
How we work

The approach is the point.

Most audit findings are downstream of the same question: does evidence exist that what's documented actually happened, and does it hold up? Our process is built around that question and takes the same shape on every engagement.

  1. Scope against the actual question

    Every engagement starts with a call about what you're trying to assure and who you need to assure it to. The scope is tailored to that — LP satisfaction, board satisfaction, regulator satisfaction, or counterparty satisfaction each require different depth and different evidence. We won't sell you a Level 3 CCSS audit when Level 1 readiness is what closes the current conversation.

  2. Map existing assurance coverage

    Before we assess anything new, we map what your current assurances actually cover: SOC 2 scope, ISO 27001 certificate conditions, smart contract audit perimeters, prior CCSS work, penetration test findings. Most operational risk lives in the seams between these, and the first deliverable is a coverage map that shows where the seams are.

  3. Request the evidence

    We don't audit documentation. We audit documentation against evidence that the documentation was followed. Signed runbooks, ceremony attestations, access logs, reconciliation output, redemption tickets, liquidation execution records: whatever operational artifact the documented procedure should have produced, we ask for it on specific dates. Gaps between procedure and artifact are the audit.

  4. Assess the technical design

    Alongside the evidence work, we evaluate the underlying technical design — cryptographic choices, custody architecture, reserve segregation, oracle governance, bridge validator structure, whatever the engagement scope covers. We reference CCSS where it applies and NIST SP 800-90A where random-number generation is in scope, and we note where the design is stronger or weaker than its documentation claims.

  5. Write the report against the buyer's question

    The deliverable is structured around the question that started the engagement. LPs get a report they can file and point to. Boards get a risk picture they can react to. Regulators get evidence organized the way regulators read it. Trust centers get something publishable. No filler, no Executive Summary that repeats the Executive Summary.

  6. Stay available for the follow-up

    Findings don't close themselves. We stay available after the report lands to answer questions from the buyer the report was written for — your LP, your board, your counterparty — and to support remediation when requested. The engagement doesn't end at delivery.
