The worst compliance mistake companies can possibly make — and I'm not saying this in a clickbaity way at all — is attempting to check the box with compliance and rushing through it so that they can go to their prospect and say "look, we received the certification."
We've onboarded a number of those customers. We found that the program was stood up on shaky sand, and we've had to redeploy their entire program from scratch. All of their policies were templatized. Listen, using a template is fine — but the things that the policy says you must be doing must actually be true, and they must be actioned. If you're just trying to rush through it and everything is surface level, the only people that are going to pass you for an audit are rubber-stamping firms. We've seen this quite a bit, and we refuse to work with any of those auditors.
When we come on board, we often have to rebuild everything from scratch and start a brand new observation period. Or in some cases, if they're ISO certified, a brand new certification from the ground up — because we don't trust the program and we certainly don't trust the auditors.
A lot of rubber-stamping auditors are based in India — nothing wrong with India, but that's what the data suggests. They all tend to have the same kind of corporate addresses. We do our research as soon as we see a report: we check if there are any complaints against them, what their reputation is. Pretty quickly you'll see user-driven complaints online around that particular organization and the quality of their work.
The moment we see the same address for a shell company headquarters, it's automatically a red flag. We like to see US-based companies with US-based CPAs doing the audits, with a very strong reputation.
We can't continue with a brand new audit for a program we're not confident in — because first, you won't pass. But more importantly, it's not about passing an audit. It's about actually having the controls in place that satisfy the audit and give you good, practical security.

Treating certification as a box to check. Companies that rush through the process to get the badge — without building real controls behind it — end up with programs that don't hold up when it matters. And fixing them costs more than doing it right the first time.
This one comes up more often than it should. And it's not a mistake that looks like a mistake when it's happening — it looks like efficiency. A company needs a SOC 2 report to close a deal. They find a fast path to certification. They get the report. The deal closes. Problem solved.
Until it isn't.
The pattern is consistent. A company is under pressure — a prospect is asking for a SOC 2 report, a contract is contingent on it, the sales team is pushing. Someone finds a firm that can get them certified quickly. Policies get templated from a platform. Controls get marked as complete because the workflow says to mark them complete. The auditor — a firm that isn't looking too closely — signs off. The report lands in thirty days.
On paper, the company is SOC 2 compliant. In practice, the program is built on a foundation that doesn't reflect how the organization actually operates. The policies say the right things. The things the policies say aren't happening.
This is what David calls building on shaky sand. And the problem with shaky sand is that it holds until something puts real weight on it.
There are a few moments where a program built this way tends to fall apart.
The first is a serious enterprise prospect. Large companies with dedicated security teams don't just look at your certification. They look at the length of the observation period (the window a SOC 2 Type II report actually covers), at who the auditor is, and sometimes at the tested controls and the auditor's test results as described in the report. A report from a firm with a pattern of rubber-stamping, a three-month observation period, and policies that read like they came directly from a template doesn't inspire confidence. It raises questions. And the questions it raises are harder to answer than the original security questionnaire.
The second is the renewal. When a company that rushed through the initial certification tries to renew twelve months later, the auditor is testing a full year of operation and expects evidence for each control across that window. If the controls weren't actually running (the access reviews didn't happen, the vendor assessments were skipped, the policies were never updated), the evidence isn't there. The renewal fails or gets delayed. The observation period restarts. Now the company is in a worse position than if they'd done it right from the beginning.
The third is when they hire a real compliance partner. This happens more often than most companies expect. They bring in a firm like Rovally because they're adding a new framework, or because a major prospect flagged concerns, or because they've grown to the point where the original program clearly isn't sufficient. The partner looks at what exists — the policies, the controls, the audit history — and finds that it doesn't hold up. Everything has to be rebuilt from scratch. A new observation period starts. The time and money spent on the original certification is effectively written off.
This pattern only works because a certain category of auditor enables it. These are firms that are incentivized to get clients through the audit — not to verify that the program behind it is real. They exist, they're not hard to find, and they produce reports that look identical to the ones issued by rigorous firms.
The difference becomes visible when someone looks closely. Enterprise buyers with sophisticated security teams research auditors. They check reputation, look for complaints, and recognize the names that come up repeatedly in the context of programs that didn't hold up. A report from one of those firms can actually hurt more than not having a certification at all — because it signals that the company knows what a real program requires and chose the shortcut anyway.
The companies that go through this cycle — rush to certification, program falls apart, rebuild from scratch — end up paying twice. They pay for the initial certification that didn't produce a real program. They pay for the rebuild, which takes longer and costs more because it starts with the overhead of dismantling what's already there. And they pay in sales cycles — deals delayed or lost during the period when the program is being rebuilt and the report they have isn't one they can confidently stand behind.
The shortcut isn't cheaper. It's a deferred cost with interest.
A real compliance program starts with a real gap assessment — an honest look at what exists and what doesn't, without the pressure of marking controls green to move through a workflow. It uses bespoke policies that reflect how the organization actually operates, not templates that describe how a generic organization might operate. It works with auditors who are going to look at the controls, ask hard questions, and issue a report that means something.
And it treats the observation period as what it is: a sustained operational commitment, not a waiting room before the audit. The companies that build programs this way tend to find that certification becomes a reliable asset in the sales process rather than a question mark. Enterprise buyers aren't just looking for a badge — they're trying to understand whether your security program is real. A program built correctly answers that question clearly.
The badge is easy to get. The program behind it is what takes work. And the difference between the two is exactly what serious buyers are trying to determine.
