“There is hardly anything in the world that someone cannot make a little worse and sell a little cheaper, and the people who consider price alone are that person’s lawful prey. It’s unwise to pay too much, but it’s worse to pay too little. When you pay too much, you lose a little money — that is all. When you pay too little, you sometimes lose everything, because the thing you bought was incapable of doing the thing it was bought to do. The common law of business balance prohibits paying a little and getting a lot — it can’t be done. If you deal with the lowest bidder, it is well to add something for the risk you run, and if you do that you will have enough to pay for something better.” ~John Ruskin
The Hollow Victory of the “Check-the-Box” Economy
Ruskin’s warning is not merely an old adage; it is an indictment of the current state of cybersecurity compliance. We are witnessing the systematic hollowing out of the SOC 2 audit, a standard designed to be a rigorous stress test of organizational security that has been reduced to a retail commodity.
The market is currently flooded with startups and enterprise vendors desperate to “get a SOC 2” to unblock sales pipelines. They do not seek security; they seek a certificate. And, inevitably, a parasitic sub-industry has emerged to feed this demand. We see audit firms engaging in a race to the bottom, competing aggressively on price and speed while completely abandoning the rigor that gives an audit its value.
This is not a victimless crime. When an audit is treated as a transactional hurdle rather than an investigative process, the resulting report is worse than useless—it is a deception. We have normalized the idea that a comprehensive review of a company’s risk posture can be accomplished in days, for pennies, with zero friction. This is a lie. You cannot buy a fortress for the price of a shack, and pretending otherwise creates a dangerous delusion of safety that pervades the entire supply chain.

The Invisible Divide in Quality
The most dangerous aspect of this commoditization is the opacity of the market. To the uninitiated procurement manager, all SOC 2 reports look identical. They invoke the name of the AICPA, cite the same trust services criteria, and carry the signature of a licensed CPA. But beneath the surface, the industry is fractured into two distinct and irreconcilable bands of quality.
- The High Assurance Tier: We are not alone in valuing quality. Across the industry, there are many reputable firms—competitors we respect—who refuse to sell out. These firms treat the audit as a craft. They operate with professional skepticism, interrogating evidence and challenging management’s assertions. They refuse to accept screenshots at face value. We stand alongside these peers in the belief that an audit must be rigorous to be relevant. This work is difficult and often expensive, but that is because verification is inherently difficult.
- The Certification Mills: Conversely, there exists a growing tier of “volume mills.” These firms have industrialized the rubber stamp. They operate on thin margins, relying on templates and unchecked automation to churn out reports. They do not investigate; they strictly compile. They create a veneer of legitimacy over chaotic security environments.
The tragedy is that the “lawful prey” Ruskin speaks of are the downstream customers—the businesses that trust these vendors based on a report that isn’t worth the pixels it’s displayed on.
The Systemic Erosion of Public Trust
This race to the bottom is not just an economic issue; it is an ethical breach that endangers the public trust. The role of the independent auditor is to serve as the conscience of the market. When auditors compromise their integrity to secure volume business, they become complicit in the security failures that follow.
We are seeing a disturbing trend of third-party breaches occurring at vendors holding “clean” SOC 2 reports. This is the direct result of “check-the-box” auditing. When an auditor signs off on a control they didn’t truly test, they are effectively leaving the back door unlocked while hanging a “Secure” sign on the front. This negligence allows vulnerabilities to metastasize. When the inevitable breach occurs, the damage extends far beyond the compromised vendor; it erodes faith in the entire concept of third-party assurance.
The Independence Failure of “Bundled” Compliance
The most egregious manifestation of this corruption is the rise of software-bundled audits, a practice that flouts the fundamental principles of auditor independence.
We have seen the proliferation of compliance automation platforms that market themselves as a “one-stop shop,” offering software subscriptions that include an audit from a “preferred partner” for a bundled fee. This arrangement presents a glaring, unmanageable conflict of interest.
- The Conflict: When an audit firm relies on a software vendor for their deal flow, their client is no longer the company being audited, nor is it the public trust—it is the software vendor feeding them leads. They are financially disincentivized to find fault with the software’s evidence collection or the client’s implementation.
- The Consequence: This model reduces the auditor to a subsidiary of the software tool. We see instances where the software marks a control as “passing” based on rudimentary logic (e.g., “MFA is toggled on”), and the partner auditor signs off without ever testing the implementation’s effectiveness or coverage.
It creates a closed loop of validation where the software says “Good,” the auditor nods, and the client remains dangerously exposed.

