SIO-5.5 Internal Audit Function
SIO-5.5.1
The internal audit function must be independent and have sufficient authority and resources. In particular, stablecoin issuers must ensure that the qualification of the internal audit staff members and the internal audit resources, in particular its auditing tools and risk analysis methods, are adequate for the nature, scale and complexity of the risks associated with the licensed stablecoin issuer’s business model, activities, and risk appetite.
Added: July 2025
SIO-5.5.2
The internal audit function must follow a risk-based approach, independently review and provide objective assurance of the compliance of all activities undertaken by the stablecoin issuer, including the use of third-party entities, with the licensee’s policies and procedures and with the regulatory requirements.
Added: July 2025
SIO-5.5.3
The internal audit function must not be involved in designing, selecting, establishing, or implementing specific internal control policies, mechanisms, procedures or risk limits. However, this should not prevent the Board and the senior management from requesting input from the internal audit function on matters relating to risk, internal controls and compliance with applicable rules.
Added: July 2025
SIO-5.5.4
The internal audit function must review the adequacy of the processes for the development of the stablecoin whitepaper, its approval and the processes followed for issuance of the approved stablecoin and how the approved stablecoin is offered to the public.
Added: July 2025
SIO-5.5.5
Internal audit work should be performed regularly in accordance with an audit plan and a detailed audit programme following a risk-based approach.
Added: July 2025
SIO-5.5.6
Stablecoin issuers must, at least once a year, draw up an internal audit plan on the basis of the annual internal audit control objectives. The internal audit plan must be approved by the board or relevant board committee.
Added: July 2025