runbookify

Control Deficiency & Remediation Tracker

Log control deficiencies from testing, audit, or self-assessment, rate their severity with a reviewed human gate, assign remediation owners and dates, and track every one to a verified, retest-passed closure - with overdue digests and a clean register export for your audit committee.

Beginner. An afternoon. Builds on: Next.js (App Router) on Vercel; Supabase (Postgres + Auth + Storage, RLS on); Resend (email digests).
What you'll build

A private, login-protected web app where you log control deficiencies, rate severity behind a reviewer gate, assign and track remediation to a verified retest-passed closure, get overdue reminders by email, and export the full deficiency register as CSV.


Before you start

  • A free Supabase account
  • A free Vercel account
  • A free Resend account
  • Your current deficiency list as a CSV or Google Sheet (optional but helpful)

The problem this kills

Control deficiencies show up everywhere - from your own controls testing, from a self-assessment, from internal audit, from the external auditors. And they end up everywhere too: a tab in a spreadsheet, an email thread, a sticky note, someone's memory. When the audit committee asks "what's open, how bad is it, and who owns it?" you spend a weekend reconciling versions instead of answering in five minutes.

The dangerous part isn't the tracking - it's the closing. A control owner marks their own deficiency "remediated" because the new procedure is written, but nobody actually retested it. Three deficiencies that each looked minor were never aggregated, and together they're a material weakness nobody flagged. Severity ratings drift depending on who typed them in.

This tool fixes the discipline, not just the list. Severity is rated, then reviewed and approved by you - the controls leader. Nothing self-closes: a deficiency only closes after a retest passes and you approve it. And related deficiencies get grouped so a "combination that's material" can't hide.

What you'll build

A small private web app - only your team can log in - that does the whole deficiency lifecycle:

  • Log a deficiency with its source (testing / self-assessment / audit), the control it relates to, a description, and the impact.
  • Rate severity - deficiency, significant deficiency, or material weakness - against your own rating guidance, with the reviewer (you) approving the rating before it sticks.
  • Assign remediation - an owner and a target date.
  • Track to retest - record the remediation work and the retest result.
  • Approve verified closure - you close it, and only after a retest has passed. No self-closing.
  • Aggregate related deficiencies so a cluster around the same control or process can be evaluated together for a combined rating.
  • Get an overdue digest by email so nothing rots silently.
  • Export the deficiency register and remediation status as a CSV in the exact columns you need.

What's inside the Implementation Plan

The plan is a single file you paste into an AI coding agent (Claude Code). It builds the whole thing with you, step by step, and each step ends with a ready-to-paste prompt.

It opens by interviewing you about your business. This is the important part: before it writes a line of code, the plan has the agent ask you about your testing cycle, your control framework and naming, your exact severity-rating guidance, your approval rules, your typical and peak volumes, and your messiest edge cases. It reflects a short tailored spec back to you and waits for your thumbs-up. You get a tracker shaped around how your controls function actually works - not a generic template you have to bend yourself into.

From there it walks through the database, the login, the logging screen, the severity-rating gate, remediation tracking, the retest-before-closure rule, aggregation of related items, the overdue email digest, and the CSV export - with a "No API yet?" path so you can start today from a spreadsheet, no integration required.

The governance it includes (this is the point)

This isn't a glorified spreadsheet - the controls are baked in:

  • Login so only your team can see or touch anything.
  • Row-level security so each organization only ever sees its own deficiencies.
  • A full audit trail - who logged it, who rated it, who approved the rating, who verified the retest, who closed it, and when.
  • A human-in-the-loop gate - severity ratings and closures are drafted, then a reviewer approves. Nothing is committed to the register on autopilot, and nothing self-closes: a passed retest plus leader approval are required before a deficiency closes.
  • Duplicate guards - a deficiency ID dedupe key so the same finding can't be logged twice.
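As an added example (not code from the runbookify plan), here is how three of the rules above, org-scoped row-level security, the dedupe key, and retest-before-closure with no self-closing, can be enforced inside Supabase's Postgres rather than in app code. Table, column and JWT claim names are assumptions; Supabase does expose the caller's token as auth.jwt().

```sql
-- Added example, not the plan's own schema. Names below are assumed.
create table deficiencies (
  id             bigserial primary key,
  org_id         uuid not null,
  deficiency_key text not null,                 -- dedupe key from the register
  control_ref    text not null,
  source         text not null check (source in ('testing', 'self_assessment', 'audit')),
  severity       text check (severity in ('deficiency', 'significant_deficiency', 'material_weakness')),
  severity_approved_by uuid,                    -- stays null until the reviewer approves
  owner_id       uuid,                          -- remediation owner
  status         text not null default 'open' check (status in ('open', 'remediated', 'closed')),
  closed_by      uuid,
  unique (org_id, deficiency_key)               -- the same finding cannot be logged twice
);

create table retests (
  id            bigserial primary key,
  deficiency_id bigint not null references deficiencies (id),
  result        text not null check (result in ('pass', 'fail')),
  verified_by   uuid not null,
  tested_at     timestamptz not null default now()
);

-- Row-level security: every read and write is scoped to the caller's organization
-- (org_id claim in the JWT, an assumption), so one org never sees another's rows.
alter table deficiencies enable row level security;
create policy org_isolation on deficiencies
  using      (org_id = (auth.jwt() ->> 'org_id')::uuid)
  with check (org_id = (auth.jwt() ->> 'org_id')::uuid);

-- No self-closing: a row may move to 'closed' only when a passed retest exists and
-- the closer is not the remediation owner. A UI bug or direct edit cannot bypass it.
create or replace function enforce_verified_closure() returns trigger language plpgsql as $$
begin
  if new.status = 'closed' and old.status is distinct from 'closed' then
    if new.closed_by is null or new.closed_by = new.owner_id then
      raise exception 'deficiency % cannot be closed by its own remediation owner', new.id;
    end if;
    if not exists (select 1 from retests r where r.deficiency_id = new.id and r.result = 'pass') then
      raise exception 'deficiency % has no passed retest on record', new.id;
    end if;
  end if;
  return new;
end $$;

create trigger deficiencies_verified_closure before update on deficiencies
  for each row execute function enforce_verified_closure();
```

The retests table needs the same org_isolation policy, and the "who did what, when" audit trail would be a separate append-only table written by the same triggers.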

Who it's for

SOX and internal-controls leads who own the deficiency population, have to defend severity ratings, and report remediation status to the audit committee. Quality and risk managers running a control self-assessment program. Anyone who today lives in a fragile deficiency-tracking spreadsheet and wants the discipline of a real tool without hiring a developer.

You've got this - paste the first prompt and let the agent interview you.
