SOC 2 Type II evidence collection: how do engineering teams automate the control testing trail
We're preparing for our first SOC 2 Type II audit (12-month observation period). The auditor wants evidence for ~60 controls across Security, Availability, and Confidentiality trust service criteria. The manual approach (screenshots, Jira exports, Slack message exports for incident response) is clearly unscalable for a 12-month window with 45 engineers. We're looking at automated evidence collection.

Controls we're tackling:
- CC6.1 (logical access): automated user provisioning/deprovisioning logs from Okta + GitHub org audit
- CC7.2 (monitoring): CloudWatch alarm history + PagerDuty incident logs, exported monthly
- CC8.1 (change management): PR-to-deployment trail via GitHub Actions + ArgoCD sync status
- A1.2 (availability): uptime reports from our own healthcheck aggregator (not third-party, which raises independence questions)

Where we're stuck:
- Evidence independence: our own monitoring tools are not "independent" per auditor standards. How are teams handling this without paying for a dedicated observability platform just for audit purposes?
- Sampling vs full evidence: does the auditor expect every single PR to have an approval trail, or is statistical sampling acceptable?
- The 12-month retrospective problem: we didn't have these automation scripts in place 8 months ago. How are teams handling the gap between "controls designed" and "controls operated" dates?

This is a peer experience exchange — looking for how other teams handled the same operational challenges. Not seeking legal advice.
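The CC8.1 item above (PR-to-deployment trail) is the one that lends itself most directly to a scripted evidence record, so here is an added example of what such a collector can produce. This is illustrative code written for this thread, not the poster's tooling and not a GitHub or ArgoCD client: the `SAMPLE_PRS` and `SAMPLE_DEPLOYMENTS` structures are constructed to resemble the fields a GitHub pull-request/review export and an ArgoCD sync history would carry, and the control test encoded (an APPROVED review from someone other than the author, submitted before merge, plus a synced deployment of the merge commit) is an assumed reading of the control, not an auditor's definition. The record hashes the full evidence set and derives a reproducible sample from that hash, so whichever sampling approach the auditor accepts, the selection can be shown not to have been hand-picked.

```python
"""Build a CC8.1 (change management) evidence record from PR review data
and deployment sync data. All inputs below are constructed samples."""
import hashlib
import json
from datetime import datetime


def _ts(value):
    # ISO-8601 with a trailing Z, as exported by many APIs; normalised for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed sample: three merged PRs covering one clean case and two failure modes.
SAMPLE_PRS = [
    {"number": 101, "author": "alice", "merged_at": "2024-03-02T10:00:00Z",
     "merge_commit_sha": "aaa111",
     "reviews": [{"user": "bob", "state": "APPROVED", "submitted_at": "2024-03-02T09:30:00Z"}]},
    # Self-approved, and never deployed.
    {"number": 102, "author": "carol", "merged_at": "2024-03-05T14:00:00Z",
     "merge_commit_sha": "bbb222",
     "reviews": [{"user": "carol", "state": "APPROVED", "submitted_at": "2024-03-05T13:00:00Z"}]},
    # Independent approval exists but was submitted an hour after the merge.
    {"number": 103, "author": "dave", "merged_at": "2024-03-07T08:00:00Z",
     "merge_commit_sha": "ccc333",
     "reviews": [{"user": "erin", "state": "APPROVED", "submitted_at": "2024-03-07T09:00:00Z"}]},
]

# Constructed sample: ArgoCD-style sync history keyed by the revision that was deployed.
SAMPLE_DEPLOYMENTS = [
    {"app": "api", "revision": "aaa111", "synced_at": "2024-03-02T10:20:00Z", "status": "Synced"},
    {"app": "api", "revision": "ccc333", "synced_at": "2024-03-07T08:15:00Z", "status": "Synced"},
]


def evaluate_pr(pr, deployments):
    """Test one PR against the assumed CC8.1 criteria and return an evidence row."""
    merged = _ts(pr["merged_at"])
    approvals = [
        r for r in pr["reviews"]
        if r["state"] == "APPROVED"
        and r["user"] != pr["author"]          # approval must be independent of the author
        and _ts(r["submitted_at"]) <= merged   # and must precede the merge
    ]
    deploy = next(
        (d for d in deployments
         if d["revision"] == pr["merge_commit_sha"] and d["status"] == "Synced"),
        None,
    )
    exceptions = []
    if not approvals:
        exceptions.append("no independent approval before merge")
    if deploy is None:
        exceptions.append("no deployment record for merge commit")
    return {
        "control": "CC8.1",
        "pr": pr["number"],
        "author": pr["author"],
        "approved_by": [r["user"] for r in approvals],
        "merged_at": pr["merged_at"],
        "deployed_at": deploy["synced_at"] if deploy else None,
        "exceptions": exceptions,
    }


def build_evidence(prs, deployments, period):
    """Evaluate every PR in the period and seal the result with a SHA-256 digest.

    The digest is over canonical JSON, so the same inputs always yield the same
    hash and any later edit to the stored file is detectable."""
    records = [evaluate_pr(p, deployments) for p in prs]
    body = json.dumps({"period": period, "records": records},
                      sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return {"period": period, "records": records, "sha256": digest}


def select_sample(evidence, size):
    """Pick a reproducible sample of PR numbers, ordered by a hash that depends
    on the full evidence digest, so the choice cannot be steered by hand."""
    def rank(record):
        key = f"{evidence['sha256']}:{record['pr']}".encode("utf-8")
        return hashlib.sha256(key).hexdigest()
    return [r["pr"] for r in sorted(evidence["records"], key=rank)[:size]]


if __name__ == "__main__":
    evidence = build_evidence(SAMPLE_PRS, SAMPLE_DEPLOYMENTS, "2024-03")
    print(json.dumps(evidence, indent=2))
    print("sample for walkthrough:", select_sample(evidence, 2))
```

In practice the two sample lists would be replaced by the real exports, the JSON written once per period to write-once storage, and the digest recorded somewhere the evidence file's owner cannot silently edit; that addresses the tamper-evidence half of the independence concern, though not the question of who operates the collector.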