Compliance Quality — Delve Tech DD

231

Type 1 (Design Only)

254

Type 2 (Operational)

5.4

Type 1 Avg Score

5.7

Type 2 Avg Score

Type 1 vs Type 2

Type 1 reports evaluate control design at a point in time. Type 2 reports test operating effectiveness over a period (typically 3-12 months). Type 2 is significantly more valuable for due diligence.

254 companies (52%) have Type 2 reports with operational evidence. The remaining 231 (48%) have only Type 1 — their controls may be well-designed but unproven in practice.

Auditor Landscape

The auditor ecosystem is highly concentrated. A single auditor dominates the portfolio.

Concentration risk: When one auditor handles the majority of reports, template re-use is inevitable. This explains the striking similarity across reports — identical control descriptions, same structure, same boilerplate.

Template Artifact Detection

Many reports contain visible template artifacts — placeholder text, sample diagrams, 'Your Name Here' in signing authority, or highlighted instructions that were never removed.

What template artifacts mean: A published SOC 2 report with placeholder text suggests the company rushed through compliance without thorough review. It doesn't necessarily mean controls are absent — but it undermines confidence in the audit's rigor.