Episode 23: Nobody read the report

Episode 23: Nobody read the report

From Distilled Security Podcast by Justin Leapline, Joe Wynn, and Rick Yocum

April 14, 2026 · 2h 10m · Episode 23

About this episode

The episode discusses the Delve scandal and its implications for compliance-as-a-service, featuring insights on auditor accountability and the differences between SOC 2 and ISO 27001.

In this episode of the Distilled Security Podcast , we break down the Delve scandal—flawed SOC 2 reports, copy-pasted content, and oversight failures that expose deeper issues in compliance-as-a-service. Joined by Matthew J. Schiavone, we examine auditor accountability, quality review gaps, and key differences between SOC 2 and ISO 27001. We also cover what companies should demand from auditors, the role of automation, and whether this scandal will drive real change in the industry. Topics Covered The Delve scandal—leaked reports, copy-pasted audits & pervasive deficiencies The AICPA peer review process & AC Corp's adverse findings SOC 2 vs ISO 27001—oversight models, witness audits & accreditation The incentive structure driving compliance to the bottom Compliance automation — what works, what doesn't & AI's real role What to ask your auditor before signing anything Trust centers — done right vs. compliance theater Is SOC 2 dead? What needs to change & who has to change it Hosts Justin Leapline – @justinleapline Joe Wynn – @wynnjoe Rick Yocum – @rickyocum Hosts Matthew J. Schiavone - (Sikich) Connect with Us Website: distilledsecuritypodcast.com X: @DisSecPod…

People in this episode

Hosts: Justin Leapline, Joe Wynn, Rick Yocum

Guest: Matthew J. Schiavone

Topics covered

  • Delve scandal
  • auditor accountability
  • SOC 2 vs ISO 27001
  • compliance automation
  • oversight failures
  • copy-pasted content
  • industry change

Keywords

  • Delve scandal
  • SOC 2
  • ISO 27001
  • auditor accountability
  • compliance automation
  • oversight failures
  • copy-pasted audits
  • AICPA
  • AC Corp
  • industry change

Mentioned in this episode

Organizations: AICPA, AC Corp, Sikich

Books & works: SOC 2, ISO 27001

More episodes of Distilled Security Podcast

Explore listener stats, chart rankings, contacts and more on the Distilled Security Podcast podcast page.