The implementation arm for Melbourne audit firms.
Fixed-price post-audit remediation for Melbourne mid-tier audit and risk-advisory firms. Essential 8, ISO 27001, SOC 2, Privacy Act. We never compete with your assurance work — we only deliver the hands-on remediation you'd rather not.
The problem we solve
The audit ends. The hard work starts.
You complete an Essential 8 assessment, ISO 27001 gap analysis, or SOC 2 readiness review. Your report lists 30–80 specific findings. The client takes it to their board, the board allocates budget, and they turn back to you and ask:
"So who actually fixes this?"
If — like most mid-tier firms — you don't want to do hands-on implementation (because it conflicts with your independence on the next year's audit), you need a reliable implementation partner. We're built for exactly that role.
The independence problem
Why your own standards say don't build it yourself.
There's a structural reason most firms don't take remediation in-house, and it sits in your own professional standards. APES 110 treats implementing the controls your firm will later assess as a self-review threat: recommend the fixes, build the fixes, then sign the re-assessment — and your independence on that client is compromised, along with the assurance fee stream that depends on it.
Mid-tier firms resolve the tension one of two ways. The first is standing up a separate delivery practice behind an ethical wall — workable at top-tier scale, expensive and awkward below it. The second is keeping a referral bench of implementation specialists who never touch assurance work. We're built to be that bench for Melbourne: BlueStone doesn't sell audit, assurance or attestation services — not as a business line, not as a favour — so a referral to us never circles back as a competitor pitching your client.
The remediation is also documented for your benefit, not just the client's: every change is mapped to the original finding number and evidenced per control, in the format your working papers expect. When you re-assess, you're verifying our workpapers rather than reconstructing what happened.
Three partnership models
Pick the structure that fits your firm's policy.
Model 1
Referral
You introduce, we sign separately
You hand the client to us, we sign and execute the engagement independently, and we pay 5–10% of the project value back to your firm (optional). The cleanest model when your conflict-of-interest framework rules out direct revenue share.
Model 2
Co-engagement
Joint contract, two invoices
Both names appear on the engagement letter. You retain the client relationship and any post-uplift assurance follow-up; we deliver the implementation. Two invoices, no cross-billing, clear scope split written into the SOW.
Model 3
White-label / sub-contract
We deliver under your brand
We deliver under your firm's brand, you remain the only client touchpoint. Best when you want full ownership of the client experience but lack internal delivery capacity. Standard NDA + sub-contract agreement covers the relationship.
Flagship offer · designed for audit-firm referrals
Essential 8 ML2 Uplift Sprint — $22,000 fixed, 12 weeks.
A productised delivery built specifically for the audit-firm referral scenario. Your client at ML0/ML1 needs to reach ML2 — we get them there in 12 weeks.
- For 25–75 staff businesses
- All 8 controls covered: app control, patching, MS Office macros, user app hardening, restricted admin, OS patches, MFA, regular backups
- Weekly status report formatted for the audit firm
- Bound evidence pack at sprint completion — ready for re-assessment
- Seamless handover to BlueStone Standard or Secure+ monthly retainer
Why fixed price
Audit firms hate referring vendors who scope-creep mid-delivery — it damages your client relationship. Our fixed price + fixed scope means your referral risk is contained. If we go over, that's our cost, not the client's, and not your reputation.
Client only needs Maturity Level 1? The smaller program — $7,500, 90 days — is the fit: see Essential 8 for Melbourne small business.
Request the ML2 Sprint template (PDF)What a referral looks like
The standard playbook, week by week.
Every referral runs the same sequence, so you know exactly what your client will experience before you put your name behind an introduction. This is the delivery playbook we contract to — not a hypothetical.
-
Three-way scoping
A scoping call with you, the client, and our engineer. The SOW lists each finding from your report, the control it maps to, and the deliverable that closes it — and you see the SOW before your client signs it.
-
Read-only validation
We validate each finding against the live environment and capture baseline evidence, changing nothing. If a finding has drifted since your fieldwork, you hear it from us first — with evidence, not opinion.
-
Remediation in weekly increments
Controls land in an order that keeps the client working. Every Friday you and the client receive the same one-page status: findings closed, in progress, blocked and why. Anything outside the SOW becomes a written change order both of you see before work proceeds.
-
Re-score & handover
Maturity re-scored, evidence bound per control — screenshots, configuration exports, attestations — each mapped back to your original finding numbers, plus a leadership readout. Your re-assessment starts from our workpapers, not a blank page.
Audit findings → fixed-price remediation
Whatever your report flags — we have a fixed-price line item.
Every line item is productised: fixed price, fixed scope, published. The full list — 29 published prices — is on the pricing page, and several identity-layer items are also packaged as stand-alone fixed-price identity projects a client can commission piecemeal.
Partnership principles
The boundaries — written down up front.
These six commitments are in our partner agreement template. We expect you to hold us to them and to walk away if we breach.
- 01
We don't do audit or assurance work. We will never compete with you.
- 02
The client relationship is yours. We deliver, we do not poach.
- 03
Fixed price + fixed scope. No mid-engagement add-ons or scope creep.
- 04
Weekly status reports go to you. Any client escalation comes to you first.
- 05
Sprint-end deliverable is a bound evidence pack — for your re-assessment or next year's audit.
- 06
If we underdeliver or the client is unhappy, we absorb the cost. Your referral reputation stays clean.
Credentials · what to verify before referring
What your vendor on-boarding team needs.
Audit-firm FAQ
What partners actually ask in the first coffee.
Why would I refer to you instead of one of the boutique cyber consultancies?
What insurance do you carry, and can I see the certificates?
How do you handle a scope-creep risk on the first delivery?
Do you white-label?
What is your conflict-of-interest framework?
Can we co-brand the deliverable?
No commitment · 30 minutes
A 30-minute coffee in Bourke Street or CBD.
You don't need to commit to anything. We meet, you decide whether we're a credible partner. If yes, we follow up with the partnership pack.
Looking for IT support for your own practice, rather than an implementation partner for client findings? Different engagement, different page — see IT support for Melbourne accountants and the 2026 accounting-firm IT pricing guide.