Welcome to USD1audit.com

What audit means here

For USD1 stablecoins, the word audit is often used loosely in public conversation. A full financial statement audit (a broad review of annual financial statements) is different from a reserve attestation (a narrower accountant review of management's claims about reserves or controls), and both are different from a smart contract audit (a security review of blockchain code). Good reporting starts by naming the scope, the criteria used, the period covered, and the firm that performed the work. The Public Company Accounting Oversight Board, or PCAOB, says attestation work needs suitable criteria, meaning benchmarks that are objective, measurable, complete, and relevant. The American Institute of Certified Public Accountants, or AICPA, published 2025 criteria for reporting on USD1 stablecoins to supply that common frame for reserve and control reporting.^[6][7][8]

That distinction matters because a public reader can otherwise mistake a narrow reserve check for a complete audit of USD1 stablecoins. The New York Department of Financial Services, or DFS, for example, separately focuses on redeemability, reserve assets, and attestations, and it also notes that audited financial statements can still be required under other law. In other words, a reserve report can be important without answering every legal, operational, and balance sheet question on its own.^[1]

• Are outstanding USD1 stablecoins fully matched by reserve assets?
• Can holders redeem USD1 stablecoins clearly and on time?
• Are the reserves segregated from the issuer's own operating assets?
• Do the controls, code, and compliance processes work between reporting dates?

Why auditing USD1 stablecoins matters

The promise behind USD1 stablecoins is simple: a unit should be redeemable for one U.S. dollar. The audit problem is that this promise sits on top of several moving parts at once: reserve quality, custody, legal rights, payment operations, code, and governance. Treasury has warned that broader use of USD1 stablecoins can raise risks of destabilizing runs, payment system disruption, and concentration of economic power if oversight is weak. The Financial Stability Board, or FSB (the international body that coordinates financial stability policy), likewise says arrangements need clear governance, effective risk management, transparent disclosures, and timely redemption rights to reduce run risk.^[10][2]

A market price near one dollar is helpful, but it is not the same as audited evidence. The U.S. Securities and Exchange Commission, or SEC, staff statement on certain dollar-backed designs describes how price stability can be supported by a fixed-price mint and redeem process, reserve assets that meet or exceed outstanding USD1 stablecoins in circulation, and arbitrage (buying in one venue and selling in another to profit from price differences) by designated intermediaries (approved firms that can mint or redeem directly with the issuer). The same statement also makes clear that some holders may only access secondary markets, which means short lived deviations from par (face value) can still happen even when a reserve exists.^[5]

This is also why jurisdiction matters. The FSB stresses cross-border coordination, the European Union uses MiCA and related standards, and U.S. authorities have approached the subject through a mix of state supervision, securities analysis, and broader financial stability work. An audit of USD1 stablecoins should therefore be read in context: what rulebook applies, what rights it creates, and what risks it does not address.^{[1][2][3][4][10]}

Reserves and liability matching

The first layer of an audit of USD1 stablecoins is reserve sufficiency. DFS says regulated dollar-backed issuers should be fully backed at the end of each business day and should maintain clear redemption policies. It also specifies a conservative reserve menu: short-dated U.S. Treasury bills, overnight reverse repurchase agreements (overnight financing transactions backed by securities) collateralized by Treasuries, government money market funds within approved limits, and deposit accounts subject to restrictions. That does not make every issuer safe, but it shows what a high-liquidity reserve (assets that can be turned into cash quickly with limited loss) looks like in supervisory practice.^[1]

A real review then reconciles assets to liabilities. For USD1 stablecoins, liabilities means the total outstanding amount that users can demand back through redemption, net of valid cutoff timing (which period a transaction belongs in) and reconciliation items. DFS monthly attestations call for an independent CPA (certified public accountant) to test reserve market value, outstanding units, and whether the reserve was enough both on the last business day of the period and on at least one randomly selected day. That structure is important because it reduces the chance that an issuer simply window-dresses (temporarily improves appearances) on reporting day.^[1]

Reserve size is only one part of the answer. Asset mix matters because a billion dollars of longer-maturity or hard-to-sell holdings is not the same as a billion dollars of cash or short Treasuries. The SEC staff statement on covered dollar-backed designs also points to low-risk and readily liquid reserves such as cash equivalents, demand deposits, Treasury securities, and registered money market funds. When reading public materials on USD1 stablecoins, the key question is not only whether reserves exist, but whether they can meet redemption demand at the speed users reasonably expect.^[5][1]

