Welcome to USD1auditors.com

What "auditors" means on this page

In everyday crypto conversation, people often use the word "audit" too loosely. A wallet dashboard may be called an audit. A short letter from an accounting firm may be called an audit. A smart contract review (a technical inspection of blockchain code) may be called an audit. A full set of annual financial statements may also be called an audit. Those are very different services. If you are trying to understand USD1 stablecoins, the first job of an auditor is not to create confidence with a slogan. It is to reduce uncertainty by testing evidence against defined criteria and then describing the scope of that work in plain terms.

For USD1 stablecoins, "auditors" can refer to more than one kind of independent reviewer. It may mean a public accounting firm performing a financial statement audit. It may mean a public accounting firm performing an attestation (an independent report on whether specific information matches stated criteria). It may mean specialists reviewing controls over token operations, custody, or cybersecurity (how systems are protected against misuse or attack). In large programs, it may involve multiple reports, each answering a different question. The AICPA published stablecoin-specific reporting criteria in 2025 and then expanded that framework in January 2026 with a second part focused on controls supporting token operations, which shows how quickly this area has been moving.^[1][2]

That distinction matters because different reports give different levels of comfort. A financial statement audit asks whether the financial statements are fairly presented, in all material respects, under the relevant accounting framework (the rulebook used to prepare the statements). "Material" means large enough to matter to a reasonable reader. An attestation examination usually focuses on a narrower subject, such as whether reserves covered outstanding USD1 stablecoins at a stated date. A review is narrower still. Agreed-upon procedures report only the procedures performed and the factual findings. A so-called proof of reserves (a public claim or report meant to show certain reserve assets exist) may be even more limited if it only shows a snapshot of certain addresses or accounts. A good reader should always ask: what exactly was examined, as of what date, under which standards, and with what exclusions?

Another important point is that the word "issuer" needs to be clear. Here, issuer means the entity that creates and redeems USD1 stablecoins. If an exchange lists USD1 stablecoins, or a wallet displays USD1 stablecoins, that does not make the exchange or wallet the issuer. Auditors care deeply about who holds the legal obligation to redeem, who controls reserve assets, who signs off on reports, who has access to mint and burn functions, and whose balance sheet actually bears the liabilities. Global standard setters have emphasized the same themes: governance (who is responsible for which decisions and controls), disclosure, risk management, data quality, and clear redemption rights.^[7][9]

Audit, attestation, and proof of reserves are not the same thing

A useful mental model is to separate three questions.

The first question is financial: do the issuer's financial statements fairly present its assets, liabilities (amounts it owes), revenues, expenses, and related disclosures? That is the home territory of a financial statement audit. The second question is reserve specific: at a stated point in time, did reserve assets (cash or near-cash assets held to support redemption) equal or exceed the obligations tied to outstanding USD1 stablecoins under the chosen criteria? That is often the home territory of an examination or another attestation engagement. The third question is operational: do the systems and controls over minting and burning (creating and destroying units), reconciliations, access rights, custody, incident response, and reporting work as designed over time? That is where controls reporting becomes crucial.^[1][2][11]

For many readers, the easiest mistake is to assume that a reserve report answers all three questions at once. It does not. A month-end reserve examination may say something important about a specific date, but it does not automatically tell you whether the issuer had strong controls all month, whether related party exposures (dealings with affiliates or insiders) were appropriate, whether the redemption process worked under stress, or whether the broader financial statements contain other risks. Likewise, a financial statement audit may be extensive, but if the public report does not separately explain how outstanding USD1 stablecoins were measured and reconciled, readers may still be missing key operating detail.

This is one reason the new AICPA criteria matter. Part I was designed to create a common framework for reporting on outstanding stablecoins and the assets backing them. Part II added criteria for controls supporting token operations. In plain English, that means the profession itself recognized that point-in-time reserve numbers are not enough. The quality of the surrounding control environment also matters, especially for products like USD1 stablecoins that depend on both offchain (outside the blockchain) assets and onchain (recorded on the blockchain) activity.^[1][2]

