Essential Eight Audit

Your firm's security. Held to the highest standard.

Most accounting firms can't say with a straight face that their client data is properly protected. Worktopia fixes that. We're the Essential Eight consultants who work only with accounting firms, and we'll show you exactly where you stand before anyone else makes you find out.

Maturity Scorecard (sample)
ACSC Essential Eight · mid-size accounting firm
Application control: ML0
Patch applications: ML2
Office macro settings: ML1
User app hardening: ML1
Restrict admin privileges: ML0
Patch operating systems: ML2
Multi-factor authentication: ML3
Regular backups: ML2
Overall today: ML0 (set by the weakest controls)
Our target: ML2
Xero-fluent · Essential Eight-led · Curated for Australian accountants
One sensible baseline

Essential Eight security controls.

The Essential Eight is the same model the Australian Government holds its own agencies to, which tells you it's not a marketing gimmick. At Worktopia, alignment is the starting line, not an upsell we float six months in.

01
Application control
Only approved software runs, so malware can't just launch.
02
Patch applications
Apps kept current, closing the holes attackers look for.
03
Configure Office macros
Risky Microsoft Office macros blocked or tightly controlled.
04
User application hardening
Browsers and apps stripped of the features attackers abuse.
05
Restrict admin privileges
Admin rights limited to who needs them, and reviewed often.
06
Patch operating systems
Windows and devices updated on schedule, not "eventually".
07
Multi-factor authentication
A second factor on logins, the single biggest quick win.
08
Regular backups
Critical data backed up, isolated, and tested for recovery.
How it's scored

Four maturity levels. One honest picture.

Each control is rated against the ACSC Maturity Model, and your overall maturity is only as strong as your weakest control, which is exactly what the audit reveals. We work accounting firms toward Level 2 as standard.

ML0 · Exposed
Gaps an attacker could walk straight through. Where many firms quietly sit.
ML1 · Baseline
Defends against common, opportunistic attacks. A defensible floor.
ML2 · Strengthened (your target)
Stronger controls against deliberate, targeted attackers. Our standard for firms holding client data.
ML3 · Hardened
Resilient against adaptive, sophisticated adversaries.
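The scoring rule above, written out as an added example (this is not Worktopia's or the ACSC's tooling): each control carries a rating of ML0 to ML3, the overall rating is the lowest of the eight, and the roadmap is the set of controls still below the target. The ratings are the sample scorecard from this page; the effort weights are a constructed assumption, used only to show how a roadmap can be ordered by impact against effort.

```python
"""Weakest-link scoring for an Essential Eight scorecard (added example)."""

LEVELS = ("ML0", "ML1", "ML2", "ML3")

# Sample scorecard shown on this page (mid-size accounting firm).
SAMPLE_SCORECARD = {
    "Application control": "ML0",
    "Patch applications": "ML2",
    "Office macro settings": "ML1",
    "User app hardening": "ML1",
    "Restrict admin privileges": "ML0",
    "Patch operating systems": "ML2",
    "Multi-factor authentication": "ML3",
    "Regular backups": "ML2",
}

# Constructed relative effort per control (1 = quick win, 3 = multi-week
# project). An assumption for this example, not a figure from the page.
SAMPLE_EFFORT = {
    "Application control": 3,
    "Patch applications": 1,
    "Office macro settings": 1,
    "User app hardening": 1,
    "Restrict admin privileges": 2,
    "Patch operating systems": 1,
    "Multi-factor authentication": 1,
    "Regular backups": 2,
}


def level_index(level):
    """Map 'ML2' -> 2, rejecting anything outside the four defined levels."""
    if level not in LEVELS:
        raise ValueError(f"unknown maturity level: {level!r}")
    return LEVELS.index(level)


def overall_maturity(scorecard):
    """Overall maturity is the lowest rating across all eight controls."""
    if len(scorecard) != 8:
        raise ValueError("an Essential Eight scorecard rates exactly eight controls")
    return LEVELS[min(level_index(lvl) for lvl in scorecard.values())]


def gaps_to_target(scorecard, target="ML2"):
    """Levels each control still has to climb; controls at or above target are omitted."""
    t = level_index(target)
    return {c: t - level_index(l) for c, l in scorecard.items() if level_index(l) < t}


def roadmap(scorecard, effort, target="ML2"):
    """Order remediation by impact (levels gained) against effort, best ratio first.

    Ties are broken by the larger gap, then by control name, so the order is stable.
    """
    gaps = gaps_to_target(scorecard, target)
    return sorted(gaps, key=lambda c: (-gaps[c] / effort[c], -gaps[c], c))


def with_remediation(scorecard, fixes):
    """Return a copy of the scorecard with the given controls re-rated."""
    updated = dict(scorecard)
    for control, level in fixes.items():
        if control not in updated:
            raise KeyError(f"not an Essential Eight control: {control!r}")
        level_index(level)  # validate before writing
        updated[control] = level
    return updated


if __name__ == "__main__":
    print("overall today:", overall_maturity(SAMPLE_SCORECARD))
    for step, control in enumerate(roadmap(SAMPLE_SCORECARD, SAMPLE_EFFORT), 1):
        print(f"{step}. {control}")
    # Fixing one ML0 control leaves the overall rating at ML0 while another ML0 remains:
    partial = with_remediation(SAMPLE_SCORECARD, {"Restrict admin privileges": "ML2"})
    print("after admin-rights fix alone:", overall_maturity(partial))
```

The point the script makes is the one the audit makes: lifting seven controls does nothing to the headline rating while the eighth stays at ML0, so the roadmap has to start with the weakest controls, not the easiest ones.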
What we put a stop to

How firms get caught.

Most data breaches at accounting firms don't start with a clever hacker. They start with a shared password, an unmanaged laptop, or an account nobody bothered to lock down. We close those gaps.

Staff logging in from personal devices
Masked credentials and managed devices mean staff log in without ever seeing the password or taking it home.
Apps and systems left unpatched for months
Patching on a schedule shuts the known holes before anyone walks through them.
Macros running with nobody watching
We configure Microsoft Office macros to block the most common way malware gets in.
No record of who can access what
Restricted access and identity controls mean access is deliberate, logged, and reversible.
The practical entry point

What the audit covers.

A time-boxed, fixed-price audit that maps your firm against the Essential Eight, checks the wider posture around it, and leaves you a document you can act on, whether or not you ever sign with us.

Against the Eight
Scored to Level 2
How your firm measures up on each control, with the evidence behind every rating.
Essential Eight gap analysis
Every one of the eight controls rated against your environment, benchmarked to Maturity Level 2.
Prioritised remediation roadmap
The order to fix things in, ranked by effort against impact.
Findings report & debrief
A plain-English document, walked through with your practice manager and partners.
And the wider posture
Part of your defence, beyond the Eight
These sit outside the Essential Eight itself, but they're where accounting firms are most exposed, so we check them in the same audit.
Xero & app stack exposure
Shared logins, and the ability to sign in from anywhere, on any device.
Data sovereignty
Where your client data physically lives, and whether that's documented.
AI use
What staff paste into ChatGPT, Claude and Copilot, and what client data those tools are connected to.
How it runs

From hello to roadmap in about a week.

01
Scoping call
A quick 15 minutes so we understand your setup, size and tools.
02
Assessment
We review identity, devices, backups and configuration against all eight.
03
Findings & debrief
We walk you and your partners through the scorecard, in plain English.
04
Roadmap
You leave with a prioritised plan, yours to action, with us or without.
When your firm is aligned

What alignment actually gets you.

A straight answer on data security
When a client asks how their financial records are handled, you have a documented answer instead of a guess.
Insurance renewals stop being a gamble
Cyber insurers ask harder questions every year. A documented posture answers most of them before they're asked.
Breach exposure cut before it bites
Most reportable incidents are preventable. Closing the common gaps means fewer reasons to ever make that call.
One named owner for every risk
Not a responsibility passed around the office until it lands on whoever's nearest.
Why us

Most MSPs do the bare minimum. We go further.

Accountant-native expertise
We don't dabble in accounting; it's the industry we know best. Our team speaks XPM, SuiteFiles and workflow, so you're not translating your business for us.
One accountable partner
IT, ongoing Essential Eight managed services, and compliance under one roof. Your practice manager doesn't have to own any of it.
All-inclusive pricing
No line items, no surprise charges, no quarterly bill shocks. When we upgraded every client's email security this year, nobody got a bill.
Essential Eight compliance FAQ

Questions, answered plainly.

What is the ACSC Essential Eight?
Eight security controls developed by the Australian Signals Directorate and published through the Australian Cyber Security Centre. The Government holds its own agencies to it, a fair signal it's worth holding your firm to as well. It covers the basics that stop most breaches: patching, multi-factor authentication, access control and backups among them.
What is the Essential Eight Maturity Model?
It grades each control from Level 0 (not implemented, or implemented with gaps) to Level 3 (hardened against adaptive, targeted attacks). We work accounting firms toward Level 2 as standard, because that's the level that properly protects a firm holding client financial data.
Does the audit look beyond the Essential Eight?
Yes. Things like Xero and practice-management exposure, where your client data physically lives (data sovereignty), and what staff paste into ChatGPT, Claude and Copilot aren't Essential Eight controls in themselves, but they're part of your wider defence, so we review them in the same audit.
Where does my firm's client data live?
For accounting firms, data sovereignty matters: keeping client records in Australian regions with their location documented. The audit checks this and flags anything sitting somewhere it shouldn't.
Is the audit really no-strings?
Yes. It's fixed-price, and the report and roadmap are yours to keep and action however you like, with us, your current provider, or in-house. If you bring us on to handle it, the fee is credited.
How long does it take?
A few hours of our time and minimal disruption to yours, then a clear report and a debrief with your partners. Most firms are done inside a week.

One review. One report. Zero strings.

Most firms don't know whether they're exposed until something forces the question. Our Essential Eight Audit puts you in front of that: a few hours of our time, a clear report, and a roadmap you own outright.

Call 1300 856 912
Fixed-price, and fully credited back to you if you come on as a managed client.