Methodology & Assumptions

1. Purpose of RiscLens Tools

RiscLens provides directional planning tools for B2B compliance buyers. Our goal is to reduce the "information asymmetry" between auditors and companies by providing data-driven estimates of readiness, cost, and timeline.

2. Scoring Methodology

Our Readiness Score (0-100) uses a risk-based weighting model mapped to the AICPA Trust Services Criteria (TSC):

• Baseline Controls: Core security practices like MFA, encryption, and access reviews form the foundation of the score.
• Risk Multipliers: Factors like handling PII, financial data, or ePHI increase the "bar" for readiness and decrease the baseline score until specific controls are confirmed.
• Auditor Expectations: Weights are tuned based on practical audit experience and common TSC interpretations.

3. Cost Estimation Logic

Cost estimates are calculated as a range based on three primary drivers:

• Auditor Fees: Estimated based on company size, technical complexity, and required TSCs (typically $15k–$50k).
• Tooling: Estimated costs for GRC and evidence automation platforms (typically $5k–$30k/year).
• Internal Effort: An estimated "man-hour" cost based on the engineering and operational effort required to remediate identified gaps.

4. Assumptions & Variability

Estimates are directional. Actual costs and timelines will vary based on:

• Auditor Choice: Tier 1 firms (Big 4) vs. boutique regional firms have significantly different fee structures.
• Scope Specifics: The number of cloud accounts, production systems, and employees in scope.
• Remediation Speed: How quickly your team can implement required controls and collect evidence.

5. Interpreting Results