The Vendor Vetting Playbook: How to Tell If Your Compliance Is Real

by SecureSlate Team in SOC 2


After the Delve leak exposed 533 template-based audit reports, every security team needs to re-examine how they vet vendors. This is the guide we wish existed before.

When hundreds of supposedly independent SOC 2 reports turn out to be nearly identical templates, it raises a disturbing question: how many of your vendor's certifications are actually worth the paper they're printed on? The Delve leak wasn't just a scandal — it was a wake-up call for anyone responsible for third-party risk management.

Whether you're a CISO evaluating new vendors or a compliance leader responsible for your organization's security posture, knowing how to distinguish real compliance from cookie-cutter checkbox exercises is now an essential skill. Our SOC 2 compliance services can help ensure your certifications stand up to scrutiny.


Before You Sign: 5 Questions Every Buyer Should Ask

Before you engage any compliance vendor or auditor, these are the questions that will reveal whether you're dealing with a legitimate operation or a template factory.

1. Who is the audit firm? Can you verify them?

Every legitimate CPA firm conducting SOC 2 audits should be findable in the AICPA peer review database. If the firm doesn't appear in public registries, that's not a minor gap — it's a disqualifying factor. Cross-reference the firm name against PCAOB registrations, state CPA boards, and the AICPA Peer Review Program.

Search the AICPA Peer Review portal at pfrportal.aicpa.org before engaging any audit firm.

2. How long does the audit process take?

A real SOC 2 Type 2 audit covers a minimum observation period of 6 months. If a vendor promises you a completed Type 2 report in 4-6 weeks, the math doesn't work. Type 1 reports can be faster since they test at a point in time, but even these require meaningful on-site or remote assessment work — not just a questionnaire.

Expect 3-6 months for Type 1, 6-12 months for Type 2. Anything faster deserves scrutiny.

3. Will the auditor examine your actual systems?

Legitimate auditors need to observe your controls in operation. This means examining your infrastructure, reviewing configurations, testing access controls, and interviewing personnel. If the entire audit can be completed via a web form or a single Zoom call, the controls aren't being tested — they're being approved without independent verification.

Ask for a detailed audit plan with specific dates for control testing and evidence collection.

4. What happens when they find issues?

Every real audit finds issues. Zero exceptions across all control areas is not a sign of excellence — it's a sign of template reuse. Legitimate auditors document exceptions, management responses, and remediation timelines. The presence of findings actually increases report credibility.

Ask for a sample report showing how exceptions and management responses are documented.

5. Can you speak directly to the auditor?

In a legitimate engagement, the audit firm is independent. You should be able to contact the signing partner or engagement manager directly. If the vendor insists on mediating all communication with the auditor, or if the "auditor" only communicates through the vendor's sales team, the independence required by AICPA standards is likely compromised. This is why our vendor risk management approach emphasizes direct verification with auditors.

Request the engagement partner's direct contact information before signing any contract.


Red Flags in SOC 2 Reports: 6 Warning Signs

These are the exact patterns forensic analysts found across the 533 leaked Delve reports. If you spot any of these in a vendor's report, investigate further. Two or more means you should immediately seek an independent re-audit from a verified firm.

Critical: Identical boilerplate across sections

System descriptions, control narratives, and test procedures that use the same generic language regardless of what the company actually does. Delve reports used 99.8% identical text across 533 different companies. If the system description could apply to any tech company, it was probably copied from a template.

High: Zero exceptions in any control test

No audit is perfect. When every single control test passes with no exceptions, no deviations, and no observations across the entire report, it suggests controls weren't actually tested. Real audits find things. A perfect report is suspicious, not impressive.

High: Marketing language instead of technical descriptions

System descriptions should read like architecture documentation, not a sales brochure. Phrases like "industry-leading security" or "best-in-class controls" have no place in an audit report. Look for specific technologies, configurations, and procedures.

Medium: Same page numbering across different reports

Reports for different companies that share the same table of contents structure and identical page numbers are a clear sign of template reuse. Legitimate reports vary in length with the complexity of the organization's systems and controls.

Medium: "Unable to test" without explanation

When an auditor notes they were "unable to test" a control but provides no explanation for why, and no alternative procedures were performed, it suggests the control was simply skipped rather than genuinely inaccessible.

Critical: Auditor not in AICPA/PCAOB databases

If you cannot find the audit firm in the AICPA Peer Review database or PCAOB registration, the firm may not have the qualifications to issue SOC 2 reports. This was a key indicator with Delve-associated firms like Accorp Partners.
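The first and third red flags above (near-identical boilerplate across companies, and marketing language in place of technical description) can be screened for mechanically before a human reviewer spends time on a report. The script below is an added example, not a tool from the original article or from SecureSlate: it compares system-description excerpts with word-shingle Jaccard similarity and scans for the marketing phrases the article names. The three excerpts, the 0.75 threshold, and the phrase list are constructed assumptions for illustration.

```python
import re
from itertools import combinations

# Constructed sample "system description" excerpts (not from any real report).
# The first two differ only in the company name; the third is genuinely specific.
SAMPLE_DESCRIPTIONS = {
    "Acme Corp": (
        "Acme Corp hosts the platform with a leading cloud provider and applies "
        "industry-leading security controls to protect customer data"
    ),
    "Globex Inc": (
        "Globex Inc hosts the platform with a leading cloud provider and applies "
        "industry-leading security controls to protect customer data"
    ),
    "Initech": (
        "The service runs on AWS us-east-1 using EKS clusters with pod-level "
        "network policies; authentication uses Okta SSO with FIDO2 MFA for "
        "administrative access"
    ),
}

# Phrases that belong in a brochure, not an audit report (assumed list; extend as needed).
MARKETING_PHRASES = ("industry-leading", "best-in-class", "world-class", "state-of-the-art")


def tokenize(text):
    """Lower-case word tokens; hyphens and punctuation split words."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=3):
    """Set of k-word shingles, the unit of comparison for near-duplicate detection."""
    toks = tokenize(text)
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def similarity(a, b, k=3):
    """Jaccard similarity of the two texts' shingle sets (1.0 = identical wording)."""
    sa, sb = shingles(a, k), shingles(b, k)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def flag_template_reuse(descriptions, threshold=0.75, k=3):
    """Return (name_a, name_b, score) for every pair of reports at or above threshold.

    Descriptions from unrelated companies should score near 0; a shared template
    scores high even when company names and a few words were swapped.
    """
    flagged = []
    for (name_a, text_a), (name_b, text_b) in combinations(descriptions.items(), 2):
        score = similarity(text_a, text_b, k)
        if score >= threshold:
            flagged.append((name_a, name_b, round(score, 3)))
    return flagged


def marketing_language(text):
    """List the marketing phrases present in a system description."""
    low = text.lower()
    return [phrase for phrase in MARKETING_PHRASES if phrase in low]


if __name__ == "__main__":
    for name_a, name_b, score in flag_template_reuse(SAMPLE_DESCRIPTIONS):
        print(f"CRITICAL: {name_a} and {name_b} share boilerplate (similarity {score})")
    for name, text in SAMPLE_DESCRIPTIONS.items():
        found = marketing_language(text)
        if found:
            print(f"HIGH: {name} uses marketing language: {', '.join(found)}")
```

Run it over the system-description section of each report in your vendor inventory rather than on whole PDFs; the table of contents and standard AICPA trust-criteria wording are legitimately shared across reports and would otherwise inflate every score. A pair that scores high here is a prompt to request the engagement partner's contact details and an explanation, not proof of fraud on its own.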


What Real Compliance Looks Like

Understanding what separates genuine audits from template factories will help you evaluate both your vendors and your own compliance program.

Specific findings with remediation timelines

Legitimate auditors document exactly what they found, when the issue was identified, what the management response was, and the expected remediation date. Specificity is a hallmark of genuine work.

Example from a real report: "During testing, we identified that 3 of 25 sampled access reviews were completed 12 days past the quarterly deadline. Management has committed to implementing automated reminders by Q3 2025."

Unique test procedures per control

Each control objective should have a test procedure tailored to how that specific company implements the control. Cookie-cutter test procedures across unrelated controls indicate template reuse.

Example from a real report: "We selected a sample of 15 change requests from the Jira backlog, verified each had peer review approval in GitHub, and confirmed deployment logs matched the approved changes."

Technical system descriptions

The system description section should read like architecture documentation: specific cloud providers, regions, database technologies, network configurations, and authentication mechanisms.

Example from a real report: "The system operates on AWS us-east-1 and us-west-2 using EKS clusters with pod-level network policies. Authentication is handled via Okta SSO with FIDO2 MFA enforced for all administrative access."

Evidence of actual control testing

Look for specific sample sizes, date ranges, population descriptions, and testing methodologies. The auditor should describe how they selected samples, what they inspected, and what they concluded from each test.

Example from a real report: "We selected a random sample of 25 terminated employees from a population of 47 terminations during the audit period and verified that access was revoked within 24 hours for 23 of 25 (92%)."
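The evidence statements quoted above are specific because they carry a sample size, a population, and a result that can be checked. The following added example (not from the article or from SecureSlate) applies that test to control-testing statements: it extracts the sample size, population and stated percentage, recomputes the percentage, and flags statements that claim "no exceptions" without any quantified testing behind them. The four statements are constructed in the style of the examples above; the fourth deliberately contains a percentage that does not match its own numbers.

```python
import re

# Constructed control-test evidence statements (not quoted from any real report).
SAMPLE_EVIDENCE = [
    "We selected a random sample of 25 terminated employees from a population of 47 "
    "terminations during the audit period and verified that access was revoked "
    "within 24 hours for 23 of 25 (92%).",
    "During testing, we identified that 3 of 25 sampled access reviews were completed "
    "12 days past the quarterly deadline.",
    "Controls were tested and found to be operating effectively with no exceptions noted.",
    "Approval was present for 18 of 20 (95%) sampled change requests.",
]

SAMPLE_RE = re.compile(r"sample of (\d+)", re.I)
POP_RE = re.compile(r"population of (\d+)", re.I)
RATIO_RE = re.compile(r"(\d+) of (\d+)(?: \((\d+)%\))?")
NO_EXC_RE = re.compile(r"no exceptions", re.I)


def assess_evidence(statement):
    """Describe how specific a control-test statement is and list any inconsistencies."""
    sample = SAMPLE_RE.search(statement)
    pop = POP_RE.search(statement)
    ratio = RATIO_RE.search(statement)
    result = {
        "sample_size": int(sample.group(1)) if sample else None,
        "population": int(pop.group(1)) if pop else None,
        "claims_no_exceptions": bool(NO_EXC_RE.search(statement)),
        "issues": [],
    }
    if ratio:
        num, den = int(ratio.group(1)), int(ratio.group(2))
        # "X of Y" gives the sample size when no explicit "sample of N" was stated.
        if result["sample_size"] is None:
            result["sample_size"] = den
        # Recompute a stated percentage from the raw counts.
        if ratio.group(3) is not None:
            stated = int(ratio.group(3))
            actual = round(100 * num / den)
            if stated != actual:
                result["issues"].append(f"stated {stated}% but {num}/{den} is {actual}%")
    if result["sample_size"] is None:
        result["issues"].append("no sample size stated")
    if (result["population"] is not None and result["sample_size"] is not None
            and result["sample_size"] > result["population"]):
        result["issues"].append("sample larger than population")
    if result["claims_no_exceptions"] and result["sample_size"] is None:
        result["issues"].append("'no exceptions' claimed without any quantified testing")
    return result


def report_wide_flags(statements):
    """Summarise a whole report: does every test claim a clean result, and how many
    statements give no sample size at all? Both patterns point to template reuse."""
    assessed = [assess_evidence(s) for s in statements]
    return {
        "all_clean": all(a["claims_no_exceptions"] for a in assessed),
        "unquantified": sum(1 for a in assessed if a["sample_size"] is None),
    }


if __name__ == "__main__":
    for statement in SAMPLE_EVIDENCE:
        info = assess_evidence(statement)
        status = "OK" if not info["issues"] else "; ".join(info["issues"])
        print(f"sample={info['sample_size']} population={info['population']}: {status}")
    print(report_wide_flags(SAMPLE_EVIDENCE))
```

The regular expressions are intentionally narrow: they only recognise the phrasing patterns shown in the examples above, so a statement that is specific but worded differently will be reported as unquantified and should be read by a person. The point of the check is to separate statements that can be verified from ones that only assert a conclusion.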


If You've Been Affected: A 5-Step Action Plan

Concrete steps to assess exposure and rebuild trust with your stakeholders.

1. Identify which vendor reports may be affected

Gather all SOC 2 and ISO 27001 reports from your vendors. Cross-reference the audit firm against known problematic entities. Use report scanning tools to check if any of your vendors appear in the leak.

2. Request an independent audit from a verified firm

For any vendor whose report is flagged, request they undergo a fresh audit from an AICPA-registered firm. Provide them with a list of pre-approved audit firms (Big 4, or recognized mid-tier firms like Schellman, A-LIGN, or Coalfire). Set a clear deadline for the new report. Our third-party risk assessment services can help you evaluate vendor certifications.

3. Review your own vendor risk management process

The Delve situation exposed gaps in how organizations validate third-party audit reports. Update your vendor management policy to include audit firm verification as a mandatory step. Add AICPA/PCAOB database checks to your onboarding checklist. See our compliance resources for vendor assessment templates.

4. Document the gap for your board and compliance team

Prepare a brief for your board, CISO, or compliance committee. Document which vendors are affected, the potential risk exposure, and your remediation timeline. Transparency here protects the organization and demonstrates good governance.

5. Consider switching to a vetted alternative

If your current compliance vendor was involved in questionable practices, it may be time to switch. Evaluate platforms that use established, independently verifiable audit firms and provide genuine evidence-based compliance.


Putting It All Together

The Delve leak was a reminder that the compliance industry, like any other, has bad actors. But it also reinforced a fundamental truth: real security and compliance are specific, rigorous, and independently verified.

When vetting vendors, trust but verify. Ask the hard questions. Demand specific evidence. And when something feels off, investigate further. Your organization's security posture is only as strong as the weakest link in your vendor ecosystem.

The vendors who emerge from this situation with clean, verifiable certifications will be the ones who were doing compliance the right way all along — and they'll be the partners worth having.

Need compliance without the complexity?

SecureSlate automates ISO 27001, SOC 2, GDPR, HIPAA, and more. Built for growing teams. See it in action.


