Trust in a world where abuse seems to reign

Four years ago, I wrote an article on how to trust an auditor’s report. I asked: how do you assess an auditor’s independence, competence, and rigour? The problem was already real. In 2026, it has become industrialized.

What happened

In March 2026, an anonymous whistleblower published a devastating analysis of Delve, a Y Combinator–backed startup that had raised $32 million.

The situation is horrible: 493 out of 494 SOC 2 reports contain identical text, the same grammatical errors, and the same copy-pasted descriptions. Only the company name and logo change. The audit conclusions were drafted before clients had even submitted their information. All 259 SOC 2 Type II reports claim zero security incidents, without exception, for every client, across the entire observation period.

Y Combinator has since asked Delve to leave its program. The AICPA has confirmed it is investigating. The auditors presented as “American CPA firms” were actually operating from India via virtual office addresses.

This is not an isolated case. In May 2024, the SEC charged BF Borgers CPA PC and its owner Benjamin Borgers with deliberate, systematic failures across more than 1,500 SEC filings between January 2021 and June 2023.

The SEC called it a “sham audit mill.” The charges are precise: fabrication of audit documentation, false statements to clients about PCAOB standards compliance, fraudulent reports in more than 500 public company filings. Penalty: $12 million for the firm, $2 million personally for Borgers, permanent suspension. BF Borgers counted Trump Media & Technology Group among its clients.

This case differs from Delve: we are no longer talking about startups chasing rapid growth, but an established CPA firm that methodically falsified its work for two and a half years.

Both scandals share the same logic: volume trumps rigour, and nobody checks until someone sounds the alarm.
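The template pattern behind the Delve findings (hundreds of reports identical except for the client name, all claiming zero incidents) is detectable when you hold several reports from the same auditor. The following Python script is an added example, not part of the original article or the whistleblower's analysis: it strips the client name, compares reports by word-shingle Jaccard similarity, and measures the share that claim zero incidents. The report excerpts are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample excerpts (not real reports): three share a template,
# including the same grammatical slip, and one was written independently.
SAMPLE_REPORTS = {
    "Acme Corp": "Acme Corp has implemented access controls that is reviewed quarterly. "
                 "Acme Corp reported zero security incidents during the observation period.",
    "Globex Inc": "Globex Inc has implemented access controls that is reviewed quarterly. "
                  "Globex Inc reported zero security incidents during the observation period.",
    "Initech": "Initech has implemented access controls that is reviewed quarterly. "
               "Initech reported zero security incidents during the observation period.",
    "Umbrella Ltd": "Umbrella Ltd restricts production access via SSO groups; two exceptions "
                    "were noted where offboarding exceeded the 24-hour SLA. One phishing "
                    "incident was logged in March and contained.",
}

def normalize(text, client):
    # Replace the client name with a placeholder so a shared template collapses to one text
    text = re.sub(re.escape(client), "<CLIENT>", text, flags=re.IGNORECASE)
    return re.findall(r"[a-z<>]+", text.lower())

def shingles(tokens, k=3):
    # Overlapping k-word windows; identical text gives identical shingle sets
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def find_template_pairs(reports, threshold=0.9):
    """Return client pairs whose reports are near-identical once the client name is removed."""
    sh = {c: shingles(normalize(t, c)) for c, t in reports.items()}
    return [(a, b) for a, b in combinations(sh, 2) if jaccard(sh[a], sh[b]) >= threshold]

def zero_incident_share(reports):
    """Fraction of reports asserting zero incidents; close to 1.0 across a portfolio is a red flag."""
    hits = [bool(re.search(r"\bzero\s+(security\s+)?incidents?\b", t, re.I)) for t in reports.values()]
    return sum(hits) / len(hits)

def portfolio_signals(reports, threshold=0.9):
    # Summary a reviewer can compare against the 493/494 and 259/259 figures from the Delve case
    pairs = find_template_pairs(reports, threshold)
    templated = {c for pair in pairs for c in pair}
    return {"templated_share": len(templated) / len(reports),
            "zero_incident_share": zero_incident_share(reports)}

if __name__ == "__main__":
    print(find_template_pairs(SAMPLE_REPORTS))
    print(portfolio_signals(SAMPLE_REPORTS))
```

Word shingles of length 3 are enough to separate a reused template from independently written reports; for real PDFs, extract the text first and also strip logos and dates before comparing.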

What it reveals

When the demand is “SOC 2 in a few weeks for as cheap as possible,” someone will always step up to deliver. The problem is not the standard itself; it is the commercial pressure that turns an instrument of trust into a badge to buy.

SOC 2 and ISO 27001 are delegations of trust. Your client trusts you because a qualified third party has verified your controls on their behalf. When that third party fabricates its conclusions, the entire chain is compromised. And clients who used those reports to demonstrate due diligence face real consequences.

In Quebec, Bill 25 requires organizations to seriously assess their suppliers’ personal information protection practices. A fabricated SOC 2 report does not constitute a serious assessment. If an incident occurs and the Commission d’accès à l’information (CAI) determines that your due diligence rested on a worthless document, you are responsible — not your supplier.

What actually increases trust

A SOC 2 Type II report covering 6 to 12 months is more solid than a Type I. The auditor must be enrolled in the AICPA peer review program, with no business relationship to the GRC platform used by the client. See: https://peerreview.aicpa.org/

A report with well-documented exceptions is often more credible than a perfect report on every point. An auditor who has actually tested controls will find some.

The Canadian problem

SOC 2 is an American framework (AICPA). A Canadian CPA firm performing SOC 2 audits should theoretically follow AICPA standards and enroll in the Peer Review Program, but nothing obliges a Canadian firm to do so. That is the blind spot: a Quebec firm that is a CPA Canada member can offer “SOC 2 audits” without ever being reviewed under AICPA standards.

For ISO 27001

Verification is simple: the certificate must be searchable in the IAF CertSearch database (iafcertsearch.org). The certification body must be accredited by an IAF MLA member. And the certification scope must actually cover what matters to you.

What should put you on guard

Beware of the report with no exceptions at all.

Beware of the firm you cannot verify physically.

Beware of the certification obtained in a few days.

Beware of the ISO logo displayed everywhere on a website, when ISO does not certify anyone directly.

The right question is not “does this supplier have a SOC 2?” The right question is “does this supplier actually do what its SOC 2 claims?”

These two questions do not always have the same answer.

The AICPA has responded with new requirements (SSAE 23) and an annual questionnaire for enrolled firms. That is good. It is not enough as long as the market keeps rewarding speed over rigour.

In 2022, I suggested validating the auditor’s independence and evaluating their report. Today, that is no longer a best practice. It is an obligation.
