[preinheimer]

Looking at our SOC 2 report (we don't use Delve, our auditor isn't on their list) I don't think this is quite the smoking gun it might look like if you're not reading SOC 2 reports for a living.

There's a fair amount of boiler plate language in these reports, and a bunch of re-stating the SOC 2 controls. I'd expect two reports (same auditors, same platforms) to be nearly identical. If they're both using AWS, Github, Stripe, Vetty, they're subbing a lot of the exact same thing out to the same companies, referencing the same set of internal controls.

Reading ours. There's a section titled $Company's Controls, followed by 20 pages listing the various SOC 2 controls. e.g.

---

CC9.0 Common Criteria Related to Risk Mitigation

CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

IR-01 A Security Incident Response Plan that outlines the process of identifying, prioritizing, communicating, assigning, and tracking confirmed incidents through to resolution is accessible to all relevant employees and contractors and is reviewed annually.

---

Then there's another 20 pages of those same controls being listed, some language about how they tested the controls, and hopefully "No Exceptions Noted".

That's not going to change much between companies.

[ecshafer]

This mirrors my thoughts. A page of boiler play text with some check boxes, with some checked vs unchecked is going to be 99.8% similar between companies as well. A lot of audits are very much forms with boiler plate and fill in the blank. There is no point rewriting everything from scratch.

[netsharc]

And those headlines read like Gemini's "punchy" writing.

[jiveturkey]

boilerplate is one word. sorry for the nit, feel free to backpfeifengesicht

[ecshafer]

I don't think that is an important point.

[jiveturkey]

it does highlight the efficiency value of boilerplate. you only have to proof it once, really well of course. all downstream instances get the benefit of that one very good review.

[fadijob]

boilerplate overlap is expected, no one rewrites these from scratch

though when everything lines up the same way across hundreds of reports, it gets weird...

I mean look at those reports; same pagination, same auditor showing up almost everywhere, no exceptions across all clients.. not even efficient templates should be like that

you still expect variation in scope, findings, structure, even if the base language is reused

big signal

[paulnpace]

One word is two words.

[salomonk_mur]

The main issue isn't about the reports being copy-pasted - it's about they are created with no audit ever being done.

You literally paid to get your cert without ever getting audited.

[fadijob]

yes. I think some overlap is normal, but this is not that, eg. seen:

• same pagination across hundreds of reports → 100% template output • same auditor license everywhere → either extreme concentration or just rubber stamping • zero exceptions across all clients → unrealistic, real audits always find something.. right? • system descriptions pulled from marketing sites → .. copy paste

at one point you’re really looking at reports that were never really produced per each company

and that’s the problem

[baxtr]

But maybe you shouldn’t raise so much money and make a big fuss about it when all you’re selling is a template?

[preinheimer]

I mean it’s a template, but in theory someone went and checked stuff. Did you actually have a quarterly security team meeting? Was there minutes? Was there an invite?

Did someone actually go and confirm your role based access control matrix is up to date and user accounts have the right access? Were all of those screenshots watermarked with timestamps?

There is work to do, whether or not auditors are doing it is another question.

[hobofan]

Why not?