BlueStone Tech
Audit-firm partnerships · implementation partner

You audit. We implement.

Fixed-price post-audit remediation for Melbourne mid-tier audit and risk-advisory firms. Essential 8, ISO 27001, SOC 2, Privacy Act. We never compete with your assurance work — we only deliver the hands-on remediation you'd rather not.

  • Pty Ltd registered company
  • $5m Professional Indemnity + $2m Cyber Liability
  • SMB1001 Gold self-attestation
  • Microsoft Solutions Partner: Modern Work
  • No conflict with your assurance work

The problem we solve

The audit ends. The hard work starts.

You complete an Essential 8 assessment, ISO 27001 gap analysis, or SOC 2 readiness review. Your report lists 30–80 specific findings. The client takes it to their board, the board allocates budget, and they turn back to you and ask:

"So who actually fixes this?"

If — like most mid-tier firms — you don't want to do hands-on implementation (because it conflicts with your independence on the next year's audit), you need a reliable implementation partner. We're built for exactly that role.

Three partnership models

Pick the structure that fits your firm's policy.

Model 1

Referral

You introduce, we sign separately

You hand the client to us, we sign and execute the engagement independently, and we pay 5–10% of the project value back to your firm (optional). The cleanest model when your conflict-of-interest framework rules out direct revenue share.

Model 2

Co-engagement

Joint contract, two invoices

Both names appear on the engagement letter. You retain the client relationship and any post-uplift assurance follow-up; we deliver the implementation. Two invoices, no cross-billing, clear scope split written into the SOW.

Model 3

White-label / sub-contract

We deliver under your brand

We deliver under your firm's brand, you remain the only client touchpoint. Best when you want full ownership of the client experience but lack internal delivery capacity. Standard NDA + sub-contract agreement covers the relationship.

Flagship offer · designed for audit-firm referrals

Essential 8 ML2 Uplift Sprint — $22,000 fixed, 12 weeks.

A productised delivery built specifically for the audit-firm referral scenario. Your client at ML0/ML1 needs to reach ML2 — we get them there in 12 weeks.

  • For 25–75 staff businesses
  • All 8 controls covered: app control, patching, MS Office macros, user app hardening, restricted admin, OS patches, MFA, regular backups
  • Weekly status report formatted for the audit firm
  • Bound evidence pack at sprint completion — ready for re-assessment
  • Seamless handover to BlueStone Standard or Secure+ monthly retainer

Why fixed price

Audit firms hate referring vendors who scope-creep mid-delivery — it damages your client relationship. Our fixed price + fixed scope means your referral risk is contained. If we go over, that's our cost, not the client's, and not your reputation.

Request the ML2 Sprint template (PDF)

Audit findings → fixed-price remediation

Whatever your report flags — we have a fixed-price line item.

  • Essential 8 ML0/ML1 → ML2 gap: ML2 Uplift Sprint ($22,000 fixed)
  • Missing MFA / Conditional Access: M365 Security Baseline ($3,500–$7,000)
  • Backup not tested / not immutable: DR/BCP Foundation ($4,500) + ongoing backup
  • No documented incident response: IR Retainer ($7,500/yr)
  • Privacy Act / NDB compliance gap: Privacy compliance project (scoped)
  • Server 2016 EOL exposure: Quick Lift / Modern Workplace ($6,900–$14,500)
  • ISO 27001 / SOC 2 readiness work: Joint delivery with Siege Cyber
  • Ongoing compliance maintenance: Secure+ monthly retainer ($169/user/mo)

Partnership principles

The boundaries — written down up front.

These six commitments are in our partner agreement template. We expect you to hold us to them and to walk away if we breach.

  1. We don't do audit or assurance work. We will never compete with you.
  2. The client relationship is yours. We deliver, we do not poach.
  3. Fixed price + fixed scope. No mid-engagement add-ons or scope creep.
  4. Weekly status reports go to you. Any client escalation comes to you first.
  5. Sprint-end deliverable is a bound evidence pack — for your re-assessment or next year's audit.
  6. If we underdeliver or the client is unhappy, we absorb the cost. Your referral reputation stays clean.

Credentials · what to verify before referring

What your vendor on-boarding team needs.

  • Company structure: Pty Ltd (evidence: ASIC certificate, on request)
  • Professional Indemnity: $5m · Emergence Insurance (evidence: Certificate of Currency)
  • Cyber Liability: $2m · bundled with PI (evidence: Certificate of Currency)
  • SMB1001 alignment: Gold · Q3 2026 self-assessment (evidence: self-assessment report)
  • Microsoft Solutions Partner: Modern Work designation (evidence: verification link)
  • Reference clients: 2 Melbourne SMBs · contactable (evidence: reference list, on request)

Audit-firm FAQ

What partners actually ask in the first coffee.

Why would I refer to you instead of one of the boutique cyber consultancies?
Most boutiques have been acquired (CyberCX → Accenture; Hivint → Trustwave; The Missing Link → Infosys $98m) and now run their own delivery — so they compete with your assurance arm rather than supplement it. We don't do audit/assurance work; we deliver the implementation against the findings you produced. Different lane, same client. The two boutiques still partner-friendly are Siege Cyber and StickmanCyber — we happily co-deliver with them on ISO 27001 / SOC 2 scope, but for Essential 8 ML2 remediation we're priced + sized for the SMB segment they often skip.
What insurance do you carry, and can I see the certificates?
We hold $5m Professional Indemnity and $2m Cyber Liability through Emergence Insurance, both bundled. Certificates of Currency available on request before the first engagement is signed. Most audit firms include verification of these in their vendor on-boarding — we expect that.
How do you handle a scope-creep risk on the first delivery?
Two ways. First, the ML2 Sprint is genuinely fixed-scope — the SOW lists exactly which controls and which deliverables. Anything outside that scope generates a separate written change order that you and the client both see before any work proceeds. Second, we send you a weekly status report. If we sense scope is drifting in client conversations, you hear about it from us before you hear about it from the client.
Do you white-label?
Yes. About 30% of our audit-firm engagements are white-label or sub-contract. We deliver under your brand, you remain the only touchpoint. The trade-off is your firm carries the warranty exposure on what we deliver — most firms prefer co-engagement for that reason, but white-label is available when the client experience requires it.
What is your conflict-of-interest framework?
We will never bid on assurance, audit, or independent attestation work. If a referred client subsequently asks us to provide an opinion on something audit-adjacent, we decline and refer them back to you (or to a separate audit firm if you have a conflict). This is in writing in our partner agreement and we expect you to hold us to it.
Can we co-brand the deliverable?
Yes — both ML2 Sprint and DR/BCP Foundation deliverables can carry both logos and a co-signed leadership readout. We use a templated structure so the deliverable is recognisably the same artefact every time, which makes your re-assessment work faster.

No commitment · 30 minutes

A 30-minute coffee in Bourke Street or CBD.

You don't need to commit to anything. We meet, you decide whether we're a credible partner. If yes, we follow up with the partnership pack.