This cookbook is for risk, audit, and compliance teams tracking internal controls, audit findings, key risk indicators, segregation-of-duties conflicts, and third-party risk. The examples use Veridian Group, a fictional diversified enterprise with a central risk and controls function.

Who this is for

Company type: Enterprise GRC, internal audit, operational risk
Connector: Supabase (PostgreSQL)
Teams: Risk management, internal audit, compliance, vendor risk

Get started

1. Connect Supabase
   Add a Supabase connector with your project pooler host, database, and credentials. See Add connectors.

2. Index your schema
   Run indexing on the public schema. Mark the important tables listed below. See Index your data.

3. Ask your first question
   Try: How many open audit findings do we have by severity?

4. Build the dashboards below
   Combine saved charts into audit committee and risk committee views. See Create dashboards.


Your data

A typical risk and controls warehouse on Supabase includes thirteen related tables:
Table                      What it holds
audit_findings             Findings from audits — title, severity, status, due date
business_processes         Processes in scope for controls and testing
control_tests              Test results — pass/fail, tester, test date
controls                   Control definitions linked to business processes
departments                Org units and cost centers
employees                  Staff — role, department, contact details
key_risk_indicators        KRI definitions with red and amber thresholds
kri_readings               Time-series KRI values and notes
policy_exceptions          Approved or pending policy exceptions
risk_register              Enterprise risks — likelihood, impact, owner, score
sod_conflicts              Segregation-of-duties conflicts by employee and role
vendor_risk_assessments    Third-party risk reviews
vendors                    Vendor master — country, category, tier

Tables to mark during indexing

  • Audit findings — open and closed findings, severity, remediation status
  • Risk register — active risks, scores, and ownership
  • KRI readings and key risk indicators — threshold breaches and trends
  • Control tests — pass/fail rates over time
  • SoD conflicts — open conflicts by department
  • Vendors and vendor risk assessments — third-party risk tier and concentration

Dashboards to build

Audit findings overview

Answers: What is the status of our audit program and control testing? Include open and closed finding KPIs, policy exception counts, average exception risk level, control tests passed, severity breakdown, control test pass/fail trend, findings opened over time, and a findings detail table.

Operational risk exposure

Answers: Where is the organization most exposed right now? Include open SoD conflict KPIs, KRI red-threshold breaches, active risk count, conflicts by department, likelihood-versus-impact heatmap, vendor tier breakdown, red and amber KRI trend, KRI values against thresholds, and a table of high-scoring active risks.

Questions to ask by role

Role                     Questions to try
Chief audit executive    How many audit findings are open versus closed? What is the severity mix?
Risk manager             Which risks in the register have a score of 12 or above? How many KRIs are breaching red thresholds?
Compliance officer       How many policy exceptions are pending approval? What is the average risk level of approved exceptions?
Vendor risk analyst      What is the breakdown of vendors by risk tier? Which vendors are Critical or High?
SoD analyst              How many open segregation-of-duties conflicts do we have by department?

Example conversations

Vendor risk tier breakdown

Ask: What is the breakdown of our vendors by risk tier — show how many vendors fall into Critical, High, Medium, and Low as a pie chart. Vizkraft returns a pie chart with tier counts and insight notes on concentration in High and Critical tiers and whether any tier has zero vendors. Try next: Which Critical-tier vendors have assessments older than twelve months?

Control testing trend

Ask: Show control test pass and fail counts by month for the last year. Use this to spot months with elevated failures before audit committee meetings. Try next: Which controls had the most failed tests in the last quarter?

Metrics worth defining

Add to Connector memory so definitions stay consistent across your org:
  • Risk score — likelihood × impact (or your enterprise formula)
  • KRI breach — reading at or above red threshold
  • Open finding — status not equal to Closed
  • SoD conflict — unresolved segregation-of-duties exception
  • Vendor risk tier — Critical, High, Medium, Low classification rules
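The definitions above are only useful if every dashboard computes them the same way, so here is an added example (not the cookbook's or Vizkraft's own SQL) that pins three of them down as PostgreSQL views over the schema described in Your data. The table names come from the page; the column names, the Active status value and the sample rows are assumptions, so adjust them to your warehouse.

```sql
-- Added example, not the cookbook's own SQL. Minimal stand-in tables mirror
-- the schema above; column names are assumptions, adjust them to yours.
CREATE TABLE audit_findings (finding_id int, severity text, status text);
CREATE TABLE risk_register (risk_id int, title text, status text,
                            likelihood int, impact int);
CREATE TABLE key_risk_indicators (kri_id int, name text,
                                  amber_threshold numeric, red_threshold numeric);
CREATE TABLE kri_readings (kri_id int, reading_value numeric, recorded_at date);

-- Constructed sample rows, not real Veridian data
INSERT INTO audit_findings VALUES (1, 'High', 'Open'), (2, 'High', 'Closed'),
                                  (3, 'Low', NULL);
INSERT INTO risk_register VALUES (1, 'Data breach', 'Active', 4, 4),
                                 (2, 'Key supplier failure', 'Active', 3, 3);
INSERT INTO key_risk_indicators VALUES (1, 'Overdue findings', 5, 10),
                                       (2, 'Failed control tests', 3, 6);
INSERT INTO kri_readings VALUES (1, 4, '2024-01-31'), (1, 11, '2024-02-29'),
                                (2, 2, '2024-02-29');

-- Open finding: status not equal to Closed. IS DISTINCT FROM keeps a
-- NULL status counted as open, which a plain <> 'Closed' would drop.
CREATE VIEW open_findings_by_severity AS
SELECT severity, COUNT(*) AS open_findings
FROM audit_findings
WHERE status IS DISTINCT FROM 'Closed'
GROUP BY severity;

-- Risk score: likelihood x impact; 12 is the cut-off used in the
-- risk manager question above.
CREATE VIEW active_risks_scored AS
SELECT risk_id, title, likelihood * impact AS risk_score,
       likelihood * impact >= 12 AS needs_attention
FROM risk_register
WHERE status = 'Active';

-- KRI breach: the latest reading per KRI at or above the red threshold;
-- amber is reported too so trend charts can use the same view.
CREATE VIEW kri_current_status AS
WITH latest AS (
  SELECT DISTINCT ON (kri_id) kri_id, reading_value, recorded_at
  FROM kri_readings ORDER BY kri_id, recorded_at DESC
)
SELECT k.kri_id, k.name, l.reading_value, l.recorded_at,
       CASE WHEN l.reading_value >= k.red_threshold   THEN 'red'
            WHEN l.reading_value >= k.amber_threshold THEN 'amber'
            ELSE 'green' END AS rag_status
FROM key_risk_indicators k JOIN latest l USING (kri_id);

SELECT * FROM kri_current_status WHERE rag_status = 'red';
```

Once the views exist, point the saved charts and the Connector memory entries at them rather than at the raw tables, so a change to a threshold or a status vocabulary is made in one place.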