What Is a Stamp Audit?

TL;DR
  • A stamp audit is a SOC 2 report issued without real testing behind it. The same template gets reused, and only the logo changes.
  • The clearest tell is zero findings. On a first audit, a clean report with nothing flagged usually means nobody looked.
  • Other signs: vague, copy-paste testing language, evidence samples you were never asked about, and a junior auditor learning your stack as they go.
  • The Delve case showed this at scale: 493 of 494 reports were reported to be nearly identical (Delve has denied the allegations, which remain contested).

Why stamp audits exist

A stamp audit usually isn't fraud. It's economics. A buyer demands a SOC 2 report from a vendor, the vendor wants the cheapest report that clears the gate, and somewhere a firm agrees to do it for a fee that can't really cover the testing, often bundled in next to a compliance monitoring subscription so the all-in price looks like a bargain. The report comes out clean because nobody had the hours to find anything.

I spent five years doing tech audit fieldwork at a Big 4 firm. Here is what that taught me: the waste in an audit isn't in the testing itself. It's in everything around it. Coordination, re-requests, waiting on people, review loops. So when a fee gets squeezed, the testing is the first thing to disappear, because it's the part the client never sees.

A few forces tend to produce the stamp:

  • Budget pressure. Clients push fees down every year. The firm absorbs the extra hours, working 60 and billing 30, and quality erodes quietly. Those uncharged hours are what I call ghost hours, and they're the hidden subsidy behind a cheap audit.
  • Cherry-picked samples. To test a control, an auditor pulls a sample from a population. For example, 25 of your 50 terminated employees, to check that each one's access was actually removed. If a firm pulls more than it needs, quietly sets aside the ones that failed, and keeps only the clean ones, the report reads spotless. Since nobody re-reviews the underlying evidence, nobody catches it.
  • Asking without checking. Under the AICPA's attestation standards (the rules CPAs follow when they examine and give a formal opinion on a company's controls, specifically AT-C section 205), simply asking someone "do you do this?" is never enough on its own. That kind of asking is called inquiry, and every control also needs a corroborating procedure to back up the answer: inspecting a document, observing the process, or re-performing the step yourself. A stamp audit stops at the conversation and writes it up as if it were tested.

The result is a PDF that looks like an audit and wasn't quite one.

How to tell you got a stamp audit

You don't need to be a CPA to spot the pattern. Five tells:

SignalWhat it means
Zero findingsA first-time SOC 2 with no exceptions and no observations of any kind. (An exception is just a specific instance where a control didn't work as intended.) Real first-year audits surface gaps. A perfectly clean report usually means untested, not flawless.
Copy-paste testing languageSection IV is the part of the report that describes what the auditor actually tested and found. If it reads in vague generalities like "inspected relevant documentation," with no populations, no sample sizes, and nothing specific to your stack, there may not be much behind it.
Samples you never sawYou were never asked which terminated employees, which change tickets, or which access reviews the auditor pulled. If they tested real evidence, you'd usually know, because they'd have asked you for it.
A junior who'd never seen your stackYou spent the engagement explaining your own architecture to the person grading it. That's paying for someone to learn on your dime.
The black boxYou handed over evidence, waited, and got a PDF, with no window into what was actually tested or found.

Any one of these is worth a second look. Two or more together, and it's fair to wonder how much testing happened.

Why "we found issues" is the mark of a real audit

This is the part that feels backwards. A report full of clean checkmarks looks better than one with exceptions, so it's natural to assume that zero findings means a great control environment. For a company getting SOC 2 for the first time, it almost never does.

First-time audits surface gaps. Missing formal risk assessments, untested disaster recovery, no vulnerability scanning, change management that lives in people's heads. Those gaps are normal, and a good auditor names them. The whole point of the exercise is to find the things that aren't working yet, so you can fix them before a breach does.

That's why I keep coming back to a simple line: if your auditor never found an issue, the audit probably wasn't real. Either they didn't look, or they looked and decided not to write it down. Neither is the thing you paid for. A handful of well-documented exceptions, each with a management response (a short note from the company explaining what happened and what it's doing about it), is actually a stronger signal of trust than a flawless report, because it's evidence that someone genuinely did the work.

The post-Delve reality

For a long time this was an inside-baseball complaint among auditors. Then it went public.

In March 2026 an analysis of reports from one compliance startup, Delve, reported that 493 of 494 SOC 2 reports were nearly identical. The same paragraphs, the same grammatical errors, the same nonsensical descriptions, with only the company name, logo, and signature changed. All 259 Type II reports reportedly carried word-for-word identical auditor conclusions, and the allegations went further: pre-written conclusions and test procedures sitting in draft reports before clients had submitted any evidence. Delve has denied the allegations, which remain contested. Y Combinator removed the company from its public directory.

If those accounts hold up, that's a stamp audit at industrial scale. One template, hundreds of logos, not much testing underneath.

The useful consequence is that buyers and vendor-risk teams are no longer treating a SOC 2 PDF as an automatic green light. Legal and compliance advisories now openly tell procurement teams to read past the cover page, to check the testing detail, the exceptions, and the auditor's actual procedures, not just that a report exists. A logo on a trust page used to be enough on its own. Increasingly, it isn't.

Which is the right instinct. The value of a SOC 2 was never the stamp. It's the data underneath. What got tested, what got found, and whether any of it is verifiable. Trust the data, not the stamp.

Frequently asked questions

What is a stamp audit?
A stamp audit is a SOC 2 audit where the firm checks boxes and issues a report without meaningfully testing your controls. The same template gets reused across clients, with only the logo and company name swapped. The defining tell is zero findings. If nothing was flagged as wrong, there's a good chance nothing was actually tested.
How do I know if I got a stamp audit?
Look for a few signs together: a first-time report with zero findings, vague copy-paste testing language with no sample sizes or populations, evidence samples you were never asked to provide, and a junior auditor who needed you to explain your own tech stack. Read Section IV, the part of the report that describes what was tested. If it never gets specific about what was actually examined, you may well have a stamp.
Why would an auditor not find any issues?
Often it's because they didn't look hard enough to find any. Under budget pressure, a firm may skip real testing, rely on just asking (inquiry) instead of also checking corroborating evidence, or keep the clean samples and set aside the ones that failed. For a company's first SOC 2, a flawless report almost always means untested, not perfect.
Is a cheap SOC 2 audit always a stamp audit?
Not always, though price is a meaningful signal. Industry audit fees commonly run from roughly $7,500 to $50,000-plus for Type II, and the total first-year SOC 2 cost often lands in the $25,000 to $50,000 range. A report priced far below the cost of real testing hours had to cut the testing somewhere. The number on the invoice isn't the whole story, but it's worth weighing against what the auditor actually did.
What's the difference between a stamp audit and a real one?
A stamp audit produces a clean-looking PDF with little real testing behind it, the same template with only the logo changed. A real audit tests controls against documented evidence, names the gaps it finds, and shows its work: populations, sample sizes, exceptions, and management responses. The clearest mark of a real audit is that it found something.

Keep reading

Sources
  1. AT-C 205: inquiry alone is never sufficient; a control needs a corroborating procedure such as inspection, observation, or reperformance.
  2. Journal of Accountancy: promises of 'fast and easy' threaten SOC credibility.
  3. SOC 2 is an examination performed by a CPA under the AICPA's SOC for Service Organizations framework, producing the CPA's report, not a certification.