A remote-first process that respects your time.
Most business owners can name the exact moment an audit disrupted their week. Ours is built to avoid that. Here is exactly what happens, in order, from the first call to the final report.
The audit process, step by step
Scoping call (30 minutes)
We confirm the size and shape of your organisation, which systems are in scope, and which framework matters most to you, whether that is the Privacy Act 2020, NIST CSF, an insurer's questionnaire, a customer's due diligence request or, for suppliers to government, NZISM. You get a written scope and a fixed price before anything else starts.
Evidence and read-only access (week 1)
We send a short checklist covering policies, an org chart, and read-only access to the systems being reviewed, such as your Microsoft 365 or Google Workspace admin console. Nothing is installed on your network and no changes are made to production systems.
Technical and policy review (weeks 1 to 2)
Our team works through the six audit areas: governance, access, data protection, backup, incident readiness and vendor risk. Where useful, we run a non-disruptive external scan of internet-facing systems. This stage runs in the background and needs no ongoing input from you.
Interviews (1 to 2 sessions)
Short conversations with whoever manages IT day to day, whether that is an internal person or your outsourced provider, to confirm what the evidence shows and fill any gaps.
Findings workshop
Before the report is finalised, we walk your leadership team through the draft findings. This catches context we might have missed and means nothing in the final report is a surprise.
Report and 90-day roadmap
A written report with an executive summary for the board, detailed findings mapped to your chosen framework, and a prioritised list of fixes ranked by risk and effort, so you know what to do first with the budget and time you actually have.
Process at a glance
Total time from you
Around half a day across the scoping call, evidence handover and interviews for a typical engagement.
Disruption to systems
None. Access is read-only and any external testing is scheduled and non-disruptive.
Who needs to be involved
One decision-maker and whoever manages your IT, whether that is in-house or an outsourced provider.
Book the scoping call.
No obligation, and a written fixed-price quote follows within two working days.
Book an Audit