Now compare that with a simple proof of reserves claim. If an issuer posts a list of wallets, a chart, or a one-page memo, the information may still be useful. Onchain data can confirm whether certain addresses held particular assets at a point in time, and bank confirmations can support certain cash balances. But an informal proof of reserves usually does not answer all of the harder questions an auditor asks. It may not test completeness of liabilities, rights to assets, side agreements, concentration risk (too much dependence on one asset, counterparty, or custodian), control failures between reporting dates, or whether some reserve assets were pledged, reused, or otherwise restricted. Under the U.S. payment stablecoin statute adopted in July 2025, monthly reports must include the total number of outstanding payment stablecoins and the amount and composition of reserves, including average tenor (average time to maturity) and geographic location of custody, and those monthly reports must be examined by a registered public accounting firm.^[4]

That legal move matters beyond the United States. It pushes the market vocabulary toward more precise language. If a public accounting firm is performing an examination under a statutory framework, the reader should expect clearer criteria, clearer dates, clearer management assertions, and clearer responsibilities. If the document does not say those things, the safest assumption is that its scope is limited.

The core questions an auditor asks about USD1 stablecoins

When an auditor evaluates USD1 stablecoins, the headline question sounds simple: are the reserves there? In practice, that broad question breaks into a chain of narrower questions.

The first is existence. Do the claimed reserve assets actually exist as of the report date? If the reserves are cash at banks, the auditor may obtain bank confirmations, examine statements, and test reconciliations. If the reserves include short-dated government securities, money market holdings, or reverse repurchase positions, the auditor will want independent evidence from custodians, brokers, trustees, or other third parties. Existence sounds basic, but it is only the beginning.

The second is rights and restrictions. Does the issuer have legal rights to those reserve assets, and are the assets available to support redemptions of USD1 stablecoins? This is where liens, pledges, rehypothecation restrictions (limits on reusing pledged assets), custody agreements, bankruptcy remoteness claims (claims that reserve assets are kept apart from the issuer's assets if the issuer fails), and reserve segregation become important. A balance may exist but still be less useful than readers think if the asset is encumbered (legally tied up), pledged, or held in a way that delays access during stress. The U.S. statute for payment stablecoins expressly addresses reserve composition, public reserve reporting, and a prohibition on reserve rehypothecation, which shows how central this issue has become.^[4]

The third is valuation. Even if the reserve assets exist and belong to the issuer, how should they be measured? Cash is straightforward. Treasury bills are usually less ambiguous than longer-dated or less liquid instruments, but valuation still depends on the measurement basis, the reporting framework, and any premium, discount, or accrued interest. Liquidity (how quickly something can be turned into cash without a major loss) also matters. A reserve asset can look safe on paper and still create timing risk if it cannot be converted quickly enough to meet heavy redemption demand.

The fourth is completeness of liabilities. Auditors do not only count reserve assets. They also need to know how many USD1 stablecoins were outstanding at the relevant time. That requires reconciliation (matching one record to another) between blockchain data, internal mint and burn logs, treasury records, omnibus accounts, and any other systems that affect circulating supply. This is where onchain visibility helps, but it does not fully solve the problem. Wrapped versions, bridged versions (representations moved across blockchains), tokens held in treasury wallets, and tokens pending settlement can complicate the count. If the liability side is incomplete, the reserve ratio can look stronger than it really is.

The fifth is cutoff and timing. Were transactions recorded in the right period and at the right time? Suppose a large reserve transfer arrived just before month-end, or a large redemption request was processed just after the reporting timestamp. Suppose reserve assets moved between entities around the reporting date. These details can change the picture materially. Audit work often focuses on whether the report date was just a normal day or a specially managed snapshot.

The sixth is presentation and disclosure. Even when the numbers are correct, readers can still be misled by vague or incomplete disclosure. Good reporting tells you what counts as reserves, where the reserves are held, which legal entity is obligated to redeem, what fees apply, whether redemptions are at par, what the main risks are, and what happened after the reporting date that could matter. The FSB's revised recommendations in 2023 explicitly emphasize comprehensive and transparent information about governance, conflicts of interest, redemption rights, stabilization mechanisms, operations, risk management, and financial condition.^[7]

The seventh is controls. Controls are the checks that reduce the chance of error, manipulation, or unauthorized action. For USD1 stablecoins, strong controls include segregated duties, controlled access to mint and burn permissions, independent reconciliations, exception handling, incident response, and oversight by management and the board. The AICPA's 2026 addition of control criteria for token operations is important because it recognizes that operational integrity is not a side topic. It is part of the trust model itself.^[2]

Why onchain transparency helps, but is not enough

One of the appealing features of USD1 stablecoins is that some parts of the system are visible on a blockchain. You can often inspect smart contracts, track transfers, and estimate circulating amounts. That is useful evidence, and competent auditors should use it. But onchain evidence is only one layer.

