Why Lumina
The difference is who does the work.
Most compliance advisory firms hand you a template and a junior associate. We do the opposite — practitioners with 8+ years on these exact engagements, fixed fees, and deliverables written for auditors, not presentations.
Audit-grade by default
We design controls that genuinely reduce exposure and fit your team's actual workflows — so evidence collection is a byproduct of how you operate, not a fire drill before every audit. A program built to actually work always produces better outcomes than one built to look good.
Senior delivery, every time
Our principals are Big 4-trained IT auditors with 8+ years across ITGC, SOC 1/2, ISO 27001, and SOX. The same person who scopes your work designs your controls, authors your policies, and sits across from your auditors. No handoffs. No supervision from a distance.
Fixed fees. Before we start.
After the gap assessment, you receive a fixed-fee proposal for the remaining work. Not a range. Not an estimate. A number. If scope expands on our end, that's our problem — not your invoice.
Transparent progress. Every week.
Every week of an active engagement you receive a written update: what was completed, what's in progress, what's blocked, and what we need from you. You never have to chase us for a status.
Credentials
Certified to deliver.
Our team holds the same credentials your auditors and their firms require. Not decorative — operationally relevant to every engagement we run.
Our role in the process
Advisor or auditor, depending on the service.
For ITGC and SOX IT controls engagements, we act as the IT auditor. We scope and test your IT general controls, run walkthroughs, identify and rate deficiencies, and produce the documentation your external audit firm relies on. Your external auditors test overall SOX compliance — we own the IT controls layer directly.
For SOC 1, SOC 2, and ISO 27001 engagements, we are your readiness advisor. The attestation report or certification must come from an independent third party — a licensed CPA firm for SOC 1 and SOC 2, an accredited certification body for ISO 27001. Our job is to get your controls, evidence, and team to the point where that third party can issue a clean report without surprises.
In either role, we attend planning calls, respond to audit requests, and stay available throughout — as your advocate, your translator, or the person doing the testing.
We do not have a preferred auditor or certification body and don't earn referral fees. For attestation engagements, we'll help you choose the right firm based on your budget, timeline, and industry.
How we engage
Four stages. No surprises.
Every engagement runs the same four stages in the same order. You know what happens each week, what you'll receive, and what it costs before we start.
Assess
Every engagement · Foundation stage
Every engagement starts with a gap assessment. No assumptions, no templates pulled from a prior client.
- We map your current controls against the target framework.
- Every gap is risk-rated: critical, significant, or low.
- You receive a prioritized remediation roadmap with effort estimates.
- We define scope, in-scope systems, and control owners.
- Fixed-fee proposal for the remaining work delivered at the end of this stage.
Gap report + remediation roadmap + fixed-fee proposal
Design
Every engagement · Architecture stage
We design controls that fit how your team actually works — not a generic policy template from a previous client.
- Controls designed against your specific technology stack and org structure.
- Each control mapped to its framework criterion, owner, and evidence source.
- Segregation of duties mapped across your actual team roles.
- Control objectives written in auditor-consumable format.
- Policy library structure designed before any writing begins.
Controls matrix + policy framework + owner assignments
Implement
Every engagement · Largest stage
We work alongside your teams to deploy controls, author policies, and build the evidence library.
- Weekly status updates: what's done, what's pending, what's blocked.
- Policy library authored and approved (30+ policies for most frameworks).
- Evidence procedures documented and tested with your team.
- Evidence library built: screenshots labeled, access reviews formatted, logs annotated.
- Open gaps tracked with owners, dates, and remediation approach.
Policy library + evidence library + remediation tracker
Sustain
Post-audit · Optional retainer
Once you pass the audit, we can stay on under an ongoing advisory retainer to keep the program healthy between cycles.
- Monthly evidence collection and control monitoring.
- Annual policy review cycle with approval workflow.
- Customer security questionnaire support.
- Pre-audit preparation for next year's renewal.
- Risk register maintenance and quarterly reporting.
Ongoing program management via advisory retainer
See it in your context.
We'll walk through what this engagement looks like for your specific framework, team, and timeline.