SOC 2 Type II evidence collection: how do you automate the audit trail for access reviews?
Preparing for our annual SOC 2 Type II audit and the access review evidence collection is eating ~40 person-hours per quarter. We need to prove that (a) privileged access was reviewed by management, (b) terminated accounts were disabled within 24h, and (c) role changes followed the approval workflow. For compliance leads who've automated this: what tooling stack works? We're evaluating whether to build on top of our IdP (Okta) audit logs + a custom review workflow, or adopt a dedicated compliance platform (Vanta, Drata). Under GDPR Art. 32 and SOC 2 CC6.1, the requirement is the same — documented, periodic review — but the evidence format differs. How do you handle the cross-mapping without duplicating effort? Jurisdiction context: EU/DE primary, with US customers requiring SOC 2.
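As an added illustration of the "build on IdP audit logs" option raised in the question (this is editor-added example code, not the poster's or any vendor's), the script below joins a constructed HR termination feed with constructed IdP lifecycle events shaped like Okta System Log entries (the `eventType`, `published` and `target[].alternateId` field names and the `user.lifecycle.deactivate` event type are assumptions about that log format), computes hours from termination to deactivation, flags breaches of the 24h target, and writes one evidence record per account tagged with every control it satisfies. Tagging each record with both SOC 2 CC6.1 and GDPR Art. 32 is the cross-mapping: the check runs once and the same artifact is filed under both frameworks.

```python
"""Evidence automation sketch: time-to-disable check for terminated accounts.

All input below is constructed sample data. Field names mimic Okta System Log
entries, which is an assumption; adjust the selectors for your IdP's export.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

SLA_HOURS = 24.0

# Cross-mapping: one evidence type -> every framework clause it satisfies.
# Adding a clause here is the only change needed to reuse the same evidence.
CONTROL_MAP = {
    "terminated_account_disabled": ["SOC 2 CC6.1", "GDPR Art. 32"],
}

# Constructed HR feed (assumed shape: login + termination timestamp, UTC ISO-8601).
HR_TERMINATIONS = [
    {"login": "alice@example.com", "terminated_at": "2024-03-01T09:00:00Z"},
    {"login": "bob@example.com", "terminated_at": "2024-03-02T17:30:00Z"},
    {"login": "carol@example.com", "terminated_at": "2024-03-03T08:00:00Z"},
]

# Constructed IdP events shaped like Okta System Log entries (field names assumed).
IDP_EVENTS = [
    {"eventType": "user.lifecycle.deactivate", "published": "2024-03-01T11:15:00Z",
     "target": [{"type": "User", "alternateId": "alice@example.com"}]},
    {"eventType": "user.session.start", "published": "2024-03-02T18:00:00Z",
     "target": [{"type": "User", "alternateId": "bob@example.com"}]},
    {"eventType": "user.lifecycle.deactivate", "published": "2024-03-04T10:00:00Z",
     "target": [{"type": "User", "alternateId": "bob@example.com"}]},
    # carol has no deactivation event at all: that must surface as a finding too.
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value: str) -> datetime:
    """Parse a UTC ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def first_deactivation(events: list[dict], login: str) -> datetime | None:
    """Earliest deactivation event whose User target matches the login."""
    times = [
        parse_ts(e["published"])
        for e in events
        if e.get("eventType") == "user.lifecycle.deactivate"
        and any(t.get("type") == "User" and t.get("alternateId") == login
                for t in e.get("target", []))
    ]
    return min(times) if times else None


def build_evidence(hr_rows: list[dict], events: list[dict],
                   sla_hours: float = SLA_HOURS) -> list[dict]:
    """One evidence record per terminated account, hashed for tamper-evidence."""
    records = []
    for row in hr_rows:
        terminated = parse_ts(row["terminated_at"])
        deactivated = first_deactivation(events, row["login"])
        hours = None
        if deactivated is not None:
            hours = round((deactivated - terminated).total_seconds() / 3600, 2)
        # PASS only if a deactivation exists and landed within the SLA window.
        # A missing event is a FAIL, not "no data": absence is the finding.
        status = "PASS" if hours is not None and hours <= sla_hours else "FAIL"
        record = {
            "login": row["login"],
            "terminated_at": row["terminated_at"],
            "deactivated_at": deactivated.strftime(TS_FMT) if deactivated else None,
            "hours_to_disable": hours,
            "status": status,
            "controls": CONTROL_MAP["terminated_account_disabled"],
        }
        # Hash the canonical JSON so the stored artifact can be shown unaltered.
        canonical = json.dumps(record, sort_keys=True).encode()
        record["evidence_sha256"] = hashlib.sha256(canonical).hexdigest()
        records.append(record)
    return records


def summarize(records: list[dict]) -> dict:
    """Counts an auditor can sample from: total, passed, failed."""
    failed = [r["login"] for r in records if r["status"] == "FAIL"]
    return {"total": len(records), "passed": len(records) - len(failed),
            "failed": failed}


if __name__ == "__main__":
    evidence = build_evidence(HR_TERMINATIONS, IDP_EVENTS)
    print(json.dumps(evidence, indent=2))
    print(json.dumps(summarize(evidence)))
```

In practice the HR rows and IdP events come from the respective exports on a schedule, and the records are written to append-only storage with the hash recorded separately; the `FAIL` rows are the exceptions management has to sign off on, which is the "reviewed by management" evidence for the same period.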