
SOP Review & Attestation Tracker: Prove Every Procedure Is Reviewed and Read

Schedule each SOP's periodic review, remind the owner when it's due, and — once approved — push the live version to staff so they attest they've read it, with full coverage tracking and re-attestation when versions change.

Intermediate · A weekend · Builds on: Next.js, Supabase, Resend
What you'll build

A web tool where every SOP has a review schedule, the owner is reminded and reviews/approves on cycle, the approved version is pushed to required readers via email, each reader's read-and-understood attestation is recorded against that exact version, non-attesters are chased, and you can export a coverage CSV any auditor will accept.


Before you start

  • A Supabase account (free)
  • A Vercel account (free)
  • A Resend account (free)
  • Your SOP list with review intervals and assigned readers (a spreadsheet is fine)
  • Your owner / reader roster
  • Claude Code or any AI coding agent

The problem this kills

In any ISO-certified or regulated shop, two questions come up every audit and never have a clean answer: "Are your SOPs actually reviewed on the schedule you promised?" and "Can you prove the right people read the current version?" Today that proof lives in a tangle of spreadsheets, a "read receipts" folder, and a quality manager's memory. SOPs quietly go past their review date. Someone updates a procedure but half the team is still working off last quarter's PDF. When the auditor asks for attestation on the live version of SOP-014, you're forwarding old emails and hoping the dates line up.

It's tedious, it's risky, and a single gap — an un-reviewed procedure, a reader who never acknowledged the new revision — is a finding waiting to happen. You don't need a six-figure GRC platform to fix this, and you don't need to be a developer.

What you'll build

A simple internal web tool built around your real SOP library. You import your SOP list (each with a review interval and the staff who must read it) and your owner/reader roster. The tool sets a review schedule for every SOP and reminds each owner when a review is coming due. The owner reviews and either confirms "no change" or publishes a new version — and that approval is a hard gate. Once approved, the tool launches an attestation campaign: it emails the required readers via Resend, shows them the current version, and records each reader's "I have read and understood" acknowledgment against that exact version and timestamp. It chases anyone who hasn't acknowledged, shows the owner a live coverage % per SOP, and — crucially — when a new version supersedes the old one, prior acknowledgments stop counting and readers are asked to re-attest.

What's inside the Implementation Plan

The downloadable plan is a step-by-step file you paste into an AI coding agent. It opens by interviewing you about your business — how your SOPs are numbered and versioned, where they live today, your review intervals and who owns each procedure, exactly how staff are grouped into reader sets, your typical and peak SOP/reader volumes, your approval rules, and your messy edge cases (contractors, multi-site readers, an SOP with no owner) — and then it tailors the data model, the validations, and every later step to your answers. This is not a generic template; the agent reflects a short spec back to you and waits for your thumbs-up before it builds anything. From there it walks the agent through the import, the review-schedule and reminder logic, the owner review-and-approve screen, the version-aware attestation campaign, the reader acknowledgment flow, the non-attester chase, and the coverage export — each step with a ready-to-copy prompt. There's also a fallback so you can build the whole thing today even with no integration to your document system.

The governance it includes (this is the point)

This is compliance tooling, so it ships with the controls a quality team needs to survive an audit: login so only your team can use it, row-level security so you only ever see your own organization's SOPs and people, a complete audit trail of who reviewed, approved, and attested to what and when, a hard human-approval gate so no attestation campaign goes out until the owner has approved the reviewed SOP, and duplicate guards keyed on reader + SOP + version so the same person can't double-count and a stale acknowledgment can't be passed off as coverage of the live version. Re-attestation on supersession is built in, so "100% read" always means read this version.
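
The approval gate, the reader + SOP + version duplicate guard, and re-attestation on supersession can be modeled in a few rules. The sketch below is an added example, not code from the downloadable plan; the class, its method names, and the example.test addresses are hypothetical, and it keeps state in memory where the real tool would use Supabase tables.

```javascript
// Added example: every name here (AttestationLedger, draft, approve, ...) is hypothetical.
class AttestationLedger {
  constructor() {
    this.sops = new Map(); // sopId -> { owner, readers: Set, versions: Set, live }
    this.acks = new Map(); // key(reader, sop, version) -> ISO timestamp
    this.audit = [];       // append-only trail: who did what, to which version, when
  }
  key(reader, sopId, version) {
    // A JSON array avoids the collisions a plain separator character would allow.
    return JSON.stringify([reader, sopId, version]);
  }
  log(actor, action, sopId, version) {
    this.audit.push({ at: new Date().toISOString(), actor, action, sopId, version });
  }
  addSop(sopId, owner, readers) {
    this.sops.set(sopId, { owner, readers: new Set(readers), versions: new Set(), live: null });
  }
  // A drafted version exists but is not live, so nobody can attest to it yet.
  draft(sopId, version, actor) {
    this.sops.get(sopId).versions.add(version);
    this.log(actor, "draft", sopId, version);
  }
  // Hard gate: only the owner's approval makes a version live; it supersedes the old one.
  approve(sopId, version, actor) {
    const sop = this.sops.get(sopId);
    if (actor !== sop.owner) throw new Error("only the SOP owner can approve");
    if (!sop.versions.has(version)) throw new Error("unknown version");
    sop.live = version;
    this.log(actor, "approve", sopId, version);
  }
  // Returns true when recorded, false when it repeats an existing acknowledgment.
  attest(sopId, reader, version) {
    const sop = this.sops.get(sopId);
    if (!sop.readers.has(reader)) throw new Error("not a required reader");
    if (sop.live === null || version !== sop.live) throw new Error("not the approved live version");
    const k = this.key(reader, sopId, version);
    if (this.acks.has(k)) return false;
    this.acks.set(k, new Date().toISOString());
    this.log(reader, "attest", sopId, version);
    return true;
  }
  // Coverage % counts only acknowledgments of the live version.
  coverage(sopId) {
    const sop = this.sops.get(sopId);
    if (sop.live === null || sop.readers.size === 0) return 0;
    const done = [...sop.readers].filter(r => this.acks.has(this.key(r, sopId, sop.live)));
    return Math.round((100 * done.length) / sop.readers.size);
  }
}
```

In a Postgres-backed build the same duplicate guard would normally be a unique constraint on the three columns, so the database rejects a double count even if application code has a bug.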

Who it's for

Quality and compliance managers in ISO or otherwise regulated environments who have to demonstrate, on demand, that procedures are reviewed on a cycle and read by the people who do the work. If you can describe how your SOPs are numbered and who has to read each one, you can build this.

You've got this — start with the plan, paste the first prompt, answer the interview, and you'll watch your first SOP coverage dashboard light up the same afternoon.
