Skip to content
BlueStone Tech
You audit. We implement.

The implementation arm for Melbourne audit firms.

Fixed-price post-audit remediation for Melbourne mid-tier audit and risk-advisory firms. Essential 8, ISO 27001, SOC 2, Privacy Act. We never compete with your assurance work — we only deliver the hands-on remediation you'd rather not.

Pty Ltd registered company$5m Professional Indemnity + $2m Cyber LiabilitySMB1001 Gold self-attestationMicrosoft Solutions Partner: Modern WorkNo conflict with your assurance work

The problem we solve

The audit ends. The hard work starts.

You complete an Essential 8 assessment, ISO 27001 gap analysis, or SOC 2 readiness review. Your report lists 30–80 specific findings. The client takes it to their board, the board allocates budget, and they turn back to you and ask:

"So who actually fixes this?"

If — like most mid-tier firms — you don't want to do hands-on implementation (because it conflicts with your independence on the next year's audit), you need a reliable implementation partner. We're built for exactly that role.

The independence problem

Why your own standards say don't build it yourself.

There's a structural reason most firms don't take remediation in-house, and it sits in your own professional standards. APES 110 treats implementing the controls your firm will later assess as a self-review threat: recommend the fixes, build the fixes, then sign the re-assessment — and your independence on that client is compromised, along with the assurance fee stream that depends on it.

Mid-tier firms resolve the tension one of two ways. The first is standing up a separate delivery practice behind an ethical wall — workable at top-tier scale, expensive and awkward below it. The second is keeping a referral bench of implementation specialists who never touch assurance work. We're built to be that bench for Melbourne: BlueStone doesn't sell audit, assurance or attestation services — not as a business line, not as a favour — so a referral to us never circles back as a competitor pitching your client.

The remediation is also documented for your benefit, not just the client's: every change is mapped to the original finding number and evidenced per control, in the format your working papers expect. When you re-assess, you're verifying our workpapers rather than reconstructing what happened.

Three partnership models

Pick the structure that fits your firm's policy.

Model 1

Referral

You introduce, we sign separately

You hand the client to us, we sign and execute the engagement independently, and we pay 5–10% of the project value back to your firm (optional). The cleanest model when your conflict-of-interest framework rules out direct revenue share.

Model 2

Co-engagement

Joint contract, two invoices

Both names appear on the engagement letter. You retain the client relationship and any post-uplift assurance follow-up; we deliver the implementation. Two invoices, no cross-billing, clear scope split written into the SOW.

Model 3

White-label / sub-contract

We deliver under your brand

We deliver under your firm's brand, you remain the only client touchpoint. Best when you want full ownership of the client experience but lack internal delivery capacity. Standard NDA + sub-contract agreement covers the relationship.

Flagship offer · designed for audit-firm referrals

Essential 8 ML2 Uplift Sprint — $22,000 fixed, 12 weeks.

A productised delivery built specifically for the audit-firm referral scenario. Your client at ML0/ML1 needs to reach ML2 — we get them there in 12 weeks.

  • For 25–75 staff businesses
  • All 8 controls covered: app control, patching, MS Office macros, user app hardening, restricted admin, OS patches, MFA, regular backups
  • Weekly status report formatted for the audit firm
  • Bound evidence pack at sprint completion — ready for re-assessment
  • Seamless handover to BlueStone Standard or Secure+ monthly retainer

Why fixed price

Audit firms hate referring vendors who scope-creep mid-delivery — it damages your client relationship. Our fixed price + fixed scope means your referral risk is contained. If we go over, that's our cost, not the client's, and not your reputation.

Client only needs Maturity Level 1? The smaller program — $7,500, 90 days — is the fit: see Essential 8 for Melbourne small business.

Request the ML2 Sprint template (PDF)

What a referral looks like

The standard playbook, week by week.

Every referral runs the same sequence, so you know exactly what your client will experience before you put your name behind an introduction. This is the delivery playbook we contract to — not a hypothetical.

  1. Three-way scoping

    A scoping call with you, the client, and our engineer. The SOW lists each finding from your report, the control it maps to, and the deliverable that closes it — and you see the SOW before your client signs it.

  2. Read-only validation

    We validate each finding against the live environment and capture baseline evidence, changing nothing. If a finding has drifted since your fieldwork, you hear it from us first — with evidence, not opinion.

  3. Remediation in weekly increments

    Controls land in an order that keeps the client working. Every Friday you and the client receive the same one-page status: findings closed, in progress, blocked and why. Anything outside the SOW becomes a written change order both of you see before work proceeds.

  4. Re-score & handover

    Maturity re-scored, evidence bound per control — screenshots, configuration exports, attestations — each mapped back to your original finding numbers, plus a leadership readout. Your re-assessment starts from our workpapers, not a blank page.

