Who this is for
| Company type | Enterprise GRC, internal audit, operational risk |
| Connector | Supabase (PostgreSQL) |
| Teams | Risk management, internal audit, compliance, vendor risk |
Get started
Connect Supabase
Add a Supabase connector with your project pooler host, database, and credentials. See Add connectors.
Index your schema
Run indexing on the public schema. Mark the important tables listed below. See Index your data.
Build the dashboards below
Combine saved charts into audit committee and risk committee views. See Create dashboards.
Your data
A typical risk and controls warehouse on Supabase includes thirteen related tables:
| Table | What it holds |
|---|---|
| audit_findings | Findings from audits — title, severity, status, due date |
| business_processes | Processes in scope for controls and testing |
| control_tests | Test results — pass/fail, tester, test date |
| controls | Control definitions linked to business processes |
| departments | Org units and cost centers |
| employees | Staff — role, department, contact details |
| key_risk_indicators | KRI definitions with red and amber thresholds |
| kri_readings | Time-series KRI values and notes |
| policy_exceptions | Approved or pending policy exceptions |
| risk_register | Enterprise risks — likelihood, impact, owner, score |
| sod_conflicts | Segregation-of-duties conflicts by employee and role |
| vendor_risk_assessments | Third-party risk reviews |
| vendors | Vendor master — country, category, tier |
Tables to mark during indexing
- Audit findings — open and closed findings, severity, remediation status
- Risk register — active risks, scores, and ownership
- KRI readings and key risk indicators — threshold breaches and trends
- Control tests — pass/fail rates over time
- SoD conflicts — open conflicts by department
- Vendors and vendor risk assessments — third-party risk tier and concentration
Dashboards to build
Audit findings overview
Answers: What is the status of our audit program and control testing? Include open and closed finding KPIs, policy exception counts, average exception risk level, control tests passed, severity breakdown, control test pass/fail trend, findings opened over time, and a findings detail table.
Operational risk exposure
Answers: Where is the organization most exposed right now? Include open SoD conflict KPIs, KRI red-threshold breaches, active risk count, conflicts by department, likelihood-versus-impact heatmap, vendor tier breakdown, red and amber KRI trend, KRI values against thresholds, and a table of high-scoring active risks.
Questions to ask by role
| Role | Questions to try |
|---|---|
| Chief audit executive | How many audit findings are open versus closed? What is the severity mix? |
| Risk manager | Which risks in the register have a score of 12 or above? How many KRIs are breaching red thresholds? |
| Compliance officer | How many policy exceptions are pending approval? What is the average risk level of approved exceptions? |
| Vendor risk analyst | What is the breakdown of vendors by risk tier? Which vendors are Critical or High? |
| SoD analyst | How many open segregation-of-duties conflicts do we have by department? |
Example conversations
Vendor risk tier breakdown
Ask: What is the breakdown of our vendors by risk tier — show how many vendors fall into Critical, High, Medium, and Low as a pie chart.
Vizkraft returns a pie chart with tier counts and insight notes on concentration in High and Critical tiers and whether any tier has zero vendors.
Try next: Which Critical-tier vendors have assessments older than twelve months?
Control testing trend
Ask: Show control test pass and fail counts by month for the last year.
Use this to spot months with elevated failures before audit committee meetings.
Try next: Which controls had the most failed tests in the last quarter?
Metrics worth defining
Add to Connector memory so definitions stay consistent across your org:
- Risk score — likelihood × impact (or your enterprise formula)
- KRI breach — reading at or above red threshold
- Open finding — status not equal to Closed
- SoD conflict — unresolved segregation-of-duties exception
- Vendor risk tier — Critical, High, Medium, Low classification rules