The Vendor Vetting Playbook
How to Tell If Your Compliance Is Real
After the Delve leak exposed 533 fabricated audit reports, every security team needs to re-examine how they vet vendors. This is the guide we wish existed before.
Before You Sign
5 questions every buyer should ask before purchasing compliance services
Who is the audit firm? Can you verify them?
SOC 2 reports are issued under AICPA attestation standards, so the signing firm must be a licensed CPA firm, and CPA firms that perform attestation work must be enrolled in a peer review program. If the firm cannot be found in the AICPA Peer Review public file or on the state board of accountancy that licenses it, that's not a minor gap -- it's a disqualifying factor. PCAOB registration is a separate requirement that applies only to auditors of SEC-registered companies: its absence is not disqualifying, but its presence is corroborating. Cross-reference the firm name against the state CPA board, the AICPA Peer Review Program and, where applicable, PCAOB registrations.
Search the AICPA Peer Review portal at pfrportal.aicpa.org before engaging any audit firm.
How long does the audit process take?
A real SOC 2 Type 2 report covers a review period during which the auditor tests that controls operated. AICPA guidance sets no fixed minimum, but a period shorter than three months is unusual and six to twelve months is typical. If a vendor promises you a completed Type 2 report in 4-6 weeks, the math doesn't work: the review period has to elapse before fieldwork can conclude. Type 1 reports can be faster since they test design and implementation at a point in time, but even these require meaningful on-site or remote evidence collection and walkthroughs -- not just a questionnaire.
Expect 3-6 months from kickoff to a Type 1 report if you are starting from scratch, and a 6-12 month review period plus fieldwork and report drafting for a Type 2. Anything faster deserves scrutiny.
Will the auditor examine your actual systems?
Legitimate auditors need to observe your controls in operation. This means examining your infrastructure, reviewing configurations, testing access controls, and interviewing personnel. If the entire audit can be completed via a web form or a single Zoom call, the controls aren't being tested -- they're being rubber-stamped.
Ask for a detailed audit plan with specific dates for control testing and evidence collection.
What happens when they find issues?
Almost every real audit of a non-trivial scope finds something. Zero exceptions across all control areas is not a sign of excellence -- it's a warning sign that the controls may never have been tested. Legitimate auditors document exceptions, management responses, and remediation timelines. The presence of findings actually increases report credibility.
Ask for a sample report showing how exceptions and management responses are documented.
Can you speak directly to the auditor?
In a legitimate engagement, the audit firm is independent. You should be able to contact the signing partner or engagement manager directly. If the vendor insists on mediating all communication with the auditor, or if the 'auditor' only communicates through the vendor's sales team, the independence required by AICPA standards is likely compromised.
Request the engagement partner's direct contact information before signing any contract.
Red Flags in SOC 2 Reports
These are the exact patterns forensic analysts found across the 533 leaked Delve reports
Identical boilerplate across sections
System descriptions, control narratives, and test procedures use the same generic language regardless of what the company actually does. The leaked Delve reports used 99.8% identical text across 533 different companies.
Zero exceptions in any control test
No audit is perfect. When every single control test passes with no exceptions, no deviations, and no observations across the entire report, treat it as a strong indicator that controls weren't actually tested, especially when it appears alongside any other flag on this list. Real audits find things.
Marketing language instead of technical descriptions
System descriptions should read like architecture documentation, not a sales brochure. Phrases like 'industry-leading security' or 'best-in-class controls' have no place in an audit report. Look for specific technologies, configurations, and procedures.
Same page numbering across different reports
Every SOC 2 report follows the same basic section layout (independent service auditor's report, management's assertion, system description, tests of controls and results, and optional other information), so a shared table of contents alone proves nothing. The red flag is identical page counts and page numbers across different companies: the system description and test sections should vary in length with the complexity of the organization's systems and controls.
'Unable to test' without explanation
When an auditor notes they were 'unable to test' a control but provides no explanation for why, and no alternative procedures were performed, it suggests the control was simply skipped rather than genuinely inaccessible. A legitimate report states the reason (for example, no instance of the event occurred during the period) and describes the alternative procedures used, such as inspecting runbooks or prior test records.
Auditor not in AICPA/PCAOB databases
If you cannot find the audit firm in the AICPA Peer Review public file or licensed by a state board of accountancy, the firm may not be qualified to issue SOC 2 reports. PCAOB registration is corroborating when present but is only required for auditors of SEC registrants, so check it where applicable rather than treating its absence as proof. This was a key indicator with Delve-associated firms like Accorp Partners.
Finding even one of these red flags warrants investigation.
Finding two or more means you should immediately seek an independent re-audit from a verified firm. Use our report scanner to check for template fingerprints automatically.
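The text-level flags above (near-identical boilerplate across reports, marketing language, zero exceptions, unexplained 'unable to test') can be checked mechanically before a human reads the report. The Python script below is an added example written for this playbook, not the site's Report Scanner or Delve's code; it runs those four heuristics over three constructed report excerpts for hypothetical companies (AcmeCo, BetaInc, GammaLtd). The 4-word shingle size, the 0.8 overlap threshold and the marketing-phrase list are assumptions to tune against your own corpus.

```python
"""Template-fingerprint heuristics for SOC 2 report text.
Added example for this playbook (not the site's Report Scanner)."""
import re
from itertools import combinations

# Assumed phrase list; extend it from your own corpus.
MARKETING_PHRASES = (
    "industry-leading", "best-in-class", "world-class",
    "cutting-edge", "state-of-the-art", "enterprise-grade",
)

# Constructed excerpts for three hypothetical companies: two template clones
# and one report that reads like real fieldwork.
SAMPLE_REPORTS = {
    "AcmeCo": (
        "AcmeCo operates on industry-leading cloud infrastructure with "
        "best-in-class controls. Access is reviewed periodically. Change "
        "management follows documented procedures. No exceptions noted. "
        "No exceptions noted. No exceptions noted. Unable to test backup "
        "restoration."
    ),
    "BetaInc": (
        "BetaInc operates on industry-leading cloud infrastructure with "
        "best-in-class controls. Access is reviewed periodically. Change "
        "management follows documented procedures. No exceptions noted. "
        "No exceptions noted. No exceptions noted. Unable to test backup "
        "restoration."
    ),
    "GammaLtd": (
        "The system operates on AWS us-east-1 using EKS clusters with "
        "pod-level network policies. We selected 25 of 47 terminations; "
        "2 exceptions noted where access was revoked after 24 hours. "
        "Unable to test DR failover because no failover occurred in the "
        "period; alternative procedures included inspection of the failover "
        "runbook and the last tabletop exercise."
    ),
}

# "unable to test" with no reason or alternative procedure in the same sentence.
UNEXPLAINED_UNABLE = re.compile(
    r"unable to test\b(?![^.]*\b(?:because|due to|since|as no|alternative procedures?)\b)",
    re.I,
)

def tokens(text):
    """Lower-case word tokens; hyphenated terms like 'best-in-class' stay whole."""
    return re.findall(r"[a-z0-9-]+", text.lower())

def shingles(text, k=4):
    """Set of k-word shingles used for near-duplicate detection."""
    words = tokens(text)
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0

def boilerplate_overlap(reports, k=4):
    """Pairwise shingle overlap between every two reports in the corpus."""
    sh = {name: shingles(text, k) for name, text in reports.items()}
    return {(x, y): jaccard(sh[x], sh[y]) for x, y in combinations(sorted(reports), 2)}

def marketing_hits(text):
    low = text.lower()
    return [p for p in MARKETING_PHRASES if p in low]

def exception_counts(text):
    """(number of tests reported clean, number of tests reporting an exception)."""
    clean = len(re.findall(r"\bno exceptions? noted\b", text, re.I))
    found = len(re.findall(
        r"\b\d+ exceptions? noted\b|\bexceptions? (?:was|were) (?:noted|identified)\b",
        text, re.I))
    return clean, found

def unexplained_unable_to_test(text):
    return len(UNEXPLAINED_UNABLE.findall(text))

def scan_report(name, reports, k=4, overlap_threshold=0.8):
    """Return the list of red flags raised for one report against the corpus."""
    text = reports[name]
    flags = []
    mine = shingles(text, k)
    for other, other_text in reports.items():
        if other != name:
            sim = jaccard(mine, shingles(other_text, k))
            if sim >= overlap_threshold:
                flags.append(f"boilerplate: {sim:.0%} shingle overlap with {other}")
    hits = marketing_hits(text)
    if hits:
        flags.append("marketing language: " + ", ".join(hits))
    clean, found = exception_counts(text)
    if clean and not found:
        flags.append(f"zero exceptions: {clean} tests clean, none with findings")
    n = unexplained_unable_to_test(text)
    if n:
        flags.append(f"unexplained 'unable to test' x{n}")
    return flags

if __name__ == "__main__":
    for name in SAMPLE_REPORTS:
        print(name, scan_report(name, SAMPLE_REPORTS) or ["no text-level flags"])
```

Run it on the extracted text of each vendor report in your inventory, with the whole inventory passed as the corpus, so that the boilerplate check compares every report against every other rather than against a single suspect. The page-numbering flag is not covered here because it needs the PDF layout, not the text; a hash of each report's page count and section start pages serves the same purpose.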
What Real Compliance Looks Like
Markers of a genuine, rigorous audit process
Specific findings with remediation timelines
Legitimate auditors document exactly what they found, when the issue was identified, what the management response was, and the expected remediation date. Specificity is a hallmark of genuine work.
Example from a real report
"During testing, we identified that 3 of 25 sampled access reviews were completed 12 days past the quarterly deadline. Management has committed to implementing automated reminders by Q3 2025."
Unique test procedures per control
Each control objective should have a test procedure tailored to how that specific company implements the control. Cookie-cutter test procedures across unrelated controls indicate template reuse.
Example from a real report
"We selected a sample of 15 change requests from the Jira backlog, verified each had peer review approval in GitHub, and confirmed deployment logs matched the approved changes."
Technical system descriptions
The system description section should read like architecture documentation: specific cloud providers, regions, database technologies, network configurations, and authentication mechanisms.
Example from a real report
"The system operates on AWS us-east-1 and us-west-2 using EKS clusters with pod-level network policies. Authentication is handled via Okta SSO with FIDO2 MFA enforced for all administrative access."
Evidence of actual control testing
Look for specific sample sizes, date ranges, population descriptions, and testing methodologies. The auditor should describe how they selected samples, what they inspected, and what they concluded from each test.
Example from a real report
"We selected a random sample of 25 terminated employees from a population of 47 terminations during the audit period and verified that access was revoked within 24 hours for 23 of 25 (92%)."
If You've Been Affected
Concrete steps to assess exposure and rebuild trust
Identify which vendor reports may be compromised
Gather all SOC 2 and ISO 27001 reports from your vendors. Cross-reference the audit firm against known problematic entities (Accorp Partners, Gradient Certification, firms associated with UAF). Use our database search to check if any of your vendors appear in the leak.
Request an independent audit from a verified firm
For any vendor whose report is flagged, request they undergo a fresh audit from a licensed CPA firm enrolled in the AICPA Peer Review Program. Provide them with a list of pre-approved audit firms (Big 4, or recognized mid-tier firms like Schellman, A-LIGN, or Coalfire). Set a clear deadline for the new report.
Review your own vendor risk management process
The Delve situation exposed gaps in how organizations validate third-party audit reports. Update your vendor management policy to include audit firm verification as a mandatory step. Add AICPA Peer Review and state CPA board checks (and PCAOB where the firm claims it) to your onboarding checklist, and record the verification date alongside the report.
Document the gap for your board and compliance team
Prepare a brief for your board, CISO, or compliance committee. Document which vendors are affected, the potential risk exposure, and your remediation timeline. Transparency here protects the organization and demonstrates good governance.
Consider switching to a vetted alternative
If your current compliance vendor was involved in the Delve ecosystem, it may be time to switch. Evaluate platforms that use established, independently verifiable audit firms and provide genuine evidence-based compliance.
Put This Playbook Into Action
Use our free tools to verify your vendor's compliance right now.
Report Scanner
Paste your SOC 2 report text and detect template fingerprints instantly
Trust Assessment
Answer 10 questions and get a vendor trust score with risk breakdown
Quiz Game
Test if you can spot the difference between real audits and mill templates
Vetted Alternatives
Compare pre-vetted compliance platforms with verified audit partnerships