SAMPLE ENGAGEMENT OUTPUT — Prepared by IT Audit Consulting to demonstrate GENIUS Act reserve integrity audit methodology. Data sources: Circle public transparency API, on-chain RPC data, third-party registered public accounting firm attestation (March 2026). Not a commissioned engagement by Meridian Payment Stablecoin Corp.. IT Audit Consulting has no affiliation with Meridian Payment Stablecoin Corp. or the registered public accounting firm referenced herein. IT Audit Consulting is not a Registered Public Accounting Firm. Past institutional affiliations referenced for biographical purposes only.
// Stablecoin Reserve Integrity Monitor — Sample Engagement Output
Stablecoin Reserve Integrity Audit Report
GENIUS Act · 25 Controls · 5 Domains · Independent Opinion
Token
Meridian USD (MUSD)
Issuer
Meridian Payment Stablecoin Corp.
Snapshot Date
17 March 2026 — 00:00:00 UTC
Regulatory Framework
GENIUS Act (Jul 2025) · OCC NPRM (Feb 2026)
Attestation Firm
Third-Party registered public accounting firm (Mar 2026)
Prepared By
IT Audit Consulting
// Stablecoin Reserve Integrity Monitor Dashboard Technical Architecture Audit Report
// Audit work program, control test results, and findings for the Stablecoin Reserve Audit Work Program.
← View Dashboard
// Audit Work Program — Control Test Results (25 Controls Across 5 Domains)
Ctrl IDControl ObjectiveRiskTest ProcedureEvidenceResult
RES-01Reserves held in segregated, bankruptcy-remote accountsHIGHInspected custody agreements; verified non-commingling with operating funds; confirmed custodian segregationCustody agreements, bank confirmation letters 2026-03-01PASS
RES-02Reserve assets restricted to OCC proposed permitted assets only (per proposed § 15.11(b))HIGHObtained portfolio file; verified no corporate debt or crypto holdings; confirmed all instruments within 93-day maturityregistered public accounting firm portfolio schedule and attestationPASS
RES-03Daily reserve ratio: FMV(assets) ≥ outstanding token supply (100% floor)HIGHIndependently recalculated using independent price feed service; compared to issuer 30-day reserve ledger30-day reserve ledger, independent price feed logPASS
RES-04Monthly third-party attestation by registered public accounting firm covering existence, completeness, valuationMEDIUMConfirmed registered public accounting firm engagement letter; verified scope aligns with GENIUS Act §4(b)(1)Registered public accounting firm attestation report, engagement letterPASS
RES-05No rehypothecation, pledging, or commingling of reserve assetsHIGHInspected custodian confirmations for restriction clauses; verified no securities lending agreementsCustodian statements, negative confirmation letterPASS
Ctrl IDControl ObjectiveRiskTest ProcedureEvidenceResult
ISS-01Minting triggered only upon verified fiat deposit (T+0 wire confirmation)HIGHSelected 25 mint events; traced each to corresponding verified wire; confirmed zero exceptionsMint log, wire confirmation receipts, 25-sample analysisPASS
ISS-02Multi-party authorization (3-of-5 multi-sig: Treasury + Compliance + Technology)HIGHReviewed smart contract governance parameters; verified multi-sig threshold is 3-of-5 keyholdersSmart contract audit, multi-sig approval logsPASS
ISS-03Burn events linked to authenticated redemptions; reserve released within proposed OCC T+2 window (per proposed § 15.12)HIGHSampled 20 burn events; confirmed each has corresponding validated redemption; verified reserve release timingBurn log, redemption queue, reserve ledger updatesPASS
ISS-04Smart contract upgrade: 48-hour timelock, 4-of-7 approval, independent pre-deployment auditMEDIUMVerified 48-hour timelock configuration; confirmed last upgrade required 4-of-7 key approvalGovernance log, upgrade proposal records, independent smart contract audit reportPASS
ISS-05Emergency pause function tested quarterly; runbook maintained and accessibleMEDIUMConfirmed pause function present in contract ABI; identified last test executed Q4 2025 — Q1 2026 test not yet completedTest execution log Q4 2025, contract ABI, DR runbookREVIEW
Ctrl IDControl ObjectiveRiskTest ProcedureEvidenceResult
CST-01Minter/Burner private keys held in FIPS 140-2 Level 3 HSMs with geographic key shardingHIGHInspected HSM vendor certificates; verified Shamir Secret Sharing across 3+ geographic sitesHSM certification, key custody procedure, shard inventoryPASS
CST-02Customer token wallets segregated from platform treasury wallets at smart contract levelHIGHMapped all treasury wallet addresses; confirmed no customer wallets share address spaceWallet address register, on-chain verification (Etherscan)PASS
CST-03RBAC for key management; quarterly access recertification; terminated user offboarding within 24 hoursMEDIUMObtained IAM export; verified least privilege; confirmed Q4 2025 recertification; reviewed offboarding logIAM report, access recertification sign-offs, offboarding logPASS
CST-04Cold storage for more than 90% of key material; hot wallet cap enforced with automated alertingHIGHConfirmed hot wallet threshold policy (less than 10%); verified cold/hot split in custodian statement; tested alert configurationCustodian statement, cold storage inventory, alert configurationPASS
CST-05Annual penetration test by independent firm; all Critical/High findings closed within SLAMEDIUMObtained January 2026 independent penetration test report; confirmed zero open Critical or High findingsindependent penetration test report [Q4 2025], remediation trackerPASS
Ctrl IDControl ObjectiveRiskTest ProcedureEvidenceResult
RCN-01Automated daily three-ledger reconciliation: Blockchain / Issuer Ledger / Reserve Ledger at 00:00 UTCHIGHReviewed reconciliation engine architecture; confirmed automated job schedule; inspected 30-day exception logReconciliation job logs, exception report log (30 days)PASS
