SOC 2 Type 2 doesn’t care that you did 3 out of 4 quarterly access reviews.
You’ve invested in Vanta or Drata to automate the infrastructure side of SOC 2. That’s the right call. But roughly 40–60% of SOC 2 controls require a human to actually do something — a quarterly access review, an annual security training completion for every employee, a vendor security assessment, a tabletop exercise, a new hire background check before system access. Your GRC platform tells you when they’re due. It doesn’t run them for you.
CheckFlow is the execution layer for the human side of SOC 2. Build recurring task checklists for every control that needs a person to complete it, assign named owners, enforce deadlines, and capture timestamped evidence of completion automatically. When your auditor samples your Type 2 observation period, every month shows consistent execution. Because it was.
“We’d been on Drata for a year and still tracked quarterly access reviews in a Google Sheet. We had two exceptions in our first Type 2 audit. CheckFlow fires the review automatically every quarter, assigns it to the right person, and gives us a timestamped record. No exceptions since.”
- Head of Engineering, B2B SaaS Platform
“We grew from 12 to 40 people in 18 months. Every new hire needed a background check before system access, and annual security training. We were missing people every cycle. Now it’s a checklist that runs itself. The auditor asked for training completion records for all 40 employees for the full year — we had every single one.”
- VP of Operations, SaaS Company
68% of qualified SOC 2 opinions stem from access control weaknesses (CC6)
— Bastion, citing Schneider Downs / CountSure data
40–60% of SOC 2 controls require human processes that no GRC automation platform handles
— Truvocyber / Vanta analysis
Sound Familiar?
SOC 2 Type 2 audits don’t grade on intent. They grade on evidence. A quarterly access review that was “nearly done” is a gap. An employee who was “going to complete” their annual training is a gap. A vendor assessment that lives in a Slack thread instead of a timestamped record is a gap. And each gap is potentially an exception — on an audit report you’ve paid $15,000–$50,000 to produce.
A missed quarterly task becomes an exception
SOC 2 Type 2 auditors sample across your entire observation period. Miss your Q3 access review and you have a documented exception — even if Q1, Q2, and Q4 were completed perfectly. A single missed cycle in a 12-month period is all it takes.
GRC platforms automate the infrastructure — not the humans
Vanta connects to your AWS, Okta, and GitHub. It doesn’t conduct your quarterly access review, assess your vendors, or track whether every employee finished their annual training. That last 40–60% of controls still requires a person to do the work and document it.
Controls fall off when people leave
The engineer who owned your quarterly access reviews left. They took their calendar reminders and their institutional knowledge with them. Nobody knows the task exists until the auditor finds the gap six months later and the observation period has already captured the miss.
Compliance theater: on paper, not in practice
The policy says quarterly access reviews happen. The reality is they happen when someone remembers — or they don’t happen at all. Type 2 auditors don’t grade on your policy documentation. They grade on timestamped evidence that each control was executed consistently across the full observation period.
No named owner for manual controls
“Someone in IT handles that.” Without a named assignee and a deadline, controls that require human action get deprioritised when the team is busy shipping product. Then they don’t happen. Then they show up as exceptions in your audit report.
You’ve spent $15,000–$50,000 on the audit
A single missed training completion, one undocumented emergency change, or one quarterly access review that slipped can produce an audit exception. A qualified report is as commercially damaging as no report when the enterprise deal you’re trying to close is contingent on a clean SOC 2 certification.
How CheckFlow Works for SOC 2 Teams
Map your recurring controls once. They run automatically every quarter, every year — with a full evidence trail for every cycle.
1. Map your recurring SOC 2 controls
List every control that requires a human to execute it — quarterly access reviews, monthly vulnerability scan documentation, annual security training, vendor assessments, policy reviews, new hire background checks. Build a CheckFlow checklist for each. Takes an afternoon to set up.
2. Assign owners and schedule the cycles
Set each checklist to recur on the right cadence — quarterly for access reviews, annually for risk assessments and training, per-hire for new employee controls. CheckFlow auto-assigns to the right team member and sends reminders before deadlines. The cycle runs itself — even through personnel changes.
3. Build the evidence trail automatically
Every completed task creates a timestamped record with the assignee’s name, completion date, and any attached evidence — screenshots, reports, certificates. When your auditor samples your observation period, you have complete, dated records for every control, every cycle, every month.
SOC 2 has two layers: the infrastructure layer that GRC platforms automate, and the human execution layer that someone on your team has to actually do. Quarterly access reviews. Annual training completions. Vendor assessments. New hire background checks. Incident response documentation. CheckFlow is designed for exactly this layer — recurring tasks, named owners, documented completion, and a permanent evidence trail that survives team changes, audit cycles, and Type 2 renewals year after year.
Quarterly access review checklists
The most common SOC 2 exception. CheckFlow auto-fires your quarterly access review every quarter, assigned to the right owner, with a structured checklist: pull the active user list, verify each access level is appropriate to the current role, document any changes made, record reviewer name and completion date. Timestamped evidence for every quarter — no more gaps.
Every employee, every year. CheckFlow assigns the training completion task to each team member on the annual cycle, tracks who’s done and who hasn’t, and creates a per-employee, per-year record. When your auditor asks for proof that all 40 employees completed security awareness training this year, you have it — instantly.
SOC 2 CC9.2 requires documented vendor risk reviews. CheckFlow assigns a structured vendor assessment checklist per vendor per cycle: verify their SOC 2 or ISO 27001 certificate, complete the security questionnaire, assign a risk rating, record reviewer and completion date. A timestamped record per vendor, per annual cycle — the evidence your auditor needs for CC9.2.
Background check before system access. Security policy acknowledgment before tools are provisioned. Security training completed within 30 days. Each step fires in the correct sequence, assigned to the right person, with a permanent completion record. SOC 2 CC6.1 access provisioning controls — executed the same way for every new hire, every time.
When an incident occurs, the documentation checklist opens: detection, containment, scope assessment, stakeholder notification, timeline documentation, post-mortem. Every incident response produces a complete, timestamped record. Your Type 2 evidence package for incident management controls is built automatically.
Annual policy review is a known gap. CheckFlow schedules your policy review cycle, assigns each step to the right owner, and tracks employee attestation — individual acknowledgment that each policy has been read and understood. For Type 2 renewals, this cycle is already documented. Year after year.
Don’t start from a blank page. Pick a proven compliance template, customise it to your framework, controls, and audit scope, and run it for your next assessment in minutes. Each one is fully editable in the CheckFlow template designer.
These are the recurring tasks your GRC platform tells you about but doesn’t run for you — and the ones most likely to generate exceptions in a Type 2 audit.
Quarterly Controls
User access review: pull active user list from all in-scope systems (Okta, AWS, GitHub, production databases, SaaS tools)
For each user: verify access is appropriate to their current role and employment status
Document any accounts requiring removal, downgrade, or role change
Confirm all changes actioned and verified in each system
MFA enforcement verified across all in-scope systems
Inactive accounts (90+ days) flagged and deprovisioned
Record reviewer’s name and exact completion date
Vulnerability scan run (or results reviewed if automated) and tracked against SLA
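As an added illustration of the quarterly access review steps above (example code, not CheckFlow's own): a small Python routine that takes a constructed export of active users, checks each account against an assumed HR role list, flags inactive (90+ day) accounts and missing MFA, and emits the timestamped record with reviewer name and completion date that the checklist asks for. The sample users, the `HR_ROLES` source and the reviewer name are all assumptions made for the example.

```python
from datetime import date, datetime, timezone

INACTIVE_DAYS = 90  # threshold from the checklist: inactive accounts (90+ days)
REVIEW_DATE = date(2024, 6, 30)  # end of the quarter under review (constructed)

# Constructed sample export of active accounts from in-scope systems (not real data).
SAMPLE_USERS = [
    {"system": "okta", "user": "alice", "role": "engineer", "last_login": date(2024, 6, 20), "mfa": True, "status": "active"},
    {"system": "okta", "user": "bob", "role": "admin", "last_login": date(2024, 2, 1), "mfa": True, "status": "active"},
    {"system": "aws", "user": "carol", "role": "admin", "last_login": date(2024, 6, 25), "mfa": False, "status": "active"},
    {"system": "github", "user": "dave", "role": "engineer", "last_login": date(2024, 6, 1), "mfa": True, "status": "terminated"},
]

# Expected role per person, assumed to come from an HR export (constructed). None = no longer employed.
HR_ROLES = {"alice": "engineer", "bob": "engineer", "carol": "admin", "dave": None}


def review_account(user, hr_roles, as_of):
    """Return the list of required actions for one account; empty means access is appropriate."""
    findings = []
    expected_role = hr_roles.get(user["user"])
    if user["status"] != "active" or expected_role is None:
        findings.append("remove: not a current employee")
    elif expected_role != user["role"]:
        findings.append(f"role change: HR says {expected_role}, system grants {user['role']}")
    idle_days = (as_of - user["last_login"]).days
    if idle_days >= INACTIVE_DAYS:
        findings.append(f"deprovision: inactive {idle_days} days")
    if not user["mfa"]:
        findings.append("mfa: not enrolled")
    return findings


def quarterly_access_review(users, hr_roles, reviewer, as_of):
    """Build the evidence record: reviewer, review date, completion timestamp, per-account actions."""
    record = {
        "control": "Quarterly user access review",
        "reviewer": reviewer,
        "review_date": as_of.isoformat(),
        "completed_at": datetime.now(timezone.utc).isoformat(),
        "accounts_reviewed": len(users),
        "findings": [],
    }
    for u in users:
        for action in review_account(u, hr_roles, as_of):
            record["findings"].append({"system": u["system"], "user": u["user"], "action": action})
    return record


if __name__ == "__main__":
    import json
    print(json.dumps(quarterly_access_review(SAMPLE_USERS, HR_ROLES, "J. Reviewer (constructed)", REVIEW_DATE), indent=2))
```

Each finding in the record is an item to action in the source system and verify before the reviewer signs off; the record itself is what gets filed as the quarter's evidence.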
Annual Controls
Security awareness training: every employee assigned, completion tracked per person, per cycle
Penetration test: external provider engaged, report received and filed, remediation tracked with SLA
All security policies reviewed for currency and accuracy, updates approved by owner
Policy acknowledgment: every employee confirms in writing that they have read current policies
Business continuity and disaster recovery plan reviewed and tested
Incident response tabletop exercise conducted and results documented
Annual vendor security review cycle initiated (see Vendor Management phase)
Vendor Management
Vendor inventory maintained and reviewed: all third parties with access to in-scope systems listed
For each relevant vendor: SOC 2 Type 2 or ISO 27001 certificate reviewed and confirmed current
Security questionnaire or SIG Lite completed and filed
Risk rating assigned per vendor (high / medium / low) based on data access and criticality
Data Processing Agreement (DPA) confirmed signed and current
Sub-processor list reviewed for any changes
High-risk vendor re-assessments flagged for follow-up
Annual vendor review cycle completion confirmed and documented
Per-Hire Controls
Background check completed before system access is provisioned — no exceptions
Signed offer letter and NDA on file before first day
Security policy acknowledgment signed before any tool access
Role-appropriate system access provisioned: least-privilege principle applied, access list documented
MFA enrolled on day one
Security awareness training completed within first 30 days
Manager sign-off confirming all provisioning steps complete
At departure: accounts deprovisioned within 24–48 hours, checklist completed and timestamped
CheckFlow’s free SOC 2 control templates cover quarterly, annual, vendor, and per-hire requirements — ready to run for your next access review cycle in minutes.
How is CheckFlow different from Vanta, Drata, or Secureframe?
Vanta, Drata, and Secureframe automate the infrastructure evidence collection layer — connecting to your AWS, Okta, GitHub, and other tools via API to continuously monitor configurations and collect automated evidence. They’re excellent for that. CheckFlow handles what they don’t: the human-executed controls that require a person to conduct a review, complete training, or perform a task and document it. Research suggests that roughly 40–60% of SOC 2 controls require human processes that no automation platform handles. CheckFlow and your GRC platform are complementary — not competing. Most SOC 2 teams use both.
Is CheckFlow more valuable for SOC 2 Type 1 or Type 2?
CheckFlow adds the most value for Type 2. Type 1 is a point-in-time audit — it verifies your controls exist today. Type 2 covers a 6–12 month observation period and verifies that controls operated consistently throughout. That consistent execution over time is exactly what CheckFlow provides: recurring tasks fire on schedule, are completed by named individuals, and produce a timestamped evidence trail across the full observation period. For Type 1, you might get by with a one-time checklist run. For Type 2, you need a system that runs every quarter, every year, without gaps.
How does CheckFlow create evidence that SOC 2 auditors accept?
Every completed checklist task produces a timestamped record: who completed it, when, and what the outcome was. Reviewers can attach evidence — screenshots, reports, signed documents, certificates — directly to checklist items. The completed run is stored permanently and exportable as a PDF. When your auditor requests evidence of your Q2 access review, your annual security training completion, or your vendor assessment for a specific supplier, you pull it from CheckFlow and export it immediately. The record shows the reviewer’s name, the completion date, and any attached documentation.
Can I assign different SOC 2 control tasks to different team members?
Yes. Each checklist can have steps assigned to different roles — security team, IT, HR, management. A new hire onboarding checklist might have steps for IT (provision access), HR (background check confirmation), and the manager (security policy briefing). Each person receives their assigned steps and automatic reminders. The compliance owner sees full completion status across all steps. Ownership is explicit and documented — critical for Type 2 audits that assess whether controls have clear owners.
What are the most common SOC 2 controls CheckFlow helps with?
Quarterly user access reviews (CC6.2, CC6.3), annual security awareness training completion tracking (CC1.4), vendor security assessments (CC9.2), new hire background check and access provisioning workflows (CC6.1), incident response documentation, and annual policy review and attestation cycles. These are the controls most frequently cited in SOC 2 audit exceptions — 68% of qualified audit opinions stem from access control gaps alone — and all of them require human execution with documented evidence.
Does CheckFlow work for ISO 27001 as well as SOC 2?
Yes. ISO 27001 has nearly identical recurring operational control requirements: access reviews, risk assessments, security training, vendor security assessments, and policy reviews. If you’re pursuing SOC 2 and ISO 27001 simultaneously — which is common for SaaS companies selling internationally — the same CheckFlow templates cover both frameworks. Build the checklist once; it generates the evidence for multiple audits. The two frameworks overlap significantly on the human execution side.
What does CheckFlow cost compared to Vanta or Drata?
Vanta starts at approximately $10,000 per year; Drata at $7,500–$15,000 per year. CheckFlow is $10 per user per month — a 10-person team managing SOC 2 compliance tasks pays $100 per month, or $1,200 per year. CheckFlow doesn’t replace your GRC platform if you have one — it fills the execution gap those platforms leave open on the human control side. Most teams that add CheckFlow for manual control execution spend $100–500 per month depending on team size.
Stop Explaining to Auditors. Show Them.
Free trial — no credit card required
Build the recurring control checklists your SOC 2 Type 2 programme needs — quarterly access reviews, annual training, vendor assessments, new hire controls — and generate the timestamped evidence trail that makes your next audit clean.