Delve Allegations Expose Weak Points in Modern Compliance
Key Points
- A whistleblower alleged compliance platform Delve generated fabricated SOC 2 and ISO 27001 compliance certifications and weakened independent audit testing.
- If certifications are flawed, liability and regulatory exposure may sit with the companies that relied on them.
- The case highlights growing risk in compliance automation where speed outpaces independent verification.
An anonymous whistleblower has accused Delve, a venture-backed compliance automation startup, of generating fabricated SOC 2 and ISO 27001 evidence and routing customers through audit firms that rubber-stamped reports. If accurate, the allegations suggest that hundreds of companies may be relying on security attestations that do not reflect real control implementation or testing.
Delve has denied the claims, saying it does not issue compliance reports and that independent auditors are responsible for final opinions. The company also disputes allegations that it supplied pre-filled evidence, describing its materials as standard templates.
The whistleblower, writing under the name “DeepDelver,” said the platform undermined the core safeguard of SOC 2: independent validation. According to the allegations, audit conclusions were generated before observation periods ended, and controls were marked effective despite missing evidence for access reviews, logging or incident response testing.
The allegations are supported by data analysis of a leaked Google spreadsheet containing hundreds of client audit reports. Textual analysis found that nearly identical boilerplate language appeared in 493 of 494 SOC 2 reports, including identical grammatical errors, and that all 259 SOC 2 Type II reports contained word-for-word identical auditor conclusions including a sentence with a missing word.
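The kind of textual analysis described above can be reproduced on any batch of reports you hold. The following is an added example, not the whistleblower's script and not anything from Delve or IANS: it indexes every sentence across a set of reports to find text shared verbatim (including a repeated dropped word), and computes word-shingle Jaccard similarity between report pairs to flag near-duplicates. The four report texts are constructed for the example; the 0.5 and 0.75 thresholds are assumptions you would tune to your own corpus.

```python
"""Flag shared boilerplate and near-duplicate text across a batch of audit reports.

Added example: the report texts below are constructed, not real reports, and the
heuristics illustrate the kind of textual analysis described in the article; they
are not the whistleblower's own method.
"""
from __future__ import annotations

import re
from collections import defaultdict
from itertools import combinations

# Constructed sample. A, B and C share an identical opinion paragraph, including
# the same dropped word ("throughout period" instead of "throughout the period").
# D was written independently and only shares generic phrasing.
SAMPLE_REPORTS = {
    "A": ("In our opinion the controls were suitably designed. "
          "The controls operated effectively throughout period. "
          "We performed the procedures we considered necessary. "
          "Acme Corp hosts its service in AWS us-east-1."),
    "B": ("In our opinion the controls were suitably designed. "
          "The controls operated effectively throughout period. "
          "We performed the procedures we considered necessary. "
          "Beta Labs hosts its service in GCP europe-west1."),
    "C": ("In our opinion the controls were suitably designed. "
          "The controls operated effectively throughout period. "
          "We performed the procedures we considered necessary. "
          "Gamma Health hosts its service in Azure eastus."),
    "D": ("We examined the description of the system and the suitability "
          "of the control design. Based on the tests performed, the controls "
          "operated effectively throughout the period from 1 January to 30 June. "
          "Delta Inc hosts its service in AWS us-west-2."),
}

_SENTENCE_SPLIT = re.compile(r"(?<=[.!?])\s+")
_TOKEN = re.compile(r"[a-z0-9][a-z0-9\-]*")


def sentences(text: str) -> list[str]:
    """Split text into sentences, normalised to lowercase, single-spaced strings."""
    return [" ".join(s.lower().split())
            for s in _SENTENCE_SPLIT.split(text.strip()) if s.strip()]


def shared_sentences(reports: dict[str, str]) -> dict[str, list[str]]:
    """Map each sentence that appears verbatim in two or more reports to the report ids."""
    index: dict[str, set[str]] = defaultdict(set)
    for rid, text in reports.items():
        for s in sentences(text):
            index[s].add(rid)
    return {s: sorted(ids) for s, ids in index.items() if len(ids) >= 2}


def boilerplate_sentences(reports: dict[str, str], min_fraction: float = 0.9) -> list[str]:
    """Sentences present in at least min_fraction of all reports (threshold is an assumption)."""
    need = min_fraction * len(reports)
    return sorted(s for s, ids in shared_sentences(reports).items() if len(ids) >= need)


def shingles(text: str, k: int = 3) -> set[tuple[str, ...]]:
    """Word k-shingles of a report; order-preserving, so light rewording still scores high."""
    toks = _TOKEN.findall(text.lower())
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity |a & b| / |a | b|, 0.0 when both sets are empty."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def near_duplicate_pairs(reports: dict[str, str], min_sim: float = 0.5,
                         k: int = 3) -> list[tuple[str, str, float]]:
    """Pairs of reports whose shingle-set Jaccard similarity is at least min_sim."""
    sh = {rid: shingles(text, k) for rid, text in reports.items()}
    out: list[tuple[str, str, float]] = []
    for x, y in combinations(sorted(sh), 2):
        sim = jaccard(sh[x], sh[y])
        if sim >= min_sim:
            out.append((x, y, round(sim, 3)))
    return out


if __name__ == "__main__":
    for s, ids in shared_sentences(SAMPLE_REPORTS).items():
        print(f"{len(ids)}/{len(SAMPLE_REPORTS)} reports share: {s!r} -> {ids}")
    print("boilerplate (>=75% of reports):", boilerplate_sentences(SAMPLE_REPORTS, 0.75))
    print("near-duplicate pairs:", near_duplicate_pairs(SAMPLE_REPORTS))
```

Shared boilerplate on its own is weak evidence, since audit firms legitimately reuse opinion wording; what makes it worth escalating is the combination the article describes: identical conclusions carrying the same typo, and conclusions that do not vary with the client's controls or observation period. Run `shared_sentences` first to see what is shared and by whom, then use the pair similarities to decide which reports deserve a line-by-line read.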
Big Picture
“Affected companies include well-known AI startups as well as NASDAQ-traded firms, some of which process the protected health information of millions of Americans. If the compliance attestations are invalid, some clients could face criminal liability under HIPAA and fines of up to 4% of global revenue under GDPR.” Summer Fowler, IANS Faculty
The allegations also highlight how security attestations are consumed by executives and boards.
“A SOC 2 Type II report was never meant to be a security guarantee. It’s an attestation that specific scoped controls operated effectively during a limited observation period. The fact that hundreds of companies apparently accepted pre-populated evidence without questioning it shows how much the market has prioritized speed over control effectiveness.” Jeff Brown, IANS Faculty
DeepDelver also alleged that most Delve customers were routed toward a small set of audit firms, raising questions about auditor independence. Delve disputed that characterization, saying customers can choose their auditors and that firms in its network are widely used.
IANS Faculty Recommendations
If you are a Delve customer
- Re-review your SOC 2 as a security artifact: Scrutinize access control, logging, incident response, and change management controls. If conclusions do not match how security actually operates, or were written before testing finished, assume the control is unproven.
- Confirm auditor independence in writing: Verify accreditation and require confirmation that auditors designed and executed their own tests. Pre-generated conclusions undermine the credibility of the entire report.
- Reduce exposure tied to security claims: Identify where SOC 2 reports or trust pages were used with customers or regulators and narrow or remove claims until validated. If you're in healthcare, check whether any HIPAA attestations relied on Delve-generated evidence.
If you are not a Delve customer
- Verify your auditor independence: Confirm that your auditor designed their own test procedures and did not receive pre-drafted conclusions from your GRC platform. Ask your platform vendor explicitly “What does your auditor access, and at what stage?”
- Spot-check your trust page and questionnaire responses against reality: Pick 5–10 controls at random and verify that the underlying evidence actually exists and is current.
- Build a brief vetting checklist into your vendor management process for any compliance platform or auditor: AICPA accreditation status, U.S. physical presence, whether the firm has any business relationship with your platform vendor, and how many clients they audit annually.
Summer Fowler, IANS Faculty
Authors & Contributors
Dan Maloof, Author - Editor in Chief, IANS News Team
Summer Fowler, IANS Faculty
Jeff Brown, IANS Faculty
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our News and blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.