The Delve totally-fake-SOC-2-reports for sale scandal is a fraud dressed up as a process problem
Some are pointing to automated compliance tools as the problem but that lets the real accountability structure off the hook.
I've worked with auditors across the full spectrum. Big 4, mid-tier shops, and the budget providers you bring in when cost is the top priority. Every tier has tradeoffs. The Big 4 sell brand insurance. The mid-tier firms often do sharper technical work. The low-cost providers cut corners on depth but still show up and look at something.
What allegedly happened with Delve is in a different category.
Wholesale fabricated evidence. Reports that didn't reflect any testing at all.
Blaming automation misses the deeper failure: the entire industry treats the audit report as proof of work. Delve spent heavily on building a credible brand and large sales operation while skipping the part where you do the work. The system rewarded it, because nobody downstream was checking.
Most enterprises treat third-party audit reports as terminal artifacts. The report arrives, it goes in the GRC system, the checkbox gets checked. The entire value proposition of an independent audit is that you don't have to redo the auditor's job yourself.
Delve exploited that trust directly. The system assumes the auditor did the work. When that doesn't happen, 99% of shops have no backstop.
We've all seen this firsthand: the SOC 2 report hits the shared drive and the entire conversation shifts to "Great! We're covered." No one opened the report or checked which controls were there or how they were tested. The logo on the letterhead was the diligence.
As AI tooling makes it cheaper to generate something that looks like a rigorous audit, that habit gets more dangerous. Every vendor assurance team that treats the report as the finish line is one fabricated PDF or giant control gap away from a massive risk they'll never catch.
For those running vendor assurance programs: what does your process look like for validating that an audit report aligns with your expectations vs. just filing it and moving on?