Most reserve assets that back USD1 stablecoins are offchain. They may sit in bank deposits, Treasury instruments, money market funds, or other traditional financial arrangements. Those positions are not fully visible onchain. Even when reserve assets are tokenized, a reader still needs to know the legal structure, custodian, settlement terms, and whether the issuer has a clean claim to the asset. Offchain evidence therefore remains essential.

Onchain visibility also says little by itself about legal promises. A blockchain can show that USD1 stablecoins exist and moved. It cannot by itself tell you whether a holder has a robust legal claim against the issuer or the reserve assets, whether the issuer must redeem at par on demand, what disclosure obligations apply, or how insolvency law would treat the reserve pool. Those are legal and regulatory questions. The FSB's recommendations are explicit that stablecoin arrangements should provide a robust legal claim and timely redemption, and that users should receive comprehensive disclosures.^[7]

A final limitation is operational. A contract may look correct in code and still be governed poorly. If a small number of keys can mint unlimited USD1 stablecoins, freeze redemptions, or reroute reserves, then governance and access control matter as much as the visible code path. That is why a narrow smart contract review, while helpful, is not a substitute for broader assurance over issuer operations and reserve management.

How reserve testing usually works in practice

A careful reserve engagement for USD1 stablecoins often begins with scope. Which legal entity is reporting? Which blockchains are in scope? Which versions of USD1 stablecoins count as outstanding? What reserve assets count as eligible? What timestamp defines the reporting date? Without precise scoping, even a technically correct report can mislead.

After scope, the auditor usually tests the liability side. Management provides the count of outstanding USD1 stablecoins, and the auditor tests how that figure was produced. That can include inspecting mint and burn logs, tracing transactions to chain data, checking treasury wallets, reconciling internal ledgers to public supply data, and testing exceptions. If there are bridge arrangements (setups that move or represent units across blockchains), omnibus wallets (pooled wallets serving many users), or third-party minting relationships, those must be evaluated too.

The auditor then tests the asset side. For cash, this commonly means independent confirmations and statement review. For securities or fund holdings, it can mean custodian confirmations, broker statements, portfolio listings, and valuation testing. For repo or similar positions (short-term funding arrangements backed by securities), the auditor may inspect agreements, counterparties, collateral terms, and maturities. The point is not only to total the reserve assets, but to understand their composition, quality, liquidity, and availability for redemption.

Next comes the matching exercise. Do eligible reserve assets cover the obligations tied to outstanding USD1 stablecoins under the stated criteria? If the criteria say only certain asset types qualify, nonqualifying holdings are excluded. If the criteria call for reserves to be in the same currency, foreign currency positions may not count the same way. If the reporting framework requires separate disclosure of custody location, tenor, or concentration, the auditor tests that detail too. Under U.S. law, public month-end reporting includes reserve composition, average tenor, and geographic location of custody, and the report is examined by a registered public accounting firm.^[4]

Finally, the auditor considers subsequent events and anomalies. Did anything happen after the reporting date that calls the report into question? Were there large redemptions, liquidity events, cyber incidents, sanctions issues, or legal changes? Good assurance does not predict the future, but it should not ignore immediately relevant facts that become known before issuance of the report.

A strong reserve report therefore reads less like advertising and more like a measurement document. It tells you the criteria, the scope, the date, the exclusions, management's responsibilities, the practitioner's responsibilities, and the conclusion. If those pieces are missing, treat the document as marketing until proven otherwise.

Controls over minting, burning, and custody

Readers often focus on reserves because reserves are easier to visualize. But many failures involving USD1 stablecoins would begin in operations rather than in asset selection. The two biggest examples are unauthorized issuance and weak reconciliation.

Unauthorized issuance risk is straightforward. If the issuer, an affiliate, or a compromised key can mint USD1 stablecoins outside approved workflows, liabilities can rise before reserves do. Even if the error is reversed later, the temporary mismatch matters. Good control design uses restricted roles, approval workflows, logging, monitoring, and after-the-fact review by staff who are independent from the original transaction.

