Legal & Compliance
Open
Asked by Silas
Question

SOC 2 Type II evidence collection — how do you automate the audit trail for access reviews?

We are preparing for our second SOC 2 Type II audit and the access-review evidence collection is still largely manual. Our DPO also wants the same process to satisfy GDPR Art. 22 documentation requirements for automated decision-making oversight.

Specifically: how does your team handle quarterly access reviews across cloud providers (AWS IAM, GCP, Azure AD)? Do you use a dedicated GRC tool (Drata, Vanta, Secureframe) or did you build something on top of Terraform state + audit logs? What surprised you most during the auditor's evidence sampling? Any gaps that seemed obvious internally but the auditor flagged anyway?

Jurisdiction context: EU / DE. We operate under BDSG-neu and need to reconcile SOC 2 controls with EU-DSGVO Art. 32 technical measures. Peer experience exchange only, not looking for legal advice.

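The question asks how to turn quarterly cross-cloud access reviews into evidence an auditor can sample. The following is an added example from the editor, not code from Silas or from any tool named in the question. It assumes you already export each provider's principals and entitlements (for example from `aws iam get-account-authorization-details`, GCP IAM policy bindings, or Azure AD role assignments) into the normalized row shape shown; the snapshots, account ID, names, reviewer IDs, and the `run_review` helper are constructed placeholders. It shows the three things auditors sample for: a reproducible diff of entitlements between quarters, a list of idle principals that need a documented keep/revoke decision, and a hash-chained record so evidence cannot be quietly edited after the fact.

```python
"""Quarterly access-review evidence snapshot (editor's added example).

Inputs are constructed sample exports in a normalized shape, not real data.
"""
import hashlib
import json
from datetime import date

# Constructed sample exports: one row per (provider, principal). The account ID
# and names are placeholders.
PREV_SNAPSHOT = [
    {"provider": "aws", "principal": "arn:aws:iam::123456789012:user/alice",
     "entitlements": ["AdministratorAccess"], "last_used": "2024-03-20"},
    {"provider": "aws", "principal": "arn:aws:iam::123456789012:role/ci-deploy",
     "entitlements": ["PowerUserAccess"], "last_used": "2024-03-29"},
    {"provider": "gcp", "principal": "bob@example.com",
     "entitlements": ["roles/viewer"], "last_used": "2024-01-05"},
]
CURR_SNAPSHOT = [
    {"provider": "aws", "principal": "arn:aws:iam::123456789012:user/alice",
     "entitlements": ["AdministratorAccess", "IAMFullAccess"], "last_used": "2024-06-25"},
    {"provider": "gcp", "principal": "bob@example.com",
     "entitlements": ["roles/viewer"], "last_used": "2024-01-05"},
    {"provider": "azuread", "principal": "carol@example.com",
     "entitlements": ["Global Administrator"], "last_used": "2024-06-30"},
]


def _key(row):
    return row["provider"] + "/" + row["principal"]


def diff_snapshots(prev, curr):
    """Entitlement changes between two quarterly exports, keyed by provider/principal."""
    p = {_key(r): set(r["entitlements"]) for r in prev}
    c = {_key(r): set(r["entitlements"]) for r in curr}
    changes = {"added": {}, "removed": {}, "changed": {}}
    for k in c.keys() - p.keys():
        changes["added"][k] = sorted(c[k])
    for k in p.keys() - c.keys():
        changes["removed"][k] = sorted(p[k])
    for k in p.keys() & c.keys():
        if p[k] != c[k]:
            changes["changed"][k] = {"gained": sorted(c[k] - p[k]), "lost": sorted(p[k] - c[k])}
    return changes


def stale_principals(curr, as_of, max_idle_days=90):
    """Principals with no recorded use inside the window; these get sampled first."""
    return sorted(_key(r) for r in curr
                  if (as_of - date.fromisoformat(r["last_used"])).days > max_idle_days)


def canonical_hash(obj):
    """SHA-256 over canonical JSON so the same inputs always yield the same evidence hash."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def build_evidence(period, prev, curr, decisions, as_of, prev_hash=None):
    """One tamper-evident review record.

    `decisions` maps provider/principal -> {"reviewer": ..., "decision": "keep"|"revoke"}.
    Every principal in the current export needs a decision; otherwise the review is
    incomplete and no evidence is emitted (an auditor would flag the gap anyway).
    """
    missing = sorted(_key(r) for r in curr if _key(r) not in decisions)
    if missing:
        raise ValueError(f"undecided principals: {missing}")
    body = {"period": period, "as_of": as_of.isoformat(), "input_hash": canonical_hash(curr),
            "diff": diff_snapshots(prev, curr), "stale": stale_principals(curr, as_of),
            "decisions": decisions, "prev_hash": prev_hash}
    return {**body, "hash": canonical_hash(body)}


def verify_chain(records):
    """Recompute each hash and check that every record links to its predecessor."""
    expected_prev = None
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != expected_prev or canonical_hash(body) != rec["hash"]:
            return False
        expected_prev = rec["hash"]
    return True


def run_review():
    """Constructed two-quarter run: Q1 is the baseline, Q2 is chained onto it."""
    q1_decisions = {_key(r): {"reviewer": "sec-lead", "decision": "keep"} for r in PREV_SNAPSHOT}
    q1 = build_evidence("2024-Q1", [], PREV_SNAPSHOT, q1_decisions, date(2024, 3, 31))
    q2_decisions = {
        "aws/arn:aws:iam::123456789012:user/alice": {"reviewer": "sec-lead", "decision": "keep"},
        "gcp/bob@example.com": {"reviewer": "sec-lead", "decision": "revoke"},
        "azuread/carol@example.com": {"reviewer": "it-ops", "decision": "keep"},
    }
    q2 = build_evidence("2024-Q2", PREV_SNAPSHOT, CURR_SNAPSHOT, q2_decisions,
                        date(2024, 6, 30), prev_hash=q1["hash"])
    return [q1, q2]


if __name__ == "__main__":
    print(json.dumps(run_review(), indent=2))
```

In practice the exports feeding `PREV_SNAPSHOT` and `CURR_SNAPSHOT` would come from the providers' own APIs or from Terraform state, and the emitted records would be written to append-only storage (object lock, or a signed commit in a repository) so the chain is anchored somewhere reviewers cannot rewrite. The refusal to emit evidence while principals are undecided is deliberate: a half-finished review is the gap auditors most often sample into.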

Responses

Direct answers and proposed approaches

No responses yet.
Challenges

Risks, gaps, and constructive pushback

No challenges yet.