The Reality of the “Discount” Experience
Beyond the ethical conflicts, we frequently hear from clients who have fled these low-quality firms. Their stories paint a consistent, grim picture of what happens when you view an audit as a commodity.
- Incompetence by Design: Clients report being paired with auditors who are woefully inexperienced, often lacking a basic understanding of the specific controls they are auditing and the technologies and processes leveraged by the client. You are not paying for expertise; you are paying for a junior staff member to learn on your dime.
- The “Ghost” Auditor: Communication is often poor to non-existent. We hear of engagements where the client never once speaks to a human being. The entire “audit” is conducted via Slack messages or impersonal email exchanges. It is a transaction, not a relationship.
- The Revolving Door: The turnover in these firms is staggering, though hardly surprising. Clients complain that they never have the same auditor twice. Worse, auditors often rotate off the engagement mid-stream, forcing the client to waste hours “training” a new auditor on their business halfway through the project.
- Dismal Report Quality: Finally, the deliverable itself is often embarrassing. We have seen reports that appear to be the result of a “Find and Replace” error—generic templates that contain absolutely nothing relevant to the organization other than the name and logo on the cover page.
The Rot is Industry-Wide
Do not mistake this for a critique solely of the SOC 2 framework. In fact, despite the abuse it suffers, SOC 2 remains one of the most accessible and adaptable mechanisms for demonstrating trust—if you can find a provider who respects the craft.
The problem is not the framework; it is the mindset of the market. And this rot extends far beyond the AICPA’s jurisdiction.
The “Blinders” of Prescriptive Frameworks
While SOC 2 suffers from commoditization, other rigid frameworks (e.g., ISO 27002 or FedRAMP) suffer from bureaucratic myopia. These frameworks are often so excessively prescriptive that they encourage auditors to wear blinders. We see auditors so obsessed with checking a specific, microscopic compliance box that they step right over a gaping security hole because it technically falls “out of scope.” A prescriptive framework often creates a false sense of order, where the paperwork is perfect, but the house is burning down.
The Penetration Testing Mirage
This race to the bottom plagues technical testing just as severely. We frequently see automated vulnerability scans sold under the guise of “penetration tests.” Let us be clear: running a commercial scanner and printing a PDF is not a penetration test. That is a commodity service that could be performed by an intern on their first day. A true penetration test requires a career’s worth of offensive security knowledge, advanced tooling, and human intuition to chain together complex exploits. We frequently find ourselves the bearers of bad news, informing a client that the “comprehensive test” they paid for was nothing more than a surface-level scan that missed every meaningful attack vector.
The HIPAA “Wild West”
If SOC 2 has a quality band, HIPAA is a free-fall. It is a completely unregulated space. There is no oversight board. There is no certification body. Unlike SOC 2, which requires a licensed CPA firm, anyone can issue a HIPAA assessment. The quality variance here is extreme. We see “assessments” sold for peanuts by unqualified generalists that are effectively legal hallucinations. They offer zero protection and zero validity, yet they are sold to healthcare startups as a “compliance solution.”
The “Pay-to-Play” Gatekeeping
Finally, we have the proprietary frameworks that hide their standards and assessment models behind massive paywalls. These organizations charge exorbitant fees just to access the rulebook, treating safety protocols as intellectual property rather than public necessities. Security must be democratized to be effective. By hoarding best practices behind a cash register, these frameworks deny the community the ability to peer-review, challenge, and improve the standards. True resilience is born in the open, where knowledge is shared freely to create a collective defense; locking that knowledge away weakens the entire ecosystem for the sake of profit.

Our Line in the Sand—Linford’s Approach to Radical Independence
In an industry racing toward the bottom, we have chosen to run in the opposite direction. We refuse to participate in the commoditization of security. We believe that an audit is only as valuable as the independence of the firm performing it. Therefore, we have drawn a hard line in the sand regarding how we operate.
1. Zero “Partner” Entanglements
We do not, and will not, enter into formal or informal “partner” agreements or arrangements with software vendors or automation platforms. We are auditors, not resellers. We neither accept nor pay referral fees, kickbacks, or volume guarantees. When we recommend a path forward, it is because it is the correct solution for the client’s specific needs—not because a vendor is padding our margins. In many cases, we find that expensive automation software is unnecessary bloat; a well-structured manual process is often more effective and less expensive. We preserve the freedom to tell you that truth.
2. Fiercely Tool-Agnostic
We do not force our clients into a box. We are strictly tool-agnostic. If you have already invested in a GRC platform or compliance automation tool, we will work with you to leverage that investment to the fullest extent allowed by AICPA guidance. We audit the control environment you have, not the one a vendor wants you to buy.
3. No Forced Ecosystems
Unlike firms that mandate the use of proprietary portals to lock you into their service, we do not require clients to use any specific tooling—including our own. While we provide advanced tools to facilitate a smooth engagement, their use is entirely optional. We believe you should hire us because of our expertise and our rigor, not because your data is held hostage in our software.
We charge for the risk we run and the value we provide, just as Ruskin advised. We offer the “something better” that comes from paying the right price for uncompromised integrity.

A Call to Standards
It is time for the industry to take a hard look in the mirror. We are losing our way, trading the sanctity of the public trust for the quick revenue of the commodity market, or in other words, selling our souls to feed our bellies. We challenge our peers to remember why this profession exists: not to sell paper, but to validate truth.
This introspection must extend to our regulators. We call upon the AICPA and the State Boards of Accountancy to end the era of passivity. It is time to sharpen the teeth of the peer review program and stop tolerating negligence under the guise of professional courtesy. We demand the aggressive identification and immediate revocation of licenses for auditors who treat independence as a suggestion rather than a mandate. The CPA credential is a promise of objectivity and independence; allowing firms to commoditize that promise without consequence devalues the license for us all. If an auditor cannot respect the rules of professional conduct, they have forfeited the right to practice.
To our prospective clients, we offer this invitation: Join us in maintaining the highest standards of integrity.
We are not the firm for everyone, and we are comfortable with that. We do not pursue clients who are looking for the path of least resistance. If your goal is a rubber stamp, a “check-the-box” exercise, or the absolute lowest bidder, we are not the right fit for you. The market is full of vendors who will happily take your money to tell you what you want to hear.
But if you are a leader who values the craft of security, if you are looking for experienced auditors who will shepherd your team through the complexity of compliance, and if you are committed to actually improving your information security practices year over year—then let’s talk.
We are here to serve the public trust. We hope you will join us.

Richard Rieben is a Partner and HITRUST practice lead at Linford & Co., where he leads audits and assessments covering various frameworks including HITRUST, SOC, CMMC, and NIST. With over 20 years of experience in IT and cybersecurity and various certifications including PMP, CISSP, CCSFP, GSNA, and CASP+, Richard is skilled in helping growing organizations achieve their information security and compliance goals. He holds a Bachelor of Science in Business Management and an MBA from Western Governors University.