This is also where proof of reserves (a public demonstration of some reserve balances) can mislead if it is treated as the whole story. Proof of reserves can help confirm that some assets exist, but an audit of USD1 stablecoins must also verify the matching liability total, account ownership, legal segregation, cutoff timing, and whether reserves were pledged, lent, or otherwise reused. The SEC staff statement says some issuers publish proof of reserves, while DFS and the AICPA framework place equal weight on management assertions, reporting criteria, and controls.^[5][1][6][7]

Between-date risk matters as much as point-in-time accuracy. A monthly reserve check is stronger than silence, but it still does not prove that controls worked perfectly every day between two report dates. That is one reason DFS also requires an annual attestation on internal controls, and why the AICPA added a separate controls component to its criteria for reporting on USD1 stablecoins. For USD1 stablecoins, the best reading is therefore cumulative: reserve evidence plus controls evidence, not reserve evidence instead of controls evidence.^[1][6][7]

Legal structure and creditor protection

The second layer is legal structure. Reserve assets for USD1 stablecoins should not sit casually inside the issuer's general operating pool. DFS says reserve assets should be segregated from proprietary assets and held in custody for the benefit of holders, with appropriate account titling. The SEC staff statement similarly notes that risk changes depending on whether reserves may be reached by issuer creditors, and gives bankruptcy-remote (structured to reduce creditor claims on reserve assets if the issuer fails) treatment as an example of a risk-reducing feature.^[1][5]

Redemption rights deserve their own document review. DFS expects clear, conspicuous redemption policies and, absent special circumstances, treats timely redemption as no later than two business days after a compliant request. The FSB goes further at the international level and says users should have a robust legal claim and timely redemption at par for single-currency arrangements. A public report on USD1 stablecoins is weak if it describes reserves in detail but is vague about who can redeem, on what terms, with what fees, and within what time.^[1][2]

This is why lawyers and accountants both show up in a serious audit of USD1 stablecoins. The accountant can test numbers, but only legal analysis can confirm whether holders are senior, unsecured, beneficial owners, or protected in some other way. If direct redemption is limited to designated intermediaries, retail users may depend more heavily on market makers and exchanges than on the issuer itself. That difference affects how much comfort a reserve report truly gives ordinary users.^[5][2]

In practice, the legal file should answer mundane but decisive questions. Which entity issues USD1 stablecoins? Which entity owns the bank accounts or custody accounts? Are the accounts titled for the benefit of holders? Can reserves be used for operating expenses or borrowing? What happens in insolvency (an inability to pay debts)? If an audit package avoids these questions, it may be polished without being especially informative.^[1][5]

Internal controls and governance

The third layer is internal control. In plain English, internal controls are the policies and checks that stop one employee, one script, or one mistaken file from breaking the entire liability and reserve ledger. DFS requires not only regular reserve attestations but also an annual attestation over the effectiveness of internal controls, structure, and procedures for compliance with reserve requirements. That matters because most failures in USD1 stablecoins do not start with a public number; they start with permissions, reconciliations, approvals, exception handling, and incomplete records.^[1]

Accounting standards point in the same direction. The AICPA's 2025 Stablecoin Reporting Criteria describes Part I as a framework for presenting and disclosing outstanding USD1 stablecoins and backing assets, and Part II as criteria focused on risk and controls. Put simply, a good report on USD1 stablecoins should not only say what the reserves were on a date, but also explain the control system that keeps reserves, supply records, and redemptions accurate between dates.^[6][7]

Governance (who can decide what, and under what authority) is part of audit quality too. The FSB says issuers should disclose governance frameworks, conflicts management, risk management, data safeguards, and recovery or resolution planning (how the arrangement is stabilized or wound down safely if it fails). The European Banking Authority, or EBA, MiCA work program likewise includes internal governance arrangements, recovery plans, redemption plans, liquidity rules, and liquidity stress testing (simulating how reserves behave under pressure) for relevant token issuers in the European Union. A file that shows reserves but hides decision rights is not a complete file.^[2][4]

PCAOB attestation guidance is useful here because it reminds readers that attestation is built around criteria and evidence, not general impressions. If management says an issuer of USD1 stablecoins has dual approval for minting, daily reconciliations, restricted access to reserve accounts, and tested incident response, the review should be able to point to evidence for those claims. The more a report depends on management narrative without a clear standard or tested control objective, the less informative it becomes.^[8]

