A detailed investigative exposé of Delve, a Y Combinator-backed GRC automation startup that raised $32M. The investigation reveals Delve fabricates compliance evidence, generates pre-written auditor conclusions before any independent review, and uses Indian certification mills posing as US-based CPA firms to rubber-stamp
Table of contents
Prospect and Client advice1.1 The parties involved and named in this article1.2 What is compliance?1.3 Who is Delve?1.4 The auditing piece2.1 Sales2.2 Post-Sales2.3 Post-Compliance4.1 Summary of Delve’s Claims vs Reality4.2 Background Context - Regular Process vs. Delve’s Process4.3 Background Context - The structure of a SOC 2 reportSection 5 - Other Information Provided5.1 Background - Who Actually Writes What5.2 Sign that Delve breaks independence rules - Conclusions present before customer signs or provides info5.3 Sign that reports are generated from Delve-owned template - Section 3 similarity5.4 Sign that reports are generated from Delve-owned template - Content similarity comparison5.5 Sign that reports are generated from Delve-owned template - Always same test procedures and conclusions5.6 Sign that reports are generated - Test values5.7 Sign that reports are generated - Different firms with same report5.8 Sign that reports are generated - Errors5.9 Sign that reports are generated - Subservice Providers5.10 Temporal Clustering of Identical Reports5.11 Signs of who was involved - Selin Kocalar’s involvement5.12 Signs of who was involved - Taher Lokhandwala’s involvement5.13 Delve Defense #1 - Draft reports are only a starting point - No difference between drafts and final reports5.14 Delve Defense # 2 - Refuting claim that most reports are custom - The exceptions6.1 Frauditor #1 - Accorp6.2 Frauditor #2 - Gradient Certification6.5 Frauditor #3 Accorian6.6 Frauditor #4 Glocert6.7 Misled auditor - Prescient7.1 Fake Integrations7.2 Delve == Forms7.3 Pathways7.4 No customized programs7.5 Security like its the 90s8.1 Trust pages are a lie8.2 Every Delve client misrepresents their compliance stateSort: