Report the SOBs to the certifying agencies (Score 2, Interesting)
This is a very bad business model. In order to sell themselves to the clients, they generally need to have GIAC or CISSP certifications. Those certifying bodies have codes of ethics. What you have described does not fit into those general codes of ethics. If anyone representing the outsource firm is a CPA, CISA, or CIA (the accounting world certifications for this sort of work), they have broken a really basic ethical requirement.
This is followed more in the breach, but accounting firms that audit for security are not supposed to advise clients on how to fix the problems. The idea is that you cannot honestly audit a company for which you have provided or will provide other services. If they represented the work they did as a SAS 70 or other public assurance audit and then took over the jobs of people they assessed, they can be censured by any number of regulatory bodies.
The biggest problem today is that there are flocks of us security folks out of work. I have 10 yrs experience, but no CISSP or CISA, and am considered "too senior" for the jobs that don't require certs. Charitably, I assume that they are referring to me having opinions about process and procedures. Privately, I am less naive.