Smart contract and operational security

The fourth layer is technical assurance. A smart contract (software that runs on a blockchain) controls minting, burning, transfer restrictions, and sometimes upgrade paths for USD1 stablecoins. Reviewing that code means asking basic questions: Who can mint? Who can pause? Who can blacklist or restore an address? Can the code be upgraded without user notice? Are supply records consistent across the issuer system and the blockchain? None of these are theoretical questions if large values can move with a few privileged signatures.^[9][2]

The National Institute of Standards and Technology, or NIST, calls its framework the Secure Software Development Framework, or SSDF (a framework for building and maintaining safer software), and says secure development needs organizational preparation, software protection, well-secured releases, and a response process for vulnerabilities. It also says these practices should be integrated into the software development life cycle, not bolted on at the end. For USD1 stablecoins, that means code review should be continuous: dependency tracking, change management, key management, incident response, logging, and post-release monitoring all matter as much as a one-time review before launch.^[9]

Technical audit work also has to cover administrative controls (who can change or override the code). The Financial Action Task Force, or FATF, said in a 2026 report that illicit finance risk in this area can involve smart contract features, cross-chain activity (moving value between blockchains), and unhosted wallets (wallets controlled directly by users rather than by an intermediary). The same report notes good practices such as redemption due diligence and, where appropriate, the ability to freeze, burn, allow-list (limit transfers to pre-approved addresses), or deny-list (block named high-risk addresses) addresses. Those features can help compliance, but they also create concentrated powers. A balanced audit of USD1 stablecoins should explain who holds those powers, how they are approved, logged, tested, and challenged, and what happens if a key is lost or compromised.^[12][2]

Code review, however, is not a substitute for reserve review. An issuer can have elegant smart contracts and weak bank controls, or strong reserve controls and brittle code. The FSB's broad framework, the AICPA's reporting criteria, and NIST's SSDF all point toward the same lesson: the safest reading of USD1 stablecoins is multidisciplinary. The more the public sees only one layer, the more hidden risk remains in the others.^[2][6][9]

Compliance, sanctions, and transfer controls

The fifth layer is compliance testing. FATF's 2021 guidance says countries should assess and mitigate risks tied to virtual asset activity, license or register providers, supervise them, and apply its standards to arrangements involving USD1 stablecoins. For an issuer of USD1 stablecoins, that means an audit of operations is incomplete if it ignores onboarding, sanctions screening, suspicious activity controls, recordkeeping, travel rule handling (required originator and beneficiary information for some transfers), and redemption-side customer due diligence (identity and risk checks).^[11]

The FATF's 2026 targeted report sharpens the point. It highlights peer-to-peer use through unhosted wallets, cross-chain movement, and the difficulty issuers may have controlling activity beyond official redemption channels. It also recommends proportionate controls, including technical and governance measures, stronger public-private cooperation, and supervisory expertise in smart contract functions and blockchain analytics (tools that trace and analyze on-chain movements). Auditing USD1 stablecoins, then, is partly an exercise in checking whether formal policies can actually be enforced in the environments where the tokens circulate.^[12]

There is an important tradeoff here. Stronger compliance features may lower some legal and illicit finance risks, but they can also increase governance risk if the public cannot tell when an address can be frozen, who can authorize it, or how errors are reversed. The FSB's emphasis on transparent disclosure and FATF's emphasis on risk-based controls point to the same answer: power is not the problem by itself; undisclosed power is.^[2][12]

New York DFS also treats this layer as part of the core risk picture. Its guidance says reviews of USD1 stablecoins may consider cybersecurity, information technology, Bank Secrecy Act and anti-money laundering compliance, sanctions, consumer protection, safety and soundness, and payment system integrity in addition to reserve and redemption questions. That is a useful reminder that a narrow reserve attestation can be strong within its own scope while still leaving major compliance and operational questions open.^[1]

Public disclosure and reporting quality

The sixth layer is disclosure quality. The FSB says users and other stakeholders should receive comprehensive and transparent information about governance, conflicts, redemption rights, the stabilization mechanism, operations, risk management, and financial condition. The European Securities and Markets Authority, or ESMA, describes MiCA as a European Union framework built around transparency, disclosure, authorization, supervision, market integrity, and better-informed consumers. In practical terms, a strong public file on USD1 stablecoins should tell readers what was tested, when it was tested, who performed the work, and what was outside scope.^[2][3]

