Audit Methodology v1
AI Opportunity Audit: Canonical Methodology
Section titled “AI Opportunity Audit: Canonical Methodology”Internal ops doc. Not client-facing. Load this before running any audit engagement.
1. Framing: The AOA Principle
Section titled “1. Framing: The AOA Principle”Every engagement opens from this position: “I don’t automate broken processes. Automating a broken process makes the inefficiency run faster. We audit how you do it today, optimize the steps (your 12 are probably 7), then automate what’s left.”
This framing does three things: sets realistic scope, positions the consultant as a professional rather than a tool salesperson, and prevents the client from treating the audit as a ticket to “just automate everything.”
2. The 7-Dimension Framework
Section titled “2. The 7-Dimension Framework”Weighting
Section titled “Weighting”- Strategy and Leadership carries 1.5x weight in the scoring model.
- All other dimensions: 1x weight.
- Overall maturity is NOT the weighted average. See Section 3 (Binding-Constraint Logic).
Dimension 1: Strategy and Leadership (1.5x weight)
Section titled “Dimension 1: Strategy and Leadership (1.5x weight)”Definition: Is there a named AI strategy, a designated owner, and visible exec or board sponsorship? Is AI a funded priority or a “we should look into that”?
| Score | What it looks like |
|---|---|
| 1 | No AI strategy. Leadership has not discussed it or explicitly deprioritized it. |
| 3 | AI comes up in leadership conversations. No written strategy, no owner, no budget. |
| 5 | Written AI strategy reviewed quarterly. Named owner with budget authority. Board awareness or sponsorship. Outcomes are tracked. |
Evidence sources: leadership interviews, board decks, org chart, any AI committee or working-group evidence, stated budget allocation.
Dimension 2: Data Readiness
Section titled “Dimension 2: Data Readiness”Definition: Is operational data captured digitally, structured, accessible, and clean enough to automate against? Can systems talk to each other, or is data moved manually?
| Score | What it looks like |
|---|---|
| 1 | Data lives in spreadsheets, people’s heads, or paper. No integration between systems. High error rate. |
| 3 | Data is partially digital. Some systems integrated. Copy-paste workflows are common. Confidence in accuracy is moderate. |
| 5 | Operational data fully captured, centralized, clean, and accessible via API or structured schema. Integration layer exists. Near-zero manual data movement. |
Evidence sources: systems inventory from interviews, integration map, sample data pull, copy-paste frequency estimate, last data error incident.
Dimension 3: Technology and Tooling
Section titled “Dimension 3: Technology and Tooling”Definition: Modernity of the tech stack, API availability, integration maturity, and current AI tool adoption.
| Score | What it looks like |
|---|---|
| 1 | Legacy or siloed systems. No APIs. No AI tools in use. |
| 3 | Mix of modern and legacy. Some Zapier-level integrations. Experimental AI tool use by 1-2 people. |
| 5 | Modern API-first stack. Integration layer (iPaaS or custom). AI tools embedded in daily workflows for most of the team. |
Evidence sources: software systems list, API availability check, integration architecture (if any), which AI tools are used in production vs. experimentally.
Dimension 4: Process and Automation Opportunities
Section titled “Dimension 4: Process and Automation Opportunities”Definition: How much of the weekly work is repetitive and rules-based vs. judgment-heavy? What is already automated vs. still manual?
| Score | What it looks like |
|---|---|
| 1 | Processes undocumented, entirely in people’s heads. High manual burden across all functions. Nothing automated. |
| 3 | Core processes partially documented. Some automation in place (email templates, basic Zapier flows). 30-50% of weekly work is repetitive. |
| 5 | Processes documented and version-controlled. Significant automation already live. Repetitive work is explicitly measured and continuously reduced. |
Evidence sources: process documentation (if any), manual task inventory from interviews, current automation stack, hours-per-week estimates on top tasks.
