Since it is your client's audit process then it's more of a hard requirement than something you can decide. You can always forward the charges to your client and present them with a list of third party vendors to pick from. Also, it will be these third parties's asses on the line if the site is penetrated later after deployment.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Since it is your client's audit process then it's more of a hard requirement than something you can decide. You can always forward the charges to your client and present them with a list of third party vendors to pick from. Also, it will be these third parties's asses on the line if the site is penetrated later after deployment.