The Auditor Conclusion Was Already Written
Here is the fact that should stop every compliance professional in their tracks: in the leaked Delve SOC 2 reports, the auditor’s conclusions existed in draft form before clients had submitted any evidence. No system descriptions. No network diagrams. No signatures. The conclusion was already there.
That is not a process shortcut. That is the definition of a sham audit.
Delve, a Y Combinator-backed GRC automation platform that raised $32 million at a $300 million valuation, is now at the center of what may be the most significant compliance fraud scandal the industry has seen. Anonymous researchers publishing under the name “DeepDelver” analyzed 575 leaked files and found that 493 of 494 SOC 2 reports contained identical boilerplate language, including the same grammatical errors, the same structural quirks, and the same missing word across 259 Type II reports: “because there no security incidents reported during the engagement.”
Across 259 companies. Over three-month observation periods each. Not one had a security incident, a personnel change, a customer termination, or a cybersecurity insurance claim.
That is not good controls. That is a template.
What Delve Was Selling
Delve marketed itself as “AI-native” compliance that could deliver SOC 2, ISO 27001, HIPAA, and GDPR certifications “in days rather than months.” The pitch was compelling, especially to early-stage startups that needed a SOC 2 report to close enterprise deals. The company claimed 120+ automated integrations and positioned itself as the fast, cheap alternative to traditional compliance work.
The reality, according to the leaked evidence and internal whistleblower materials, was different.
The platform generated pre-written board meeting minutes requiring one-click acceptance. Risk assessments came pre-populated with ten identical default risks for all clients. Security incident simulations were pre-populated with three identical incidents across all clients. Trust pages were published the moment clients logged in, listing security measures that did not exist: vulnerability scanning, penetration testing, data recovery simulations. Employee security control evidence was created for staff who never completed onboarding.
When your compliance automation pre-fills the evidence before the controls exist, you are not automating compliance. You are automating the appearance of compliance.
The Auditors
Delve’s advertised “US-based CPA firms” traced primarily to offshore certification mills. One firm, Accorp, handled approximately 99% of clients. Another, Gradient Certification, was registered in Wyoming through a mailbox agent and filed dormant accounts showing zero revenue for four consecutive years. At least one report retained one firm’s identification number despite using a different firm’s cover page.
The high-profile clients got reports from legitimate US firms like Prescient and Aprio. But those clients completed most of their work off-platform.
In other words, the front door looked real. The back office was not.
Why This Matters Beyond Delve
The Delve scandal is not just about one startup that cut corners. It exposes a structural problem in how SOC 2 reports are consumed.
When a SaaS company sends a SOC 2 report to an enterprise buyer, that buyer typically does not call the auditor. They do not check the AICPA peer review database. They do not verify the engagement partner’s CPA license. They read the conclusion, check the box, and move on.
That trust chain just broke.
TechCrunch reported that Delve had performed the security compliance work on LiteLLM, the open-source AI proxy that was subsequently compromised by TeamPCP in March 2026, exposing credentials across 36% of cloud environments. The organization that was supposed to verify LiteLLM’s security controls used a compliance platform that was allegedly fabricating reports.
Downstream, organizations that accepted SOC 2 reports from Delve clients made vendor risk decisions based on potentially non-existent control environments. According to tracking efforts at dupedbydelve.com, organizations that may have received compliance documentation ultimately originating from Delve clients include OpenAI, PayPal, Stripe, Amazon, Microsoft, and the U.S. Department of Veterans Affairs.
That is the blast radius when compliance is treated as a product rather than a process.
Delve’s Defense
Delve published a blog post arguing that it is an “automation platform,” not an auditing firm. Templates are standard practice. Pre-filled materials are “starting points only” that customers are responsible for reviewing. Final reports are issued “solely by independent, licensed auditors, not Delve.”
Industry commentators were not persuaded. As one noted: when your defense to “you faked the reports” is “we only made the drafts, the auditors signed them,” you have described the alleged fraud mechanism in your own press release.
What Organizations Should Do Right Now
If you are a Delve client: Get independent legal counsel. Unpublish any Delve-generated trust pages and compliance badges. Commission a gap assessment from a legitimate, AICPA-registered CPA firm with a verifiable peer review history. Notify enterprise customers whose vendor risk decisions relied on your Delve-issued reports.
If you accepted a SOC 2 report from a vendor: Ask your vendors what compliance automation platform they used. Verify the auditing firm independently: check the AICPA peer review public file, verify the engagement partner’s CPA license through the state board, and confirm the firm has a real operating history. Look at Section 3 of the SOC 2 report, management’s description of the system, for company-specific detail. If it reads like boilerplate, it probably is.
If you are evaluating compliance platforms: Require disclosure of the actual auditing firms before engaging. Speak directly with the auditors about their methodology. Verify that trust center pages reflect actual controls, not auto-generated marketing. And be skeptical of any platform that promises SOC 2 “in days.” The controls take time because the controls are the point.
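One way to apply the Section 3 boilerplate check above across a stack of vendor reports, as an added example that is not from the post or from any firm it names: mask each company’s own name, then measure how many 5-word phrases two system descriptions share. The company names, report texts and the 0.8 flagging threshold are constructed for the example.

```python
import re
from itertools import combinations

SHINGLE = 5  # word n-gram length; 5-word runs rarely match by chance

def normalize(text, org_name):
    """Lower-case, mask the client's own name and strip punctuation, so a
    template that only swaps in the company name compares as identical."""
    masked = text.replace(org_name, "ORG")
    return re.sub(r"[^a-z0-9 ]+", " ", masked.lower()).split()

def shingles(tokens, n=SHINGLE):
    """Set of overlapping n-word windows; the unit of comparison."""
    return {" ".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}

def jaccard(a, b):
    """Fraction of shingles shared between two reports (0.0 .. 1.0)."""
    return len(a & b) / len(a | b) if a or b else 0.0

def pairwise_similarity(reports):
    """reports: {company_name: section_3_text}. Returns {(a, b): score}."""
    sets = {org: shingles(normalize(txt, org)) for org, txt in reports.items()}
    return {(a, b): jaccard(sets[a], sets[b])
            for a, b in combinations(sorted(sets), 2)}

def boilerplate_pairs(reports, threshold=0.8):
    """Pairs of supposedly unrelated companies whose system descriptions are
    near-verbatim copies of each other: a template signal, not a control."""
    return [(a, b, round(s, 2))
            for (a, b), s in pairwise_similarity(reports).items() if s >= threshold]

# Constructed sample: two reports cut from one template (including the
# missing-word sentence quoted in the post) and one about a specific environment.
TEMPLATE = (
    "{org} provides a cloud-hosted software platform to its customers. "
    "Management of {org} has established policies covering access control, change "
    "management and incident response. No changes to the control environment "
    "occurred during the period, because there no security incidents reported "
    "during the engagement."
)
REPORTS = {
    "Acme Ltd": TEMPLATE.format(org="Acme Ltd"),
    "Bolt Inc": TEMPLATE.format(org="Bolt Inc"),
    "Cardinal Co": (
        "Cardinal Co runs a payments ledger on AWS with a warm standby in a "
        "second region. Releases pass a two-approver pipeline; production "
        "access is through SSO-gated bastion hosts with session recording. "
        "Two severity-2 incidents occurred in the period and are described below."
    ),
}
```

Standard framing (criteria names, report structure) legitimately recurs across reports, so calibrate the threshold on reports you know to be genuine and treat a hit as a reason to call the auditor, not as proof by itself.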
The Deeper Problem
The compliance industry has a pricing problem that creates a quality problem. Delve was not operating in a vacuum. Competitors offer SOC 2 “express packages” for $5,000. At that price, the economics of a genuine audit do not work. The engagement partner cannot spend the hours required to evaluate controls, test evidence, and write a report that actually reflects the client’s security posture. Something has to give, and what gives is rigor.
A real SOC 2 Type II engagement is expensive because it requires qualified professionals to evaluate actual controls over an actual observation period. Shortcuts exist. But the shortcut where the conclusion is pre-written is not a shortcut. It is fraud.
We do SOC 2 readiness work because we understand what auditors actually look for and we build the controls that survive real scrutiny. We do not issue the reports ourselves, and we never will. The independence between the party building the controls and the party attesting to them is the whole point of the framework.
When that independence disappears, the report is just paper.
What Comes Next
As of early April 2026, no formal regulatory action has been announced by the SEC, AICPA, or any state CPA board. The fraud was exposed by anonymous Substack journalism, not regulators. Insight Partners, which led Delve’s $32 million Series A, scrubbed its blog post explaining why it invested.
The compliance industry is watching to see whether the AICPA takes enforcement action against the involved auditing firms, whether state CPA boards investigate, and whether downstream organizations pursue legal claims.
For the rest of us, the lesson is straightforward: compliance is not a product you buy. It is a discipline you practice. And if the report was written before anyone looked at the evidence, nobody was practicing anything except optimism.