RCN-02Cross-chain supply reconciles to Circle issuer API within $0 tolerance at snapshotHIGHIndependently queried totalSupply() on all 6 chains at snapshot datetime; compared to Circle APIIndependent blockchain query output, Circle API response logPASS
RCN-03Pending settlement in suspense account; all items cleared within proposed OCC settlement window (per proposed § 15.12)MEDIUMInspected suspense account aging report; confirmed no items aged more than 2 business daysSuspense aging report, settlement confirmation logPASS
RCN-04Exception alerts auto-generated and routed to Risk Officer within 15 minutes of breachMEDIUMReviewed alert configuration thresholds; tested alert via synthetic variance injection in UATAlert configuration doc, UAT test evidence, notification logPASS
RCN-05Monthly reconciliation report signed off by CFO and CRO before attestation submissionLOWObtained monthly reconciliation reports for Jan–Mar 2026; confirmed both CFO and CRO electronic sign-offSigned reconciliation reports Jan–Mar 2026PASS
Ctrl IDControl ObjectiveRiskTest ProcedureEvidenceResult
RED-01Redemption at par ($1.00 per token) per proposed OCC § 15.12 — no gates or fees during normal operationsHIGHReviewed terms of service and redemption policy; confirmed no gates exist under normal conditions; 10-sample redemption traceRedemption policy v4.2, 10-sample redemption confirmationsPASS
RED-02Redemption settlement within proposed OCC T+2 window (per proposed § 15.12) — 100% of sampleHIGHSampled 30 redemptions; computed settlement time from token burn to wire receipt for eachRedemption settlement log, wire receipts, 30-sample analysisPASS
RED-03Liquidity stress buffer: cash plus overnight repo at or above 15% of outstanding supply for T+0 redemptions (illustrative threshold)HIGHConfirmed cash plus overnight repo = 15.0% of outstanding supply (above 15.0% illustrative minimum for T+0 buffer)Liquidity model output, reserve composition 2026-03-17PASS
RED-04Quarterly stress testing: 20% and 50% simultaneous redemption scenarios documentedMEDIUMObtained Q4 2025 stress test report. Q1 2026 report not yet completed as of audit snapshot dateQ4 2025 stress test report; Q1 2026 pendingREVIEW
RED-05Consumer disclosure: FDIC non-insurance disclaimer; redemption rights documented in user agreementLOWReviewed user-facing disclosures on website and in account agreement; confirmed FDIC disclaimer presentUser agreement v4.2, website disclosure screenshot 2026-03-17PASS
// Findings & Recommendations — 2 Open Items (Neither Material)
FINDING 1 OF 2 — ISS-05 — Token Issuance Controls
Emergency Pause Function — Q1 2026 Quarterly Test Overdue
MEDIUM Remediation: 31 Mar 2026
Observation
The smart contract emergency pause function was last tested in Q4 2025. The quarterly testing schedule required a Q1 2026 test to have been completed by the audit snapshot date of 17 March 2026. No Q1 2026 test execution log was provided.
Regulatory Implication
OCC safety and soundness expectations require operational controls to be tested on their prescribed frequency. A gap in quarterly testing creates documentation risk during examination.
Recommendation
Complete Q1 2026 pause function test in UAT environment by 31 March 2026. Document test scenario, execution steps, results, and sign-off in the control evidence repository.
Management Response
Confirmed. Testing scheduled for 28 March 2026. Technology Risk team has been assigned ownership. Evidence package to be submitted to Audit by 31 March 2026.
FINDING 2 OF 2 — RED-04 — Redemption Assurance
Q1 2026 Liquidity Stress Test Not Yet Completed
MEDIUM Remediation: 31 Mar 2026
Observation
The Q1 2026 liquidity stress test report had not been completed as of the audit snapshot date. The Q4 2025 report was reviewed and found complete. The 20% and 50% simultaneous redemption scenarios are required quarterly under the issuer's own governance framework and OCC supervisory expectations.
Regulatory Implication
Under the GENIUS Act and OCC supervisory expectations, quarterly stress testing is a documented requirement. An incomplete quarterly cycle creates a gap in the evidence record ahead of the monthly attestation period.
Recommendation
Complete Q1 2026 stress test by 31 March 2026 using updated reserve composition as of 17 March 2026. Ensure scenarios include a 20% and 50% simultaneous redemption event with documented liquidity sources and action triggers.
Management Response
Confirmed. Internal Risk team to complete by 28 March 2026 with CFO and CRO sign-off by 31 March 2026. Results to be shared with Audit upon completion.
// Independent Opinion & Conclusion
Based on the procedures described in this report, IT Audit Consulting is of the opinion that, as of 17 March 2026 at 00:00:00 UTC, the circulating supply of Meridian USD (MUSD) as verified on-chain across six blockchains is fully reconciled with the issuer's reported circulating supply, and the fair market value of reserve assets held in segregated custodial accounts equals or exceeds outstanding token supply at a coverage ratio of 100.80%. Reserve assets consist exclusively of OCC NPRM Option A permitted instruments. No material control deficiencies were identified across the five control domains tested. Two medium findings were raised relating to quarterly testing cadence and are subject to agreed management remediation plans with a deadline of 31 March 2026.
This opinion is limited to the procedures performed and the data sources described herein. It does not constitute a full financial statement audit. IT Audit Consulting is not a Registered Public Accounting Firm and this report does not substitute for the monthly attestation required under the GENIUS Act. This report is intended to supplement, not replace, the registered public accounting firm attestation required under the GENIUS Act.