If your SOC 2 attestation came through the Delve compliance platform, you are one of 400+ companies now in the middle of a slow-motion enterprise-trust event. The longer you wait to address it, the worse the eventual customer conversation gets.
This is not a panic post. This is a checklist for the next 90 days.
The honest framing: Your Delve-issued SOC 2 is technically valid until it is formally retracted by the issuing CPA firm. In practice, sophisticated enterprise reviewers in 2026 are flagging Delve-issued reports for additional scrutiny, and several have begun rejecting them outright during vendor diligence. The right move is to get ahead of that conversation with a credible remediation plan.
What happened, in one paragraph
Public investigative reporting in late 2025 and early 2026 documented that the Delve compliance platform was generating SOC 2 audit conclusions through templated, automation-heavy workflows, and routing the formal attestation through audit firms whose independence and operational substance were substantially in question. The bulk of Delve's 400+ clients were audited through firms including Accorp, Gradient, and Glocert, several of which had operations traced to overseas staff using virtual US and UAE office addresses. A smaller set of higher-profile Delve clients were audited through firms including Prescient Security, which has stated it formally disengaged from Delve in September 2025. We have covered the underlying scandal in detail in the Delve scandal writeup, how to spot a fake SOC 2 report, the Prescient client guidance, and the Accorp client guidance.
The 90-day playbook for Delve clients
Treat the next 90 days as a project with four parallel workstreams: verify, communicate, re-audit, and re-test. They are not sequential — you should start all four this week.
Workstream 1: Verify what you actually have (Week 1)
Verification checklist
- Identify the exact CPA firm that signed your attestation (Accorp, Gradient, Glocert, Prescient, Aprio, or other)
- Identify the licensed CPA who is the engagement partner; verify their CPA license is active in the state of issuance via the AICPA database and the relevant state board
- Request the complete working-paper package from the audit firm
- Request the methodology documentation: how were controls sampled, what evidence was inspected, by whom, and over what audit period
- Request the independent penetration test report referenced in or alongside the SOC 2; verify the testing firm exists and has demonstrable engagements outside the Delve ecosystem
- Run a gap assessment of your actual current controls against what the Delve-issued report describes — does the report match reality?
The verification step is what produces the factual basis for everything else. If the working papers are sparse, the engagement partner's license is hard to verify, or the described controls do not match your actual environment, you have moved from "questionable" to "untenable."
Workstream 2: Communicate (Weeks 1-4)
The communications strategy is built around three audiences:
- Legal counsel. Engage them this week. They will tell you what notification obligations you have under existing customer MSAs and any sector regulators (HIPAA, PCI, state breach notification statutes). Do not get ahead of legal counsel publicly.
- Board and exec team. Brief them with what you know, what you do not yet know, and the planned remediation timeline. Boards do not like discovering material trust events from a customer email.
- Enterprise customers and prospects. Once legal has signed off, proactive disclosure to material customers is almost always the right call. The script is: "We were a Delve customer. The recent reporting on Delve has surfaced concerns about audit methodology. We are conducting a re-audit through an independent CPA firm and an independent pentest, expected to complete by [date]. We will share the new attestation when it is issued. In the interim, here is what we have done to validate our actual controls."
Customers will respect a proactive, calm, plan-in-hand disclosure far more than they will respect being asked about it cold by their own security team.
Workstream 3: Re-audit through an independent firm (Weeks 2-16)
Engage a US-licensed CPA firm with no operational ties to Delve. The bar for "credibly independent" includes: a verifiable office, a US-licensed engagement partner whose name appears on the AICPA database, a published methodology document, and a willingness to walk you through their working papers if asked. Expect a real Type II re-audit to take 6 to 16 weeks depending on the complexity of your in-scope controls and how much remediation work you have to do based on the gap assessment.
Cost will be higher than what you paid Delve. That is structural — Delve's pricing only worked because of the templating and the offshoring; a real audit by a real CPA firm has a different cost structure.
Workstream 4: Re-test through an independent pentest (Weeks 2-6)
If your prior penetration test was performed in-house by Delve or by a firm whose independence is now in question, plan an independent pentest scoped to the same systems in your SOC 2 boundary. The pentest report becomes audit evidence for the re-audit and goes into your trust center as the sales-enablement artifact alongside the new attestation.
Lorikeet Security delivers SOC 2-aligned penetration testing through our PTaaS platform and partners with licensed CPA audit firms for the formal attestation side. We can scope a coordinated pentest plus re-audit pathway in a single engagement if useful — that is the point of the booking link below.
What not to do
Do not just renew with Delve, Accorp, Gradient, or Glocert. Even if a renewal is offered at attractive pricing, the next attestation from the same source has the same fundamental problem your current one has. The cost of two questionable reports in a row is materially higher than the cost of one questionable report plus one credible replacement.
Do not pretend it didn't happen. Trust events are corrosive, and the corrosion accelerates the longer the silence runs. Customers who ask and get a clean factual answer (with a remediation plan) will keep buying from you. Customers who ask and get a defensive non-answer will quietly start the vendor-replacement project.
Do not skip the gap assessment. If your actual controls do not match the SOC 2 description, no replacement audit will help — you have a controls problem, not a paperwork problem. Find out which it is before you spend the money on a re-audit.
The honest framing for the conversation with your team
You did not do anything wrong. Hundreds of competent, well-run companies trusted a compliance platform that turned out to have failed at the basics. The right response is the same response any good engineering organization gives to any production incident: assess the blast radius, communicate clearly, remediate the underlying issue, and ship a better answer faster than the people watching expect.
Most of the Delve-affected companies we have spoken with are 90 days from a credibly independent SOC 2, and most of them will end up with a stronger compliance posture and stronger customer relationships than they had before. The companies that drag this out are the ones that turn it into a real trust crisis.
Need a Pentest + Re-Audit Pathway in One Engagement?
Lorikeet Security delivers SOC 2-aligned penetration testing through our PTaaS portal and coordinates the attestation through licensed CPA audit firm partners. If you are a Delve client trying to get to a credibly independent SOC 2 in 90 to 180 days, we can scope the pentest plus re-audit pathway in a single intake call.