preinheimer a day ago
Looking at our SOC 2 report (we don't use Delve, our auditor isn't on their list) I don't think this is quite the smoking gun it might look like if you're not reading SOC 2 reports for a living. There's a fair amount of boilerplate language in these reports, and a bunch of re-stating the SOC 2 controls. I'd expect two reports (same auditors, same platforms) to be nearly identical. If they're both using AWS, GitHub, Stripe, Vetty, they're subbing a lot of the exact same thing out to the same companies, referencing the same set of internal controls.

Reading ours, there's a section titled $Company's Controls, followed by 20 pages listing the various SOC 2 controls, e.g.:

---
CC9.0 Common Criteria Related to Risk Mitigation
CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
IR-01 A Security Incident Response Plan that outlines the process of identifying, prioritizing, communicating, assigning, and tracking confirmed incidents through to resolution is accessible to all relevant employees and contractors and is reviewed annually.
---

Then there's another 20 pages of those same controls being listed, some language about how they tested the controls, and hopefully "No Exceptions Noted". That's not going to change much between companies.
ecshafer a day ago
This mirrors my thoughts. A page of boilerplate text with some check boxes, with some checked vs unchecked, is going to be 99.8% similar between companies as well. A lot of audits are very much forms with boilerplate and fill in the blank. There is no point rewriting everything from scratch.
salomonk_mur 19 hours ago
The main issue isn't about the reports being copy-pasted - it's that they are created with no audit ever being done. You literally paid to get your cert without ever getting audited.
baxtr a day ago
But maybe you shouldn't raise so much money and make a big fuss about it when all you're selling is a template?
fadijob 16 hours ago
Yes. I think some overlap is normal, but this is not that, e.g. seen:

• same pagination across hundreds of reports → 100% template output
• same auditor license everywhere → either extreme concentration or just rubber stamping
• zero exceptions across all clients → unrealistic, real audits always find something.. right?
• system descriptions pulled from marketing sites → .. copy paste

At one point you're really looking at reports that were never really produced per each company, and that's the problem.