In this episode of the Distilled Security Podcast, we break down the Delve scandal—flawed SOC 2 reports, copy-pasted content, and oversight failures that expose deeper issues in compliance-as-a-service. Joined by Matthew J. Schiavone, we examine auditor accountability, quality review gaps, and key differences between SOC 2 and ISO 27001.

We also cover what companies should demand from auditors, the role of automation, and whether this scandal will drive real change in the industry.

 Topics Covered

• The Delve scandal—leaked reports, copy-pasted audits & pervasive deficiencies
• The AICPA peer review process & AC Corp's adverse findings
• SOC 2 vs ISO 27001—oversight models, witness audits & accreditation
• The incentive structure driving compliance to the bottom
• Compliance automation — what works, what doesn't & AI's real role
• What to ask your auditor before signing anything
• Trust centers — done right vs. compliance theater
• Is SOC 2 dead? What needs to change & who has to change it

Hosts

• Justin Leapline – @justinleapline
• Joe Wynn – @wynnjoe
• Rick Yocum – @rickyocum

Hosts

• Matthew J. Schiavone - (Sikich) 

Connect with Us

• Website: distilledsecuritypodcast.com
• X:  @DisSecPod
• Email: hello@distilledsecuritypodcast.com