Dimension 5: Talent and AI Literacy
Section titled “Dimension 5: Talent and AI Literacy”Definition: Can the team actually use AI tools? Is there fear, curiosity, or fluency? Is there an upskilling path?
| Score | What it looks like |
|---|---|
| 1 | Team avoids AI tools. Active fear or resistance. No training. |
| 3 | Mixed: some curious self-learners, majority untrained. No formal AI literacy program. |
| 5 | Most team members fluent in relevant AI tools. Structured training program exists. AI adoption tracked as a KPI. Change management is proactive. |
Evidence sources: direct question on team comfort, observed tool usage, training history, any stated fear about job displacement (this is a binding constraint signal, not a dismissal).
Dimension 6: Governance and Compliance
Section titled “Dimension 6: Governance and Compliance”Definition: Data privacy controls, acceptable-use policy for AI tools, regulatory awareness, shadow AI risk.
| Score | What it looks like |
|---|---|
| 1 | No AI usage policy. Team puts customer data into public LLMs without guardrails. No regulatory awareness. |
| 3 | Informal data handling norms. Some awareness of compliance requirements. No written AI policy. Shadow AI is suspected but unmeasured. |
| 5 | Written AI usage policy, signed by all staff. Data classification schema. Vendor sub-processor agreements reviewed. Regulatory requirements (DPA, GDPR, NIST AI RMF, EU AI Act where applicable) mapped and addressed. |
Evidence sources: policy documents (if any), direct question on whether team uses ChatGPT with customer data, compliance requirements from the industry.
Dimension 7: Value and ROI
Section titled “Dimension 7: Value and ROI”Definition: Does the organization measure AI/automation outcomes? Is there a baseline to prove savings against?
| Score | What it looks like |
|---|---|
| 1 | No measurement of any automation or AI impact. No baseline data. |
| 3 | Informal sense of time saved. No structured tracking. Some awareness that ROI should be measured but no mechanism in place. |
| 5 | Formal measurement framework for automation ROI. Baselines established before each initiative. Actual-vs-projected tracking live. Decision-making is evidence-based. |
Evidence sources: current reporting dashboards, any existing automation ROI data, stated confidence in measuring AI value.
3. Binding-Constraint Scoring Logic
Section titled “3. Binding-Constraint Scoring Logic”Rule: Overall maturity is gated by the two lowest-scoring dimensions, not the average (even after weighting).
Why this matters: A roadmap full of sophisticated automation opportunities fails if Data Readiness is 1.5. You cannot automate data you don’t have. A team with strong data and great tools fails if Governance is 1 and a compliance incident shuts down the AI program in month two. The binding constraints are the ceiling on everything.
How to apply it:
- Score all 7 dimensions after analysis passes.
- Identify the two lowest scores (ties go to the one with the most downstream dependencies).
- Label them binding constraints in the output.
- Phase 1 of the roadmap MUST address both binding constraints before anything else. No exceptions.
- Any opportunity in the matrix that depends on a binding constraint gets flagged as “blocked” with an explicit prerequisite.
Stating the constraint to the client: “Your two weakest dimensions are X and Y. That’s actually where the biggest wins are hiding, because fixing them unlocks everything above them. The roadmap starts there.”
4. The 4-Pass Data Audit Protocol
Section titled “4. The 4-Pass Data Audit Protocol”Run this within Dimension 2 (Data Readiness). It produces a per-source verdict that feeds the opportunity matrix directly.
Pass 1: Source Inventory
Section titled “Pass 1: Source Inventory”List every system where operational data lives. For each: system name, data type, owner, access method (API / export / manual), approximate record count, update frequency.
Verdict per source: Mapped (proceed to Pass 2) or Unknown (needs investigation before automation can be scoped).
Pass 2: Quality Probe
Section titled “Pass 2: Quality Probe”For each mapped source, assess: How accurate is it? When was it last cleaned? What is the error rate (ask the interview subject directly)? Is there a single source of truth, or are there conflicting copies?
Verdict per source: Ready (usable as-is), Fix-First (identifiable issues that can be corrected), or No-Go (fundamentally unreliable; do not base automation on this source until remediated).
Pass 3: Integration Map
Section titled “Pass 3: Integration Map”How do the sources connect today? Manual exports, Zapier/n8n, custom API, direct DB connection, or no connection at all? Identify every manual data-movement step and the cost in time per week.
