Menu
We care about your data. At Lukka, we invest both our time and capital to make sure that you can trust our products. This is challenging and requires constant attention, but our goal is to manage the risk associated with our products so that we can enable you to focus on your business and not on the reliability or quality of our products. We strive to add the frameworks that you care about and want your feedback.
AICPA SOC reports serve an important role in the management of Service Organization (or vendor) risk. The AICPA independently sets the standards associated with SOC Audits. Typically annually, an independent auditor conducts SOC audits using this framework of a Service Organizations controls – these conclude with a report describing the results of the audit. This helps any organization that is using a Service Organization as a vendor to rely on these reports to mitigate risks associated with the products that they are using.
Service Organization Company. This is a term used to describe vendors in a standards framework that is governed by the American Institute of Certified Public Accountants (AICPA).
A SOC 1 Report is the result of an audit of controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting. In short, if our products produce financial calculations, you want us to have this report created by a reputable auditor.
A SOC 2 Report is the result of an audit of the controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy risk domains. Not every SOC 2 includes all of these, so make sure to check for which are relevant to your business and that you ask for the report to ensure it has what you need.
This is very important to understand: Both Type 1 and Type II audits “report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description”. However, a Type I is “at a specific date”, so usually faster, less costly, and gives you much LESS assurance that controls are working. In contrast, Type II is conducted “throughout a specified period”, so is more comprehensive (during a Type II audit, the controls are verified to be working over a period in order to ensure they are working consistently). Type II reports typically take longer and are more costly to conduct, but the result is more mature controls. Lukka only conducts Type II audits for BOTH SOC 1 and SOC 2 reports.
12 Month Period
Updated Annually
SOC 1 reports are on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR). These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.
No, they are all custom-tailored to the specific Service Organization and can vary significantly. We recommend asking any Service Organization that you plan on using as a vendor who their SOC auditor is, for a copy of the SOC report, whether it was a Type I or Type II (Type II is strongly preferred), and how many years the Service Organization has conducted SOC audits.
Lukka conducts both SOC 1 Type II and SOC 2 Type II audits annually. For the portion of the year outside of testing periods, we offer bridge letters to customers upon request.
Lukka was the first company serving the crypto industry to perform an AICPA SOC 1 Type II audit in 2018 and then a SOC 2 Type II in 2019. Read more about how we invest in top auditors to look at our technology risk so that you don’t have to.
Per the AICPA, SOC 2 reports cover controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
These reports can play an important role in:
No, they are all custom-tailored to the specific Service Organization and can vary significantly. SOC 2 reports specifically may or may not include any of the 5 risk domain areas: Security, Availability, Processing Integrity, Confidentiality, and Privacy. We recommend asking any Service Organization that you plan on using as a vendor who their SOC auditor is, for a copy of the SOC report, whether it was a Type I or Type II (Type II is strongly preferred), and how many years the Service Organization has conducted SOC audits.
ISO/IEC stands for International Organization for Standardization/International Electrotechnical Commission. ISO/IEC is a joint committee that issues the ISO/IEC 27000 family of standards. Out of the dozen standards in the 27000 family, ISO/IEC 27001 is the world’s best known standard for information security management systems.
ISO 27001 Certifications can only be issued by organizations, called certification bodies, which are entities licensed by accreditation bodies, to perform certification audits and assess if a company’s Information Security Management System is compliant with ISO/IEC 27001. Lukka’s ISO/IEC Certification was issued by an independent organization called the British Standards Institution (BSI).
BSI was the world’s first National Standards Body and was a key player in the formation of other standards bodies. In 1995, BSI originally published BS 7799 to provide a comprehensive set of controls comprising best practices in information security. In October 2005, BS 7799 was revised and updated to what is now recognized as ISO/IEC 27001.
AICPA SOC reports serve an important role in the management of Service Organization (or vendor) risk. The AICPA independently sets the standards associated with SOC Audits. Typically annually, an independent auditor conducts SOC audits using this framework of a Service Organizations controls – these conclude with a report describing the results of the audit. This helps any organization that is using a Service Organization as a vendor to rely on these reports to mitigate risks associated with the products that they are using.
Service Organization Company. This is a term used to describe vendors in a standards framework that is governed by the American Institute of Certified Public Accountants (AICPA).
A SOC 1 Report is the result of an audit of controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting. In short, if our products produce financial calculations, you want us to have this report created by a reputable auditor.
A SOC 2 Report is the result of an audit of the controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy risk domains. Not every SOC 2 includes all of these, so make sure to check for which are relevant to your business and that you ask for the report to ensure it has what you need.
This is very important to understand: Both Type 1 and Type II audits “report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description”. However, a Type I is “at a specific date”, so usually faster, less costly, and gives you much LESS assurance that controls are working. In contrast, Type II is conducted “throughout a specified period”, so is more comprehensive (during a Type II audit, the controls are verified to be working over a period in order to ensure they are working consistently). Type II reports typically take longer and are more costly to conduct, but the result is more mature controls. Lukka only conducts Type II audits for BOTH SOC 1 and SOC 2 reports.
12 Month Period
Updated Annually
SOC 1 reports are on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR). These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.
No, they are all custom-tailored to the specific Service Organization and can vary significantly. We recommend asking any Service Organization that you plan on using as a vendor who their SOC auditor is, for a copy of the SOC report, whether it was a Type I or Type II (Type II is strongly preferred), and how many years the Service Organization has conducted SOC audits.
Lukka conducts both SOC 1 Type II and SOC 2 Type II audits annually. For the portion of the year outside of testing periods, we offer bridge letters to customers upon request.
Lukka was the first company serving the crypto industry to perform an AICPA SOC 1 Type II audit in 2018 and then a SOC 2 Type II in 2019. Read more about how we invest in top auditors to look at our technology risk so that you don’t have to.
Per the AICPA, SOC 2 reports cover controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
These reports can play an important role in:
No, they are all custom-tailored to the specific Service Organization and can vary significantly. SOC 2 reports specifically may or may not include any of the 5 risk domain areas: Security, Availability, Processing Integrity, Confidentiality, and Privacy. We recommend asking any Service Organization that you plan on using as a vendor who their SOC auditor is, for a copy of the SOC report, whether it was a Type I or Type II (Type II is strongly preferred), and how many years the Service Organization has conducted SOC audits.
ISO/IEC stands for International Organization for Standardization/International Electrotechnical Commission. ISO/IEC is a joint committee that issues the ISO/IEC 27000 family of standards. Out of the dozen standards in the 27000 family, ISO/IEC 27001 is the world’s best known standard for information security management systems.
ISO 27001 Certifications can only be issued by organizations, called certification bodies, which are entities licensed by accreditation bodies, to perform certification audits and assess if a company’s Information Security Management System is compliant with ISO/IEC 27001. Lukka’s ISO/IEC Certification was issued by an independent organization called the British Standards Institution (BSI).
BSI was the world’s first National Standards Body and was a key player in the formation of other standards bodies. In 1995, BSI originally published BS 7799 to provide a comprehensive set of controls comprising best practices in information security. In October 2005, BS 7799 was revised and updated to what is now recognized as ISO/IEC 27001.
…and hundreds more businesses.