Good public reporting also names the criteria. PCAOB attestation standards say an attest engagement should be performed only when the subject matter can be evaluated against suitable criteria, and it describes suitable criteria as objective, measurable, complete, and relevant. That is why the AICPA's 2025 criteria matter. They give issuers and accountants a common reporting baseline instead of allowing every issuer of USD1 stablecoins to invent its own vocabulary for reserves, disclosures, and controls.^[8][6][7]

It is also important to read legal interpretations narrowly. The SEC staff statement from 2025 addresses a specific category of dollar-backed designs, says it is not a rule and has no legal force or effect, and excludes yield-bearing (paying holders an ongoing return) designs from the statement's scope. So if USD1 stablecoins promise interest, rewards, or some other passive return, a reader should not assume that a narrow reserve-and-redemption analysis answers the entire legal question.^[5]

European readers should be just as careful. MiCA does not rest on a single reserve report. The EBA's pages for relevant token issuers show a broader framework that includes authorization, rules for highly liquid reserve instruments, liquidity management, stress testing, redemption plans, recovery plans, and internal governance. In other words, an audit of USD1 stablecoins that will be used across borders needs to be read against the whole control environment, not only a monthly reserve number.^[4][3]

Red flags when reading an audit or attestation

Several warning signs repeat across weak files on USD1 stablecoins.

• A reserve report never states the reporting standard or the criteria used.^[8][6]
• A proof of reserves display does not reconcile outstanding USD1 stablecoins or explain reconciliation items.^[1][5]
• Asset categories are vague, with no detail on type, due date, custody location, or whether assets can be reused.^[1][5]
• There is no public redemption policy, no fee disclosure, or no timing standard.^[1][2]
• Reserves can be lent, pledged, or used for general operations, or there is no clear statement on segregation and creditor protection.^[1][5]
• Transfer controls exist, but the report does not explain who can freeze, burn, allow-list, or deny-list addresses.^[12][2]
• A code review exists, but there is no evidence of change management, key management, or vulnerability response after release.^[9]

None of these signs automatically proves that USD1 stablecoins are unsound. But each sign narrows the amount of verified information available to the reader, and that means the remaining comfort comes more from trust in management than from tested evidence. For a topic built on redemption promises, that is a meaningful distinction.^[1][2][8]

Common questions about audits of USD1 stablecoins

Is a reserve attestation the same as a full audit?

No. A reserve attestation is usually narrower and tied to specific management assertions and criteria, while a full financial statement audit is broader in scope. DFS guidance itself separates reserve attestations from other audited financial statement obligations, and PCAOB attestation standards treat attest work as its own kind of engagement with its own criteria and evidence rules.^[1][8]

Can a perfect reserve report guarantee that USD1 stablecoins will never trade below one dollar?

No. Market price also depends on market access, redemption frictions, intermediary structure, timing, and user confidence. The SEC staff statement explains that some holders may rely on secondary markets and designated intermediaries for arbitrage, while Treasury has warned that weak oversight can contribute to run dynamics and payment disruption. A reserve report helps, but it is not a guarantee of uninterrupted par trading.^[5][10]

Can public blockchain data remove the need for off-chain audit work?

No. Public blockchain data can help verify circulation and some forms of transaction activity, but it cannot by itself prove who controls reserve bank accounts, how custody is structured, what legal rights holders have, or whether compliance and redemption controls work. That is why supervisory guidance, accounting criteria, and FATF controls all extend beyond on-chain evidence.^{[1][6][11][12]}

Does regulation solve everything?

No. Regulation can set minimum rules, reporting duties, and supervisory expectations, but readers still need to understand scope and gaps. U.S. guidance, the SEC staff view, MiCA, EBA technical standards, FSB recommendations, and FATF guidance all address different pieces of the puzzle. Auditing USD1 stablecoins still requires judgment about how those pieces fit together for a specific issuer, chain, and user base.^{[1][2][3][4][5][11]}

The bottom line

Auditing USD1 stablecoins is best understood as a stack of evidence. Reserves must exist and stay liquid. Liabilities must be counted correctly. Holders need clear redemption rights. Reserves should be segregated. Controls must work between reporting dates. Code and keys need continuous security. Compliance tools must be governed and disclosed. Public reports should use named criteria and narrow scopes. When these layers align, confidence rises. When one layer is missing, the whole promise becomes harder to trust.^{[1][2][6][8][9][12]}

No single report can remove all risk. But a careful audit process can turn the question from Do I like the story to What evidence exists, who tested it, under what standard, and what remains outside scope. That is the right frame for USD1audit.com and for anyone trying to judge USD1 stablecoins on substance rather than marketing.^[1][5][10]