciliation run log. Verify immutable audit log configuration. | Full exception log (audit period) · 10 reconciliation run results · 5 mint/burn event timestamp comparisons | Exception log · reconciliation run reports · mint/burn event timestamps · immutable log configuration evidence |
| RM-C04 | Select a sample of investment transactions. For each, verify the pre-trade check was executed and result recorded before settlement. Test whether the issuer's documented portfolio limits (WAM ceiling, liquidity composition, concentration) were in compliance at the time of each transaction. Inspect any blocked or overridden transactions — verify each has documented Compliance Officer approval. Obtain the current portfolio composition report and verify it meets the issuer's documented limits. Critically: obtain and review the issuer's most recent monetization capacity analysis or liquidity stress test — confirm it demonstrates the ability to liquidate sufficient reserves to meet redemption demand within the 24-hour impact tolerance ceiling under at least one stress scenario. Verify this analysis was reviewed by senior management within the prior 12 months. Confirm custodied assets are assessed separately from unsecured deposit exposure. | 15 investment transactions · all blocked/overridden transactions in period · current portfolio compliance report · monetization capacity analysis / liquidity stress test | Pre-trade check logs · blocked transaction records · Compliance Officer approvals · current portfolio report vs. documented limits · monetization capacity / stress analysis signed by management |
| RM-C05 | Inspect intraday redemption volume monitoring system. Verify monitoring runs continuously and logs volume against issuer-defined early-warning thresholds. Review alert log for all elevated-volume events in the audit period — inspect management response records for timeliness and content (escalation, communication package, liquidity assessment). Verify the issuer's regulatory communication package template is current and pre-populated. If any regulatory notification threshold was triggered during the audit period (per the final rule in effect), inspect notification records for timeliness, content, and evidence that redemption processing continued without pause. Test 20 redemption transactions: confirm processing time from validated request to confirmed fiat disbursement is within the 24-hour ceiling. Key test: confirm there is no instance where redemptions were suspended or gated during a high-volume period — the operational response should be secondary rail activation and communication, not pause. | Monitoring system configuration · all alert events in period · management response records · communication package template · regulatory notification records (if applicable) · 20 redemption processing timestamps | Monitoring configuration · alert log · escalation records · notification records · redemption timestamps (zero exceptions expected against 24-hr ceiling) |
| RM-C06 | Obtain and review the issuer's most recent annual counterparty risk assessment — confirm it evaluates: (a) counterparty credit quality and operational resilience; (b) legal segregation and bankruptcy-remoteness of custodied assets; (c) the issuer's legal right to substitute custodians without counterparty consent; (d) concentration levels against the issuer's documented limits under the final rule in effect. Inspect concentration reports for a 3-month sample period and verify no breach of the issuer's documented limits. For custodied non-cash assets, verify legal segregation opinion or equivalent confirmation is current. Confirm substitution right clauses in custodian agreements are exercisable. Verify at least one documented test of custodian substitution or asset transfer procedure was conducted during the audit period or prior 12 months. Note: if the final rule adopts a principles-based approach rather than a hard percentage cap, test the issuer's own documented concentration framework and whether it is risk-sensitive to asset type and holding structure. | Annual counterparty risk assessment · 90 daily concentration reports (3-month sample) · legal segregation confirmation · custodian agreement substitution clauses · substitution/transfer test records | Counterparty assessment · concentration reports vs. documented limits · legal segregation opinion · agreement excerpts · substitution test evidence |
| RM-C07 | Obtain all monthly CEO/CFO certification packages for the audit period. Verify each package was completed within 5 business days of month-end. Confirm each package includes: (a) reconciliation sign-off before officer signature date, (b) criminal liability briefing acknowledgment, (c) supporting reserve data. Inspect system log confirming auto-population from reconciliation data (not manual entry). | All certification packages in audit period (12 expected) · system auto-population log | 12 certification packages · sign-off timestamps vs. certification date · liability briefing acknowledgments · auto-population log |
| RM-C08 | Review backup and recovery system configuration documentation. Obtain evidence of the most recent RTO/RPO test. Inspect test plan, execution log, and results. Confirm achieved RTO was within the 4-hour ceiling and achieved RPO was within tolerance. Verify test scope included full reserve system restoration, not just partial components. Inspect geographic separation of primary and secondary systems. | Most recent RTO/RPO test (minimum 1 required in audit period) · backup configuration documents | Test plan · execution log · achieved RTO/RPO metrics · geographic separation evidence · recovery runbook |
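An added Python illustration of the RM-C04 re-performance test, not part of the work program or any issuer's system: given a portfolio snapshot and a proposed trade, it recomputes tenor eligibility, weighted average maturity, liquidity ladder shares and single-institution concentration against parameterised limits. The default limits are the figures the page cites (93-day tenor, 20-day WAM, 10%/30%/50% ladder floors, 40% cap) and are meant to be replaced with the issuer's documented limits under the final rule; measuring the cap on non-custodied exposure only, the funding-from-cash trade model and the sample portfolio are assumptions.

```python
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Limits:
    """Portfolio limits. Defaults are the figures the work program cites (GENIUS Act tenor;
    OCC NPR proposed WAM, ladder floors, cap); substitute the issuer's documented limits."""
    max_tenor_days: int = 93
    max_wam_days: Decimal = Decimal("20")
    overnight_floor: Decimal = Decimal("0.10")
    thirty_day_floor: Decimal = Decimal("0.30")
    ninety_day_floor: Decimal = Decimal("0.50")
    single_institution_cap: Decimal = Decimal("0.40")


@dataclass(frozen=True)
class Holding:
    asset: str             # cash_deposit | overnight_repo | tbill | gov_mmf
    institution: str       # bank, dealer or custodian holding the position
    amount_usd: Decimal
    days_to_maturity: int  # 0 for demand balances, 1 for overnight
    custodied: bool        # segregated, bankruptcy-remote (not unsecured deposit exposure)


def check_portfolio(holdings: list[Holding], limits: Limits = Limits()) -> list[str]:
    """Re-perform the limit tests on a portfolio snapshot; returns the list of breaches."""
    total = sum(h.amount_usd for h in holdings)
    breaches = []
    # 1. Eligible tenor: nothing longer than the statutory maximum.
    for h in holdings:
        if h.days_to_maturity > limits.max_tenor_days:
            breaches.append(f"INELIGIBLE_TENOR: {h.asset} at {h.institution} "
                            f"{h.days_to_maturity}d > {limits.max_tenor_days}d")
    # 2. Weighted average maturity ceiling.
    wam = sum(h.amount_usd * h.days_to_maturity for h in holdings) / total
    if wam > limits.max_wam_days:
        breaches.append(f"WAM: {wam:.1f}d > {limits.max_wam_days}d")
    # 3. Liquidity ladder floors: share of the portfolio maturing within N days.
    ladder = (("overnight", 1, limits.overnight_floor),
              ("30-day", 30, limits.thirty_day_floor),
              ("90-day", 90, limits.ninety_day_floor))
    for label, days, floor in ladder:
        share = sum(h.amount_usd for h in holdings if h.days_to_maturity <= days) / total
        if share < floor:
            breaches.append(f"LADDER_{label}: {share:.1%} < {floor:.0%}")
    # 4. Single-institution cap. Assumption: measured on unsecured (non-custodied) exposure only.
    exposure: dict[str, Decimal] = {}
    for h in holdings:
        if not h.custodied:
            exposure[h.institution] = exposure.get(h.institution, Decimal(0)) + h.amount_usd
    for inst, amt in exposure.items():
        if amt / total > limits.single_institution_cap:
            breaches.append(f"CONCENTRATION: {inst} {amt / total:.1%} > {limits.single_institution_cap:.0%}")
    return breaches


def apply_trade(holdings: list[Holding], funding_bank: str, purchase: Holding) -> list[Holding]:
    """Fund a purchase from a cash deposit at funding_bank and add the new position."""
    out, funded = [], False
    for h in holdings:
        if not funded and h.asset == "cash_deposit" and h.institution == funding_bank:
            if h.amount_usd < purchase.amount_usd:
                raise ValueError("insufficient cash at funding institution")
            remaining = h.amount_usd - purchase.amount_usd
            if remaining > 0:
                out.append(replace(h, amount_usd=remaining))
            funded = True
        else:
            out.append(h)
    if not funded:
        raise ValueError(f"no cash deposit at {funding_bank}")
    return out + [purchase]


def pre_trade_check(holdings, funding_bank, purchase, limits=Limits()):
    """Pre-trade gate: the trade passes only if the post-trade portfolio has no breach."""
    breaches = check_portfolio(apply_trade(holdings, funding_bank, purchase), limits)
    return ("PASS" if not breaches else "BLOCK_PENDING_COMPLIANCE_APPROVAL", breaches)


# Constructed sample portfolio ($500M, not real issuer data); compliant under the defaults.
PORTFOLIO = [
    Holding("cash_deposit", "Bank A", Decimal("100000000"), 0, False),
    Holding("cash_deposit", "Bank B", Decimal("50000000"), 0, False),
    Holding("overnight_repo", "Dealer C", Decimal("100000000"), 1, True),
    Holding("tbill", "Custodian D", Decimal("100000000"), 20, True),
    Holding("tbill", "Custodian D", Decimal("150000000"), 40, True),
]
```

`check_portfolio(PORTFOLIO)` returns an empty list, while `pre_trade_check(PORTFOLIO, "Bank A", Holding("tbill", "Custodian D", Decimal("100000000"), 90, True))` blocks the trade because the post-trade WAM would be 34.2 days; the same bill with a 95-day tenor is also flagged as ineligible.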
Verify that the three Reserve Management impact tolerances are formally documented, accepted by management, operationalized in the controls framework, and tested against actual performance data from the audit period.
| Service | Impact Tolerance | Verification Procedure | Evidence Required |
|---|---|---|---|
| Redemption Processing | 24 hr MAX | Obtain written management sign-off on the 24-hour redemption ceiling as the stated impact tolerance. Inspect system configuration confirming redemption SLA monitoring against this threshold. Sample 20 redemption transactions from the audit period and measure processing time from request validation to confirmed fiat disbursement. Identify any instances where processing exceeded 24 hours and inspect escalation records. | Signed tolerance statement · SLA monitoring configuration · 20 redemption processing timestamps · exception records (if any) |
| Treasury Ledger Recovery | 4 hr RTO | Obtain written management acceptance of the 4-hour RTO for the treasury ledger system. Inspect recovery runbook and verify it specifies step-by-step restoration procedures calibrated to 4-hour ceiling. Review most recent RTO test results and confirm achieved RTO was within 4 hours. Identify any unplanned outages during the audit period and review actual recovery time records. | Signed RTO statement · recovery runbook · test results with achieved RTO · unplanned outage records (if any) |
| Reserve Records | ~0 RPO | Obtain written management acceptance of near-zero RPO for reserve records. Inspect backup replication configuration — confirm continuous or near-continuous replication with defined maximum data loss threshold (e.g., ≤1 minute). Review most recent RPO test results confirming achieved data loss was within tolerance. Inspect backup replication monitoring to confirm replication lag alerts are configured. | Signed RPO statement · replication configuration · test results with achieved RPO · replication lag alert configuration |
| Step | Evidence Review Procedure | Evidence Required |
|---|---|---|
| Documentation Review | Obtain the written RM-S01 scenario stress test documentation. Verify the scenario description matches the OR Program (48-hour outage + 30% surge). Confirm the scenario was formally accepted by management as a plausible stress test scenario. Review the scenario protocol — does it specify the activation sequence, role assignments, decision points, and 24-hour redemption ceiling as the measure of success? | Written scenario document · management sign-off · protocol documentation |
| Test Execution Evidence | Confirm the scenario test was executed at least once during the audit period (or within the prior 12 months). Obtain the test execution log — verify it covers all six protocol stages (T+0 detection through T+48hr resolution). Confirm the test was conducted with actual system activation, not merely a tabletop discussion. Review observer/facilitator sign-off confirming execution scope. | Execution log · observer sign-off · system activation records |
| Results & Findings | Review test results report. Confirm measured outcomes against impact tolerance: (a) did secondary/tertiary rails activate within the defined timeframe? (b) was the 24-hour redemption ceiling maintained throughout the simulated 48-hour outage with no mandatory pause or gate? (c) was a proactive regulatory communication package dispatched at applicable volume thresholds under the final rule in effect? (d) did the reconciliation engine maintain three-ledger integrity and correct exception alerting throughout the scenario? Inspect any identified gaps and verify remediation actions are completed or formally tracked with milestones. Note re: notification threshold: test evidence should show that the issuer's operational response to high redemption volume is proactive communication and liquidity management — not threshold-triggered redemption suspension, consistent with the principle of maintaining redemption continuity under stress and pending the final rule. | Results report · outcome measurements vs. tolerances · redemption processing continuity evidence · regulatory communication dispatch records · gap/remediation log |
The following escalation thresholds govern how control failures and exceptions identified during this audit are classified and escalated. These thresholds apply to both audit findings and to the operational exception evidence reviewed under § 5.
| Finding Severity | Threshold Definition | Required Management Response | Board Notification |
|---|---|---|---|
| CRITICAL | Control failure directly affecting a Critical-rated inherent risk (RM-R01, RM-R02, RM-R05). Any instance of redemption processing exceeding 24-hour ceiling. Any undetected reconciliation gap >0.01% of supply. Any instance of single-approver minting. | Immediate written response within 5 business days. Interim compensating control implemented within 10 business days. Permanent remediation plan with milestones within 30 business days. | Yes — Board notified within 5 business days of finding communication. Regulator notification assessed. |
| HIGH | Control gap or weakness affecting a High-rated inherent risk. Design adequacy failure on a Priority 2 control. Effectiveness testing exception rate >10% on any single control. | Written response within 10 business days. Remediation plan within 45 business days. | Board informed in next scheduled meeting agenda. |
| MEDIUM | Process gaps, documentation deficiencies, or minor control design improvements identified. Effectiveness testing exception rate >5% on any single control. | Written response within 20 business days. Remediation within 90 days. | Included in periodic management report. |
| LOW | Observations and best-practice recommendations not constituting a control failure. | Management response at discretion. Acknowledged in writing. | Included in annual management report only. |
The audit concludes with an assessment of whether the Reserve Management OR Program meets the minimum threshold for regulatory readiness. Sign-off is granted only when all criteria below are satisfied. Partial sign-off is not available — a single unresolved Critical finding or unmet Mandatory criterion prevents regulatory readiness sign-off.
- All 8 controls assessed as adequately designed (no design failures outstanding)
- Dual-control mint gate confirmed technically enforced with no single-approver bypass path
- Three-ledger reconciliation confirmed to run at each mint/burn event and daily EOD
- Banking rail failover policy specifies secondary and tertiary arrangements with independent rails and tested activation procedures
- CEO/CFO certification workflow confirmed to require reconciliation sign-off before officer signature
- Redemption queue protocol confirms processing continuity — no mandatory pause or gate — at any volume level
- Zero Critical findings from effectiveness testing
- All 12 monthly CEO/CFO certifications completed within 5 business days of month-end
- No redemption processing exceptions exceeding 24-hour ceiling in audit period
- At least one successful banking rail failover test conducted in the audit period (per NIST SP 800-34 / FFIEC BCP)
- Reconciliation exception log shows all exceptions investigated and resolved within defined SLA
- Monetization capacity analysis (liquidity stress test) reviewed by management within prior 12 months
- Written management acceptance of all three impact tolerances (24 hr redemption, 4 hr RTO, ~0 RPO)
- RTO/RPO test results confirm achieved values within tolerance (NIST SP 800-34 §3.5 requirement)
- No unplanned outage during audit period exceeded RTO ceiling without documented post-incident review
- BCP/DR test findings register shows all critical items from most recent test cycle closed or risk-accepted with documented rationale
- RM-S01 scenario test executed within the prior 12 months with documented results showing redemption continuity — no gating
- All GENIUS Act § 4 reserve composition requirements confirmed met throughout audit period (1:1 backing, eligible assets, no rehypothecation)
- OCC NPR § 15.12 / FDIC NPR § 350.15 certification requirements confirmed met for all months
- Issuer's portfolio risk limits documented and consistent with the final rule in effect at audit date; where safe harbor thresholds differ from NPR proposals, issuer has documented rationale
- No open Critical or High findings from this audit at time of sign-off
All findings identified during this audit are recorded in the following format. Each finding is linked to the control, risk, and audit section that generated it. Management responses are recorded in the same log.
| Finding ID | Audit Section | Control / Risk Ref | Finding Description | Severity | Mgmt Response | Remediation Date | Status |
|---|---|---|---|---|---|---|---|
| RM-F-001 | § [X] | RM-C[X] / RM-R[X] | [Describe finding — what was observed, what it means, what the expected state is] | [CRITICAL / HIGH / MEDIUM / LOW] | [Management's agreed corrective action] | [DD/MM/YYYY] | OPEN — IN PROGRESS |
| RM-F-002 | § [X] | RM-C[X] / RM-R[X] | [Describe finding] | [CRITICAL / HIGH / MEDIUM / LOW] | [Management response] | [DD/MM/YYYY] | OPEN — NOT STARTED |