Fraudulent GRC Allegations: Cautionary Tale or Wake Up Call?


A detailed anonymous Substack post published this past week makes serious allegations of outright fraud against one GRC compliance platform — and it’s worth reading whether or not you’ve ever heard of the company involved.
The investigation alleges that a platform called Delve handed hundreds of startups SOC 2 reports built from templates, signed off by offshore rubber-stamp audit firms operating through US shell entities, and supported by evidence that was fabricated rather than gathered. Board meeting notes for meetings that never happened. Risk assessments copy-pasted identically across nearly 500 accounts. Auditor conclusions pre-written before any client had even filled in their company description — a structural violation of AICPA independence requirements. When clients discovered problems and threatened to leave, the response was charm, promises, and boxes of donuts. The full investigation is detailed, sourced, and damning.
To be clear: this is an extreme case. The allegations include deliberate fraud, fabricated evidence, and auditor independence violations that go well beyond sloppy compliance work. Other compliance platforms are very good at automating components of security and compliance, and I am not suggesting they are doing what Delve is alleged to have done.
But that’s not quite the point.
The Broader Question the Delve Story Raises
Even setting aside allegations of fraud, the Delve situation should prompt a harder look at the bargain end of the SOC 2 market. The compliance automation space has produced a tier of platforms and bundled audits that compete primarily on price and speed — promising a “passing” SOC 2 audit in days at costs that would have seemed impossible a few years ago. The automation is real, and when done right it does reduce burden and accelerate the compliance process. But the audit at the end of that process still has to mean something.
The risk isn’t that every cheap SOC 2 is fraudulent. It’s that a report produced with minimal auditor engagement and templated risk assessments may provide far less assurance than it appears. Not fabricated, perhaps, but not meaningfully tested either: the scope, the controls and the automation itself were never validated. That distinction matters less than it sounds when an enterprise security team starts asking hard questions, or when a breach occurs and the report is scrutinized.
The Delve case is extreme. The underlying dynamic — companies using platforms to prioritize speed and margin over audit quality, with auditors who follow rather than lead — is not.
The One Question to Ask the Auditor
Whether you’re using a compliance platform or relying on a third party that uses an audit firm you don’t know, there is one question that will tell you quickly whether your auditor is engaged or just signing a report in an engagement where automation did most of the work:
“How was the automation validated to rely on the outcomes?”
If the auditor can answer this clearly and specifically, you’re likely in good hands. If they deflect, hand it back to the platform company, or their answers are too general — that’s a signal worth taking seriously.
A quality audit firm should be able to explain how they verified that automated evidence collection was complete, accurate, and timely. I wrote another blog post that breaks down exactly what this looks like in practice in Assessing the Real Power of Automated Controls — covering the key dimensions any credible auditor should be able to speak to before relying on automation: completeness (did the automation cover all relevant systems?), accuracy (do the rules actually map to the compliance requirements?), timeliness (is the data fresh enough to rely on?), and exception handling (what happens when something fails?).
You don’t need to recognize the CPA firm’s name to ask this question. Smaller or newer firms aren’t automatically suspect — but any credible auditor, regardless of size, should be able to defend their methodology and address their testing strategy. If the compliance platform company is the one answering for the auditor, that’s worth noting.
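The four dimensions above can be turned into concrete checks against whatever the platform exports. The script below is an added illustration written for this post; it is not code from Delve, from any compliance platform, or from the post linked above. The evidence record layout, the system inventory, the control identifiers, the rule-to-control mapping, the 30-day freshness threshold and the sample records are all constructed for the example, and an auditor would substitute the real inventory and the real mapping of automated rules to control requirements.

```python
"""Validate automated compliance evidence along the four dimensions an
auditor should be able to defend: completeness, accuracy, timeliness and
exception handling.  Added example; all identifiers and data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Evidence:
    system: str                  # asset the evidence was pulled from
    control: str                 # control the platform says this satisfies
    rule: str                    # automated rule that produced the evidence
    collected_at: datetime       # when the platform actually gathered it
    passed: bool                 # outcome of the automated check
    exception_ticket: Optional[str] = None   # follow-up recorded on failure


# Constructed inputs.  The inventory comes from outside the platform (asset
# register, cloud account listing) so the check is independent of the tool
# whose coverage is being validated.
INVENTORY: Set[str] = {"prod-api", "prod-db", "ci-runner", "bastion"}

# Constructed control -> rules that genuinely test that control.  A rule that
# produces evidence under a control it does not test is an accuracy finding.
CONTROL_RULES: Dict[str, Set[str]] = {
    "ACCESS-01": {"mfa-enforced", "sso-required"},
    "LOGGING-01": {"audit-log-enabled", "alerting-configured"},
}

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Constructed evidence export, each record seeded with one kind of gap.
EVIDENCE: List[Evidence] = [
    Evidence("prod-api", "ACCESS-01", "mfa-enforced", NOW - timedelta(days=2), True),
    Evidence("prod-db", "ACCESS-01", "mfa-enforced", NOW - timedelta(days=45), True),
    Evidence("ci-runner", "LOGGING-01", "audit-log-enabled", NOW - timedelta(days=1), False),
    Evidence("prod-api", "LOGGING-01", "backup-tested", NOW - timedelta(days=1), True),
]


def completeness(evidence: List[Evidence], inventory: Set[str]) -> List[str]:
    """Systems in the independent inventory for which no evidence exists at all."""
    covered = {e.system for e in evidence}
    return sorted(inventory - covered)


def accuracy(evidence: List[Evidence], control_rules: Dict[str, Set[str]]) -> List[Evidence]:
    """Evidence whose rule is not one that actually tests the claimed control."""
    return [e for e in evidence if e.rule not in control_rules.get(e.control, set())]


def timeliness(evidence: List[Evidence], now: datetime, max_age: timedelta) -> List[Evidence]:
    """Evidence older than the freshness window the auditor is willing to rely on."""
    return [e for e in evidence if now - e.collected_at > max_age]


def exception_handling(evidence: List[Evidence]) -> List[Evidence]:
    """Failed checks with no recorded follow-up: the automation noticed, nobody acted."""
    return [e for e in evidence if not e.passed and e.exception_ticket is None]


def validate(evidence: List[Evidence], inventory: Set[str],
             control_rules: Dict[str, Set[str]], now: datetime,
             max_age: timedelta = timedelta(days=30)) -> Dict[str, list]:
    """Run all four checks and return the findings as plain tuples."""
    return {
        "uncovered_systems": completeness(evidence, inventory),
        "mismapped": [(e.system, e.rule, e.control) for e in accuracy(evidence, control_rules)],
        "stale": [(e.system, e.rule) for e in timeliness(evidence, now, max_age)],
        "unhandled_failures": [(e.system, e.rule) for e in exception_handling(evidence)],
    }


if __name__ == "__main__":
    for dimension, findings in validate(EVIDENCE, INVENTORY, CONTROL_RULES, NOW).items():
        print(f"{dimension}: {findings or 'no findings'}")
```

Each finding corresponds to a question the auditor should have asked: an uncovered system means the scope was never reconciled against an independent inventory, a mismapped rule means evidence was accepted on the platform’s say-so rather than on what the rule tests, stale evidence means the report describes a past state, and an unhandled failure means the “continuous monitoring” produced an alert that nobody followed up. A report with none of these checks behind it is the templated kind the post warns about.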
What Good Actually Looks Like
Efficient and effective are not opposites. A well-run SOC 2 engagement today should use automation, AI and other tools to reduce friction — pulling evidence from cloud infrastructure, monitoring configurations continuously, streamlining documentation and managing requirements. The difference between compliance automation and the shortcut version is whether it’s being used to collect and structure real evidence that can be validated efficiently, or to manufacture the appearance of it.
A reputable auditor independently designs test procedures, pushes back when something doesn’t add up, notes exceptions, and produces a report reflecting their own professional judgment. That may cost a little more than a rubber stamp but it’s also the only version that holds up when someone actually asks questions.
The Delve story is a cautionary extreme. But the question it should leave every compliance buyer asking — who is actually behind this report, and what did they really test? — is one worth asking regardless of which platform or auditor you’re using.