Austin Yin
63 posts

Austin Yin
@yinthisgame
cpa building an ai-native firm that issues soc 2 | ex deloitte
Texas · Joined October 2025
56 Following · 118 Followers

Austin Yin @yinthisgame
You can now run your entire SOC 2 audit inside your Claude Code. Research preview is available now. Public launch in July 2026. Looking for a few SaaS startups as research partners to run it with at no cost. DM me or visit chiarohq.com/x for free research access. Welcome any feedback! #soc2 #claudecode

@stkenned @christinacaci Then I’d use the term they “prepped” your configuration for audit, instead of they audited. This is a legal word that carries weight.

@yinthisgame @christinacaci Vanta is not the auditor, but it is the platform we use to facilitate the entire process (including the audit).

Just because you can build it cheaper and faster does not mean you should.
The real cost is not the build. It is what you give up to do it.
Every hour and every resource you pull into something you could do is an hour and a resource not spent on what only you can do best. That trade-off compounds.
Comparative advantage is what actually wins over time. So people will still pay for software for decades to come.

@andrewchen Yes. Looking forward to seeing more people pursuing their dreams

Founder-Led Coding:
Something I think we’re about to see pretty often, with the massive increase of entrepreneurial but non-technical founders who can use AI code gen to build their v1 products: founder-led coding.
Founder led sales: this is where you just do all the selling, at the beginning, even if you’re not that good at it. Worth it to learn and validate the product
Founder led coding is the same:
You just do all the coding, at the beginning, even if you’re not that good at it. Worth it to learn and validate the product

@BryanOnel86 Let’s say $4k. And I bet they do the audit by manually reviewing what was previously collected by the platform without going into the systems to independently verify the security configurations. Hope I was wrong.

@chris__sev Yeah! Been using it for the majority of my time. Now I can really get things done anywhere without carrying my laptop.

@augeeidos @BryanOnel86 It's all about trust. What if SOC 2 becomes fully transparent where everyone can see what auditors tested and found exactly during the audit with details, instead of just a SOC 2 stamp?

I don’t think anything will really change. These certifications have always been more about appearances than actual security. The same people who built the compliance industry are the ones who looked the other way through every major financial collapse. SOC2, HIPAA, and ISO all sound official until you look at how easily bad actors can game them. None of it means anything if the people doing the audits have no real technical understanding or independence.
Most of the US economy runs on this kind of performance. How many companies with shiny SOC2 badges have already leaked data or mishandled user information? The whole system exists to fund itself through consultants, auditors, and assessors while pretending it is about trust. The paperwork gets thicker, the risk stays the same, and everyone keeps collecting their fees. Nothing changes because the illusion is what everyone is paid to maintain.

@FeHa The question is whether the change comes from inside (cpa firms that do real work) or from regulators doing it for us. I'd rather it come from inside.

The interesting thing with the whole telenovela of SOC 2 this weekend is that everyone's awake, and it drags down the whole industry, including the auditor, including the AICPA, and many, many more stakeholders in this industry.
Let's see if something positive would come out after this in the coming months.
If nothing really changes, then what's the point of viralling an issue.

5 years at Deloitte. Led 30+ SOC 2 audits across the US and Canada. Here's what I learned.
The whole system runs on black boxes.
Your customer can't see inside your company. That's why they ask for a SOC 2. The report is supposed to open the box.
But here's the problem. The report itself is another black box.
Open any SOC 2 report. Find the testing section. Here's what you'll see for almost every control:
"We selected a sample of users and noted no exceptions."
That's it. No sample size. No methodology. No detail on what "noted no exceptions" actually means. Even Big Four reports read like this.
Now compare two versions of the same test result:
Version A:
"We inspected the access list and noted no exceptions."
Version B:
"We sampled 25 of 312 users. 1 terminated contractor retained read-only access for 3 days past offboarding. The Company revoked access within 24 hours of notification and added an automated deprovisioning trigger. We re-tested 2 weeks later and confirmed the control operated as intended."
Version A is what 99% of SOC 2 reports say. Version B is what actually happened during the audit. Both are AICPA compliant. Only one is useful.
The standard requires almost nothing in terms of disclosure. That's not a feature. That's the vulnerability.
Fast doesn't mean bad. Slow doesn't mean good. The only thing that matters is whether someone actually tested your controls and told you what they found.
Trust the data, not the stamp.

The monitoring window doesn’t mean that the auditors need to sit there and watch your systems for 6 months. If companies have good records, logs, and data that can be verified by auditors, there wouldn’t be “waiting” for a Type II audit. But if a startup that is completely 0 ready is looking to pass Type II in days, that is bullshit.

Damning evidence suggesting that compliance certificates issued by Delve (a startup founded in 2023) are fraudulent + worthless
I never understood how e.g. Cluely could be GDPR, SOC2, HIPAA compliant in ~a week. Now we know: they probably aren't.
Just wild
substack.com/home/post/p-19…

@Lovable When I was a small startup CTO I was in charge of our SOC 2 Type 2 process. We hired a company and paid thousands of dollars. Until this day I am not sure why we needed them.
You follow the rules, you write it down, you are compliant.
This SOC 2 was always a scam

We're aware of recent reporting about Delve’s compliance practices. Lovable is not a Delve customer. We proactively moved to Vanta in late 2025, before any of this came to light.
Our SOC 2 Type II was independently audited by Prescient Assurance. We’re currently undergoing an independent internal audit of our ISMS, recertifying ISO 27001, and have our next SOC 2 Type II scheduled for Q3 2026.
Security is not an afterthought at Lovable. It's a company-wide commitment backed by a dedicated team and continuous investment. Our current compliance practices are all here: trust.lovable.dev

@antoniospiezia Also guilty are the CPA firms who rubber-stamped the report. Eventually Delve is just a SOC 2 prep SaaS.

@shravvmehtaa Congrats. But wondering how Secureframe does the SOC 2 prep differently than Delve.

Yes, you can park in your own driveway. No, your car cannot block the sidewalk.
Through PermitSF, we passed legislation to get rid of outdated laws that prohibited San Francisco residents from parking cars in their own driveways.
Just follow these guidelines:
✅ You can park in the driveway in front of your house.
✅ No part of your car can overhang onto the sidewalk.
✅ You may park parallel to the curb in front of your own driveway, if your vehicle is registered to that address and the building has two or fewer units.
When in doubt, visit SFMTA.com/ParkLegally to review parking rules. With PermitSF, we’re making life easier for residents, small businesses, and all San Franciscans through common-sense changes.