
Episode 23: Nobody read the report
From Distilled Security Podcast by Justin Leapline, Joe Wynn, and Rick Yocum
April 14, 2026 · 2h 10m · Episode 23
About this episode
The episode discusses the Delve scandal and its implications for compliance-as-a-service, featuring insights on auditor accountability and the differences between SOC 2 and ISO 27001.
In this episode of the Distilled Security Podcast , we break down the Delve scandal—flawed SOC 2 reports, copy-pasted content, and oversight failures that expose deeper issues in compliance-as-a-service. Joined by Matthew J. Schiavone, we examine auditor accountability, quality review gaps, and key differences between SOC 2 and ISO 27001. We also cover what companies should demand from auditors, the role of automation, and whether this scandal will drive real change in the industry. Topics Covered The Delve scandal—leaked reports, copy-pasted audits & pervasive deficiencies The AICPA peer review process & AC Corp's adverse findings SOC 2 vs ISO 27001—oversight models, witness audits & accreditation The incentive structure driving compliance to the bottom Compliance automation — what works, what doesn't & AI's real role What to ask your auditor before signing anything Trust centers — done right vs. compliance theater Is SOC 2 dead? What needs to change & who has to change it Hosts Justin Leapline – @justinleapline Joe Wynn – @wynnjoe Rick Yocum – @rickyocum Hosts Matthew J. Schiavone - (Sikich) Connect with Us Website: distilledsecuritypodcast.com X: @DisSecPod…
People in this episode
Hosts: Justin Leapline, Joe Wynn, Rick Yocum
Guest: Matthew J. Schiavone
Topics covered
- Delve scandal
- auditor accountability
- SOC 2 vs ISO 27001
- compliance automation
- oversight failures
- copy-pasted content
- industry change
Keywords
- Delve scandal
- SOC 2
- ISO 27001
- auditor accountability
- compliance automation
- oversight failures
- copy-pasted audits
- AICPA
- AC Corp
- industry change
Mentioned in this episode
Organizations: AICPA, AC Corp, Sikich
Books & works: SOC 2, ISO 27001
More episodes of Distilled Security Podcast
- Episode 24: 2 Years, 24 Episodes & The State of Security in the Age of AI · May 14, 2026 · 1h 43m
- Episode 22: Is AI Good for Security, CIRCIA Starts the Clock, and the M&A Problem Nobody's Talking About · March 9, 2026 · 1h 56m
- Episode 21: AI Notetakers Are Illegal, GRC Tools Are Lying, and ISO 42001 Changes Everything · February 18, 2026 · 1h 51m
- Episode 20 : 2026 Kickoff: Security Resolutions, Key Deadlines, and Don’t Mislead the Feds · January 26, 2026 · 1h 20m
- Episode 19: Cloudflare Outage, AI-Powered Attacks & The Rise of GRC Engineering | Distilled Security Podcast · December 8, 2025 · 2h 12m
- Episode 18: TRISS Highlights, Cloud Chaos & SaaS Lessons Learned · November 10, 2025 · 1h 53m
Explore listener stats, chart rankings, contacts and more on the Distilled Security Podcast podcast page.