March 22, 2026
Methodology About Contact
TOKENIZATION COMPLIANCE
The Vanderbilt Terminal for Digital Asset Compliance
INDEPENDENT GLOBAL INTELLIGENCE FOR COMPLIANCE & REGULATION
MiCA Licensed CASPs: 12 ▲ Deadline Jul 2026 | AML Fines (2026): $2.1B ▲ Global Crypto | KYC Verifications: 890M ▲ 2025 Global | Travel Rule: 72% ▲ VASP Compliance | SEC No-Action: 4 Letters ▲ Tokenized Securities | Compliance Software: $1.8B ▲ Market Size | VASP Registrations: 3,400+ ▲ Global | 1099-DA Deadline: Jan 2027 ▼ First Filing | MiCA Licensed CASPs: 12 ▲ Deadline Jul 2026 | AML Fines (2026): $2.1B ▲ Global Crypto | KYC Verifications: 890M ▲ 2025 Global | Travel Rule: 72% ▲ VASP Compliance | SEC No-Action: 4 Letters ▲ Tokenized Securities | Compliance Software: $1.8B ▲ Market Size | VASP Registrations: 3,400+ ▲ Global | 1099-DA Deadline: Jan 2027 ▼ First Filing |
Home Stablecoin Compliance Stablecoin Audit and Attestation Compliance: CPA Requirements
Layer 1

Stablecoin Audit and Attestation Compliance: CPA Requirements

Complete guide to stablecoin audit and attestation compliance covering AICPA standards, attestation engagement procedures, reserve verification, CPA firm selection, and reporting requirements under the GENIUS Act and MiCA.

Advertisement

Audit and attestation compliance is the transparency mechanism that gives stablecoin holders, regulators, and the market confidence that a stablecoin is actually backed by the reserves its issuer claims. The history of the stablecoin market is littered with instances where issuers’ claims about reserve backing did not match reality – from Tether’s admission that USDT was not fully backed at all times to the opacity of reserve composition that characterized the market before regulatory frameworks mandated independent verification. The GENIUS Act, MiCA, and other regulatory frameworks now require specific, frequent, and standardized verification by registered accounting professionals.

Attestation vs. Audit: Understanding the Difference

Attestation Engagement

An attestation engagement is a review by an independent accountant of specific assertions made by management. For stablecoin issuers, the primary assertion is: “The value of reserve assets equals or exceeds the total outstanding stablecoin supply as of [date].”

Types of Attestation:

  • Examination (highest assurance): The accountant performs procedures sufficient to express an opinion on whether the assertion is fairly stated in all material respects. This is the standard required by the GENIUS Act and is equivalent in assurance level to a financial statement audit.
  • Review (moderate assurance): The accountant performs limited procedures (primarily inquiry and analytical procedures) and provides negative assurance (“nothing came to our attention…”). Lower assurance than an examination.
  • Agreed-Upon Procedures (no assurance): The accountant performs specific procedures agreed upon by the parties and reports findings without providing assurance. This was the standard historically used by some stablecoin issuers and is no longer considered sufficient by regulators.

Financial Statement Audit

An audit of the stablecoin issuer’s complete financial statements, conducted under PCAOB or AICPA auditing standards. The audit covers the issuer’s financial position, results of operations, and cash flows – not just the reserve.

When Both Are Required: Under the GENIUS Act, stablecoin issuers must obtain:

  1. Monthly attestation on reserve adequacy (examination-level engagement)
  2. Annual audited financial statements (PCAOB-standard audit)

Both engagements may be performed by the same firm, but the attestation and audit serve different purposes and follow different standards.

AICPA Standards for Stablecoin Attestation

AT-C Section 205: Examination Engagements

The AICPA’s Attestation Standards, specifically AT-C Section 205, govern examination engagements. For stablecoin reserve attestations:

Management’s Assertion: The stablecoin issuer’s management must provide a written assertion that:

  • The total value of reserve assets equals or exceeds the total outstanding stablecoin supply as of the examination date
  • Reserve assets are of the types and quality specified by the applicable regulatory framework
  • Reserve assets are held in properly segregated accounts

Practitioner’s Procedures: The CPA performing the examination must:

  1. Obtain an understanding of the stablecoin issuer’s operations, reserve management process, and internal controls
  2. Assess the risk of material misstatement
  3. Perform procedures to obtain sufficient appropriate evidence, including:
    • Confirm reserve asset balances with custodians, banks, and counterparties
    • Inspect evidence of asset ownership and segregation
    • Verify the total outstanding stablecoin supply across all blockchains
    • Reconcile reserve values to independent pricing sources
    • Test the completeness and accuracy of the reserve composition
    • Evaluate the adequacy of internal controls over reserve management
  4. Form an opinion on whether the assertion is fairly stated

Practitioner’s Report: The report includes:

  • Identification of management’s assertion
  • Description of the nature of the engagement
  • The practitioner’s opinion (unmodified, qualified, adverse, or disclaimer)
  • Any material findings or exceptions

SOC 1 and SOC 2 Reports

Some stablecoin issuers also obtain SOC (System and Organization Controls) reports:

  • SOC 1: Focuses on controls relevant to user entities’ financial reporting (relevant for institutional users of the stablecoin)
  • SOC 2: Focuses on controls related to security, availability, processing integrity, confidentiality, and privacy (relevant for all stablecoin users)

SOC reports complement but do not replace the reserve attestation requirement.

