Overview
SOC 2 is not a security questionnaire. It's an operations audit. The Trust Services Criteria that auditors examine most rigorously (availability, change management, processing integrity) are the controls that depend on repeatable, evidenced execution across many people and teams. If your processes aren't structured, your evidence won't hold up.
The controls that break most often in SOC 2 reviews are not the ones that were never built. They're the ones built but never consistently executed. Change requests that closed without legal sign-off logged. Access reviews that happened but left no evidence. Vendor continuity assessments with no named owner and no attached documentation. The policy existed. The execution record didn't.
Control 1: Change management approvals
Change management fails in audits for a specific reason: approvals happened informally. A Slack message, a calendar note, an email reply: none of those produces a timestamped, attributed record tied to a specific change. Each deployment should move through technical review, security assessment, and post-deployment validation as named approval gates with evidence attached. No gate cleared means no deployment marked complete.
The run's activity log shows exactly who approved what and when, which turns 'I think legal saw it' into 'here's the timestamp and the reviewer's name.' That distinction is the difference between reconstructing an audit trail and retrieving one.
Control 2: Logical access review
Quarterly access reviews are mandated by most SOC 2 scopes, but the usual failure isn't skipping them; it's performing them without any audit trail. In Cadenio, the scheduled review run opens automatically, tasks are assigned to system owners, and the run cannot close without documented decisions on each account reviewed. The SLA ensures no review quarter passes unstarted.
The evidence requirement matters here: each account decision must be recorded as keep, revoke, or modify, not just a sign-off that the review happened. Auditors want to see individual decisions, not a certificate that someone looked at a spreadsheet.
Control 3: Incident response timelines
Detection-to-containment timing is measured in SOC 2 audits. When incident response runs through Slack, timestamps are soft and context is scattered. In Cadenio, detection logging is a required task with a hard timestamp. Containment actions have owners and SLA windows. If the timeline from detection to initial containment exceeds the policy target, the SLA alert fires and lands in the run's record.
The post-incident review is equally important for SOC 2. Root cause documentation, corrective action assignments, and closure evidence are tasks within the same run, not a separate document created weeks later when memory has faded.
Control 4: Vendor risk assessments
Vendor continuity assessments are one of the most common gap areas in SOC 2 reviews. The assessment was done once. Renewal was never scheduled. In Cadenio, each critical vendor has a recurring assessment run with a 90-day renewal alert. Required questionnaire attachments and named reviewer approval prevent the run from closing without evidence.
Sub-processor tracking is the next layer: cloud vendors that process your customer data must be reviewed and re-evaluated on a defined cadence. The same Flow structure handles this, with conditional logic activating additional privacy and data processing requirements for sub-processors specifically.
Control 5: Business continuity testing
Business continuity plans that are never tested produce a specific type of audit finding: 'control exists but effectiveness unverified.' Testing evidence requires a structured run: test scenario, execution record, identified gaps, corrective actions. Each element is a task with an owner, not a section in a document.
Recovery time objective (RTO) and recovery point objective (RPO) validation are evidence-gated tasks in the continuity test run. The test does not close until RTO and RPO have been measured against target and the results have been documented by the named system owner.
Control 6: Security training records
Security awareness training tracked per spreadsheet creates the same problem every cycle: someone has to manually verify completion across the organization, chase exceptions, and compile a report for auditors. In Cadenio, security training is a recurring Flow with one run per training cycle. Each employee is a task. Completion requires an attached certificate or attendance record. The run cannot close until all tasks are resolved.
When auditors arrive, the evidence package for each control cycle is not reconstructed from emails. It's retrieved from run history. Each completed run carries the full activity log: who executed, what was approved, when each gate cleared, what was attached. The time from auditor request to complete evidence response drops from days to minutes for controls managed through Cadenio.
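The mechanism that Controls 1, 2, 3 and 6 above all rely on is the same invariant: a task counts as resolved only when evidence is attached and a named person has approved it, and a run cannot close while any task is unresolved. The Python below is an added illustration of that invariant, written for this page; it is not Cadenio's code and makes no claim about how the product is implemented. The `Task` and `Run` classes, the `GateError` exception, the sample actors and evidence references, and the two-hour containment target are all constructed for the example; only the keep/revoke/modify decision values come from the text.

```python
"""Minimal model of an evidence-gated control run (hypothetical, not Cadenio's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Per-account outcomes an access review must record (named in the page text).
VALID_DECISIONS = {"keep", "revoke", "modify"}


class GateError(Exception):
    """Raised when a task or run cannot advance because evidence is missing."""


@dataclass
class Task:
    name: str
    owner: str
    needs_decision: bool = False          # True for access-review tasks
    evidence: list[str] = field(default_factory=list)
    approved_by: str | None = None
    approved_at: datetime | None = None
    decision: str | None = None

    @property
    def resolved(self) -> bool:
        # Evidence attached, named approver recorded, and (if required) a decision.
        decided = self.decision in VALID_DECISIONS if self.needs_decision else True
        return bool(self.evidence) and self.approved_by is not None and decided


@dataclass
class Run:
    control: str
    tasks: dict[str, Task]
    log: list[tuple[datetime, str, str]] = field(default_factory=list)  # (when, who, what)
    closed_at: datetime | None = None

    def _record(self, at: datetime, actor: str, event: str) -> None:
        self.log.append((at, actor, event))

    def attach(self, task: str, actor: str, ref: str, at: datetime) -> None:
        self.tasks[task].evidence.append(ref)
        self._record(at, actor, f"attached {ref} to {task}")

    def approve(self, task: str, actor: str, at: datetime, decision: str | None = None) -> None:
        t = self.tasks[task]
        if not t.evidence:
            raise GateError(f"{task}: approval refused, no evidence attached")
        if t.needs_decision and decision not in VALID_DECISIONS:
            raise GateError(f"{task}: decision must be one of {sorted(VALID_DECISIONS)}")
        t.approved_by, t.approved_at, t.decision = actor, at, decision
        self._record(at, actor, f"approved {task}" + (f" ({decision})" if decision else ""))

    def unresolved(self) -> list[str]:
        return [name for name, t in self.tasks.items() if not t.resolved]

    def close(self, actor: str, at: datetime) -> None:
        pending = self.unresolved()
        if pending:
            raise GateError(f"cannot close {self.control}: unresolved tasks {pending}")
        self.closed_at = at
        self._record(at, actor, "run closed")

    def elapsed(self, first: str, second: str) -> timedelta:
        """Time between two gates clearing, e.g. detection -> containment."""
        a, b = self.tasks[first].approved_at, self.tasks[second].approved_at
        if a is None or b is None:
            raise GateError("both gates must have cleared before timing them")
        return b - a

    def sla_breached(self, first: str, second: str, target: timedelta) -> bool:
        return self.elapsed(first, second) > target


def demo_incident_run() -> Run:
    """Constructed incident-response run: containment cleared three hours after detection."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    run = Run("incident-response", {
        "detection": Task("detection", owner="soc-analyst"),
        "containment": Task("containment", owner="oncall-sre"),
        "post-incident-review": Task("post-incident-review", owner="security-lead"),
    })
    run.attach("detection", "soc-analyst", "alert-0042.json", t0)          # constructed refs
    run.approve("detection", "soc-analyst", t0)
    run.attach("containment", "oncall-sre", "isolation-ticket-17", t0 + timedelta(hours=3))
    run.approve("containment", "oncall-sre", t0 + timedelta(hours=3))
    return run


if __name__ == "__main__":
    run = demo_incident_run()
    print("unresolved:", run.unresolved())
    print("breached 2h target:", run.sla_breached("detection", "containment", timedelta(hours=2)))
    for when, who, what in run.log:
        print(when.isoformat(), who, what)
```

The design point is that the activity log is written as a side effect of clearing each gate, so it never has to be reconstructed afterwards, and `close()` refuses to run until `unresolved()` is empty, which is exactly the 'no gate cleared means no deployment marked complete' rule from Control 1. The same `needs_decision` flag models Control 2: an access-review task cannot be approved with a bare sign-off, only with one of the recorded decisions.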
