Compliance
How to Use Slack for SOC 2 Audit Prep
Most SOC 2 prep dies in a dashboard nobody opens. This guide shows how to run audit prep inside Slack instead: daily readiness briefings, evidence collection over DM, delegation that follows up on its own, and auditor questions answered by email. Vera, the AI compliance officer, does the work in the channel where your team already spends the day.

SOC 2 prep usually lives in a dashboard. Someone buys a GRC tool, connects a few integrations, and 200 checkboxes appear. Then the real work starts: chasing engineers for screenshots, remembering which evidence has gone stale, and answering the auditor's questions by hand. All of that happens outside the dashboard, in Slack DMs and email threads, tracked by whoever became the accidental compliance owner.
You can run the whole loop inside Slack instead. Screenata's AI compliance officer, Vera, posts your readiness briefing every morning, asks the right person for evidence over DM, follows up when they forget, and answers your auditor's email on her own. The dashboard is still there, but it becomes the place an auditor reviews your finished package, not the place your team does daily work.
This guide walks through how that works and how to set it up.
Why Move SOC 2 Prep Into Slack?
Compliance fails for a simple reason. It is a separate workflow that interrupts real work. Every time prep asks a founder to log into another tool, that visit competes with shipping, hiring, and sales. The visit loses, and the checkbox stays red.
Slack is where a 5 to 50 person B2B SaaS team already spends the day. Moving prep there removes the context switch. It also fits the shape of compliance work well:
- Threads map to concerns. One thread per finding, per evidence request, or per auditor question keeps the conversation in one place.
- File upload plus reactions make evidence collection natural. An engineer drops a screenshot in a DM and gets a checkmark back when it passes.
- Action buttons let a founder approve, delegate, or dismiss without opening a browser tab.
The result is that prep stops being a project you manage and starts being a set of short replies in a channel.
Step 1: Connect Slack to Screenata
Setup is a one-time OAuth flow.
- Open Settings, then Integrations, then Slack.
- Click Connect Slack and authorize the Screenata bot in your workspace.
- Pick the channel for briefings, for example
#soc2-compliance. - Optionally add your auditor's email domain so their questions get elevated trust later.
Vera confirms in the channel: "Screenata is connected. I'll post daily briefings here. Try /soc2 status to check readiness anytime."
One shared Screenata app installs across customer workspaces, and each organization keeps its own tokens. Every Slack event carries a workspace ID, so briefings and DMs stay scoped to the right company.
Step 2: Read the Daily Briefing
After the early-morning readiness scan, Vera posts a briefing to your channel. It leads with a readiness score and lists only the items that need a decision, each with buttons.
☀️ Morning Compliance Briefing · July 9, 2026
Readiness: 82% (+2% from last week)
2 items need attention:
✗ S3 bucket "user-uploads" lacks encryption (CC6.1)
Your auditor will flag this. Fix: Enable SSE-S3.
[Ask Vera] [Dismiss]
📊 IAM access review evidence expired (CC6.3)
Last collected 92 days ago. Need a fresh screenshot.
[Delegate to team] [Remind tomorrow]
✓ 14 other checks passed. Repository and code scans clear.
On a quiet day the briefing collapses to a single line:
☀️ Morning Compliance Briefing · July 9, 2026
✅ All agents report clear. Readiness at 92%.
No action needed today. Next full scan: Monday 9 AM.
The default is one briefing per day, findings are batched, and an all-clear is one line. That restraint is deliberate. A noisy bot gets muted, and a muted bot might as well not exist.
Step 3: Ask for Status Anytime
You do not have to wait for the morning post. The /soc2 status slash command returns your readiness from any channel, visible only to you.
🟢 Readiness: 82% | 3 tests passed this week | 1 evidence stale | Next scan: Monday 9 AM
Add --detail for the breakdown by area:
🟢 Readiness: 82%
Cloud Security: 2 issues (S3 encryption, CloudTrail)
Repository: All clear (6/6 passed)
Code Scanner: All clear (4/4 passed)
Evidence: 1 item stale (IAM access review)
Controls: 43/52 mapped
Next scan: Monday 9 AM · Last briefing: Today 6:30 AM
This is the check a founder runs before a sales call when a prospect asks where the SOC 2 report stands.
Step 4: Collect Evidence Over DM
Roughly 70% of SOC 2 evidence comes from API scans of your cloud, code, and identity provider, which Vera collects on her own. The rest lives behind application screens or in a person's head. For those, she goes straight to the owner in a DM.
📋 Evidence Request · CC6.3 Access Control
Hi @sarah! I need a screenshot of your IAM access review
settings for SOC 2 control CC6.3.
What I need:
• Screenshot of your IdP (Okta/Google) user list
• Should show active users and last login dates
• Make sure the browser URL bar is visible
Reply with a screenshot, or say "skip" and I'll remind
you tomorrow.
Due: July 16 · Requested by: @founder
When Sarah replies with an image, Vera scores it and reacts:
- A checkmark means the evidence passed and is filed against the control.
