runbookify

Internal Controls Testing Tracker

Build an internal tool that runs your controls (SOX-style) program end to end - load your controls matrix, auto-schedule tests by frequency, let testers record results and attach evidence, require a reviewer to sign off each result, and track every exception through remediation to closure.

Intermediate · A weekend
Builds on: Next.js (App Router) on Vercel; Supabase (Postgres, Storage, Auth + RLS); Resend (test-due reminders, sign-off requests, exception alerts)
What you'll build

A login-protected controls testing tracker: load your controls matrix, auto-generate test instances by frequency with due dates, let testers record pass/exception results and upload evidence to secure Storage, require a reviewer to sign off each result, track open exceptions to remediation owners and dates, watch pass rate and overdue tests on a live dashboard, and export a controls status report plus an exceptions log in the columns your audit team expects.

Gated download

Enter your email — the plan downloads instantly and a copy lands in your inbox.

By submitting your email you'll also receive the weekly runbookify newsletter. You can unsubscribe at any time.

Before you start

  • A free Vercel account
  • A free Supabase account
  • A free Resend account (and a sender address you can use)
  • Your controls matrix as a CSV (control id, description, owner, frequency, assertion, test procedure)
  • The test evidence your testers will upload (screenshots, PDFs, sample reconciliations)

The problem this kills

Your controls program lives in a giant spreadsheet, and keeping it honest is a part-time job that never ends. The controls matrix is one tab. The testing calendar is another - if it exists at all. Evidence is scattered across an email folder, a shared drive, and a few people's downloads. Every quarter you become the human scheduler: which controls are due this period, who's testing them, did they actually do it, where's the screenshot that proves it, and who reviewed the result?

Then an exception turns up - a control that failed its test - and the spreadsheet has no good place to put it. So it goes in a comment, or a new row, or a side email to the control owner. Three weeks later nobody can tell you whether it's been fixed, who owns the fix, or when it's due. When the external auditors ask for your testing population and your exceptions log, you spend two days reconstructing a story your tools should have been telling you all along.

The real risk isn't the work - it's that "tested" and "signed off" blur together. A tester marks something done, but nobody independent looked at the evidence. An exception gets quietly closed because the period ended. This tool draws a hard line: a test isn't complete until a reviewer has looked at the evidence and signed off, and an exception isn't resolved until someone approves the remediation as closed.

What you'll build

A small internal web app, just for your audit/controls team, that:

  • Loads your controls matrix from a CSV (control id, description, owner, frequency, assertion, test procedure) and dedupes on the control id so the same control can't land twice.
  • Auto-schedules tests by frequency - it reads each control's cadence (daily, monthly, quarterly, annual, or your own scheme) and generates the test instances for the period with due dates, deduped on control + test period so you never get two tests for the same control in the same window.
  • Gives testers a simple screen to record a result (pass or exception), write what they did, and upload evidence straight into the test - stored in secure file Storage, not an email folder.
  • Puts a hard review gate on every result: a reviewer opens the test, reads the evidence, and signs off as pass or confirms an exception. Nothing counts as tested until that sign-off happens.
  • Turns every confirmed failure into a tracked exception linked to a remediation owner and a due date, and won't let it close until a reviewer approves the remediation as resolved.
  • Shows a live dashboard: test status, pass rate, tests overdue, and exceptions open vs. closed.
  • Sends reminders for tests coming due, sign-off requests to reviewers, and alerts when an exception is opened or a remediation goes overdue.
  • Exports a controls status report and an exceptions log in the exact columns and naming your audit team or external auditors expect.

What's inside the Implementation Plan

The plan is a single markdown file you paste into Claude Code (Anthropic's terminal-based AI coding agent). It walks the agent through building the whole tool step by step, and every step ends with a ready-to-paste prompt.

The most important part: the plan opens by interviewing you about your controls program. Before it writes a single line, the agent asks how your testing works today, what tool you use now (Excel, a GRC platform, an audit workpaper tool), the exact columns and id scheme on your controls matrix, your real frequency codes and how a "test period" is defined, who tests versus who reviews and signs off, your typical and peak (quarter-end, year-end) volumes, your exception severity and remediation rules, and your messiest edge cases - controls that are "key" versus not, design versus operating effectiveness, controls tested by sampling, rolled-forward results, controls that don't apply this period, and exceptions that span more than one control. It reads a short tailored spec back to you, you confirm it, and only then does it build - so you get a tracker shaped to your program, not a generic template you have to fight.

Inside you'll find:

  • The discovery interview and how the agent turns your answers into the data model.
  • The full build: database, login with tester/reviewer roles, CSV import of the controls matrix with duplicate guards, the frequency-based test scheduler, the tester result-and-evidence screen, evidence upload to secure Storage, the reviewer sign-off gate, the exception-to-remediation tracker, the status/pass-rate/overdue dashboard, and the reminder and alert emails.
  • The hard human-in-the-loop sign-off and remediation-closure gates, plus a complete audit trail of every result, sign-off, and closure.
  • Verification steps so you can prove it works, and the CSV-export fallback so it's fully usable even before you connect it to any GRC system.

The governance it includes (this is the point)

This isn't a toy. The plan builds in the controls a controls program itself demands:

  • Login so only your team can see or touch anything.
  • Row-level security so people only see their own organization's controls, tests, and evidence - never another entity's.
  • A complete audit trail - every test result, evidence upload, sign-off, exception, and remediation closure is logged with who and when, append-only.
  • A hard human-in-the-loop gate - twice. A reviewer must sign off each test result before it counts as tested, and a reviewer must approve a remediation before an exception is considered resolved. The tool schedules and organizes; a person always decides.
  • Duplicate guards so the same control can't be imported twice and the same control can't be tested twice in the same period (deduped on control + test period).
  • Evidence in secure Storage with RLS - test evidence lives behind access rules, served only to people allowed to see that control.
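
How the guards above can be enforced in the database rather than in screens, as an added example in Supabase-flavoured Postgres SQL. This is not code from the runbookify plan; it also covers the scheduler's control + test period dedupe from the "What you'll build" list. Table and column names, the `evidence` bucket, the `<org_id>/<test_id>/<file>` object path layout, the 2025 scheduling window and the 14-day due-date offset are assumptions for illustration; `auth.users`, `auth.uid()`, `storage.objects`, `storage.foldername()` and the `anon`/`authenticated` roles are the ones Supabase provides.

```sql
-- Added example, not code from the runbookify plan. Names, the 'evidence' bucket, the
-- "<org_id>/<test_id>/<file>" layout, the 2025 window and 14-day offset are assumptions.

-- Controls matrix: the CSV's control id may appear once per organization.
create table controls (
  id         bigint generated always as identity primary key,
  org_id     uuid not null,
  control_id text not null,
  frequency  text not null check (frequency in ('daily','monthly','quarterly','annual')),
  unique (org_id, control_id)
);

-- One test per control per test period, enforced by the unique key.
create table tests (
  id           bigint generated always as identity primary key,
  org_id       uuid not null,
  control_pk   bigint not null references controls(id),
  period_start date not null,
  period_end   date not null,
  due_date     date not null,
  unique (control_pk, period_start)
);

-- Scheduler: expand each control's cadence into the year's test periods.
-- Re-running it for the same window inserts nothing; the unique key, not the
-- application code, is what prevents a second test in the same period.
insert into tests (org_id, control_pk, period_start, period_end, due_date)
select c.org_id, c.id, g.period_start::date,
       (g.period_start + s.step - interval '1 day')::date,
       (g.period_start + s.step + interval '14 days')::date   -- due two weeks after period close
from controls c
cross join lateral (
  select case c.frequency
           when 'daily'     then interval '1 day'
           when 'monthly'   then interval '1 month'
           when 'quarterly' then interval '3 months'
           else                  interval '1 year'
         end as step
) s
cross join lateral generate_series(date '2025-01-01', date '2025-12-31', s.step) as g(period_start)
on conflict (control_pk, period_start) do nothing;

-- Organization membership drives both RLS and the tester/reviewer split.
create table org_members (
  org_id  uuid not null,
  user_id uuid not null references auth.users(id),
  role    text not null check (role in ('tester','reviewer')),
  primary key (org_id, user_id)
);

alter table tests enable row level security;
create policy tests_same_org on tests for select using (
  exists (select 1 from org_members m
          where m.org_id = tests.org_id and m.user_id = auth.uid())
);

-- Tester records, reviewer signs off. The two check constraints make "tested"
-- mean "signed off by someone other than the tester", not just "marked done".
create table test_results (
  id            bigint generated always as identity primary key,
  test_id       bigint not null unique references tests(id),
  tester_id     uuid not null references auth.users(id),
  result        text not null check (result in ('pass','exception')),
  reviewer_id   uuid references auth.users(id),
  signed_off_at timestamptz,
  check ((reviewer_id is null) = (signed_off_at is null)),
  check (reviewer_id is distinct from tester_id)
);

-- Only a reviewer in the same organization may write the sign-off columns.
alter table test_results enable row level security;
create policy results_sign_off on test_results for update using (
  exists (select 1 from org_members m
          join tests t on t.org_id = m.org_id
          where t.id = test_results.test_id
            and m.user_id = auth.uid() and m.role = 'reviewer')
);

-- Append-only audit trail: no grant to change it, plus a trigger for roles that bypass grants.
create table audit_log (
  id       bigint generated always as identity primary key,
  org_id   uuid not null,
  actor_id uuid not null,
  action   text not null,   -- e.g. 'result_recorded', 'signed_off', 'exception_closed'
  subject  text not null,   -- e.g. 'test_results:42'
  at       timestamptz not null default now()
);
revoke update, delete, truncate on audit_log from anon, authenticated;
create function audit_log_immutable() returns trigger language plpgsql as $$
begin raise exception 'audit_log is append-only'; end $$;
create trigger audit_log_no_rewrite before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- Evidence in Storage: an object stored as "<org_id>/<test_id>/<file>" is
-- readable only by members of that organization.
create policy evidence_same_org on storage.objects for select using (
  bucket_id = 'evidence'
  and exists (select 1 from public.org_members m
              where m.user_id = auth.uid()
                and m.org_id::text = (storage.foldername(name))[1])
);
```

Paste it into the Supabase SQL editor. Tester select/insert policies and RLS on `org_members` itself are left out; with RLS enabled and no matching policy Postgres denies, so the omissions fail closed rather than open. Keeping each rule in the schema means the Next.js code, a buggy CSV import or a direct API call cannot skip it, which is the property an auditor will actually ask you to demonstrate.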

Who it's for

Internal auditors, controls/SOX program managers, controllership and compliance staff, and the ops/BPM folks who run point on the annual controls cycle - anyone tired of herding a testing program through a spreadsheet and an email folder. You don't need to write code. You need your controls matrix, the evidence your testers will upload, and an afternoon-to-a-weekend.

You've got this - paste the first prompt and let the agent interview you.