Verdict per integration: Native (already integrated), Buildable (connectable with reasonable effort, API available), or Blocked (no integration path without major work).
Pass 4: Risk Profile
Section titled “Pass 4: Risk Profile”For each data source and integration: What is the compliance exposure? Customer PII, financial data, health data? Which regulatory frameworks apply (DPA RA 10173, GDPR, HIPAA, etc.)? What is the shadow AI risk (is this data already flowing into public LLMs without governance)?
Verdict per source: Clean (no elevated risk), Review Required (flag for governance section), or High Risk (do not automate until legal review and policy are in place).
Aggregate Data Readiness score pulls from the distribution of verdicts across all passes. Mostly Ready/Native/Clean sources = high score. Multiple Fix-First or High Risk verdicts = low score, binding constraint.
5. The 5-Stage Engagement Flow
Section titled “5. The 5-Stage Engagement Flow”Stage 1: Scoping Call (15-20 min)
Section titled “Stage 1: Scoping Call (15-20 min)”Qualify and close. The consultant is the expert gatekeeper, not a salesperson.
Key questions (Ganim framework):
- The forking question (routes to their business model and the ROI lever they care about: effectiveness, efficiency, or quality).
- The repetition question: what does your team do over and over that you wish they didn’t?
- The friction question: where does it break or slow down?
- The ROI anchor: if that friction disappeared, what would it be worth?
- The magic wand question: if you could fix one thing, what is it?
Close by naming the intersection of high frequency and high friction as the one bottleneck, then frame the audit as the instrument that maps and prioritizes everything around it.
Decline clients who are too early (no digital data, no team, no budget). A bad case study is worse than no case study.
Stage 2: Deep Intake
Section titled “Stage 2: Deep Intake”After payment and engagement letter:
- Intake questionnaire (Fillout/Tally): 7 sections mapped to the 7 dimensions, plus a use-case inventory form.
- Stakeholder roster: names, roles, and interview scheduling.
- Document collection: any existing process docs, org chart, software list, compliance docs.
Do not start analysis until intake is complete. The clock on delivery starts when intake is submitted.
Stage 3: Stakeholder Interviews (5-8 recorded sessions for premium tier)
Section titled “Stage 3: Stakeholder Interviews (5-8 recorded sessions for premium tier)”Premium tier requirement: 5-8 interviews (vs. 1-2 in baseline offerings). This is a key differentiator that justifies the $7,500-$10,000 price point.
Interviews are:
- 60 minutes each.
- Recorded with consent. Recording goes to transcription immediately.
- Structured using the 60-min script: Section 1 (role/day-to-day warm-up, 5 min), Section 2 (7 dimensions, 35 min), Section 3 (use-case inventory deep-dive, 15 min), Closing (2 min).
After each interview: capture top 3 impressions while fresh, verify recording uploaded, note preliminary binding constraint signals.
After all interviews: skim all notes, identify preliminary binding constraints, compile candidate task list for opportunity matrix, then trigger the 4-pass analysis.
Stage 4: Multi-Pass Analysis
Section titled “Stage 4: Multi-Pass Analysis”Run the 4-pass Claude analysis suite (see analysis-prompts-v1.md). Do not skip Pass 5 (adversarial verification). Review all outputs against the checklist before approving:
- Dimension scores: all 7 scored, each justified with specific interview evidence (not generic). Most businesses score 2-3. If all scores are 4-5, the scoring is too generous.
- Opportunity matrix: 15-20 opportunities, all grounded in tasks the client actually described. No generic “implement a chatbot” without a specific use case. Math must foot.
- Roadmap: Phase 1 addresses binding constraints. Specific enough a competent operator could start Monday.
- ROI: conservative, assumptions listed, money slide headline is correct.
If any output fails the checklist, edit before approving. Your name is on the PDF.
Stage 5: Live Debrief
Section titled “Stage 5: Live Debrief”60-minute structured call. Sequence:
- The score and binding constraints (10 min) - show the radar chart.
- Each of the 7 dimensions (10 min) - 1-2 sentences each, offer to go deeper on any.
