Phase 7 · Program Stream — ICA Gap Assessment

ICA Gap Assessment

The Program Stream synthesis engine. Takes two simultaneous inputs from Phase 6 — the Control Bridge (framework traceability lens, Design Input) and the PRC Mapping (operational reality lens, Process Input) — and produces a prioritized control deficiency register across all 11 ICA Control Stack layers. This answers: "Are controls correctly designed against regulatory expectations?" — the Program Stream question. Contrast with the Phase 7 Operations Stream (Operational Risk Assessment), which asks whether controls are actually activating correctly in real time.

Phase 6 Design Input — Framework Lens
Control Bridge (Phases 4–6)
NIST CSF 2.0 function codes → FFIEC handbook guidance → OCC CSW examination procedures → ICA Control Stack layer → Implementation requirements. Defines what a compliant control environment looks like per layer.
Phase 6 Process Input — Operational Reality Lens
PRC Mapping (8 Domains)
Issuance Authorization → Minting → Reserve Management → Custody → Distribution & AML → Smart Contract → Redemption → Attestation. Defines what controls are actually in place across the operational lifecycle.
PROGRAM STREAM OUTPUTS
Gap heat map — 11 ICA layers Prioritized deficiency register Routes to Phase 8 Compliance Examination Routes to Phase 9 Program Maturity Routes to Phase 10 Full Assurance
FILTER BY PRIORITY
GAP TYPE
— gaps shown
Gap Heat Map

Control Layer Risk Rating

Risk rating per layer based on synthesis of Control Bridge examination requirements and PRC Mapping operational reality. Click any layer to jump to its gaps in the register below.

Gap Register

Prioritized Control Deficiency Register

Each gap is drawn from the intersection of Control Bridge examination procedures and PRC Mapping operational controls. Gap type distinguishes control design weakness (the control as designed cannot work), operating gap (the control is designed adequately but not operating), and missing control (no control exists). The PPSI 5 Critical Risks are the top 5 items from this register.

Control Gap Register
SORTED BY PRIORITY · DESIGN / OPERATING / MISSING CONTROL
Layer Gap Gap Type Regulatory Source Remediation Priority Routes to
Assurance Routing

From Gap Register to Assurance Execution

The gap register feeds three downstream assurance tiers. Each tier addresses gaps at a different level of rigor — from baseline validation through maturity assessment to full audit execution.

Phase 8 · Program Stream
Compliance Examination
Multi-regulator baseline
All critical and high gaps feed directly into the 4-regulator examination checklist
PPSI 5 Critical Risks are the top 5 items from this register, embedded as flagged items in Phase 8
Pass/fail status tracked per item — feeds back into gap register completion
Audience: all PPSIs — Program Stream compliance examination entry point
Open Compliance Validation →
Phase 9 · Program Stream
Program Maturity & SOC 2 Readiness
CMMI path + SOC 2 gap assessment
Operating gaps and design gaps map to specific maturity levels — gap analysis determines which level you are currently at
SOC 2 Type II readiness assessment — gap register identifies controls not yet at Level 3
DevSecOps pathway maps gap resolution to engineering lifecycle steps
Audience: FinTech/crypto-native firms building toward SOC 2 Type II
Open Maturity & SOC 2 →
Phase 10 · Full Convergence
Full Integrated Assurance
SOC 2 Type II + integrated audit
All critical gaps trigger SOC 2 key control testing — material weakness evaluation applies to bridge control (L7) and reserve integrity (L3)
SOX ICFR gaps (L3 reserves, L5 custody) require financial statement assertion testing
8-domain integrated audit work program inherits gap register findings as risk-based scope
Audience: PPSI charter applicants, institutions facing OCC/FDIC examination
Open Full Assurance →