Six months.
From boutique to audit-ready.
How a 28-person Calgary specialty completions firm built professional operational foundations in six months to satisfy a Middle Eastern national operator’s vendor compliance framework - and turned the foundations into a permanent platform for international growth.
FOR: Operators · 20–50 people · international vendor compliance window
Quick answer
A 28-person Calgary specialty completions firm had six months to build professional operational foundations that would satisfy a Middle Eastern national operator's vendor compliance framework. Identity, accounting platform, cyber baseline, backup integrity, documented procedures - the full audit-ready stack - built in six months and turned into a permanent platform for international growth. The contract closed. The foundations stayed.
A 28-person Calgary specialty firm with a transformative international contract.
28 people. A specialty completions firm with a proprietary technique that produced measurably better fracture efficiency. Calgary-headquartered. Had just signed a multi-year deployment contract with a Middle Eastern national oil company - a contract that would more than triple revenue over twelve months and would activate audit clauses that the company’s current systems were not ready for.
The CEO of the company - we will call her Priya, though she could have been any of the founder-CEOs we have worked with through this exact moment - called us in late January. She had spent eight months negotiating a deployment contract with the technical procurement team of a state-controlled operator. The contract was signed three weeks before she called us. Mobilization to the deployment region was supposed to start in eight months. The first audit review under the contract was scheduled for month six.
The contract was transformative. The annual contract value alone was larger than the company’s previous three years of revenue combined. The technical work was a strong fit for the team. The financial structure was favorable. The audit clause was the part that was keeping Priya up at night. The counterparty’s vendor compliance framework required documented controls across cyber, data handling, identity, financial integrity, and cross-border data residency - a framework that was standard for Middle Eastern national operators but that the company had never had to satisfy before.
The company’s operational reality was Cloud-Only by accident rather than by design. Microsoft 365 for everything. QuickBooks Online for accounting. Personal laptops and phones, almost no company-issued devices. No on-site servers. No file servers. No formal IT setup at all. They had been small enough that none of it had been necessary. The previous three years of growth had not changed the operational footprint, because the work was being done in the field and the office work was simple enough to handle in M365 and QuickBooks.
The new contract changed everything. Priya knew it. Her CFO knew it. The team in the field did not yet know it. Priya’s question to us was: “How do I build a real operational backbone in six months without breaking the company we already have?”
Six months. Foundations the company had never needed. International audit at the end.
The audit clause specified controls in five categories. Working through it with the counterparty’s vendor compliance team, the requirements broke down as follows:
- Cyber baseline. A specific list of controls roughly equivalent to the 12 we cover in The Operating System Chapter 6, but with documentation requirements specific to international vendor compliance frameworks. The company met three of the controls. Twelve more were required.
- Identity and access management. Documented onboarding, offboarding, role-based access, and quarterly access reviews. The company had been operating on first-name-basis trust because everyone knew everyone. That was about to stop being sufficient.
- Financial system integrity. QuickBooks Online was not going to satisfy the counterparty’s audit requirements for a contract of this size. They would need a mid-tier oil and gas accounting platform with documented controls, segregation of duties, and audit trail.
- Cross-border data residency. The deployment country had specific requirements about where certain types of operational data could be stored and who could access it. Not just “in the cloud” - specifically which cloud, in which region, with what access controls.
- Documented operational runbooks. Written procedures for every critical operational process, signed by named owners, with version control and quarterly review. The company had been running on tribal knowledge. That had worked for 28 people. It would not work for the audit.
The constraint that mattered most was time. The team was about to be in field deployment mode for most of the year. The window to build the foundations was the next six months, while everyone was still in the office and could be pulled into design conversations. After that, every required hour of senior-team attention would compete directly with operational delivery in the field.
The transformative contract scenario covered in Chapter 10 of The Operating System applies to roughly one in five boutique specialists at this size range. The trigger is usually a customer asking the boutique to do something the boutique has not had to do before - satisfy a vendor compliance framework, pass a SOC-type audit, or meet documentation requirements that scaled customers take for granted. The audit clause is rarely the obstacle the contract negotiation focuses on. It is the obstacle the operation will spend six to nine months solving.
For Canadian boutique specialists pursuing international contracts, the audit requirements typically include cross-border data handling considerations that domestic-only operators do not face. Where the data lives, who can access it, what jurisdiction’s privacy law applies, what the counterparty’s home regulator requires - these are operational questions, not just legal ones. Getting them right requires an IT partner with cross-border operational footprint, not just legal counsel.
A Fractional engagement, sequenced in six monthly milestones.
Vencer engaged at the Fractional tier - appropriate for the company’s size, with project work layered on top to handle the audit-readiness build. The Fractional baseline covered ongoing identity hygiene, security monitoring, and quarterly business review. The project work covered the foundations build itself. We structured the six months as six sequential monthly milestones, each one ending with a deliverable that the counterparty’s compliance team would be able to verify.
Month 1 - foundations of the foundations.
The first month was about getting the basics in place that everything else would build on. Enforced multi-factor authentication across the entire company (the requirement to confirm a sign-in with a code from a phone or app). Documented onboarding and offboarding procedures, signed by Priya and the operations lead. A written incident response plan covering who gets called, what gets shut down, who tells the counterparty. Boring work. Critical work. None of it was hard. All of it was overdue.
Month 2 - the accounting platform decision.
QuickBooks Online was not going to satisfy the audit. The question was which mid-tier oil and gas accounting platform would. We ran a structured evaluation of PakEnergy, WolfePak, and OGSYS against the specific requirements of the contract - including the cross-border data residency considerations. PakEnergy was the right answer for this specific company because of how its data architecture handled multi-jurisdiction work, and because of the strength of its audit trail features. The CFO had not seen any of these platforms before; we put her in front of demos with all three before the decision was made. Implementation kickoff happened in month three.