Weak reconciliation is quieter, but just as dangerous. If internal treasury records, blockchain activity, custodian reports, and management reports do not match quickly and reliably, problems can remain hidden. A reconciliation control should not only identify mismatches. It should define who investigates them, how fast they must be resolved, who signs off, and what happens if the difference is large. This is exactly the kind of "control over token operations" issue that the AICPA's 2026 update brought into sharper focus.^[2]

Custody is another area where language can hide risk. Custody means safekeeping of assets. For reserve assets, the questions include where the assets are held, under whose name, with what legal protections, and under what withdrawal conditions. For private keys, the questions include who can authorize transactions, how backups are managed, how emergency access works, and how incidents are escalated. For systemic payment arrangements, global standard setters have already signaled that infrastructures used at scale for USD1 stablecoins should meet serious expectations for governance, risk management, and operational resilience (the ability to keep functioning through outages, errors, and attacks).^[7][9]

An investor, policymaker, or journalist reading about USD1 stablecoins should therefore be cautious of any assurance package that is all reserve and no operations. Reserves answer, "what supports redemption?" Controls answer, "what keeps the support system reliable between reporting dates?" Both matter.

How regulation is shaping expectations for auditors

Auditor expectations for USD1 stablecoins are no longer set only by market custom. Regulation now matters much more than it did a few years ago, and that is changing the baseline for what a credible report looks like.

In the United States, the SEC's Division of Corporation Finance stated in April 2025 that certain reserve-backed, one-for-one redeemable products described in its statement, backed by low-risk and readily liquid reserve assets, do not involve the offer and sale of securities in the circumstances described there. That statement did not bless every design, but it did sharpen the market's focus on reserve-backed structures, redemption on demand, and liquid reserve assets.^[3]

The larger shift came in July 2025, when the United States adopted a federal payment stablecoin statute. Among other things, the law requires monthly public reporting on reserve composition, the number of outstanding payment stablecoins, average tenor, and geographic location of custody. It also requires those monthly disclosures to be examined by a registered public accounting firm, requires monthly CEO and CFO certification, prohibits deceptive naming, and requires annual audited financial statements for larger issuers using PCAOB (the U.S. audit standard setter for public company audits) auditing standards.^[4]

For readers of USD1 stablecoins reports, that means two practical things. First, the words "examined by a registered public accounting firm" now have direct legal significance in at least one major jurisdiction. Second, larger issuers may end up publishing two different kinds of public assurance: monthly reserve-related examinations and annual financial statement audits. Those are related, but they are not identical.

The European Union has moved on a different but equally important track. Under MiCA, issuers of asset-referenced tokens and e-money tokens need the relevant authorization, while e-money token issuers must issue at par on receipt of funds, redeem at par (one dollar for one dollar) at any moment upon request, invest received funds in secure, low-risk assets in the same currency, deposit them in a separate account with a credit institution, and maintain recovery and redemption plans. The MiCA regime for asset-referenced tokens and e-money tokens has applied since 30 June 2024, and the broader regulation has applied since 30 December 2024.^[5][6]

For USD1 stablecoins, that EU framework is significant because it links disclosure, governance, reserve quality, redemption mechanics, and supervision in a single regime. Auditors do not replace regulators, but regulatory structure influences what auditors and attestors are asked to measure. When rules become more specific, assurance work usually becomes more comparable across issuers.

International standard setters are also pushing in the same direction. In 2023, the FSB finalized recommendations that stress cross-border cooperation, comprehensive governance, risk management, data quality, disclosure, legal claims to redemption, and prudential requirements. In 2022, CPMI and IOSCO confirmed that the Principles for Financial Market Infrastructures apply to systemically important stablecoin arrangements that transfer stablecoins. In 2024, the Basel Committee tightened criteria for certain stablecoins to receive preferential treatment under bank capital standards and introduced common disclosure requirements for banks' cryptoasset exposures, with implementation set for 1 January 2026.^[7][8][9]

At the same time, harmonization is not complete. In October 2025, the FSB said jurisdictions had made progress but that regulation of global stablecoin arrangements was still lagging, with significant gaps and inconsistencies that create opportunities for regulatory arbitrage. That matters because the same phrase on two different issuer websites may still reflect different legal obligations, different asset rules, and different assurance expectations depending on jurisdiction.^[10]

The practical takeaway is simple: do not read a report about USD1 stablecoins in isolation from its regulatory setting. Ask where the issuer is supervised, what regime applies, whether the assurance language matches that regime, and whether the report is voluntary, statutory (required by law), or both.

Red flags when reading reports about USD1 stablecoins

The biggest red flag is vagueness. If a report uses comforting language but does not state the exact scope, criteria, date, legal entity, standard, and conclusion, it is less valuable than it appears.

