Connective cuts SOC 2 audits from 5 months to 5 weeks with Drata
Challenge
- Manual SOC 2 prep ran through spreadsheets, SharePoint, calendar reminders, and emails, making evidence hard to manage and easy to miss.
- Audit preparation became an annual fire drill: a Trello board with ~500 cards and audits that took four to five months to complete.
- Limited control visibility created gaps: “We had no way to monitor our controls effectively,” and teams were often “back to square one” at audit time.
Solution
- Implemented Drata to centralize SOC 2 evidence, assign control owners across HR, legal, compliance, and engineering, and track tasks in one place.
- Adopted daily monitoring using Drata’s dashboard so control owners can remediate immediately when readiness drops.
- Expanded beyond SOC 2 by managing additional frameworks in Drata, including the NIST AI RMF and Australia’s Essential Eight, while also centralizing the risk register, policy management, and vendor tracking.
- Published a Drata Trust Center to streamline recurring lender and partner audits and reduce repeat requests.
Impact Highlights
- 75% reduction in SOC 2 audit duration SOC 2 audits were reduced from four to five months down to just five weeks total, shifting audit prep from a prolonged annual disruption to a predictable, contained process.
- 2 hours to 100% Essential Eight readiness with cross-mapped controls By applying cross-mapped controls and daily dashboard checks, Connective reached “100 percent ready to go” for Essential Eight in just two hours.
- 30 seconds to respond to lender audit requests via Trust Center Lender and third-party audit requests dropped from approximately 2.5–3 hours of manual work to about 30 seconds by directing reviewers to Connective’s Trust Center instead.
- 2 months from kickoff to first audit using Drata Connective went from onboarding to its first SOC 2 audit in under two months, replacing a historically manual, months-long setup with a fast, execution-driven implementation.
Background
Connective Broker Services is an Australian mortgage aggregator that provides business support services and a CRM platform used by mortgage brokers to facilitate home loans and other finance options end to end. As a financial services company handling sensitive identity and financial information, maintaining customer and partner trust is foundational.
In 2022, Connective achieved its first SOC 2 attestation. But for the following two years, audit readiness was “manual,” “cumbersome,” and run through spreadsheets, file shares, and email, making it difficult to consistently monitor controls and assemble evidence when auditors arrived. As Ashley Jackson, Chief Information Officer, put it: “We treat data as hazardous material,” and the team needed a more reliable way to maintain trust and compliance day to day.
After a particularly exhausting audit cycle, Ashley searched for a better path. Drata provided a unified platform to maintain continuous readiness, centralize evidence, and scale ownership beyond a single person so the organization could stay audit-ready without the annual scramble.
Replacing annual SOC 2 fire drills with daily readiness
Before Drata, SOC 2 prep was a once-a-year sprint that relied on spreadsheets, SharePoint, and manual follow-ups. Evidence lived across emails and file shares, and it was easy for “the weeds” to grow when teams got busy.
With Drata, Connective moved to a daily operating rhythm. The team checks the dashboard every day, and when readiness drops, the responsible control owner investigates and remediates immediately. They’ve turned compliance into an ongoing practice instead of a yearly project, giving the business confidence that issues are identified and addressed long before an audit begins.
“The time to maintain compliance has gone from spot checking once a year to basically day-by-day compliance monitoring.”
Scaling governance with shared ownership and a single system of record
Connective initially adopted Drata to manage SOC 2, but the program quickly expanded. What began as a one-person effort no longer depended on a single owner. With Drata, Connective distributed responsibility across HR, legal, compliance, and engineering, effectively putting ownership with the teams closest to the controls themselves.
Over time, Drata became the central place to manage governance. The compliance team maintains the full risk register in Drata, and policies and evidence are organized in one location, reducing fragmentation and helping teams stay aligned on what’s required.
“We’ve actually consolidated our risk management… and we’ve been able to farm out the different control owners for our SOC 2.”
