Internal Control Library & Risk-Control Matrix (RACM)
Turn your sprawling controls spreadsheet into one structured, testing-ready Risk-Control Matrix - with gap flags, an owner approval gate, and a clean CSV export - built by an AI agent you direct in plain English.
A single, structured Risk-Control Matrix your team logs into, where every control is classified and linked to its risk and process, gaps are flagged automatically, changes are approved by the controls owner before they go official, owners get emailed their own controls, and the whole RACM exports to a testing-ready CSV.
Before you start
- Your current controls list as a CSV or Google Sheet (risk, control, owner, type, frequency, process)
- Free accounts: Vercel, Supabase, Resend (the plan walks you through each)
- No coding experience - you'll direct an AI agent in plain English
The problem this kills
Your internal controls live in a spreadsheet that has grown for years. Risks in one tab, controls in another, owners half-filled-in, frequencies that say "quarterly" in one cell and "Q" in the next. When SOX testing season starts, you spend the first week just figuring out which controls are real, which risks have no control at all, and which controls have no owner to ask. Nobody is sure which version of the file is the official one, and every "small edit" someone makes to a description quietly changes what gets tested.
A Risk-Control Matrix (RACM) is supposed to be the one structured source that testing and reporting run from. In a spreadsheet, it never quite is.
What you'll build
A small, private web app - the official home of your RACM - that your controls and SOX team logs into. You import your existing controls list, and the tool structures it into a proper matrix: every control linked to the risk it addresses and the process it supports, classified by type (preventive or detective, manual or automated, key or non-key), with an owner and a testing frequency. It automatically flags the gaps you usually find the hard way - risks with no control, controls with no owner, missing frequencies. Proposed additions and changes wait in a queue until the controls owner approves them, so the official RACM only ever reflects reviewed, signed-off content. Then it emails each owner their own controls and exports the whole matrix as a testing-ready CSV.
What's inside the Implementation Plan
- A copy-paste runbook you hand to an AI coding agent (Claude Code) - it does the building; you steer.
- It opens by interviewing you about your business. Before a single line is built, the plan makes the agent ask how your controls list is structured today, what your control IDs and codes look like, how you name types and frequencies, who the controls owner is, your typical and peak control counts, and your real edge cases. It reads back a short tailored spec, you confirm it, and only then does it build - so you get a RACM shaped to your data, not a generic template.
- Step-by-step build instructions, each ending in a ready-to-paste prompt.
- A "No API yet?" fallback so you can build the entire tool today from a CSV or Google Sheet, with no integration to your GRC system.
- A verification checklist so you can prove it works before you trust it.
The governance it includes (this is the point)
- Login so only your team can open the RACM.
- Row-level security so each organization only ever sees its own controls.
- A complete audit trail - who added or changed which control, what changed, and when.
- A human approval gate - the controls owner reviews every addition and change (description, owner, frequency) before it becomes part of the official RACM used for testing. The AI structures and proposes; a person signs off; only then is it committed.
- Duplicate guards keyed on control ID so the same control can't be imported or created twice.
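As an added illustration of the import step, the gap flags and the duplicate guard described above (example code, not from the plan or the app it builds): it assumes the CSV column names shown in the sample and a small frequency alias map, both constructed for this example.

```python
# Added example: structure a controls CSV, normalise frequency spellings,
# reject duplicate control IDs, and flag the usual gaps. Column names and
# the frequency aliases are assumptions, not the plan's own schema.
import csv
import io

# Assumed normalisation of the "quarterly" vs "Q" inconsistency the text mentions.
FREQ_ALIASES = {"q": "quarterly", "quarterly": "quarterly", "m": "monthly",
                "monthly": "monthly", "a": "annual", "annual": "annual"}

# Constructed sample: one duplicate ID, one missing owner, one blank frequency,
# and one risk (R-03) that no control addresses.
SAMPLE_CSV = """control_id,risk_id,process,description,owner,type,frequency
C-001,R-01,Revenue,Three-way match on invoices,alice,preventive,Q
C-002,R-02,Payroll,Review of payroll register,,detective,monthly
C-003,R-02,Payroll,Approval of new hires,bob,preventive,
C-001,R-01,Revenue,Three-way match on invoices (edited),carol,preventive,quarterly
"""
KNOWN_RISKS = {"R-01", "R-02", "R-03"}  # constructed risk register


def build_racm(csv_text, known_risks):
    """Import controls, normalise frequency, dedupe on control_id, flag gaps."""
    controls, duplicates, gaps = {}, [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        if cid in controls:  # duplicate guard keyed on control ID: second copy is rejected
            duplicates.append(cid)
            continue
        # Unrecognised or blank frequency collapses to "" and is flagged below.
        row["frequency"] = FREQ_ALIASES.get(row["frequency"].strip().lower(), "")
        controls[cid] = row
        if not row["owner"].strip():
            gaps.append(("control_without_owner", cid))
        if not row["frequency"]:
            gaps.append(("control_without_frequency", cid))
    # A risk in the register with no control linked to it is the costliest gap.
    covered = {c["risk_id"].strip() for c in controls.values()}
    for rid in sorted(known_risks - covered):
        gaps.append(("risk_without_control", rid))
    return {"controls": controls, "duplicates": duplicates, "gaps": gaps}


if __name__ == "__main__":
    result = build_racm(SAMPLE_CSV, KNOWN_RISKS)
    for kind, ident in result["gaps"]:
        print(f"GAP {kind}: {ident}")
    print("rejected duplicates:", result["duplicates"])
```

In the built tool these flags would feed the owner's approval queue rather than a printout; the check itself is the same.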
Who it's for
Internal-controls, SOX, and compliance teams who keep their controls in a sprawling spreadsheet and want one structured, defensible source for testing and reporting - without hiring a developer or buying heavy GRC software.
You've got this. Paste the first prompt and let the agent interview you.