What Is a Stamp Audit?
- A stamp audit is a SOC 2 report issued without real testing behind it. The same template gets reused, and only the logo changes.
- The clearest tell is zero findings. On a first audit, a clean report with nothing flagged usually means nobody looked.
- Other signs: vague, copy-paste testing language, evidence samples you were never asked about, and a junior auditor learning your stack as they go.
- The Delve case showed this at scale: 493 of 494 reports were reported to be nearly identical (Delve has denied the allegations, which remain contested).
Why stamp audits exist
A stamp audit usually isn't fraud. It's economics. A buyer demands a SOC 2 report from a vendor, the vendor wants the cheapest report that clears the gate, and somewhere a firm agrees to do it for a fee that can't really cover the testing, often bundled in next to a compliance monitoring subscription so the all-in price looks like a bargain. The report comes out clean because nobody had the hours to find anything.
I spent five years doing tech audit fieldwork at a Big 4 firm. Here is what that taught me: the waste in an audit isn't in the testing itself. It's in everything around it. Coordination, re-requests, waiting on people, review loops. So when a fee gets squeezed, the testing is the first thing to disappear, because it's the part the client never sees.
A few forces tend to produce the stamp:
- Budget pressure. Clients push fees down every year. The firm absorbs the extra hours, working 60 and billing 30, and quality erodes quietly. Those uncharged hours are what I call ghost hours, and they're the hidden subsidy behind a cheap audit.
- Cherry-picked samples. To test a control, an auditor pulls a sample from a population. For example, 25 of your 50 terminated employees, to check that each one's access was actually removed. If a firm pulls more than it needs, quietly sets aside the ones that failed, and keeps only the clean ones, the report reads spotless. Since nobody re-reviews the underlying evidence, nobody catches it.
- Asking without checking. Under the AICPA's attestation standards (the rules CPAs follow when they examine and give a formal opinion on a company's controls, specifically AT-C section 205), simply asking someone "do you do this?" is never enough on its own. That kind of asking is called inquiry, and every control also needs a corroborating procedure to back up the answer: inspecting a document, observing the process, or re-performing the step yourself. A stamp audit stops at the conversation and writes it up as if it were tested.
The result is a PDF that looks like an audit and wasn't quite one.
How to tell you got a stamp audit
You don't need to be a CPA to spot the pattern. Five tells:
| Signal | What it means |
|---|---|
| Zero findings | A first-time SOC 2 with no exceptions and no observations of any kind. (An exception is just a specific instance where a control didn't work as intended.) Real first-year audits surface gaps. A perfectly clean report usually means untested, not flawless. |
| Copy-paste testing language | Section IV is the part of the report that describes what the auditor actually tested and found. If it reads in vague generalities like "inspected relevant documentation," with no populations, no sample sizes, and nothing specific to your stack, there may not be much behind it. |
| Samples you never saw | You were never asked which terminated employees, which change tickets, or which access reviews the auditor pulled. If they tested real evidence, you'd usually know, because they'd have asked you for it. |
| A junior who'd never seen your stack | You spent the engagement explaining your own architecture to the person grading it. That's paying for someone to learn on your dime. |
| The black box | You handed over evidence, waited, and got a PDF, with no window into what was actually tested or found. |
Any one of these is worth a second look. Two or more together, and it's fair to wonder how much testing happened.
Why "we found issues" is the mark of a real audit
This is the part that feels backwards. A report full of clean checkmarks looks better than one with exceptions, so it's natural to assume that zero findings means a great control environment. For a company getting SOC 2 for the first time, it almost never does.
First-time audits surface gaps. Missing formal risk assessments, untested disaster recovery, no vulnerability scanning, change management that lives in people's heads. Those gaps are normal, and a good auditor names them. The whole point of the exercise is to find the things that aren't working yet, so you can fix them before a breach does.
That's why I keep coming back to a simple line: if your auditor never found an issue, the audit probably wasn't real. Either they didn't look, or they looked and decided not to write it down. Neither is the thing you paid for. A handful of well-documented exceptions, each with a management response (a short note from the company explaining what happened and what it's doing about it), is actually a stronger signal of trust than a flawless report, because it's evidence that someone genuinely did the work.
The post-Delve reality
For a long time this was an inside-baseball complaint among auditors. Then it went public.
In March 2026 an analysis of reports from one compliance startup, Delve, reported that 493 of 494 SOC 2 reports were nearly identical. The same paragraphs, the same grammatical errors, the same nonsensical descriptions, with only the company name, logo, and signature changed. All 259 Type II reports reportedly carried word-for-word identical auditor conclusions, and the allegations went further: pre-written conclusions and test procedures sitting in draft reports before clients had submitted any evidence. Delve has denied the allegations, which remain contested. Y Combinator removed the company from its public directory.
If those accounts hold up, that's a stamp audit at industrial scale. One template, hundreds of logos, not much testing underneath.
The useful consequence is that buyers and vendor-risk teams are no longer treating a SOC 2 PDF as an automatic green light. Legal and compliance advisories now openly tell procurement teams to read past the cover page, to check the testing detail, the exceptions, and the auditor's actual procedures, not just that a report exists. A logo on a trust page used to be enough on its own. Increasingly, it isn't.
Which is the right instinct. The value of a SOC 2 was never the stamp. It's the data underneath. What got tested, what got found, and whether any of it is verifiable. Trust the data, not the stamp.
Frequently asked questions
What is a stamp audit?
How do I know if I got a stamp audit?
Why would an auditor not find any issues?
Is a cheap SOC 2 audit always a stamp audit?
What's the difference between a stamp audit and a real one?
Keep reading
Will AI make SOCĀ 2 prep tools obsolete?
AI agents can now do the prep work a compliance subscription used to sell. What gets cheap, and what doesn't.
Can a once-a-year audit keep up with AI?
Snapshots and samples were workarounds for the cost of looking. AI collapsed that cost. What independent verification looks like next.
Does the name on your SOCĀ 2 report matter?
The famous logo is a stand-in for what the report will not show you. Here is how to read past it.
Why can't an auditor just take your word?
The rules make the auditor inspect the real evidence, not just ask. A green checkmark is not proof.
Sources
- AT-C 205: inquiry alone is never sufficient; a control needs a corroborating procedure such as inspection, observation, or reperformance.
- Journal of Accountancy: promises of 'fast and easy' threaten SOC credibility.
- SOC 2 is an examination performed by a CPA under the AICPA's SOC for Service Organizations framework, producing the CPA's report, not a certification.