Month 3 - cyber baseline lift and cross-border data architecture.
The cyber work happened in parallel with the accounting platform implementation. SentinelOne for endpoint protection across all company-issued and personally-owned-but-work-used devices. Proofpoint for email phishing protection. Real 24/7 monitoring through our Singapore and Calgary operations - which mattered specifically for this contract because the Singapore team’s time zone matched the deployment region’s operational hours. When the team was in the field, the monitoring coverage was happening in the time zone where the field work was happening.
The cross-border data architecture was the work that required the most specialized attention. We mapped which categories of data the contract would generate, where each category needed to live, who could access it under what conditions, and how to demonstrate compliance during an audit. The mapping document ran 23 pages. The counterparty’s compliance team reviewed it in month four and approved it without amendments. Priya told us later that single document was what convinced the counterparty’s senior compliance officer that the company was ready to be a real vendor.
Month 4 - PakEnergy implementation and identity rebuild.
PakEnergy implementation completed in month four. The CFO had been training on it through the configuration period, so the transition from QuickBooks Online was less disruptive than it might have been. We rebuilt the Microsoft 365 setup with proper role-based access tied to the new accounting platform’s segregation-of-duties requirements. The number of people with top-level administrator access dropped from five to two, both of which now had documented secondary controls.
Month 5 - backups, runbooks, and the audit-prep dry run.
The Cloud-Only environment had been relying on Microsoft 365’s default retention as if it were a backup. It is not. We deployed Veeam Backup for Microsoft 365 (Veeam is a 2025 Gartner Magic Quadrant Leader) with immutable cloud storage in a region that satisfied the contract’s data residency requirements. We also wrote the operational runbooks: every critical process, who owned it, what version was current, when the next review was due.
At the end of month five, we ran an internal audit-prep dry run. Our team simulated the counterparty’s auditor. We walked through every control category, requested documentation, tested response times, and identified gaps. The dry run found four issues we had not anticipated. Three were paperwork problems - documentation that existed but was not formatted the way the auditor would expect. One was a real gap in how we had structured a specific access control. All four were resolved before month six.
Month 6 - the real audit.
The counterparty’s audit team arrived in Calgary in early August. The audit ran four days. The findings document was issued ten days after the audit ended. The findings showed zero material issues and two minor recommendations, both of which the company implemented within thirty days. The contract’s deployment phase activated on schedule. The first field crew mobilized to the deployment region the following month.
Audit passed. Contract delivering. Foundations now permanent.
Before and after.
The moment it mattered.
The moment that mattered was not the audit itself. It was a phone call Priya took from the counterparty’s senior compliance officer in month four, after the cross-border data architecture document had been submitted. The officer wanted to walk through one specific clause. The conversation lasted thirty-five minutes. By the end of the call, the officer had told Priya that the company’s readiness was higher than most of the vendors his team typically reviewed at this stage.
Priya called us immediately after. She told us that, until that phone call, she had been operating on faith that the work would be sufficient. After the call, she had evidence that it was. The remaining two months of preparation work were the same work she had been doing for the previous four months - but she was doing them with the confidence that comes from external validation, not just internal hope.
The contract is now in its second year of deployment. The company has won two additional international contracts on the strength of the operational backbone built during this engagement, in jurisdictions whose vendor compliance frameworks the foundations also satisfy.
The work covered in Chapter 10 of The Operating System - building professional operational foundations under the pressure of a transformative new contract - applies to roughly one in five boutique specialists at this scale. The contracts that trigger this scenario tend to come with documentation, audit, and counterparty-compliance requirements that the boutique has never had to satisfy before. For Canadian boutiques pursuing international contracts specifically, those requirements include cross-border data residency and jurisdictional access considerations that domestic-only counterparties do not impose.
The Fractional engagement model is structurally well-suited to this scenario because the boutique typically does not need a full-time IT department - it needs targeted depth at specific moments. Vencer’s cross-border operational footprint (Calgary plus Singapore plus four continents of delivery) is what makes the cross-border data architecture work in practice rather than in theory. For boutique specialists with international growth ambitions, the foundations built during the first transformative contract become the platform on which every subsequent international contract is won.
Does this story sound familiar?
The pattern in this case study has played out across dozens of Canadian oil and gas companies in the 10 to 100 person range. If you recognize parts of it in your own operation - or you suspect you might - the next step is a structured conversation with a Vencer engineer.
The IT-and-the-Cycle Assessment is a 3 to 5 day structured review of your specific operational situation. We pressure-test where your IT stands today, where it needs to be for what you intend to become, and what one bad day looks like at current state. You leave with a written report, a 90-day plan, and named owners. No hype. No vendor pitch. Just the truth about where you are and what to do next.
For a faster diagnostic, three free tools at vencergroup.com cover the same territory in less time: the Hidden IT Cost Calculator (12 minutes, quantifies your IT cost burden across three price-cycle scenarios), the Cyber Risk Self-Score (5 minutes, scores your cyber baseline against 12 critical controls), and the IT Myth-Buster sheet (the seven objections you’ll hear from inside your own company and how to think about them).
Vencer operates from Calgary headquarters with delivery teams across four continents. For Canadian-headquartered operators with international exposure - whether that means US basin extension, international service contracts, cross-border M&A, or international counterparties with their own cyber and audit requirements - the cross-border operational capability is built in, not bolted on.
Calgary, AB T2P 3J4
insights@vencergroup.com
One operator's outcome. Your situation has different variables. These numbers are real; the applicability to your operation requires conversation. The 30-min review is where that starts.
→ Book the 30-min review