runbookify

Periodic Compliance Attestation & Control Sign-off

Run your recurring compliance attestations on autopilot: schedule each item, email owners when their sign-off is due, collect attestations with evidence, branch to a reason form on any 'not performed,' let your compliance manager review exceptions and close the period, and export an auditor-ready attestation log.

  • Level: Beginner
  • Time: An afternoon
  • Builds on: Next.js (App Router) on Vercel; Supabase (Postgres + Auth + Storage, RLS on); Resend (email prompts, reminders & digests); CSV import / export (no-API fallback included)
What you'll build

A private, login-protected web tool that schedules recurring attestations, emails each owner when their sign-off is due, collects 'performed / not performed' responses with attached evidence, routes exceptions to a compliance manager for review, closes each period behind a human approval gate, and exports an auditor-ready attestation log — with a full audit trail.


Before you start

  • A CSV (or Google Sheet) of your attestation items: statement, owner, frequency, and the evidence required
  • A list of who owns each control or process and their email addresses
  • Free accounts on Vercel, Supabase, and Resend (all have generous free tiers)
  • No coding experience required — you'll paste the plan into an AI coding agent and answer its questions

The problem this kills

Your controls don't fail on the day someone reviews them. They fail in the long, quiet stretches between — the month nobody ran the reconciliation, the quarter the access review got skipped, the training that lapsed without anyone noticing. By the time an auditor or regulator asks "show me proof this happened every period," you're reconstructing the past from memory, chasing people for evidence that may no longer exist, and hoping the gaps were small.

The usual fix is a spreadsheet of "who owes what attestation this month" plus a flurry of reminder emails you send by hand. It's exhausting, it's easy to lose track of who hasn't responded, and the evidence ends up scattered across inboxes and shared drives. Worst of all, a spreadsheet can't prove anything: there's no tamper-evident record of who attested, exactly when, and what they attached.

Compliance should be continuously affirmed, not assumed. This tool turns your attestation calendar into a system that prompts the right person on schedule, captures their sign-off and evidence in one place, makes exceptions impossible to ignore, and hands you a clean, time-stamped record an auditor can trust.

What you'll build

A small, private web app that runs your recurring attestation cycle for you and keeps a human firmly in control of closing each period:

  • Load your attestation items — each statement, its owner, how often it's due, and what evidence is required — from a CSV or Google Sheet.
  • Schedule each item by frequency (monthly, quarterly, annually, or your own cadence) and open an attestation "instance" for each owner when a period comes due.
  • Prompt owners by email (with reminders) and give them a one-click page to attest performed or not performed, attach evidence, and add a note.
  • Branch automatically: a "not performed" answer opens a short reason form and becomes an exception.
  • Review exceptions and any "no" responses as the compliance manager, route follow-ups, and close the period behind a human approval gate.
  • Export an auditor-ready attestation log — every statement, owner, response, evidence link, and timestamp — plus completion-percent-by-area reporting.

This is your living compliance calendar, not a one-off survey. It never silently assumes a control was done; it asks, records the answer, and keeps the proof.

What's inside the Implementation Plan

The plan is a complete, paste-and-go runbook for an AI coding agent. The very first thing it does is interview you about your business — your attestation items and how they're worded, who owns each control, your real frequencies and period boundaries, what "evidence" means for each item, your escalation and reminder rules, and the messy exceptions you actually run into. It reads a short tailored spec back to you and waits for your thumbs-up before it builds anything, so the tool fits your real compliance program — not a generic template.

From there it walks you, step by step, through:

  • Standing up the Next.js app, Supabase database, and login.
  • Designing the data model around your attestation items, owners, and frequencies.
  • Importing your attestation items (with duplicate guards) and your owner list.
  • Generating attestation instances per period and emailing owners with reminders.
  • The owner's attest page — performed / not performed, evidence upload, and the reason-form branch.
  • The compliance manager's exception review and the period-close approval gate.
  • Completion-percent-by-area dashboards and the auditor-ready attestation log export.

Every build step ends with a ready-to-copy prompt you paste into your agent.

The governance it includes (this is the point)

This isn't a throwaway survey tool — it's a compliance control, so it's built like one:

  • Login so only your compliance team and owners can use it.
  • Row-level security so each organization only ever sees its own attestations and evidence.
  • A complete audit trail — who attested what, who reviewed it, who closed the period, and exactly when (timestamps you can defend to an auditor).
  • A human-in-the-loop gate: owners attest and the tool tallies, but a period isn't closed until the compliance manager reviews the exceptions and approves the close. Exceptions are routed for follow-up the manager also approves.
  • Duplicate guards so the same attestation item can't be processed twice in the same period (the dedupe key is attestation-item + period).
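The five guards above map onto a handful of database-level controls. What follows is an added example, not the plan's own schema or code: a Postgres/Supabase-style sketch of per-organization row-level security, an append-only audit trail, the attestation-item + period dedupe key, and a period-close function that refuses to close while any attestation is unanswered or any "not performed" exception is unreviewed. Every table and column name is an assumption; `auth.uid()` is Supabase's helper for the signed-in user.

```sql
-- Added example (not the plan's schema). All names below are assumptions.

create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Who belongs to which organization, and in what role (user_id = auth.uid()).
create table org_members (
  org_id  uuid not null references organizations(id),
  user_id uuid not null,
  role    text not null check (role in ('owner', 'compliance_manager')),
  primary key (org_id, user_id)
);

create table attestation_items (
  id        uuid primary key default gen_random_uuid(),
  org_id    uuid not null references organizations(id),
  statement text not null,
  owner_id  uuid not null,                       -- the owner who must attest
  frequency text not null check (frequency in ('monthly', 'quarterly', 'annually'))
);

-- One row per item per period. The dedupe key is (item, period): the unique
-- constraint makes a second instance for the same period impossible to insert.
create table attestation_instances (
  id           uuid primary key default gen_random_uuid(),
  org_id       uuid not null references organizations(id),
  item_id      uuid not null references attestation_items(id),
  period_start date not null,
  response     text check (response in ('performed', 'not_performed')),
  reason       text,                             -- the reason-form answer
  evidence_url text,
  attested_by  uuid,
  attested_at  timestamptz,
  reviewed_by  uuid,                             -- manager who reviewed an exception
  reviewed_at  timestamptz,
  closed_by    uuid,
  closed_at    timestamptz,
  unique (item_id, period_start),
  check (response is distinct from 'not_performed' or reason is not null)
);

-- Append-only audit trail: who did what, to which instance, and exactly when.
create table audit_log (
  id          bigserial primary key,
  org_id      uuid not null references organizations(id),
  instance_id uuid references attestation_instances(id),
  actor_id    uuid not null,
  action      text not null,                     -- 'attested', 'reviewed', 'period_closed'
  at          timestamptz not null default now()
);

create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log rows cannot be modified or deleted';
end $$;

create trigger audit_log_no_change
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- Row-level security: a member only ever sees their own organization's rows.
alter table attestation_items     enable row level security;
alter table attestation_instances enable row level security;
alter table audit_log             enable row level security;

create policy items_org_isolation on attestation_items for select
  using (org_id in (select org_id from org_members where user_id = auth.uid()));

create policy instances_org_isolation on attestation_instances for select
  using (org_id in (select org_id from org_members where user_id = auth.uid()));

create policy audit_org_isolation on audit_log for select
  using (org_id in (select org_id from org_members where user_id = auth.uid()));

-- Owners may attest only their own items, and only while the period is open.
create policy instances_owner_attests on attestation_instances for update
  using (closed_at is null
         and item_id in (select id from attestation_items where owner_id = auth.uid()));

-- Human-in-the-loop gate: closing a period is a deliberate act by a compliance
-- manager, and it fails while anything is unanswered or any exception is unreviewed.
create or replace function close_period(p_org uuid, p_period date) returns integer
language plpgsql security definer as $$
declare n integer;
begin
  if not exists (select 1 from org_members
                 where org_id = p_org and user_id = auth.uid()
                   and role = 'compliance_manager') then
    raise exception 'only a compliance manager may close a period';
  end if;
  if exists (select 1 from attestation_instances
             where org_id = p_org and period_start = p_period
               and (response is null
                    or (response = 'not_performed' and reviewed_at is null))) then
    raise exception 'period has unanswered attestations or unreviewed exceptions';
  end if;
  update attestation_instances
     set closed_by = auth.uid(), closed_at = now()
   where org_id = p_org and period_start = p_period and closed_at is null;
  get diagnostics n = row_count;
  insert into audit_log (org_id, actor_id, action) values (p_org, auth.uid(), 'period_closed');
  return n;                                      -- number of instances closed
end $$;
```

Instance generation (one row per item per period) and the exception review are assumed to run through the app's server-side role, which bypasses RLS; the point of the sketch is that the database itself rejects a duplicate instance, a silent close, and any edit to the audit log, so those guarantees do not depend on application code behaving.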

Who it's for

Compliance and risk managers — and quality leads who own recurring controls — who need recurring, defensible proof that obligations and controls are actually being met, period after period. If you can list your attestation items and who owns each one, you can build this — no developer required.

You've got this. Open the Implementation Plan, paste the first prompt, and let the agent interview you.
