runbookify
← All plans
Compliance, Quality & Risk / Audit Management

Audit Findings Register & Closure Tracker

Build an internal tool that holds every audit finding - major, minor, observation, or opportunity - in one register, with an owner, a due date, the agreed action, and a clean closure trail. The owner submits closure evidence and the audit manager approves it before anything is marked closed, so nothing slips between one audit and the next.

BeginnerAn afternoonBuilds onNext.js (App Router) on VercelSupabase (Postgres, Auth, Storage, RLS)Resend (overdue email digests)
What you'll build

A secure findings register where you log or import findings, assign an owner and due date, have the owner submit closure evidence, have the audit manager approve or reject the closure, watch status update automatically, get an overdue digest by email, and export the register in your own finding-log columns.

Gated download

Enter your email — the plan downloads instantly and a copy lands in your inbox.

By submitting your email you'll also receive the weekly runbookify newsletter. You can unsubscribe at any time.

Before you start

  • A free Vercel account
  • A free Supabase account
  • A free Resend account
  • Your past audit findings or finding-log spreadsheet (CSV is fine)

The problem this kills

The audit wraps up, you get a list of findings, and everyone nods along. Then real life happens. The findings live in a spreadsheet that someone copies, renames, and emails around. Owners "remember" they'll fix their bit. Due dates pass quietly. And when the next audit rolls around, you're scrambling to prove that last year's findings ever got closed - digging through inboxes for the evidence, guessing whether "closed" really meant closed, and discovering a couple of findings that were marked done with nothing to back them up.

Worse, the same finding sometimes gets entered twice from two copies of the sheet, a finding gets quietly reopened with no record of why, and nobody can tell you how many times a given issue has come back.

This tool ends that. Every finding from every audit lives in one register with an owner, a due date, and a status you can trust - because nothing gets marked closed until the owner attaches evidence and the audit manager approves it. No self-closing, no lost trail.

What you'll build

An internal web app - login-protected, just for your team - that runs the full finding lifecycle:

  • Log or import findings: audit, clause/standard, severity (major / minor / observation / opportunity), description, owner, and due date. Enter them as an audit closes or import a batch from past audits.
  • Auto-set due dates by severity: a major finding gets a tighter deadline than an observation, using your own rules.
  • Assign and track: every finding has an owner, an agreed action, and a clear status (open / in-progress / awaiting approval / closed / reopened).
  • Submit closure with evidence: the owner proposes closure and attaches the proof - no evidence, no closure.
  • Approve the closure: the audit manager reviews the evidence and approves or rejects. Only an approval marks the finding closed.
  • Track reopens: if a closed finding comes back, the register keeps a reopened-count so repeat offenders are visible.
  • Stay ahead of due dates: an overdue digest emails the right people so findings don't slip silently.
  • Link to CAPA when needed: reference a corrective-action record by number when a finding requires one.
  • Export: a clean findings register in the exact columns your existing finding log uses.

What's inside the Implementation Plan

The plan is a single file you paste into an AI coding agent (Claude Code), and it builds the tool with you step by step.

The best part: it opens by interviewing you about your business. Before it writes a line of code, the plan has the agent ask how your audits and findings work today - your severity levels and what they mean, your due-date rules per severity, how you name audits and number findings, who owns closures, who approves them, your volumes, and your messy edge cases (reopened findings, findings spanning multiple sites, partial closures, CAPA links). Then it reads back a short tailored spec, you give a thumbs-up, and it builds a tool shaped to your register - not a generic template.

Inside you'll find: the discovery interview, a clear definition of done, the exact accounts to set up, a data model tuned to your answers, and a sequence of copy-paste prompts that build each piece - the finding form, the register view, the evidence-based closure gate, the audit trail, the overdue email digest, and the CSV import/export.

The governance it includes (this is the point)

This isn't a toy. The plan bakes in the controls a real audit program needs:

  • Login so only your team can open the tool.
  • Row-level security so each organization (or site) only ever sees its own findings.
  • A complete audit trail - who logged the finding, who proposed closure, who approved it, and exactly when.
  • A hard human-in-the-loop approval gate - the owner drafts the closure with evidence, the audit manager reviews, and only the manager's approval marks a finding closed. No self-closing.
  • Duplicate guards so the same finding can't be entered twice (dedupe key = audit-id + finding-number).

Who it's for

Quality and compliance managers who track findings across multiple audits and sites - and who are tired of chasing closures by email, rediscovering "lost" findings during the next audit, and trusting "closed" without proof. If you want a real, auditable findings register without waiting on IT or buying another module, this is for you.

You've got this - paste the first prompt and let the agent interview you.

Gated download

Enter your email — the plan downloads instantly and a copy lands in your inbox.

By submitting your email you'll also receive the weekly runbookify newsletter. You can unsubscribe at any time.