- The opportunity matrix - top 3 opportunities with savings numbers (15 min).
- The 90-day roadmap - Phase 1 through Phase 3 (10 min).
- The money slide (5 min) - let the number land, then silence.
- The pitch (10 min) - three options: team runs it, implementation sprint, fractional CAIO retainer. The audit fee credits 100% against either of the last two within 90 days.
6. Premium-Tier Additions ($7,500-$10,000 Price Point)
Section titled “6. Premium-Tier Additions ($7,500-$10,000 Price Point)”These are the gap-closers between a $3,000-$5,000 audit and a $10,000 one.
Change Management Section
Section titled “Change Management Section”Every premium audit includes a “Sell It Internally” section addressing:
- Stakeholder map: who will champion, who will resist, who needs to be won over.
- Resistance playbook: what objections will surface from department heads (job security, tool cost, IT concerns) and how leadership should address each.
- Optional: staff AI literacy workshop proposal (reuse LMS workshop template), quoted separately.
This is not a soft add-on. Resistance is the number-one reason AI roadmaps stall after delivery. Including it demonstrates that the consultant understands implementation, not just diagnosis.
Vendor Selection Per Opportunity
Section titled “Vendor Selection Per Opportunity”For each opportunity in the matrix, include a recommended tool with reasoning. Draw from:
- Kashef AIOS corpus (loaded from
06-Kaizen/kashef-aios/KASHEF-COMPENDIUM.md). - Printing Press CLI library (printingpress.dev) for CLI-first alternatives.
- The consultant’s own build history (what has been deployed in production, not what sounds good).
Format: tool name, why this one over alternatives, estimated monthly cost, integration path, flags (vendor lock-in risk, PH data residency issue, etc.).
Implementation Cost Model
Section titled “Implementation Cost Model”Real cost estimates, not placeholders. Draw from actual build history:
- n8n automation pipeline: $800-$2,500 (simple) to $3,000-$8,000 (complex, multi-system).
- Supabase schema design and setup: $500-$1,500.
- LLM API integration: $500-$2,000 depending on complexity.
- Custom portal or dashboard: $2,000-$5,000.
- Staff training and change management: $1,000-$3,000.
These estimates get folded into the ROI projection as the implementation cost model. Conservative and defensible.
Governance Policy Drafts
Section titled “Governance Policy Drafts”Premium tier delivers actual policy drafts, not just “you have a governance gap.” Included:
- AI Acceptable Use Policy (who can use which tools, what data can be submitted to which models).
- Data Classification Schema (public / internal / confidential / restricted - maps to which AI tools are allowed for each).
- AI Model Risk Register template (for regulated industries).
Note: all policy drafts require attorney review before the first live client engagement. PH jurisdiction is the default; AU/EU/UAE variants need separate review.
Technical Architecture Review
Section titled “Technical Architecture Review”A technical pass that goes beyond the 7-dimension scoring:
- API surface audit: what APIs are available, which are undocumented or unstable.
- Security posture: auth patterns, data in transit, sub-processor exposure.
- Integration debt: what is duct-taped together and will break when automation load increases.
- Recommended tech stack for the roadmap, with rationale.
Living Portal
Section titled “Living Portal”Client receives a Supabase-backed portal (LMS decision-ledger pattern), not a read-only PDF drop:
- Radar chart live (updates as scores are revised).
- Opportunity heatmap.
- 30/60/90 roadmap tiles the client can mark as completed.
- Append-only decision ledger (rationale for each decision is logged, supersession fields for when decisions change).
- Actual-vs-projected savings tracker: client enters real numbers as they implement, the model updates.
- Magic link, their brand.
7. The 5 Allowed AI Actions Per Opportunity
Section titled “7. The 5 Allowed AI Actions Per Opportunity”When a roadmap opportunity is implemented, the AI systems operating on that workflow are limited to these 5 actions. Any capability beyond this scope requires explicit re-scoping.
| Action | Description |
|---|---|
| Observe | Monitor a process and flag anomalies or thresholds. Read-only. |
| Draft | Generate a first draft of content, communications, reports, or structured output for human review before use. |
| Recommend | Produce ranked options with reasoning for a human to choose from. Does not act. |
| Prepare Update | Assemble a status update or report to be reviewed and sent by a human. |
| Stop | Halt a workflow and alert a human when confidence is below threshold or an edge case is detected. |
What is not on this list: autonomous action (send, execute, commit, pay) without human review. Every client engagement establishes which actions each AI system is authorized to take in each workflow. Governance reviews this list annually.
