
Audit Sampling & Record Pull Tool: A Defensible, Reproducible Sample Every Time

Import any population of records, pull a random or stratified audit sample with the size, method, and random seed logged, and lock it after the auditor reviews — so your selection is reproducible, tamper-evident, and easy to defend.

Beginner | An afternoon | Builds on: Next.js, Supabase, Resend
What you'll build

A web tool where you import a population (transactions, files, employees, lots), choose simple-random or stratified sampling and a sample size, let the agent draw the sample with a logged random seed, review and lock it, then export the sample CSV plus a selection memo recording population size, method, seed, date, and who pulled it.

Before you start

  • A Supabase account (free)
  • A Vercel account (free)
  • A Resend account (free)
  • Your population as a CSV or Google Sheet
  • Claude Code or any AI coding agent

The problem this kills

You need to test a control, so you pull a sample. You sort the spreadsheet, eyeball a few hundred rows, highlight the ones you'll test, and copy them to a new tab. Then the reviewer asks the question that sinks the whole thing: "How did you pick these? Can you prove it was random? Could someone have nudged the selection?" And you can't — because there's no record of the method, no seed, and no way to redraw the exact same sample if a workpaper gets lost.

Manual sampling is slow, it's not reproducible, and it's quietly indefensible. RAND() in a spreadsheet recalculates every time you blink, so the selection you documented isn't the selection you can reproduce tomorrow. Stratifying by a field — region, dollar band, owner — means more tabs and more chances to fat-finger it. You don't need a statistics degree or a developer to fix this. You need a tool that draws a clean sample, writes down exactly how it did it, and locks it.

What you'll build

A simple internal web tool. You import your population — any CSV or Google Sheet of transactions, files, employees, lots, whatever you're testing, with any columns. You pick a method (simple random, or stratified by a field like region or dollar band) and either a sample size or a confidence/precision target the tool turns into a size. The tool warns you about duplicate keys and blank keys in the population, then draws the sample with a logged random seed so the exact same draw can be reproduced later. It dedupes so the same record can't be selected twice. You review the proposed sample, and either lock it as the official selection or redraw with a fresh, newly-logged seed. On lock, the tool exports the sample CSV and a selection memo — population size, method, seed, sample size, date, and who pulled it — so the whole thing is reproducible and tamper-evident.

What's inside the Implementation Plan

The downloadable plan is a step-by-step file you paste into an AI coding agent. It opens by interviewing you about your business — what kind of records you sample, where the population comes from, exactly what your columns and unique key are named, your typical and peak population sizes, the sampling methods and sizes your methodology requires, how you stratify, and the messy edge cases — and then it tailors the data model, the validations, and every later step to your answers. This is not a generic template; the agent reflects a short spec back to you and waits for your thumbs-up before it builds anything. From there it walks the agent through importing the population, checking for duplicate and blank keys, drawing the sample with a logged seed, the reviewer's lock-or-redraw gate, and the sample + memo export — each step with a ready-to-copy prompt. There's also a fallback so you can build the whole thing today with just a CSV in and a CSV out, no integration to your audit system required.

The governance it includes (this is the point)

This is audit tooling, so it ships with the controls a control-testing team needs: login so only your team can use it, row-level security so you only ever see your own organization's populations and samples, a complete audit trail of who imported, drew, redrew, and locked which sample and when, a hard human-in-the-loop gate so a sample isn't official until the auditor reviews and locks it, and duplicate guards so the same record can't land in a sample twice and the same population can't be imported twice. Every draw records its random seed, sample size, method, timestamp, and user — that's what makes the selection reproducible and tamper-evident, which is the whole point of defensible sampling.
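One way to make the seeded draw and its selection memo reproducible and checkable, shown as an added example rather than code from the runbookify plan. It is narrowed to simple random sampling (a stratified draw would run the same routine inside each stratum); the function names, the `id` key field and the sample population are assumptions.

```javascript
// Added example; names are hypothetical, not taken from the runbookify plan.
const crypto = require("node:crypto");
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Report blank and duplicate keys; return the unique keys in canonical order.
function validateKeys(rows, keyField) {
  const seen = new Set(), duplicates = new Set();
  let blanks = 0;
  for (const r of rows) {
    const k = String(r[keyField] ?? "").trim();
    if (!k) blanks++;
    else if (seen.has(k)) duplicates.add(k);
    else seen.add(k);
  }
  return { blanks, duplicates: [...duplicates], keys: [...seen].sort() };
}

// Rank each key by HMAC-SHA256(seed, key) and keep the n lowest ranks.
// Input row order is irrelevant, so the same seed always redraws the same sample.
function drawSample(rows, keyField, n, seed, pulledBy, date) {
  const { blanks, duplicates, keys } = validateKeys(rows, keyField);
  if (blanks || duplicates.length) throw new Error("blank or duplicate keys");
  if (n < 0 || n > keys.length) throw new Error("sample size out of range");
  const rank = (k) => crypto.createHmac("sha256", seed).update(k).digest("hex");
  const selected = keys.map((k) => [rank(k), k])
    .sort((a, b) => (a[0] < b[0] ? -1 : 1))
    .slice(0, n).map(([, k]) => k).sort();
  // Hashes cover keys only; hash full rows if other columns must be pinned too.
  const memo = { populationSize: keys.length, populationHash: sha256(keys.join("\n")),
    method: "simple-random", seed, sampleSize: n, date, pulledBy,
    sampleHash: sha256(selected.join("\n")) };
  return { selected, memo };
}

// Reviewer check: redraw from the memo and compare with the locked sample.
function verifySample(rows, keyField, lockedKeys, memo) {
  const redraw = drawSample(rows, keyField, memo.sampleSize, memo.seed,
    memo.pulledBy, memo.date);
  const locked = [...lockedKeys].sort();
  return redraw.memo.populationHash === memo.populationHash &&
    sha256(locked.join("\n")) === memo.sampleHash &&
    redraw.selected.join("\n") === locked.join("\n");
}

// Constructed population: 20 transactions with keys TX-001 .. TX-020.
const population = Array.from({ length: 20 }, (_, i) => ({
  id: `TX-${String(i + 1).padStart(3, "0")}`, region: i % 2 ? "East" : "West" }));
const seed = "constructed-seed-0001"; // in use: crypto.randomBytes(16).toString("hex")
const draw = drawSample(population, "id", 5, seed, "auditor@example.com", "2024-01-01");
console.log(draw.selected, verifySample(population, "id", draw.selected, draw.memo));
```

Record the population hash before the seed is generated, so the seed cannot be chosen after the fact to steer which records are selected.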

Who it's for

Internal auditors, control testers, SOX testers, and quality auditors who need a clean, explainable sample and are tired of defending a spreadsheet highlight. If you can describe the records you test and how your methodology says to sample them, you can build this.

You've got this — start with the plan, paste the first prompt, answer the interview, and you'll see your first reproducible sample drawn the same afternoon.
