What Increases and Decreases Trust in SOC 2 and ISO 27001
Four years ago, I wrote an article on how to trust an auditor’s report. I asked: how do you assess the auditor’s independence, competence, and rigour? The problem was already real. In 2026, it has been industrialized.
What Happened
In March 2026, an anonymous whistleblower published a devastating analysis of Delve, a Y Combinator-funded startup that raised $32 million. The dossier is damning: 493 of 494 SOC 2 reports contain identical text, the same grammatical errors, and the same copy-pasted descriptions. Only the company name and logo change. Audit conclusions were written before clients even submitted their information. All 259 SOC 2 Type II reports claim zero security incidents — without exception — for all clients, across the entire observation period.
Y Combinator has since asked Delve to leave its program. The AICPA confirmed it is investigating. Auditors presented as “U.S. CPA firms” were actually operating from India via virtual office addresses.
This is not an isolated case. In May 2024, the SEC charged BF Borgers CPA PC and its owner Benjamin Borgers with deliberate, systematic failures in more than 1,500 SEC filings between January 2021 and June 2023. The SEC called it a “sham audit mill.” The charges are precise: fabrication of audit documentation, false statements to clients about PCAOB compliance, false reports in more than 500 public company filings. Penalty: $12 million for the firm, $2 million personally for Borgers, permanent suspension. BF Borgers counted Trump Media & Technology Group among its clients.
The BF Borgers case is different from Delve: this is not a startup chasing rapid growth but an established CPA firm that methodically falsified its work for two and a half years. Both scandals share the same logic: volume over rigour, and nobody verifies until someone sounds the alarm.
What It Reveals
The market created this. When demand is “SOC 2 in a few weeks for as cheap as possible,” someone will always answer. The problem isn’t the standard itself — it’s commercial pressure that turns an instrument of trust into a badge to buy.
SOC 2 and ISO 27001 are delegations of trust. Your client trusts you because a qualified third party verified your controls on their behalf. When that third party fabricates its conclusions, the entire chain is compromised. And clients who used those reports to demonstrate due diligence face real consequences. In Quebec, Bill 25 requires organizations to seriously assess their vendors’ personal information protection practices. A fabricated SOC 2 report does not constitute a serious assessment. If an incident occurs and the Commission d’accès à l’information (CAI) determines your diligence rested on a worthless document, you are responsible — not your vendor.
What Actually Increases Trust
A SOC 2 Type II report covering 6 to 12 months is significantly more solid than a Type I. The auditor must be enrolled in the AICPA peer review program and have no business relationship with the client’s GRC platform. A report with well-documented exceptions is often more credible than a report that is perfect on every point: an auditor who actually tested the controls will find some.
For ISO 27001, verification is simple: the certificate must be searchable in the IAF CertSearch database (iafcertsearch.org). The certification body must be accredited by an IAF MLA member. And the certification scope must actually cover what matters to you.
What Should Put You on Guard
Beware of a report with no exceptions. Beware of a firm you can’t physically verify. Beware of certification obtained in a few days. Beware of the ISO logo displayed everywhere on a site, when ISO doesn’t certify anyone directly.
The right question isn’t “does this vendor have a SOC 2?” The right question is “does this vendor actually do what their SOC 2 claims?”
These two questions don’t always have the same answer.
The AICPA responded with new requirements (SSAE 23) and an annual questionnaire for enrolled firms. That’s good. It’s not enough as long as the market keeps rewarding speed over rigour.
In 2022, I suggested validating the auditor’s independence and evaluating their report. Today, that’s no longer a best practice. It’s an obligation.
👉 Does your organization systematically verify your vendors’ auditors? I’m curious how you approach this question.