Lapzo Automated SOC 2 Access Reviews and Cut Audit Prep Time

"Every SOC 2 cycle we spent two weeks pulling access evidence manually, exporting lists, chasing managers for sign-offs, reconciling spreadsheets. CloudEagle automated the reviews and produced the evidence packets in a day. Our last audit had zero access-related findings. That had never happened before."

- Pedro Sors, Chief Operating Officer, Lapzo

  • 1 day to produce SOC 2-ready logs
  • 220+ excessive admin privileges eliminated
  • 3x more access reviews completed per quarter

Challenge
  • Access reviews were run manually ahead of each SOC 2 audit, with the security team spending two weeks chasing managers and reconciling spreadsheets.
  • Review completion rates were low, as managers treated access review requests as low priority and often rubber-stamped them.
  • Admin-level privileges had accumulated across critical systems with no regular process to identify them.

Solution
  • CloudEagle.ai automated access review campaigns across all SOC 2 in-scope systems, routing each review to the right manager based on HRIS data with automatic reminders.
  • Evidence packets for each review cycle were generated automatically, with every decision logged and exportable in the format auditors required.
  • Privileged Access Visibility surfaced every admin-level account across the stack, with over-provisioned access flagged and routed for review.

Result
  • SOC 2 access reviews shifted from a manual, audit-driven exercise to a continuous, automated process.
  • Over 220 excessive admin privileges were not just identified but removed, significantly reducing standing access risk across critical systems.
  • 3x more access reviews were completed per quarter than before automation, with completion rates no longer dependent on manual follow-up.

Challenge

Lapzo operated under SOC 2 Type II requirements across its healthcare technology platform. Every audit cycle brought the same preparation problem. 

The security team spent the weeks before each audit manually pulling user access lists from each in-scope system, sending review requests to managers by email, chasing responses, and reconciling completed reviews into evidence packets the auditors could work from. 

Review completion was a persistent problem. Managers received access review requests during busy periods and treated them as low priority. Follow-ups took days. 

Outside of audit cycles, access reviews did not happen at all, which meant admin privileges accumulated between audits with no regular check. By the time the next audit arrived, the team was starting from scratch.

Solution
  • User Access Reviews automated review campaigns across all SOC 2 in-scope systems, routing each review to the right manager with automatic reminders.
  • Audit evidence generated automatically as a byproduct of every review cycle, with every approval, rejection, and access change logged.
  • Privileged Access Visibility surfaced every admin-level account across critical systems, with over-provisioned access flagged for review and removal.
  • Continuous review cadence replaced the annual pre-audit scramble, so access was reviewed regularly rather than once before each audit window.
  • Risk Correlation flagged accounts where access had grown beyond what the role required, prioritising the highest-risk entitlements for review first.

Why CloudEagle.ai?

Lapzo evaluated several solutions and chose CloudEagle.ai for these reasons:

  • One view of every reviewer's progress: see which managers are done and who hasn't started, without chasing anyone.
  • Risky users surfaced first: roles, permissions, SSO, and HRIS status, and elevated access all flagged, so reviewers focus on what matters.
  • End-to-end automation: reviewer assignment, offboarding rejected users, evidence attachment, and auditor report are all handled automatically.
  • Continuous reviews year-round: audit evidence is always current, never pulled together in a rush before the auditor arrives.

Impact

Audit Prep Transformed

  • Time to produce SOC 2-ready access evidence reduced from 2 weeks to 1 day.
  • Evidence packets generated automatically at the close of each review cycle, with no manual compilation required.
  • Last SOC 2 audit completed with zero access-related findings, the first time that outcome had been achieved.

Privilege Hygiene Restored

  • 220+ excessive admin privileges identified and eliminated across critical systems.
  • Every admin-level account reviewed against the principle of least privilege, with over-provisioned access removed through a documented workflow.
  • Privileged access now reviewed on a continuous cadence rather than discovered as an audit finding.

More Reviews, Less Effort

  • 3x more access reviews completed per quarter than before automation.
  • Review completion rates improved as automatic reminders replaced manual email follow-up.
  • Security team time previously spent on evidence gathering reallocated to higher-priority security work.

The Transformation

Before CloudEagle

  • Access reviews run manually in the weeks before each SOC 2 audit, with evidence compiled by hand from multiple systems.
  • Two weeks of security team time spent producing evidence for a single audit cycle.
  • Review completion dependent on managers responding to email requests, with low and inconsistent response rates.
  • Admin privileges accumulating between audit cycles with no regular review process in place.
  • Access-related findings appearing in every SOC 2 audit cycle.

After CloudEagle

  • Access reviews run continuously across all SOC 2 in-scope systems throughout the year.
  • SOC 2-ready evidence produced in 1 day, generated automatically as a byproduct of each review cycle.
  • Review completion driven by automated routing and reminders, with 3x more reviews completed per quarter.
  • 220+ excessive admin privileges eliminated and privileged access reviewed on a continuous cadence.
  • Zero access-related findings in the last SOC 2 audit.