- A warning means it needs a retake, and Vera says why. For example: "This screenshot is blurry. Can you retake it? Make sure the URL bar is visible so the auditor can verify the source."
- A cross means it does not match the control.
Accepted evidence goes into the vault as a signed artifact with a timestamp, so the chain of custody is intact when the auditor reviews it later. For the full picture of how API and screenshot evidence fit together, see AI agents vs. API integrations.
Step 5: Delegate and Let Follow-Up Run Itself
The part of prep that usually breaks is the follow-up. The founder asks for a screenshot, the engineer forgets, and a week later the founder asks again. Vera runs that follow-up as a state machine so no one has to babysit it.
When a briefing surfaces an evidence need, the founder delegates with a button:
Vera: "IAM access review evidence expired. Who should I ask?"
[Ask @sarah] [Ask someone else] [I'll handle it]
Founder clicks [Ask @sarah]:
Vera: "Got it. I'll DM @sarah with instructions. I'll follow up
if she doesn't respond in 24h and escalate to you after 72h."
From there the request moves through fixed stages on its own:
| Stage | Trigger | What happens |
|---|---|---|
| Assigned | DM sent | Sarah gets the request with instructions |
| Reminded | 24h, no response | Vera sends a second DM |
| Escalated | 48h more, no response | Vera DMs the founder to reassign or step in |
| Resolved | Evidence received | Artifact stored, control updated |
At any point Sarah can upload the evidence to resolve it, or say "skip" to be reminded the next day. The founder spends about 30 seconds to delegate and approve. Sarah spends about two minutes. Nobody keeps a mental to-do list.
Step 6: Answer the Briefing Like a Coworker
Any briefing thread is a conversation. Reply with a question and Vera routes it to the right place and answers in the thread.
Founder: "How do I fix the S3 encryption issue?"
Vera: "Here's how to enable SSE-S3 on your 'user-uploads' bucket:
1. Open AWS Console → S3 → user-uploads → Properties
2. Under 'Default encryption', click Edit
3. Select 'Amazon S3-managed keys (SSE-S3)'
4. Click Save
After you fix it, I'll verify on the next scan (Monday 9 AM)
or you can say 'scan now' and I'll check immediately."
Say "scan now" and she re-runs the check, then reports back whether the fix held. A full morning pass, from reading the briefing to fixing a finding and confirming it, takes about five minutes in Slack with zero dashboard visits.
What About the Auditor?
Auditor questions arrive by email, so that is where Vera meets them. Every organization gets a dedicated address in the form yourcompany@screenata.com. Anyone can write to it, and Vera reads the intent before she answers.
When an auditor emails five questions, she classifies each one, drafts answers that cite your actual policies and evidence, and replies in the same thread. The founder gets a Slack heads-up: "Replied to your auditor's 5 questions. Review the responses here." A follow-up in that email thread carries the full history, so the second answer has the context of the first.
Auditor: "What encryption do you use for data at rest?"
Vera: "Per our Data Management Policy (§4.2), we use AES-256..."
Auditor: "What about data in transit?"
Vera: "Per the same policy (§4.3), all data in transit uses TLS 1.2+.
Evidence: latest vulnerability scan shows no weak cipher suites..."
For anything an auditor or external sender creates, Vera adds a review gate. An external evidence submission goes to the founder before it enters the vault, and an auditor-facing draft is marked as AI-generated with the founder notified to correct it. Answering a batch of auditor questions used to cost two to three hours of research and writing. Here it costs the founder the time to skim the drafts.
Agentic, Not a Chatbot Bolted to a Dashboard
The reason this works is that Slack is a surface over a working agent, not a help widget. Vera runs 26+ compliance tools and a set of scheduled operations: early-morning evidence freshness checks, weekly cloud scans, quarterly access reviews. She scans your GitHub, cloud, and identity provider, writes policies grounded in what she finds, collects evidence, and executes remediation with your approval. Slack, email, the web app, and the CLI are all channels into the same agent.
Two design rules keep it trustworthy:
- Degrade to the dashboard, never to silence. If a Slack token is revoked or the API is down, messages queue and the dashboard shows a banner. No finding is lost because a channel failed.
- Draft, then a human approves. Vera discovers and drafts. On sensitive actions, a person confirms before anything is created or sent.
That second rule matters after the market watched an "AI compliance" vendor ship near-identical boilerplate at scale. Every artifact Vera produces is traceable to a control and cryptographically signed, so the work holds up when an auditor inspects it.
Getting Started
If you already run Vanta or Drata, you can bolt Vera onto them for the Slack workflow and the application-level evidence they miss. See what Drata automates and what you still do by hand. If you are starting from zero, Vera scopes your control matrix, writes your policies, and runs the program between audits from day one. Either way, the daily driver is a channel your team already reads.
For a wider look at how an agent handles evidence across your stack, read how Screenata redefines evidence collection and automating the last mile of compliance evidence beyond GRC tools.
Connect and see
See your SOC 2 with your real systems.
Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, and prioritized next actions before you commit to anything.