Phase 7 · Program Stream — ICA Gap Assessment
ICA Gap Assessment
The Program Stream synthesis engine. Takes two simultaneous inputs from Phase 6 — the Control Bridge (framework traceability lens, Design Input) and the PRC Mapping (operational reality lens, Process Input) — and produces a prioritized control deficiency register across all 11 ICA Control Stack layers. This answers: "Are controls correctly designed against regulatory expectations?" — the Program Stream question. Contrast with the Phase 7 Operations Stream (Operational Risk Assessment), which asks whether controls are actually activating correctly in real time.
PROGRAM STREAM OUTPUTS
Gap heat map — 11 ICA layers
Prioritized deficiency register
Routes to Phase 8 Compliance Examination
Routes to Phase 9 Program Maturity
Routes to Phase 10 Full Assurance
Gap Heat Map
Control Layer Risk Rating
Risk rating per layer based on synthesis of Control Bridge examination requirements and PRC Mapping operational reality.
Gap Register
Prioritized Control Deficiency Register
Each gap is drawn from the intersection of Control Bridge examination procedures and PRC Mapping operational controls. Gap type distinguishes control design weakness (the control as designed cannot work), operating gap (the control is designed adequately but not operating), and missing control (no control exists). The PPSI 5 Critical Risks are the top 5 items from this register.
| Layer | Gap | Gap Type | Regulatory Source | Remediation | Priority | Routes to |
Assurance Routing
From Gap Register to Assurance Execution
The gap register feeds three downstream assurance tiers. Each tier addresses gaps at a different level of rigor — from baseline validation through maturity assessment to full audit execution.
All critical and high gaps feed directly into the 4-regulator examination checklist
PPSI 5 Critical Risks are the top 5 items from this register, embedded as flagged items in Phase 8
Pass/fail status tracked per item — feeds back into gap register completion
Audience: all PPSIs — Program Stream compliance examination entry point
Open Compliance Validation →
Operating gaps and design gaps map to specific maturity levels — gap analysis determines which level you are currently at
SOC 2 Type II readiness assessment — gap register identifies controls not yet at Level 3
DevSecOps pathway maps gap resolution to engineering lifecycle steps
Audience: FinTech/crypto-native firms building toward SOC 2 Type II
Open Maturity & SOC 2 →
All critical gaps trigger SOC 2 key control testing — material weakness evaluation applies to bridge control (L7) and reserve integrity (L3)
SOX ICFR gaps (L3 reserves, L5 custody) require financial statement assertion testing
8-domain integrated audit work program inherits gap register findings as risk-based scope
Audience: PPSI charter applicants, institutions facing OCC/FDIC examination
Open Full Assurance →