Extending the program to new frameworks and recurring third-party reviews
Once SOC 2 was running like a well oiled machine, Connective added new frameworks in Drata, including the NIST AI RMF and Australia’s Essential Eight. Their security team was planning on standing up a project to get to Level 1 maturity for Essential Eight, but Ashley knew they could utilize the Drata cross-mapped controls to accelerate progress. Curious about the level of effort, he took a look one night and was able to close the gap to readiness for Level 1 maturity in about two hours, eliminating the need for the project kickoff altogether. “It’s just that easy!” he said.
Connective also uses the Drata Trust Center to respond to frequent lender and partner audits. Instead of completing repetitive, long audit requests, the team provides a single Trust Center link for access to SOC 2 materials and security information, removing barriers in the sales process and returning significant time back to the team.
What Drata Unlocked for the GRC Team
- A shift from annual audit preparation to continuous, daily compliance monitoring, preventing issues before they arise in an audit.
- Evidence and task tracking that reduces manual chasing and keeps control owners accountable.
- A centralized hub for SOC 2, risk management, vendor workflows, and policies, significantly reducing tool sprawl.
- A Trust Center that deflects repetitive lender audits and accelerates third-party assurance requests.
Future Outlook
As Connective continues to scale, the team is focused on pushing automation further across its GRC program while keeping a human review loop in place. The goal is not hands-off compliance, but predictable, repeatable processes supported by real-time visibility. With Drata as the system of record, Connective is expanding its use of vendor questionnaires, deepening risk workflows, and exploring additional integrations and API-driven automation. The team is continually refining their model where evidence is collected automatically and reviewed daily, allowing the business to stay audit-ready without disrupting day-to-day operations. As new frameworks and regulatory expectations emerge, the team will continue using Drata to assess readiness early, close gaps quickly, and prioritize effort where it matters most. The goal is to keep growing while also maintaining trust across brokers, lenders, and partners.
“We get audited at least 10 times a year… I just say, ‘Here’s our Trust Center URL.’ It takes three hours down to 30 seconds.”
What Drata Unlocked for the GRC Team
- A shift from annual audit preparation to continuous, daily compliance monitoring, preventing issues before they arise in an audit.
- Evidence and task tracking that reduces manual chasing and keeps control owners accountable.
- A centralized hub for SOC 2, risk management, vendor workflows, and policies, significantly reducing tool sprawl.
- A Trust Center that deflects repetitive lender audits and accelerates third-party assurance requests.
Future Outlook
As Connective continues to scale, the team is focused on pushing automation further across its GRC program while keeping a human review loop in place. The goal is not hands-off compliance, but predictable, repeatable processes supported by real-time visibility. With Drata as the system of record, Connective is expanding its use of vendor questionnaires, deepening risk workflows, and exploring additional integrations and API-driven automation. The team is continually refining their model where evidence is collected automatically and reviewed daily, allowing the business to stay audit-ready without disrupting day-to-day operations. As new frameworks and regulatory expectations emerge, the team will continue using Drata to assess readiness early, close gaps quickly, and prioritize effort where it matters most. The goal is to keep growing while also maintaining trust across brokers, lenders, and partners.
“It’s become the central hub… we don’t have disparate platforms anymore.”
Future Outlook
As Connective continues to scale, the team is focused on pushing automation further across its GRC program while keeping a human review loop in place. The goal is not hands-off compliance, but predictable, repeatable processes supported by real-time visibility. With Drata as the system of record, Connective is expanding its use of vendor questionnaires, deepening risk workflows, and exploring additional integrations and API-driven automation. The team is continually refining their model where evidence is collected automatically and reviewed daily, allowing the business to stay audit-ready without disrupting day-to-day operations. As new frameworks and regulatory expectations emerge, the team will continue using Drata to assess readiness early, close gaps quickly, and prioritize effort where it matters most. The goal is to keep growing while also maintaining trust across brokers, lenders, and partners.
“It solves a problem when you first put it in, but then it solves problems you didn’t realize you had down the track and makes life easier.”
Latest Stories
Chart Your Course
Navigate to new worlds of trust with Drata.
Chart Your Course
Navigate to new worlds of trust with Drata.