Audit findings → fixed-price remediation

Whatever your report flags — we have a fixed-price line item.

Every line item is productised: fixed price, fixed scope, published. The full list — 29 published prices — is on the pricing page, and several identity-layer items are also packaged as stand-alone fixed-price identity projects a client can commission piecemeal.

Essential 8 ML0/ML1 → ML2 gap
ML2 Uplift Sprint ($22,000 fixed)
Missing MFA / Conditional Access
M365 Security Baseline ($3,500–$7,000)
Backup not tested / not immutable
DR/BCP Foundation ($4,500) + ongoing backup
No documented incident response
IR Retainer ($7,500/yr)
Privacy Act / NDB compliance gap
Privacy compliance project (scoped)
Server 2016 EOL exposure
Quick Lift / Modern Workplace ($6,900–$14,500)
ISO 27001 / SOC 2 readiness work
Joint delivery with Siege Cyber
Ongoing compliance maintenance
Secure+ monthly retainer ($169/user/mo)

Partnership principles

The boundaries — written down up front.

These six commitments are in our partner agreement template. We expect you to hold us to them and to walk away if we breach.

  1. 01

    We don't do audit or assurance work. We will never compete with you.

  2. 02

    The client relationship is yours. We deliver, we do not poach.

  3. 03

    Fixed price + fixed scope. No mid-engagement add-ons or scope creep.

  4. 04

    Weekly status reports go to you. Any client escalation comes to you first.

  5. 05

    Sprint-end deliverable is a bound evidence pack — for your re-assessment or next year's audit.

  6. 06

    If we underdeliver or the client is unhappy, we absorb the cost. Your referral reputation stays clean.

Credentials · what to verify before referring

What your vendor on-boarding team needs.

Company structure
Pty Ltd
ASIC certificate (on request)
Professional Indemnity
$5m · Emergence Insurance
Certificate of Currency
Cyber Liability
$2m · bundled with PI
Certificate of Currency
SMB1001 alignment
Gold · Q3 2026 self-assessment
Self-assessment report
Microsoft Solutions Partner
Modern Work designation
Verification link
Reference clients
2 Melbourne SMBs · contactable
Reference list (on request)

Audit-firm FAQ

What partners actually ask in the first coffee.

Why would I refer to you instead of one of the boutique cyber consultancies?
Most boutiques have been acquired (CyberCX → Accenture; Hivint → Trustwave; The Missing Link → Infosys $98m) and now run their own delivery — so they compete with your assurance arm rather than supplement it. We don't do audit/assurance work; we deliver the implementation against the findings you produced. Different lane, same client. The two boutiques still partner-friendly are Siege Cyber and StickmanCyber — we happily co-deliver with them on ISO 27001 / SOC 2 scope, but for Essential 8 ML2 remediation we're priced + sized for the SMB segment they often skip.
What insurance do you carry, and can I see the certificates?
We hold $5m Professional Indemnity and $2m Cyber Liability through Emergence Insurance, both bundled. Certificates of Currency available on request before the first engagement is signed. Most audit firms include verification of these in their vendor on-boarding — we expect that.
How do you handle a scope-creep risk on the first delivery?
Two ways. First, the ML2 Sprint is genuinely fixed-scope — the SOW lists exactly which controls and which deliverables. Anything outside that scope generates a separate written change order that you and the client both see before any work proceeds. Second, we send you a weekly status report. If we sense scope is drifting in client conversations, you hear about it from us before you hear about it from the client.
Do you white-label?
Yes. About 30% of our audit-firm engagements are white-label or sub-contract. We deliver under your brand, you remain the only touchpoint. The trade-off is your firm carries the warranty exposure on what we deliver — most firms prefer co-engagement for that reason, but white-label is available when the client experience requires it.
What is your conflict-of-interest framework?
We will never bid on assurance, audit, or independent attestation work. If a referred client subsequently asks us to provide an opinion on something audit-adjacent, we decline and refer them back to you (or to a separate audit firm if you have a conflict). This is in writing in our partner agreement and we expect you to hold us to it.
Can we co-brand the deliverable?
Yes — both ML2 Sprint and DR/BCP Foundation deliverables can carry both logos and a co-signed leadership readout. We use a templated structure so the deliverable is recognisably the same artefact every time, makes your re-assessment work faster.

No commitment · 30 minutes

A 30-minute coffee in Bourke Street or CBD.

You don't need to commit to anything. We meet, you decide whether we're a credible partner. If yes, we follow up with the partnership pack.

Looking for IT support for your own practice, rather than an implementation partner for client findings? Different engagement, different page — see IT support for Melbourne accountants and the 2026 accounting-firm IT pricing guide.