A / B / C readiness: what an auditor-comprehensible tier rubric actually looks like
A buyer's guide to compliance scoring
Why the 0-100 dashboards that every SaaS compliance vendor ships fail at the executive table, and what a working readiness rubric looks like when you need to make real decisions about audit-day exposure.
Key 102 Consulting · 2026 · Veteran-owned. Practitioner-led readiness across HIPAA, PCI DSS v4.0.1, CMMC L1/L2, and surface transportation.
The board meeting that exposes vanity metrics
Tuesday afternoon, quarterly board meeting. The compliance officer pulls up the compliance vendor's dashboard. It shows "85/100." The CFO asks the question the score forces:
"Eighty-five: is that good? Are we ready for an audit, or not?"
The compliance officer looks at the dashboard. The 85 sits on a gradient bar. Green at 100, yellow somewhere in the middle, red at the bottom. 85 is in the green zone. So "good." But then a follow-up:
"If we have a HIPAA breach next week and OCR investigates, does 85 protect us?"
There is no defensible answer. The 85 was assembled by averaging weighted control coverage across the platform's checklist. Some of those controls are blocking for the audit. Some are informational. The score doesn't distinguish. The dashboard doesn't translate the number into a decision.
This is the vanity-metric problem. 0-100 compliance scores optimize for executive comfort and vendor differentiation. They don't translate to the binary outcomes auditors actually deliver.
This paper covers why scores fail at the executive table, what an audit-day-comprehensible rubric looks like, and why Key 102 ships A / B / C tier labels, with words, instead of numbers.
What an auditor actually decides
OCR investigators, QSAs, C3PAOs, DCMA auditors, TSA inspectors, across every framework, deliver categorical outcomes, not score curves:
- HIPAA breach investigation: the entity was compliant / was not compliant / had partial findings requiring corrective action plan
- PCI DSS assessment: the SAQ-D or ROC results in an AoC (passed) / requires remediation (POA&M-style continuation) / fails (notification to acquirer)
- CMMC L2 assessment: practice is Met / Not Met / Not Applicable; cumulative score per DoD Assessment Methodology determines certification + POA&M eligibility
- TSA SD compliance: the operator is in compliance / out of compliance / under a corrective action notice
- DCMA contract audit: the contractor meets / does not meet DFARS 252.204-7012 obligations
None of these is "you scored 85." The auditor's deliverable is a finding, and the finding has consequences that scale with severity, not with score increments.
When a compliance vendor's dashboard shows 85, the entity doesn't know which controls are in the 15 missing points. They don't know whether those 15 are blocking findings or informational notes. They don't know what a real auditor would do at 85, and neither does the dashboard, because no real auditor uses the dashboard's scoring system.
What audit-day boring looks like at each tier
The Key 102 readiness rubric labels three tiers with words. Each word maps to a specific audit-day experience:
Compliance Ready (tier A). Every control in scope has implementation evidence plus a recent review attestation. Audit chain integrity is verifiable end-to-end. The quarterly readiness report is current and practitioner-signed. The customer has nothing material in the POA&M; what is there is in active remediation with target dates inside the window. On audit-day, the assessor finds what the customer attested to. Result: pass with no findings, or notational findings only.
The audit-day experience: boring. The assessor reads, asks clarifying questions, validates a sample, leaves. Time-to-pass is measured in hours of the assessor's attention.
Material Gaps (tier B). Most controls are implemented, but specific control families have evidence that is stale, attestation that is overdue, or implementation gaps that have not been remediated. The audit chain is intact, but operational discipline is not fully consistent across the assessment scope. The POA&M is honest but has items that have aged past comfortable. On audit-day, the assessor finds material discrepancies: not catastrophic, but the kind that lead to findings, corrective action plans, and follow-up assessments.
The audit-day experience: stressful but survivable. The assessor asks deeper questions. Some findings require POA&M items the entity didn't expect. The certification or attestation issues, but with conditions.
Significant Work (tier C). Multiple control families have implementation gaps or evidence gaps. The customer's actual control posture diverges meaningfully from what their compliance documentation describes. The audit chain may have gaps, the POA&M is reactive rather than predictive, and the practitioner who signs the next readiness report would do so with explicit caveats. On audit-day, this is the customer who isn't ready.
The audit-day experience: high-risk. Findings are likely. Remediation conversations begin during the assessment rather than after. Re-assessment is probably necessary. For frameworks with high-stakes immediate consequences (TSA Stop Movement Orders, CMMC certification denial blocking new contracts), "Significant Work" is the tier you don't want when the clause lands.
The three tiers are mutually exclusive and exhaustive. Customers don't sit between B and C; the rubric forces a choice. The forcing function is intentional: vague answers don't help an executive decide whether to invest in remediation or accept risk.
Five inputs that drive the rubric
Key 102's tier classification draws from five operational signals across the engagement:
Coverage: the percentage of in-scope controls that have implementation evidence linked. A control without linked evidence is a control whose state cannot be verified.
Evidence freshness: the age distribution of evidence artifacts. Logging evidence from six months ago is structurally weaker than logging evidence from this month. Some controls permit older evidence (policies, training records); others demand recency (vulnerability scans, log monitoring).
Audit chain integrity: the structural soundness of the hash-chained audit trail. A chain with no breaks is a chain that can defend itself under cryptographic scrutiny (see Whitepaper #5).
Velocity: the rate at which gaps close once identified. A customer who identifies 20 gaps and closes 15 in 30 days has operational discipline. A customer who identifies 20 gaps and closes 2 in 90 days has a discipline problem.
Hygiene: the day-to-day compliance practices. Are tasks being completed on cadence? Are notifications being acknowledged? Are policy adoptions being attested? Hygiene captures the gap between policy text and operational reality.
The five inputs feed into the A / B / C classification through a weighted model. The internal weighting isn't surfaced to the customer or the executive audience; what's surfaced is the tier label and the specific gaps that would move the customer to the next tier up. Words drive decisions; numbers drive discussion of the numbers.
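As an added example, not Key 102's code and not its actual model, the following Python sketch turns the five inputs above into the three tier labels defined earlier. The weights, the 0.60 / 0.90 thresholds, the per-control recency windows, the rule that a broken audit chain is disqualifying on its own, and the sample engagement are all constructed assumptions; the page does not publish the internal weighting. A small SHA-256 hash chain stands in for the audit chain integrity input, and the classifier also returns the gaps that would move the customer up a tier.

```python
# Added example, not Key 102's code or model. Weights, thresholds, recency windows
# and the sample engagement below are assumptions constructed for illustration.
import hashlib
import json
from datetime import date

# Assumed recency window per control kind (days): policies and training records
# tolerate older evidence, vulnerability scans and log monitoring do not.
MAX_AGE_DAYS = {"policy": 365, "training": 365, "vuln_scan": 90, "log_monitoring": 30}
# Assumed weighting of the five inputs (the real model's weights are internal).
WEIGHTS = {"coverage": 0.30, "freshness": 0.25, "integrity": 0.20, "velocity": 0.15, "hygiene": 0.10}
GENESIS = "0" * 64

def entry_hash(prev_hash, payload):
    """Hash link for one audit entry: SHA-256 over the previous hash plus canonical JSON."""
    data = prev_hash + json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()

def build_chain(payloads):
    """Construct a well-formed hash chain from payloads (used only for sample data)."""
    entries, prev = [], GENESIS
    for p in payloads:
        entries.append({"payload": p, "hash": entry_hash(prev, p)})
        prev = entries[-1]["hash"]
    return entries

def chain_intact(entries):
    """Audit chain integrity: each stored hash must recompute from its predecessor,
    so an edited, dropped or reordered entry breaks every link after it."""
    prev = GENESIS
    for e in entries:
        if e["hash"] != entry_hash(prev, e["payload"]):
            return False
        prev = e["hash"]
    return True

def is_stale(control, today):
    """True when the control has no linked evidence or its evidence is past its window."""
    d = control["evidence_date"]
    return d is None or (today - d).days > MAX_AGE_DAYS[control["kind"]]

def signals(engagement, today):
    """The five inputs, each normalised to 0.0..1.0."""
    controls = engagement["controls"]
    covered = sum(1 for c in controls if c["evidence_date"] is not None)
    fresh = sum(1 for c in controls if not is_stale(c, today))
    g, h = engagement["gaps"], engagement["hygiene"]
    return {
        "coverage": covered / len(controls),
        "freshness": fresh / len(controls),
        "integrity": 1.0 if chain_intact(engagement["audit_chain"]) else 0.0,
        "velocity": g["closed_in_window"] / g["identified"] if g["identified"] else 1.0,
        "hygiene": h["tasks_on_cadence"] / h["tasks_due"] if h["tasks_due"] else 1.0,
    }

def classify(engagement, today):
    """Return (tier, weighted score, what would move the customer up a tier).
    The if/elif/else keeps the three tiers mutually exclusive and exhaustive."""
    s = signals(engagement, today)
    score = sum(WEIGHTS[k] * s[k] for k in WEIGHTS)
    if s["integrity"] < 1.0 or score < 0.60:  # a broken chain is disqualifying (assumption)
        tier = "Significant Work"
    elif score >= 0.90:
        tier = "Compliance Ready"
    else:
        tier = "Material Gaps"
    # Weakest inputs first, ranked by how much score each one is costing.
    movers = sorted((k for k in s if s[k] < 1.0), key=lambda k: WEIGHTS[k] * (1.0 - s[k]), reverse=True)
    stale = [c["id"] for c in engagement["controls"] if is_stale(c, today)]
    return tier, score, {"inputs": movers, "controls_needing_evidence": stale}

# Constructed sample engagement: ten controls, one unevidenced, three with stale evidence.
TODAY = date(2026, 3, 1)
SAMPLE = {
    "controls": [
        {"id": "C01", "kind": "policy", "evidence_date": date(2025, 6, 1)},
        {"id": "C02", "kind": "training", "evidence_date": date(2025, 1, 15)},
        {"id": "C03", "kind": "vuln_scan", "evidence_date": date(2026, 2, 10)},
        {"id": "C04", "kind": "log_monitoring", "evidence_date": date(2025, 12, 20)},
        {"id": "C05", "kind": "log_monitoring", "evidence_date": date(2026, 2, 25)},
        {"id": "C06", "kind": "policy", "evidence_date": None},
        {"id": "C07", "kind": "vuln_scan", "evidence_date": date(2025, 11, 1)},
        {"id": "C08", "kind": "training", "evidence_date": date(2025, 9, 1)},
        {"id": "C09", "kind": "policy", "evidence_date": date(2026, 1, 5)},
        {"id": "C10", "kind": "log_monitoring", "evidence_date": date(2026, 2, 1)},
    ],
    "audit_chain": build_chain([
        {"event": "evidence_linked", "control": "C03", "actor": "practitioner-1"},
        {"event": "attestation", "control": "C01", "actor": "customer-admin"},
        {"event": "gap_closed", "control": "C09", "actor": "practitioner-1"},
    ]),
    "gaps": {"identified": 20, "closed_in_window": 15},
    "hygiene": {"tasks_due": 20, "tasks_on_cadence": 18},
}

if __name__ == "__main__":
    print(classify(SAMPLE, TODAY))  # Material Gaps; freshness is the input costing the most
```

Run as a script, the sample lands in Material Gaps with freshness ranked first among the inputs to fix and C02, C04, C06 and C07 listed as the controls needing evidence, which is the practitioner-facing diagnostic the text describes. Dropping or editing any entry in the audit chain fails `chain_intact` and forces Significant Work regardless of the other four inputs, which is how the example expresses the "no breaks" requirement; the thresholds are the part a real model would tune.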
Why words beat numbers for executive communication
Executive audiences make categorical decisions: invest / defer / accept. The compliance dashboard with 85/100 doesn't map to those categories. The CFO can't ask "should we increase remediation budget" because 85 doesn't tell her whether 85 warrants more budget than 78 would have.
Words map to decisions:
- "Compliance Ready": maintain. The investment is in preservation, not transformation.
- "Material Gaps": close them. The investment is the cost of remediation, sized to the gap inventory.
- "Significant Work": invest substantially or accept the risk explicitly. This is not a "do a little more" decision.
The same executive can read the tier label and immediately know what category of decision is in front of them. The follow-up questions (which gaps, what would they cost to close, what's the timeline) flow naturally from the category.
Compare to a 0-100 score. The 85 invites a discussion about the 85 β what does 85 mean, is it improving, is the trend the right direction. The discussion ends with the dashboard, not with a decision.
How Key 102 ships this for all engagements
Every Key 102 engagement carries a Capability Readiness Score that produces the A / B / C tier classification. The score runs daily via cron, builds 30-day and 90-day sparklines, and surfaces on:
- The customer's /dashboard/engagements/[id] engagement card
- The practitioner workbench engagement view
- The Master Audit Report (Audit Co-Pilot tier, recipient-verifiable)
- The monthly executive briefing prepared for Managed and Audit Co-Pilot tiers
The customer always knows their tier in words. The internal score exists for the practitioner's diagnostic use (which input moved, by how much, since when) but is not surfaced to executive audiences. The tier label is the primary signal.
When a board asks "are we ready for an audit?", the Compliance Ready / Material Gaps / Significant Work tier label answers in one phrase. The answer is comprehensible to the auditor too, because the language maps to the categorical outcomes the auditor will deliver.
Start your readiness assessment with Key 102
Key 102 Consulting is veteran-owned, SAM-registered, and based in Phoenix, Arizona. The Capability Readiness Score with A / B / C tier labeling ships on every engagement across HIPAA (Aegis), PCI DSS (Vault), CMMC (Fortress), and surface transportation (Nexus).
Every artifact, including the readiness report itself, carries a named practitioner signature, server-side SHA-256 hash, RFC 3161 TSA timestamp, and a public verify endpoint your assessor or board's external auditor can hit independently of Key 102.
UEI: TXQFV5FJX797
Primary NAICS: 541519 (Other Computer Related Services)
Additional NAICS: 541512 · 541690 · 611420
PSC Codes: DJ10 · DJ01 · D302 · R499 · U099
Start with a $674 Mission Brief
The Mission Brief is a 90-minute diagnostic engagement with Tammie and a practitioner. You walk out with your initial tier classification + the specific gaps that would move you up. The $674 credit converts 1:1 into any annual subscription within 14 days.
More in the Option A series
- #1 Why your compliance vendor's PDF is not assessment evidence
- #2 32 CFR Part 170: why your CMMC RP and your C3PAO cannot be the same firm
- #3 The 72-hour TSA cyber-incident clock: what surface-transport operators need pre-staged
- #4 Two-party attestation: how the PCI AoC handoff should work
- #5 Cryptographic integrity for HIPAA evidence: hash-anchored audit logs and the OCR question
- #7 From DIY SaaS to firm engagement: the missing middle of compliance
