CFGI’s Risk Advisory practice brings a strategy-first mindset to governance, risk, and compliance. SOX, IT Risk, ERM, ESG, and Internal Audit run under one practice leadership, delivered by senior practitioners who have sat in the auditor seat and the operator seat. Independent, audit-conflict free, and built to scale up or down with your business.
Internal audit and SOX leaders are being asked to do more with less, against faster-moving risks, with talent that is harder to recruit and retain. Four shifts are showing up across nearly every Risk Advisory conversation we are in right now.
The function is moving past pure compliance checking into business partnership: enterprise risk, ESG readiness, cyber, and strategic risk are all landing on internal audit’s plate. Stakeholders want value, not just opinions.
Smaller and mid-size companies feel it the most. Hiring, vetting, and retaining audit and SOX talent has become harder, and the skills demanded (cyber, data privacy, ESG) keep widening faster than the resume pool.
Cyber incidents, vendor failures, regulatory shifts, and ESG requirements move faster than traditional annual audit planning. The function has to react in real time, not defer to the next cycle.
Audit committees want quality and lower spend at the same time. The right answer is the “sustainable” quadrant on CFGI’s SOX Optimization Model: optimal balance between quality and cost of compliance.
SOX, IT Risk, Enterprise Risk Management, ESG, Internal Audit, and Third-Party Risk all run under one practice with shared leadership. Engagements scale from a single test plan up to a fully outsourced Internal Audit function with a fractional Chief Audit Executive.
ICFR design, first-year SOX implementations, control testing, material weakness remediation, SOC-1 Type II reviews, and ongoing SOX 404(a) and 404(b) support.
IT General Controls, segregation of duties, identity and access management, cybersecurity risk assessments, data privacy compliance, and incident response readiness.
Enterprise Risk Assessments, ERM program build and maturity benchmarking, fractional CRO support, and ongoing risk monitoring with KRI dashboards.
SEC, CSRD, and California ESG reporting, materiality assessments, greenhouse gas Scope 1, 2, and 3 mapping, ESG software selection, and disclosure controls.
Full outsource and co-source of the IA function, fractional Chief Audit Executive, operational audits, Audit Committee reporting, and Third-Party / vendor risk reviews.
CFGI runs your entire SOX or Internal Audit function as a managed service. Rapid implementation, scalable cost structure, and access to subject matter expertise across cyber, ESG, ERM, and IT Risk in one team.
Best for: growth-stage and smaller to mid-size companies, IPO readiness, and acquisitions that need IA stood up fast.
We augment your team with the niche skills that are hardest to recruit and retain. Pay for time on testing, not for downtime. Scale up at year-end, scale down through the rest of the year, and surge specialists in when an audit gets hot.
Best for: established IA functions that need cyber, ESG, SOX, or operational audit depth on demand.
A fractional Chief Audit Executive who can set up the IA department from scratch, including charter, policies, and procedures, in a very short window. Concentrated experience: a fractional CAE has done the stand-up many more times than a typical IA Director hire.
Best for: private companies where a full-time CAE is not the right investment yet.
Our dedicated team members have experience as both auditors and members of Management, evaluating controls and executing them. That combination is why our recommendations work in the real operating environment, not just on paper.
Quality at unnecessary cost is one quadrant of CFGI’s SOX Optimization Model. Low cost that puts compliance at risk is another. The sustainable quadrant takes deliberate scoping, risk-based testing, and external auditor alignment to land in.
In-house, co-source, or fully outsourced. Each has clear strengths and trade-offs around cost, control, talent, and institutional knowledge. The right answer depends on budget, talent strategy, and leadership capacity, not on a one-size template.
A single intrusion can cost millions in downtime, response, identity protection, legal fees, and reputational harm. Cyber risk is now pervasive to SOX and the external audit, not a separate workstream.
SEC, CSRD, California, ISSB, ESRSs, TCFD, Greenhouse Gas Protocol. The reporting matrix keeps expanding, and the data infrastructure most companies have was not designed for it. The gap shows up first in disclosure controls.
SoD is a hot topic with auditors because the gaps are often hidden inside complex ERP role design. Insufficient SoD raises questions about the validity, accuracy, and reliability of every downstream financial statement assertion.
For many private companies, the answer is yes. A fractional Chief Audit Executive can build the department, write the charter, and run the cycles, with concentrated stand-up reps a typical IA Director candidate would not have.
A newly public company or recently uplifted filer needs to stand up its SOX program, or an established filer has identified a Material Weakness and the audit committee wants a remediation plan with named owners and dates.
CFGI runs the SOX Optimization Model end to end. Materiality and scoping define key accounts and processes. Risk and control mapping identifies key risks by process and the key controls that mitigate them. Testing strategy then adjusts nature, timing, and extent to land in the sustainable quadrant.
A growth-stage or private company needs an Internal Audit function but cannot justify a full-time Chief Audit Executive. The audit universe is wide and the in-house team is small.
CFGI provides a fractional CAE who sets up the department, writes the charter and policies, and runs CFGI’s 7-step IA methodology. Functional ownership stays in-house.
The board wants a defensible view of the enterprise risk landscape and the company is approaching new ESG reporting obligations. The pieces exist in silos: risk register in one place, ESG data in another, controls undocumented.
CFGI runs an Enterprise Risk Assessment using surveys, stakeholder interviews, and CFGI’s scoring methodology. In parallel, the ESG team runs a materiality assessment, maps Scope 1, 2, and 3 emissions data, drafts disclosure controls, and aligns to the relevant framework. The two workstreams share governance and reporting cadence.
Managing Partner | Risk Advisory
Leads CFGI’s Risk Advisory practice across SOX, IT Risk, ERM, ESG, and Internal Audit.
Partner | Risk Advisory Co-Lead
14 years of complex accounting advisory. Leads SOX and Internal Audit engagements.
Partner | IT Risk Advisory
Governance, risk, and compliance consulting. Experience across financial services, utilities, and technology.
Partner | SOX & Process Improvement
10+ years across multiple industries. Specializes in SOX implementations and process improvement.
Partner | SOX & ESG
Leads SOX readiness, control design assessment, and optimization.
Partner | SOX Program Oversight
11+ years of internal and external audit across financial services, biotech, manufacturing, and energy.
Managing Director | IT Risk & ESG
14+ years of IT consulting. Leads IT and SOX-related services and CFGI’s ESG readiness framework.
Managing Director | IA & ERM
15+ years across private companies, PE portfolios, and public companies. Internal audit, ERM, IPO, and SOX project leadership.
Managing Director | Risk Advisory, NY Metro
13+ years across business and technology audits, control design assessment, and process improvement.
Start with a single SOX test plan, a co-source for year-end, a fractional CAE, or a full Internal Audit outsource. Same practice, sized to fit.