A second red flag is category blur. If smart contract review, proof of reserves, monthly reserve attestation, annual audit, and controls reporting are all described with the same word, readers should slow down. Precision is not a formality here. It is the substance.

A third red flag is one-sided transparency. If you can see a long discussion of reserve assets but almost nothing about outstanding USD1 stablecoins, redemption process, custody location, key management, conflicts of interest, related parties, or who can mint and burn, the picture is incomplete. Under both the FSB framework and the U.S. statutory model, disclosure is expected to cover more than a single reserve total.^[4][7]

A fourth red flag is a point-in-time report with no surrounding control discussion. A report date can be managed. Controls are harder to stage. That is one reason the market has been moving toward stronger operations-related criteria.^[2]

A fifth red flag is no clear redemption language. For USD1 stablecoins, the ultimate question is whether a holder can reasonably expect timely redemption for U.S. dollars under disclosed terms. If that answer is unclear, the reserves matter less than readers think. Arrangements built to support USD1 stablecoins are increasingly expected by regulators to provide clear redemption rights and strong disclosure.^[3][6][7]

Practical reading tips

If you only have a few minutes, focus on these questions:

• Which legal entity issued the report and which legal entity issued the USD1 stablecoins?
• Is the document a financial statement audit, an attestation examination, a review, an agreed-upon procedures report, or an informal reserve memo?
• What exact date and time does the report cover?
• How were outstanding USD1 stablecoins measured?
• Which assets counted as reserves, and were any excluded?
• Who held the reserve assets, and were any assets pledged or restricted?
• What did the report say about controls over minting, burning, reconciliation, and custody?
• What are the redemption terms, fees, and timing?
• Was the report prepared under a statutory regime, a professional criteria framework, or both?

If those answers are easy to find, the reporting package is probably doing a serious job. If they are hard to find, or scattered across marketing pages, legal terms, and social posts, skepticism is justified.

Frequently asked questions

Does an audit guarantee that USD1 stablecoins will never break their peg?

No. An audit or attestation can provide evidence about reserves, disclosures, controls, or financial statements, but it does not guarantee future market behavior. Peg stability can still be affected by redemption demand, operational failures, legal disputes, market stress, banking disruptions, cyber incidents, or flaws in governance. Assurance reduces uncertainty; it does not eliminate risk.

If reserves exceed outstanding USD1 stablecoins at month-end, is that enough?

It is good news, but not the whole story. You also need to know whether the reserve assets were eligible, liquid, legally available for redemption, properly valued, and free of restrictions. You also need confidence that outstanding USD1 stablecoins were counted completely and that controls remained effective between reporting dates. This is why a narrow reserve snapshot and a broader control framework answer different questions.^[1][2][4]

Why do redemption rights matter so much?

Because the economic promise behind USD1 stablecoins is not only that supporting assets exist, but that holders can obtain U.S. dollars under disclosed terms. The FSB highlights robust legal claims and timely redemption. MiCA requires par issuance and par redemption at any moment for e-money tokens, along with secure, low-risk assets and recovery and redemption planning. In other words, reserve quality and redemption design belong in the same conversation.^[6][7]

Are all public accounting firm reports comparable?

No. Scope, criteria, standards, and jurisdiction matter. A monthly examination of reserve information is not the same as an annual audit of financial statements. A voluntary report may differ from a statutory report. A report prepared under AICPA attestation standards is not identical to a PCAOB financial statement audit. The document title alone is never enough.^[4][11]

Does onchain data make auditors less important?

Not really. Onchain data makes some testing easier and more transparent, especially around issuance, burning, and public movement of USD1 stablecoins. But auditors still provide independent work on the offchain side: bank balances, custody arrangements, asset eligibility, legal rights, valuation, internal controls, and disclosure quality. In reserve-backed products, the hardest questions often live where the blockchain ends.

What would a strong public reporting package look like?

A strong package for USD1 stablecoins would usually include a clear description of the issuer and governing entity, public reserve composition, the count of outstanding USD1 stablecoins, an independently issued reserve examination or equivalent attestation, annual audited financial statements where relevant, plain-language redemption terms, discussion of custody and controls, and enough methodology detail for an informed reader to understand what was and was not tested. The AICPA criteria, the U.S. statutory framework, MiCA, and the FSB recommendations all point in that direction, even though they do not use identical language.^{[1][2][4][6][7]}