Reserve Verification Procedures

Stablecoin Supply Verification

The accountant must independently verify the total outstanding supply of stablecoins:

  1. Query the blockchain(s) on which the stablecoin is deployed to determine the total supply
  2. For multi-chain stablecoins: aggregate supply across all chains, accounting for bridged and locked tokens
  3. Compare the blockchain-derived supply to the issuer’s internal records
  4. Verify that the minting/burning process is consistent with reported supply changes
  5. Account for any stablecoins that are treasury-held (issued but not yet distributed)

Technical Challenges:

  • Multi-chain deployment requires querying multiple blockchain nodes or data providers
  • Bridge contracts may complicate supply calculation (tokens locked on one chain and minted on another)
  • The accountant needs technical expertise or must engage blockchain specialists
  • Real-time supply fluctuations require point-in-time snapshot methodology

Reserve Asset Verification

Treasury Securities:

  • Confirm holdings with the custodian (independent confirmation letter)
  • Verify CUSIP numbers, maturity dates, and face values
  • Obtain mark-to-market valuations from independent pricing services (Bloomberg, Refinitiv)
  • Verify that securities are held in segregated custody accounts

Bank Deposits:

  • Confirm balances with each depository institution (standard bank confirmation letter)
  • Verify that accounts are properly titled and segregated
  • Confirm that no liens, pledges, or encumbrances exist on the accounts
  • For FDIC-insured deposits: verify coverage per the $250,000 per depositor limit

Reverse Repos:

  • Confirm outstanding agreements with counterparties
  • Verify collateral (US Treasury securities) held in triparty custody
  • Confirm maturity dates and rates
  • Verify that agreements include adequate margin and default provisions

Federal Reserve Balances:

  • Confirm balances with the Federal Reserve Bank
  • Verify account ownership and access

Reconciliation

The accountant performs a reconciliation:

Total Outstanding Stablecoin Supply (blockchain-verified)    $X,XXX,XXX,XXX
Total Reserve Assets (independently verified)                $X,XXX,XXX,XXX
Over/(Under) Collateralization                               $XX,XXX,XXX
Reserve Ratio                                                10X.X%

The reserve ratio must be 100% or greater for compliance. Any shortfall constitutes a qualification or adverse finding.

CPA Firm Selection

Qualification Requirements

The CPA firm performing stablecoin attestations must:

  • Be registered with the PCAOB (for annual audits of issuers subject to GENIUS Act)
  • Have experience with financial services attestation engagements
  • Have technical capability to verify blockchain-based supply data
  • Maintain independence from the stablecoin issuer under AICPA/PCAOB independence standards
  • Have adequate professional liability insurance

Leading Firms

Tier 1 (Large stablecoin issuers):

  • Grant Thornton: Performs USDC attestations for Circle. Deep experience with stablecoin reserve verification.
  • Deloitte: Engaged by institutional stablecoin projects. Full-service capability.
  • KPMG: Crypto-asset advisory and attestation practice.

Tier 2 (Mid-size issuers):

  • WithumSmith+Brown: Previously performed Paxos attestations. Specializes in digital asset clients.
  • BDO: Growing digital asset practice with attestation capability.
  • Armanino: Early mover in crypto attestation (performed Tether attestations). Known for blockchain-integrated audit tools.

Tier 3 (Smaller issuers):

  • Friedman LLP: Historically engaged by crypto clients.
  • Marcum LLP: Digital asset attestation and audit practice.
  • Cohen & Company: Growing crypto practice.

Engagement Costs

Engagement TypeFrequencyCost Range
Monthly reserve attestation (examination)Monthly$25,000-$75,000 per month
Annual financial statement auditAnnual$200,000-$500,000
SOC 2 Type II reportAnnual$100,000-$250,000
Agreed-upon procedures (supplementary)As needed$15,000-$50,000
Total Annual$600,000-$1,650,000

Independence Considerations

CPA independence requirements restrict certain relationships:

  • The CPA firm cannot have a financial interest in the stablecoin issuer
  • The firm cannot provide certain non-audit services that impair independence (management functions, bookkeeping, valuation services used in the attestation)
  • Personnel involved in the attestation must be rotated according to applicable standards
  • The firm must evaluate independence annually and document the assessment

Regulatory Reporting

GENIUS Act Reporting

  • Monthly attestation reports must be published on the issuer’s website within 30 days as required under the stablecoin licensing framework
  • Annual audited financial statements must be filed with the OCC or state regulator
  • The regulator may request additional ad hoc attestation engagements

MiCA Reporting

  • ART issuers must have reserves audited every six months
  • Audit results must be published on the issuer’s website within three months
  • The NCA or EBA may request additional verification

Best Practices

  1. Engage the attestation firm early – before launching the stablecoin, not after. The firm needs time to understand the reserve structure and design appropriate procedures.
  2. Invest in internal controls over reserve management. Strong controls reduce attestation cost and risk of findings.
  3. Automate blockchain supply verification using standardized tools that the attestation firm can independently validate.
  4. Maintain continuous reserve adequacy – not just at the monthly attestation date. Point-in-time testing can miss intra-period shortfalls.
  5. Publish attestation reports promptly and in full. Redacting or delaying publication undermines the transparency purpose.
  6. Prepare for expanded scope as regulators refine attestation requirements. The trend is toward more frequent, more granular verification.
Advertisement
Related Articles
GENIUS Act Compliance Guide: Stablecoin Issuer Requirements
GENIUS Act Compliance Requirements: Stablecoin Regulation Implementation Guide
MiCA EMT and ART Compliance: European Stablecoin Rules
Payment Stablecoin Compliance: Money Transmission and E-Money
Stablecoin AML Compliance: Transaction Monitoring and Reporting
Advertisement
Network Intelligence

Institutional Access

Coming Soon