SOC 2 as a Service or a Scam


We’ve turned SOC 2 into a checkbox exercise, and now the inevitable has happened (allegedly).

A compliance startup seemingly sold hundreds of companies fake SOC 2 reports.

If the allegations hold up, it’s a brazen example of assurance fraud.

And it raises serious questions about how we’ve built the trust infrastructure around these certifications.

The story comes from a detailed Substack post by an anonymous author called “DeepDelver.” They allege Delve, a VC-backed compliance automation startup, generated the appearance of SOC 2 compliance without the underlying substance.

I haven’t independently verified these allegations. But they’re specific enough to take seriously.


What the Allegations Say

According to DeepDelver, Delve’s platform is built around pre-populated policies, templated risk assessments, canned security simulations, and pre-written board minutes.

And it’s all presented as if clients actually did the work. But the controls describe activities that never occurred.

Board meetings didn’t happen. Security simulations weren’t performed. Trust pages show controls as implemented before any work was done.

The author claims to have analyzed 322 public Delve trust pages. Of those, 321 showed identical SOC 2 control sets.

That’s tough to reconcile with Delve’s marketing claim that it customizes programs for each client.

Even worse, the report alleges draft report sections containing auditor conclusions were pre-generated before clients completed their compliance work.

If true, that’s fabricating auditor judgment.

How Does Something Like This Get Signed Off?

SOC 2 reports are AICPA attestation engagements. A licensed CPA firm accredited by the AICPA has to conduct them. The SOC 2 badge on a company’s website represents an independent professional opinion.

It’s not just a marketing asset.

So how do you allegedly game that system? You find firms willing to rubber-stamp work they didn’t do.

We’ve seen this before.

The SEC eventually charged BF Borgers CPA PC with fabricating audit documentation in more than 1,500 SEC filings. The PCAOB flagged deficiencies in 29 out of 30 audits it inspected.

But for years, the consequences were minimal. Inadequate penalties create inadequate deterrence.

When the downside of getting caught is smaller than the upside of cutting corners, corners will be cut.

Who’s Watching?

The harder question here is regulatory. Who’s actually responsible for investigating this?

The AICPA controls accreditation. State boards govern individual CPAs. The SEC gets involved when it affects public companies.

But for private companies relying on these certifications to win enterprise contracts, it’s less clear who’s checking.

Is the AICPA auditing the badges on company websites? Are the accredited firms being monitored for the volume and uniformity of the reports they sign off on?

These are questions worth asking.

The Real Cost

Companies displaying fake SOC 2 reports deceive their customers and create real security risks. A SOC 2 certification is supposed to tell enterprise buyers a vendor implemented meaningful controls around data security, availability, and confidentiality.

If those controls don’t exist, the certification provides false cover for real vulnerabilities.

And frankly, it also undermines legitimate compliance work. The firms that invest in actual controls and pay for genuine audits are competing against vendors that allegedly bought a badge.

As a CPA, I find it painful to watch. We spend decades building the “assurance” brand, only to have it diluted by a service sold like a software product that generates board minutes out of thin air.

If these allegations prove out, this won’t be the last story like it. The demand for compliance certifications isn’t going away. The market for fast and cheap alternatives will keep growing.

Oversight hasn’t kept pace.

Since we recorded the episode, Delve has fired back. They posted a response calling the allegations misleading and disputing the claims.

I’m not here to play judge and jury. But whether these specific allegations are 100% accurate or not doesn’t change the underlying problem.

The SOC 2 market is built on a foundation of “trust me.” And right now, that foundation looks pretty shaky.

If the AICPA doesn’t police the use of its own logo, the market will continue to treat SOC 2 as a commodity, or worse, a scam.

It’s time for the profession to decide: are we auditors or are we just helping startups check a box?
