runbookify

Management Sub-certification Collector (SOX 302)

Replace the quarterly sub-cert email round with a tracked tool that collects, branches on exceptions, and rolls up management sub-certifications to support the executive SOX 302 certification.

  • Level: Beginner
  • Time: An afternoon
  • Builds on: Next.js (App Router) on Vercel; Supabase (Postgres + Auth + RLS + Storage); Resend (email)
What you'll build

A private internal tool that launches a quarterly sub-certification round, emails each certifier a statement bound to the exact period, branches to a disclosure form on any exception, tracks and escalates who hasn't responded, and produces a consolidated, manager-approved evidence package and CSV that supports the executives' SOX 302 certification.


Before you start

  • A free Supabase account
  • A free Vercel account
  • A free Resend account (for sending sub-cert requests and reminders)
  • Your sub-certifier list (owner, area) and your certification statements/questions as a CSV or Google Sheet

The problem this kills

Every quarter you fire off the same round of sub-certification emails to process and business-unit owners, asking them to confirm their controls operated and to disclose any deficiencies or changes. Then the real work starts: chasing the people who never reply, deciphering "yes but" answers buried in email threads, hunting for the one owner who flagged an exception, and stitching it all into something an executive can stand behind when they sign the 302 certification.

It's a tracking and evidence problem dressed up as an email problem. Spreadsheets and inboxes lose the thread - you can't easily prove who certified, against which exact statement, for which period, and what they disclosed. When the auditors ask for the consolidated record, you're rebuilding it from memory.

This plan gives you a single tool that runs the whole round: launch the quarter, send the requests, collect clean certifications, force a disclosure form whenever someone reports an exception, see exactly who's outstanding, and hand the SOX program manager one consolidated package to review and approve before it rolls up to the executive certification.

What you'll build

A private web app, just for your team, that:

  • Lets you launch a quarterly sub-cert round tied to a specific period (e.g., Q2 2026).
  • Loads your sub-certifier list (owner + area) and your certification statements/questions.
  • Emails each certifier (via Resend) a link to certify against the exact statement, bound to that period.
  • Records a clean "I certify" / "I cannot certify" response - and branches to a disclosure form the moment anyone reports an exception, a control change, or a deficiency.
  • Shows a live status board: who has certified, who's outstanding, who disclosed an exception - with one-click reminders and escalation.
  • Gives the SOX program manager a review gate to read every sub-cert (especially exceptions and "cannot certify" responses) and approve the consolidated package before it supports the executive certification.
  • Exports a consolidated sub-cert evidence CSV - the auditable record of who certified what, when, against which statement, for which period.

What's inside the Implementation Plan

  • A copy-paste runbook you feed to an AI coding agent (Claude Code) - it builds the tool with you, step by step.
  • It opens by interviewing you about your business - your current sub-cert process, who certifies, your area/owner naming, your statement wording, your quarterly volumes, your approval and escalation rules, and your messy edge cases - then tailors the data model, the disclosure branching, and every later step to your answers. You confirm a short spec before anything gets built. This is not a generic template.
  • Ready-to-paste prompts for each step, written so a non-coder can follow along.
  • The exact build order: data model, secure login, the launch + email round, the certify and disclosure forms, the status/escalation board, the manager review-and-approve gate, and the evidence export.
  • A "No API yet?" fallback so you can build the whole thing today from a Google Sheet / CSV and export a clean CSV in the columns your GRC or workpaper system expects - no integration required.

The governance it includes (this is the point)

This isn't a survey form - it's a controls artifact, so the controls are built in:

  • Login so only your compliance team and certifiers can use it.
  • Row-level security so each organization only ever sees its own data, and certifiers only see their own areas.
  • A complete audit trail: who certified, who disclosed, who approved, and exactly when.
  • A hard human-in-the-loop approval gate: the AI assembles and drafts the consolidated package, but the SOX program manager reviews every exception and approves it before it's treated as evidence supporting the executive certification.
  • Duplicate guards: each certification is bound to certifier + period + exact statement, so the same sub-cert can't be recorded twice.
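As an added illustration (not code from the plan or from runbookify), here is how the duplicate guard and the two row-level-security rules above look as a minimal Supabase/Postgres schema. Table and column names, the `profiles` mapping of users to organizations, and the two roles are assumptions; the plan tailors the real data model to your interview answers.

```sql
-- Added example, not from the plan: one table, one helper, two RLS policies.
-- Assumed: a profiles table maps each Supabase auth user to an org and a role.
create table profiles (
  user_id uuid primary key references auth.users (id),
  org_id  uuid not null,
  role    text not null check (role in ('sox_manager', 'certifier'))
);

create table sub_certifications (
  id                  uuid primary key default gen_random_uuid(),
  org_id              uuid not null,
  period              text not null,            -- e.g. '2026-Q2'
  statement_id        uuid not null,            -- the exact statement certified against
  certifier_id        uuid not null references profiles (user_id),
  response            text not null check (response in ('certify', 'cannot_certify')),
  exception_disclosed boolean not null default false,
  certified_at        timestamptz not null default now(),
  -- duplicate guard: one record per certifier + period + exact statement
  unique (certifier_id, period, statement_id)
);

-- Helper: the caller's org comes from their profile, never from the request.
create function current_org_id() returns uuid
language sql stable security definer set search_path = public as $$
  select org_id from profiles where user_id = auth.uid()
$$;

alter table sub_certifications enable row level security;

-- Certifiers read and write only their own rows, and only inside their org.
create policy certifier_own_rows on sub_certifications
  for all to authenticated
  using      (org_id = current_org_id() and certifier_id = auth.uid())
  with check (org_id = current_org_id() and certifier_id = auth.uid());

-- The SOX program manager reads every row in their org (the review gate),
-- but still nothing from any other organization.
create policy manager_reads_org on sub_certifications
  for select to authenticated
  using (org_id = current_org_id()
         and exists (select 1 from profiles
                     where user_id = auth.uid() and role = 'sox_manager'));
```

With RLS enabled and no other policy, a certifier who tampers with a request still cannot read or write another owner's row, and a second submission for the same certifier, period and statement is rejected by the unique constraint rather than silently recorded twice.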

Who it's for

SOX program managers and finance compliance teams who gather management sub-certifications each quarter to support the executives' overall 302 certification - and who are tired of running it out of an inbox and a spreadsheet.

You've got this - paste the first prompt and let the agent interview you.