8. Deliverable Package Specification
Section titled “8. Deliverable Package Specification”Every premium audit delivers all five of the following.
1. Cinematic Executive Brief Video
Section titled “1. Cinematic Executive Brief Video”HyperFrames composition, client logo, their numbers animating, ElevenLabs voiceover. 5 minutes. Produced once per client using the HyperFrames brief template. This is the wow-opener that replaces “record a Loom.” Nobody in this market delivers a produced video brief.
2. Living Portal
Section titled “2. Living Portal”Supabase-backed, magic link, client-branded. Contains: radar chart, opportunity heatmap, roadmap tiles, decision ledger, actual-vs-projected savings tracker. See Section 6 above.
3. Board-Grade PDF
Section titled “3. Board-Grade PDF”Carbone or Gotenberg rendering on Hostinger (near-zero marginal cost). Content: per pdf-deliverable-template.md. Pages: cover, executive summary, 7-dimension scorecard with radar chart, opportunity matrix (15-20 opportunities as cards), 30/60/90 roadmap, ROI projection with money slide, governance and risk page (premium tier), next steps, appendix.
Design system: dark navy (#0B1F3A) primary, electric blue (#3B82F6) accent, Inter body font, Plus Jakarta Sans headings. Score band colors: Vulnerable (red), Developing (amber), Strong (green), Leading (indigo). Confidentiality marking and page numbers on every page.
4. Shareable Score Graphic
Section titled “4. Shareable Score Graphic”Placid or Bannerbear render. Two sizes: 1080x1080 (LinkedIn/Instagram) and 1200x627 (LinkedIn article/X). Contains: client score, band label, opportunity count, 24-month savings estimate, referral link. Client posts it; it markets the consultant.
5. Live Debrief Call
Section titled “5. Live Debrief Call”Structured 60-minute call per Stage 5 above. Ends at “Phase 1 of your roadmap is our first retainer sprint.” The debrief is where 25-40% of audits convert to a retainer or implementation sprint.
9. Engagement Tiers Reference
Section titled “9. Engagement Tiers Reference”| Tier | Price | Interviews | Deliverables |
|---|---|---|---|
| Snapshot | $1,500 | 1 (45 min) | 5 opportunities, 30-day plan, PDF, debrief |
| Opportunity Audit | $3,000-$5,000 | 2-3 (60 min each) | 15-20 opportunities, 90-day roadmap, ROI projection, all deliverables |
| Premium Deep Dive | $7,500-$10,000 | 5-8 (60 min each) | All of the above plus change management section, vendor selection, implementation cost model, governance policy drafts, technical architecture review, living portal, cinematic video brief |
Fee credits 100% against any implementation sprint or retainer engagement within 90 days.
10. Quality Gate: Before Anything Ships to a Client
Section titled “10. Quality Gate: Before Anything Ships to a Client”Checklist that the consultant must sign off on manually:
- All 7 dimensions scored with evidence citations (not generic justifications).
- Binding constraints correctly identified and match the consultant’s own read from interviews.
- Every opportunity in the matrix is grounded in a task the client actually described.
- ROI math checked for at least 3 opportunities by hand: hours x loaded cost x 48 weeks x adoption pct = stated savings.
- Phase 1 of the roadmap attacks the binding constraints. No exceptions.
- Money slide number is correct and conservative.
- Pass 5 (adversarial verification) was run and all flagged numbers were either revised downward or supported with evidence.
- No hallucinated tools or processes in the opportunity matrix.
- Governance policy drafts reviewed for accuracy before delivery.
- Portal populated and tested before debrief.
- PDF rendered end-to-end and reviewed on paper. Every merge tag populated.
If any item fails: fix it before the debrief. Your name is on the deliverable.