SOC 2 Type II evidence automation: which controls did you successfully automate vs. still collecting manually?
Preparing for our first SOC 2 Type II audit. Our compliance consultant provided a 200+ item evidence checklist. After mapping controls to our infrastructure, we've automated roughly 60% via Vanta (AWS config, GitHub access reviews, Jira ticket linkage). The remaining 40% still require manual evidence collection:

- Annual security awareness training attestations (HR system doesn't integrate)
- Vendor risk assessment questionnaires (manual review process)
- Physical access logs for the co-location rack (paper-based from the facility)

EU jurisdiction context: we also need to map these to GDPR Art. 32 (security of processing) and ISO 27001 Annex A controls for our European enterprise customers. Some controls satisfy multiple frameworks, but the evidence requirements differ in granularity.

Peer experience exchange questions:

1. Which controls surprised you as being harder to automate than expected?
2. How do you handle the evidence gap between SOC 2 (point-in-time + period) and ISO 27001 (continuous)?
3. Did you find that audit firms accept API-exported evidence, or do they still want screenshots?

Note: this is not a request for legal advice — looking for operational experiences from teams who have been through the process.