Control Testing & Sampling Workpaper Tool
Build your own SOX control-testing workpaper app with AI - plan tests, set sample sizes by frequency, pull a logged sample, record pass/fail with evidence, and get a reviewer to sign off before any conclusion is final.
A private, team-only web tool that plans a test round, sizes and pulls each sample with a logged seed, captures tester results and evidence, routes the conclusion to a reviewer for sign-off, pushes deficiencies to a tracker, and exports a clean workpaper CSV.
Before you start
- Your list of controls to test (from the RACM / control matrix)
- The population for each control (a list, log, or CSV of all items in scope)
- Free Vercel, Supabase, and Resend accounts (all have free tiers)
The problem this kills
Every test round, you rebuild the same fragile spreadsheet. You eyeball a sample size, hand-pick "random" items in a way you can't defend, paste screenshots into a tab, and email the reviewer asking for a thumbs-up. When the external auditor asks "how did you select this sample?" you have no logged seed, no reproducible method, and no proof that the second set of eyes actually reviewed the conclusion. A failed sample item gets quietly smoothed over because nothing forces it into a deficiency. The workpaper lives on one person's laptop.
This tool turns that mess into a controlled, auditable workflow - and you build it yourself, with AI, in a weekend.
What you'll build
A private web app for your internal audit / SOX testing team that:
- Plans a test round - pick the controls to test from your RACM and the period.
- Sets the sample size from the control's frequency (annual, quarterly, monthly, weekly, daily) using the frequency-to-sample-size table your methodology specifies, and pulls the sample from the population with a logged random seed so the selection is reproducible and defensible.
- Lets the tester record pass/fail per sample item, attach evidence, and note exceptions.
- Forces a reviewer (a different person) to approve the conclusion - effective or deficient - before it's final.
- Pushes every deficiency to a tracker automatically, so a failed item can never be quietly ignored.
- Sends status emails via Resend and exports the full workpaper and results as CSV.
What's inside the Implementation Plan
- It interviews you first. Before building anything, the plan has the AI agent interview you about your business - your RACM format, how you name controls, your frequencies and the sample sizes you use, your evidence types, your review and sign-off rules, and your messy exceptions. It reflects a short tailored spec back to you and waits for your thumbs-up. You get a tool shaped to how you test, not a generic template.
- A step-by-step build: data model, login, the test-planning screen, the sample-size + seeded-selection engine, the tester results screen with evidence upload, the reviewer sign-off gate, the deficiency tracker push, Resend notifications, and the CSV export.
- Copy-paste prompts at the end of every step - you paste, the agent builds.
- A "No API yet?" fallback: import your population from a Google Sheet / CSV and export results in the exact columns your existing GRC system expects, so it's fully usable today.
The governance it includes (this is the point)
- Login so only your team can open the tool.
- Row-level security (Postgres RLS in Supabase) so testers only see their own organization's controls and rounds - enforced on the database, not just hidden in the UI.
- A complete audit trail - who pulled the sample and with which seed, who tested, who reviewed, and exactly when.
- A hard human-in-the-loop approval gate: the tester drafts the conclusion, the reviewer (a separate person) must sign off before the result is finalized, and a failed sample item can't be closed without becoming a tracked deficiency.
- Duplicate guards keyed on control-id + test-round so the same control isn't tested twice in the same round.
- A logged sample-selection seed, stored with the population it was drawn from, so any selection can be re-run and defended to an external auditor.
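The sample-size-by-frequency step and the logged-seed reproducibility step above are the technical core of the tool. The block below is an added example of how that engine can work; it is not the page's own code, and every name in it (the frequency table and its placeholder values, `select_sample`, `reproduce_matches`, the record layout) is an assumption. Rather than seeding a language RNG, it ranks each population item by a hash of the seed, a fingerprint of the population, and the item id, and takes the lowest ranks. That makes the draw independent of row order and of which runtime re-runs it, and the fingerprint lets an auditor prove the population was not edited after the sample was pulled.

```python
"""Seeded, reproducible sample selection for one control in a test round.

Added example, not the tool's own code. The frequency table values, the
record layout and the ranking rule are all assumptions; the page only
commits to "sample size from frequency" and "a logged seed".
"""
import hashlib
import json
import secrets


# Illustrative frequency -> sample-size table. ASSUMED placeholder values;
# the real numbers come from your firm's sampling methodology and are what
# the implementation plan's interview asks you for.
SAMPLE_SIZE_BY_FREQUENCY = {
    "annual": 1,
    "quarterly": 2,
    "monthly": 2,
    "weekly": 5,
    "daily": 25,
    "multiple-daily": 25,
}


def sample_size(frequency: str, population_size: int) -> int:
    """Look up the sample size; never ask for more items than exist."""
    if frequency not in SAMPLE_SIZE_BY_FREQUENCY:
        raise ValueError(f"unknown control frequency: {frequency!r}")
    if population_size < 1:
        raise ValueError("population is empty; nothing to sample")
    return min(SAMPLE_SIZE_BY_FREQUENCY[frequency], population_size)


def population_fingerprint(item_ids) -> str:
    """SHA-256 over the sorted ids. Logged with the seed so an auditor can
    confirm the population was not edited after the sample was drawn."""
    canonical = json.dumps(sorted(item_ids), separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def new_seed() -> str:
    """A fresh seed from the OS CSPRNG; it is logged, not kept secret."""
    return secrets.token_hex(16)


def select_sample(item_ids, n: int, seed: str, expected_fingerprint=None) -> dict:
    """Deterministically choose n items.

    Ranking rule: each item is ranked by SHA-256(seed | fingerprint | item_id)
    and the n lowest ranks win. A hash instead of a language RNG means the
    same seed yields the same sample from any implementation, and the
    population's row order does not matter.
    """
    ids = list(item_ids)
    if len(set(ids)) != len(ids):
        raise ValueError("population contains duplicate item ids")
    if not 1 <= n <= len(ids):
        raise ValueError(f"sample size {n} out of range for population of {len(ids)}")
    fp = population_fingerprint(ids)
    if expected_fingerprint is not None and fp != expected_fingerprint:
        raise ValueError("population differs from the one the seed was logged against")

    def rank(item_id: str) -> str:
        return hashlib.sha256(f"{seed}|{fp}|{item_id}".encode()).hexdigest()

    selected = sorted(ids, key=rank)[:n]
    # This record is what the workpaper stores next to the tester's results.
    return {
        "seed": seed,
        "population_fingerprint": fp,
        "population_size": len(ids),
        "sample_size": n,
        "selected": selected,
    }


def reproduce_matches(logged: dict, item_ids) -> bool:
    """What a reviewer or external auditor runs: re-draw from the logged seed
    against the population as it exists now and compare item by item."""
    try:
        again = select_sample(item_ids, logged["sample_size"], logged["seed"],
                              logged["population_fingerprint"])
    except ValueError:
        return False
    return again["selected"] == logged["selected"]


if __name__ == "__main__":
    # Constructed population: 40 journal-entry ids for a monthly control.
    population = [f"JE-2024-{i:04d}" for i in range(1, 41)]
    record = select_sample(population, sample_size("monthly", len(population)), new_seed())
    print(json.dumps(record, indent=2))
    print("reproducible:", reproduce_matches(record, population))
```

The design point is that the draw is a pure function of (seed, population, n). Generate and log the seed at the moment the sample is pulled, before the tester sees the result; then the only way to get a different sample is a different seed, and that shows up in the audit trail as a second draw rather than a silent re-roll.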
Who it's for
Internal auditors and SOX control testers who run test rounds each period and need a defensible, reviewer-gated workpaper without buying a heavyweight GRC platform.
You've got this - paste the first prompt and let the agent interview you.