Episode 23: Nobody read the report
In this episode of the Distilled Security Podcast, we break down the Delve scandal—flawed SOC 2 reports, copy-pasted content, and oversight failures that expose deeper issues in compliance-as-a-service. Joined by Matthew J. Schiavone, we examine auditor accountability, quality review gaps, and key differences between SOC 2 and ISO 27001.
We also cover what companies should demand from auditors, the role of automation, and whether this scandal will drive real change in the industry.
Topics Covered
- The Delve scandal—leaked reports, copy-pasted audits & pervasive deficiencies
- The AICPA peer review process & AC Corp's adverse findings
- SOC 2 vs ISO 27001—oversight models, witness audits & accreditation
- The incentive structure driving compliance to the bottom
- Compliance automation — what works, what doesn't & AI's real role
- What to ask your auditor before signing anything
- Trust centers — done right vs. compliance theater
- Is SOC 2 dead? What needs to change & who has to change it
Hosts
- Justin Leapline – @justinleapline
- Joe Wynn – @wynnjoe
- Rick Yocum – @rickyocum
Guest
- Matthew J. Schiavone – Sikich
Connect with Us
- Website: distilledsecuritypodcast.com
- X: @DisSecPod
- Email: hello@distilledsecuritypodcast.com
Creators and Guests
Guest
Matthew J. Schiavone
I’m a Third-Party Assurance Leader with a focus on SOC 2, ISO 27001, and CMMC. I enjoy helping organizations navigate complex compliance landscapes by building scalable, practical programs that not only meet requirements but also support broader business goals.
