If your company holds a SOC 2 attestation issued by Accorp Partners, you are about to be asked some uncomfortable questions by enterprise customers, by your legal counsel, and by your board. The short version: investigative reporting on the Delve compliance scandal named Accorp as one of the audit firms used for the bulk of Delve's 400+ clients, with operations reportedly traced to Indian staff using virtual US and UAE office addresses. If an Accorp-issued report sits in your trust center, you need to know what it actually represents and what you are going to do about it.
This post is a checklist for Accorp clients. Read it once, then schedule the calls.
If you used Accorp as an independent audit firm - not through Delve - many of the same questions still apply. The methodology, sampling rigor, and licensing of the signing CPA matter regardless of which platform routed you to the firm. Use the verification checklist below.
What we know about Accorp Partners
Accorp Partners has been publicly identified across multiple investigative pieces as one of the SOC 2 attestation firms used by the now-disgraced Delve compliance platform for the majority of Delve's client base. The reporting indicates that Accorp's operations were largely conducted by staff in India using virtual US-based and UAE-based office addresses, raising substantive questions about the independence and rigor expected of a US-licensed CPA-issued SOC 2 attestation.
Lorikeet Security has covered the underlying Delve scandal in detail elsewhere — see the Delve scandal writeup and how to spot a fake SOC 2 report — and we have removed Accorp from every promotional position on this site. We are not a neutral party in saying this. We are saying it because we believe the evidence is strong enough that any company holding an Accorp-issued SOC 2 should be re-evaluating whether that report would survive sophisticated enterprise diligence today.
Questions you need to answer right now
Before you talk to a customer or a regulator about the validity of your report, you need crisp answers to these questions internally:
- Which Accorp entity signed the report? Accorp has had multiple LLC and CPA entity structures across jurisdictions. The exact legal entity matters for any compliance or legal next step.
- Which licensed CPA is the engagement partner? SOC 2 attestations must be signed by a licensed CPA. Verify that person's license is active in the state of issuance and that they are listed on AICPA's database. If you cannot find them, that alone is a red flag.
- What was the sampling methodology? A real SOC 2 Type II audit samples evidence across the audit period for each in-scope control. Ask for the working papers showing which controls were tested, when, and against how many sample artifacts.
- How were the in-scope controls actually validated? Was control evidence inspected by a human, or was it auto-collected and signed off via a templated workflow? The difference matters enormously to enterprise reviewers.
- Was an independent penetration test relied on as audit evidence? If so, who performed it, when, and against what scope? Verify the testing firm exists and that the test was real.
- Does the report align with your actual controls today? Run a gap assessment against your real environment. If the report describes controls you do not actually have, you have a much bigger problem than a questionable audit firm.
What to do if your report does not survive these questions
Several paths, in order of urgency:
1. Get legal counsel involved before you say anything publicly
You may have notification obligations to enterprise customers under your MSAs, to your board under directors' duties, and potentially to regulators depending on your sector. Do not get ahead of legal counsel on what you say or to whom — but do not delay engaging counsel either. The clock starts when you have reason to believe your attestation may be unreliable, not when it becomes public.
2. Plan a re-audit with a credibly independent CPA firm
The instinct to "just renew with Accorp" is the wrong one even if Accorp is willing to issue you another report. The right move is to engage a CPA firm with verifiable US-licensed engagement partners, real testing rigor, and no ties to the Delve ecosystem. A credible re-audit costs more and takes longer, but it produces an attestation that will survive enterprise diligence.
3. Coordinate the re-audit with a real penetration test
Most enterprise SOC 2 reviewers expect to see a recent, independent penetration test report referenced in or alongside the SOC 2. If your prior pentest was performed by an in-house Delve "service" or by a firm whose independence is now in question, plan for a fresh, independent pentest as part of the re-audit process. Lorikeet Security performs SOC 2-aligned penetration testing through our PTaaS platform and partners with licensed CPA audit firms for the attestation side — we can scope a coordinated remediation engagement if useful.
4. Update your trust center and your enterprise diligence package
Once you have a credibly independent SOC 2 in hand, replace the Accorp-issued report in your trust center, in your sales-enablement collateral, and in the diligence packages your team sends to prospects. Keep the prior report archived for legal and audit-history purposes — but do not lead with it.
What we are not saying
We are not telling you to panic. We are not telling you that every Accorp-issued SOC 2 is necessarily worthless. We are not the regulator and we are not your lawyer.
We are telling you that the public reporting on Accorp's role in the Delve scandal is substantive enough that an enterprise customer doing real vendor diligence in 2026 will likely flag an Accorp-issued SOC 2 for additional scrutiny. The cost of getting ahead of that scrutiny — with a verified working-papers review, a re-audit plan, and a coordinated communications posture — is small compared to the cost of having a Fortune 500 prospect discover this in the middle of their procurement cycle.