runbookify

Control Self-Assessment (CSA) Campaign

Build an internal tool that runs periodic control self-assessments - control owners attest whether their control operated as designed, log exceptions, and attach evidence - giving you a continuous read on control health between formal audits.

Level: Beginner · Time: An afternoon · Builds on: Next.js (App Router) on Vercel; Supabase (Postgres, Storage, Auth + RLS); Resend (email prompts, reminders, digests)
What you'll build

A logged-in tool that schedules control self-assessments, emails each owner a prompt, collects their attestation plus evidence, branches to an exception form when a control is "not operating," lets your controls manager review and close the period, and exports a clean CSA results CSV ready for your deficiency tracker.


Before you start

  • Your control library / RACM (Risk & Control Matrix) as a CSV or Google Sheet, with control IDs, owners, and frequency
  • Free accounts on Vercel, Supabase, and Resend
  • A list of the email addresses for your control owners

The problem this kills

Between formal audits, your controls go dark. You have a RACM full of controls and owners, but no easy way to ask, on a cadence, "did your control actually operate this period?" So you fall back on email threads, a spreadsheet you chase people on, and a scramble before the auditors arrive. Evidence lives in inboxes. "Not operating" answers get buried. And you can never quite say, with a straight face, what percentage of controls were attested this quarter.

A Control Self-Assessment campaign fixes this - but only if it's easy to run, hard to ignore, and produces clean records. Buying a GRC platform for this is overkill. You can build exactly what you need in an afternoon.

What you'll build

A small, private web app for your internal-controls team and your control owners:

  • Schedule a CSA period (monthly, quarterly, annually) against your control library.
  • Email each owner a prompt through Resend with a secure link to their controls.
  • Owners attest - "operated as designed" or "not operating / exception" - and attach evidence (screenshots, reports, sign-offs) right in the tool.
  • A "not operating" answer branches to an exception form that captures what went wrong, when, and the impact.
  • A live completion dashboard - completion % by process, by owner, by control.
  • A manager review + close gate - your controls manager reviews results, scrutinizes every exception, and only then closes the period.
  • Exceptions push to your deficiency tracker and the whole CSA result exports as a clean CSV.

What's inside the Implementation Plan

The plan is a single file you paste into Claude Code (a free AI coding agent). It builds the whole tool with you, step by step, in plain language.

It starts by interviewing you about your business - your control IDs and naming, who your owners are, how often each control runs, your attestation wording, your deficiency tracker's exact columns, and your messy edge cases (shared controls, owners on leave, controls that span processes). Then it reads back a short tailored spec, waits for your thumbs-up, and builds the tool around your RACM - not a generic template.

From there it walks through: setting up the database with row-level security, importing your control library, building the owner attestation screens with evidence upload, the exception branch, the completion dashboard, the manager review-and-close gate, the Resend prompts and reminders, and the CSV export. Every build step ends with a ready-to-copy prompt.

The governance it includes (this is the point)

This isn't a survey form - it's an assurance record. The plan bakes in:

  • Login so only your team and your named control owners can get in.
  • Row-level security so owners only ever see their own controls, and each organization's data stays walled off.
  • A complete audit trail - who attested what, when, from where, with every evidence file timestamped.
  • A hard human-in-the-loop gate - the AI and the owners draft the results, but nothing closes and nothing flows to the deficiency tracker until your controls manager reviews exceptions and approves the period close.
  • Duplicate guards - the dedupe key is control-ID + period, so the same control can't be attested twice in one campaign.
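As an added illustration of the governance bullets above (this is not the plan's own schema), here is a minimal Supabase/Postgres layout: a unique constraint as the control-ID + period dedupe key, row-level security so owners touch only their own controls, and a restrictive policy that freezes a period once the manager closes it. Table and column names, and the use of Supabase's `auth.uid()`, are assumptions.

```sql
-- Constructed example schema; names are assumptions, not the plan's own.
create table controls (
  id          uuid primary key default gen_random_uuid(),
  org_id      uuid not null,
  control_ref text not null,                          -- RACM control ID
  owner_id    uuid not null references auth.users (id),
  unique (org_id, control_ref)                        -- one row per control per org
);

create table csa_periods (
  id        uuid primary key default gen_random_uuid(),
  org_id    uuid not null,
  label     text not null,                            -- e.g. a constructed "2025-Q1"
  closed_at timestamptz,                              -- set only by the manager close gate
  closed_by uuid references auth.users (id)
);

create table attestations (
  id             uuid primary key default gen_random_uuid(),
  control_id     uuid not null references controls (id),
  period_id      uuid not null references csa_periods (id),
  attested_by    uuid not null default auth.uid(),    -- audit trail: who
  attested_at    timestamptz not null default now(),  -- audit trail: when
  result         text not null check (result in ('operated', 'not_operating')),
  exception_note text,
  -- duplicate guard: the same control cannot be attested twice in one period
  unique (control_id, period_id),
  -- a "not operating" answer must carry its exception detail
  check (result = 'operated' or exception_note is not null)
);

alter table attestations enable row level security;

-- Owners read/write only attestations for controls they own.
create policy owner_rw on attestations
  as permissive for all
  using (exists (select 1 from controls c
                 where c.id = attestations.control_id and c.owner_id = auth.uid()))
  with check (exists (select 1 from controls c
                      where c.id = attestations.control_id and c.owner_id = auth.uid()));

-- Restrictive policies AND with the permissive ones: once the manager has
-- closed the period, no attestation in it can be changed or removed.
create policy frozen_after_close on attestations
  as restrictive for update
  using (not exists (select 1 from csa_periods p
                     where p.id = attestations.period_id and p.closed_at is not null));
create policy no_delete_after_close on attestations
  as restrictive for delete
  using (not exists (select 1 from csa_periods p
                     where p.id = attestations.period_id and p.closed_at is not null));
```

The manager's review-and-close action and the export to the deficiency tracker would run with a privileged role and would be the only paths that set `closed_at`; owners never get an update policy on `csa_periods`.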

Who it's for

Internal-controls and compliance teams - SOX, ICFR, ISO, internal audit - who want owner-level assurance on a regular cadence without buying a GRC suite. If you own a RACM and chase attestations by email today, this is for you.

You've got this - paste the first prompt and let the agent interview you.
