SOC 2 Guide

What Is a Stamp Audit?

A stamp audit is a SOC 2 where the firm checks boxes and issues a report without meaningful testing. Same template across clients, only the logo and company name change. The tell: zero findings. If your auditor never found a single issue, the audit wasn't real. The Delve scandal was this at industrial scale.

Why stamp audits exist

A stamp audit isn't usually fraud. It's economics. A buyer demands SOC 2 from a vendor, the vendor wants the cheapest report that clears the gate, and somewhere a firm agrees to do it for a fee that can't cover real testing. The report comes out clean because nobody had the hours to find anything.

I spent five years doing tech audit fieldwork at a Big 4 firm. The waste isn't in the testing — it's in everything around it. Coordination, re-requests, waiting on people, review loops. When a fee gets squeezed, the testing is the first thing to disappear, because it's the part the client never sees.

A few forces produce the stamp:

  • Budget pressure. Clients push fees down every year. The firm "eats hours" — works 60, bills 30 — and quality erodes quietly. Those uncharged hours are what I call ghost hours, and they're the hidden subsidy behind a cheap audit.
  • Cherry-picked samples. An auditor pulls a sample from a population — say 25 of 50 terminated employees — to test a control. If the firm over-samples, quietly discards the failures, and keeps the clean ones, the report reads spotless. Nobody re-reviews the underlying evidence, so nobody catches it.
  • Inquiry without corroboration. Under AICPA attestation standards (AT-C section 205), asking someone "do you do this?" is never enough on its own. Every control needs a corroborating procedure — inspection, observation, reperformance. A stamp audit stops at the conversation and writes it up as tested.

The result is a PDF that looks like an audit and wasn't one.
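One way to make a control sample verifiable rather than something you never saw, added here as an illustration (not code from the page or from any audit firm): derive the draw from the documented population plus an agreed engagement label, so the client can re-derive the same 25-of-50 selection and see whether the report's sample matches it, or whether items were dropped or swapped after the fact. The population, the sample size and the engagement label are constructed placeholders.

```python
import hashlib
import random

# Constructed population: 50 terminated-employee records for the period.
# In a real engagement this is the HR export the auditor was handed.
POPULATION = [f"EMP-{i:03d}" for i in range(1, 51)]
SAMPLE_SIZE = 25
ENGAGEMENT = "ENG-2026-001"  # hypothetical engagement label agreed up front


def selection_seed(population, engagement_id):
    """Seed derived from the sorted population and the engagement label.
    Both sides can recompute it, so the draw is reproducible, not chosen."""
    h = hashlib.sha256()
    for item in sorted(population):
        h.update(item.encode())
    h.update(engagement_id.encode())
    return int.from_bytes(h.digest()[:8], "big")


def draw_sample(population, size, engagement_id):
    """Deterministic sample without replacement from the documented population."""
    rng = random.Random(selection_seed(population, engagement_id))
    return sorted(rng.sample(sorted(population), size))


def check_reported_sample(population, size, engagement_id, reported):
    """Compare the sample listed in Section IV against the agreed draw.

    Items in the draw but absent from the report are the cherry-picking
    signal: something was pulled, then quietly left out. An all-empty
    result (and size_mismatch False) means the sample checks out."""
    expected = set(draw_sample(population, size, engagement_id))
    reported = set(reported)
    return {
        "outside_population": sorted(reported - set(population)),
        "missing_from_draw": sorted(expected - reported),
        "not_in_draw": sorted(reported - expected),
        "size_mismatch": len(reported) != size,
    }


if __name__ == "__main__":
    agreed = draw_sample(POPULATION, SAMPLE_SIZE, ENGAGEMENT)
    # Simulate a report that dropped three items and substituted three others.
    swapped = [x for x in POPULATION if x not in agreed][:3]
    print(check_reported_sample(POPULATION, SAMPLE_SIZE, ENGAGEMENT,
                                agreed[3:] + swapped))
```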

How to tell you got a stamp audit

You don't need to be a CPA to spot the pattern. Five tells:

Signal, and what it means:

  • Zero findings: A first-time SOC 2 with no exceptions, no observations, nothing. Real first-year audits surface gaps. Clean usually means untested.
  • Boilerplate testing language: Section IV reads in vague generalities — "inspected relevant documentation" — with no populations, no sample sizes, no specifics about your stack.
  • Samples you never saw: You were never asked which terminated employees, which change tickets, which access reviews got pulled. The auditor didn't actually look.
  • A junior who'd never seen your stack: You spent the engagement explaining your own architecture to the person grading it. You paid for them to learn on your dime.
  • The black box: You handed over evidence, waited, got a PDF. No window into what was actually tested or found.

Any one of these is a yellow flag. Two or more, and you bought a stamp.

Why "we found issues" is the mark of a real audit

This is the part that feels backwards. A report full of clean checkmarks looks better than one with exceptions, so people assume zero findings means a great control environment. For a company getting SOC 2 for the first time, it almost never does.

First-time audits surface gaps — missing formal risk assessments, untested disaster recovery, no vulnerability scanning, change management that lives in people's heads. Those gaps are normal, and a real auditor names them. The point of the exercise is to find the things that aren't working yet, so you can fix them before a breach does.

If your auditor never found an issue, the audit wasn't real. Either they didn't look, or they looked and decided not to write it down. Neither is the thing you paid for. A handful of well-documented exceptions, with management responses, is a stronger signal of trust than a flawless report — because it's evidence somebody actually did the work.

The post-Delve reality

For a long time this was an inside-baseball complaint. Then it went public.

In March 2026 an analysis of reports from one compliance startup, Delve, found that 493 of 494 SOC 2 reports were nearly identical — the same paragraphs, the same grammatical errors, the same nonsensical descriptions, with only the company name, logo, and signature changed. All 259 Type II reports carried word-for-word identical auditor conclusions. The allegations went further: pre-written conclusions and test procedures sitting in draft reports before clients had submitted any evidence. Y Combinator removed the company from its directory.

That's a stamp audit industrialized — vibe compliance at scale. One template, hundreds of logos, no testing underneath.

The useful consequence is that buyers and vendor-risk teams are no longer treating a SOC 2 PDF as a green light. Legal and compliance advisories now openly tell procurement teams to read past the cover page — to check the testing detail, the exceptions, the auditor's actual procedures, not just that a report exists. A logo on a trust page used to be enough. It isn't anymore.

Which is the right instinct. The value of a SOC 2 was never the stamp. It's the data underneath — what got tested, what got found, and whether any of it is verifiable. Trust the data, not the stamp.

“If your auditor never found a single issue on your first SOC 2, the audit wasn't real — either they didn't look, or they looked and decided not to write it down.”

Frequently asked questions

What is a stamp audit?
A stamp audit is a SOC 2 audit where the firm checks boxes and issues a report without meaningful testing of your controls. The same template gets used across clients, with only the logo and company name swapped. The defining tell is zero findings — if nothing was wrong, nothing was actually tested.

How do I know if I got a stamp audit?
Look for these signs: a first-time report with zero findings, vague boilerplate testing language with no sample sizes or populations, evidence samples you were never asked to provide, and a junior auditor who needed you to explain your own tech stack. Read Section IV — if it never gets specific about what was tested, you likely got a stamp.

Why would an auditor not find any issues?
Usually because they didn't look hard enough to find any. Under budget pressure, firms skip real testing, rely on inquiry alone instead of corroborating evidence, or cherry-pick clean samples and discard the failures. For a company's first SOC 2, a flawless report almost always means untested, not perfect.

Is a cheap SOC 2 audit always a stamp audit?
Not always, but price is a strong signal. Industry audit fees commonly run from roughly $7,500 to $50,000-plus for Type II, and total first-year SOC 2 cost often lands in the $25,000-$50,000 range. A report priced far below the cost of real testing hours had to cut the testing somewhere. For your specific number, use the pricing calculator on chiarohq.com or book a call.

What's the difference between a stamp audit and a real one?
A stamp audit produces a clean-looking PDF with no real testing behind it — same template, only the logo changes. A real audit tests controls against documented evidence, names the gaps it finds, and shows its work: populations, sample sizes, exceptions, and management responses. The mark of a real audit is that it found something.

Want a SOC 2 that actually holds up?

Get a fixed price in two minutes, or talk to the CPA who would run your engagement.

Sources

  1. Analysis of Delve found 493 of 494 SOC 2 reports were nearly identical, with the same paragraphs and grammatical errors, only the company name, logo, and signature changed; all 259 Type II reports had word-for-word identical auditor conclusions.
  2. Delve was removed from Y Combinator's directory in April 2026; allegations included pre-written conclusions and test procedures in draft reports before clients had submitted any evidence.
  3. Most startups spend between $25,000 and $50,000 for first-year SOC 2; audit fees alone commonly run $7,500 to $100,000+, with Type II audits typically $20,000-$50,000.
  4. SOC auditors select a sample from a documented population (e.g., 25 of 50 terminated employees) and the selection should be representative of the period; exceptions are deviations from expected test results.
  5. Post-Delve, legal and compliance advisories urge vendor-management and procurement teams to scrutinize SOC 2 reports rather than treat them as a check-the-box exercise.