Celebrating 25 Years of Excellence

Risk Advisory

Pragmatic risk advisory, built around your control environment.

CFGI’s Risk Advisory practice brings a strategy-first mindset to governance, risk, and compliance. SOX, IT Risk, ERM, ESG, and Internal Audit run under one practice leadership, delivered by senior practitioners who have sat in the auditor seat and the operator seat. Independent, audit-conflict free, and built to scale up or down with your business.

What we’re seeing in the risk landscape

Four forces reshaping the modern audit function.

Internal audit and SOX leaders are being asked to do more with less, against faster-moving risks, with talent that is harder to recruit and retain. Four shifts are showing up across nearly every Risk Advisory conversation we are in right now.

01

Audit is shifting from assurance to insight

The function is moving past pure compliance checking into business partnership: enterprise risk, ESG readiness, cyber, and strategic risk are all landing on internal audit’s plate. Stakeholders want value, not just opinions.

02

Talent and generational shifts are real

Smaller and mid-size companies feel it the most. Hiring, vetting, and retaining audit and SOX talent has become harder, and the skills demanded (cyber, data privacy, ESG) keep widening faster than the resume pool.

03

Speed of risk outpaces static methodologies

Cyber incidents, vendor failures, regulatory shifts, and ESG requirements move faster than traditional annual audit planning. The function has to react in real time, not defer to the next cycle.

04

SOX cost pressure keeps rising

Audit committees want quality and lower spend at the same time. The right answer is the “sustainable” quadrant on CFGI’s SOX Optimization Model: optimal balance between quality and cost of compliance.

How CFGI helps

Six capabilities. One Risk Advisory practice.

SOX, IT Risk, Enterprise Risk Management, ESG, Internal Audit, and Third-Party Risk all run under one practice with shared leadership. Engagements scale from a single test plan up to a fully outsourced Internal Audit function with a fractional Chief Audit Executive.

SOX Compliance

ICFR design, first-year SOX implementations, control testing, material weakness remediation, SOC-1 Type II reviews, and ongoing SOX 404(a) and 404(b) support.

IT Risk & Cybersecurity

IT General Controls, segregation of duties, identity and access management, cybersecurity risk assessments, data privacy compliance, and incident response readiness.

Enterprise Risk Management

Enterprise Risk Assessments, ERM program build and maturity benchmarking, fractional CRO support, and ongoing risk monitoring with KRI dashboards.

ESG & Sustainability

SEC, CSRD, and California ESG reporting, materiality assessments, greenhouse gas Scope 1, 2, and 3 mapping, ESG software selection, and disclosure controls.

Internal Audit

Full outsource and co-source of the IA function, fractional Chief Audit Executive, operational audits, Audit Committee reporting, and Third-Party / vendor risk reviews.

Strong Control Environment

  • SOX program design for emerging growth and accelerated filers
  • Risk and control matrices, narratives, and flowcharts
  • Material weakness remediation and audit committee reporting
  • SOC-1 Type II reviews and SOC issuance support
  • SOX 404(a) and 404(b) testing, full outsource or co-source

IT Risk & Cyber Resilience

  • IT General Controls, IT automated controls, IT dependencies
  • Segregation of Duties evaluation and access management
  • SOC 1 / SOC 2 readiness and ISO 27001 alignment
  • Cybersecurity risk and data privacy assessments
  • SDLC, system implementation, and incident response support

Audit-Ready Operations

  • Full IA outsource and co-source models
  • Fractional Chief Audit Executive for private companies
  • 7-step IA methodology from risk assessment to remediation
  • Operational audits with process improvement recommendations
  • Audit Committee decks and Management dashboards

Enterprise & ESG Risk

  • Enterprise Risk Assessments with quantitative scoring
  • ERM program build, maturity benchmarking, and KRI dashboards
  • ESG reporting for SEC, CSRD, California, ISSB, ESRSs
  • Materiality assessments and Scope 1, 2, 3 emissions mapping
  • Board training and ESG governance policy support

Sourcing model

Fully Outsourced

CFGI runs your entire SOX or Internal Audit function as a managed service. Rapid implementation, scalable cost structure, and access to subject matter expertise across cyber, ESG, ERM, and IT Risk in one team.

Best for: growth-stage and smaller to mid-size companies, IPO readiness, and acquisitions that need IA stood up fast.

Sourcing model

Co-Sourced

We augment your team with the niche skills that are hardest to recruit and retain. Pay for time on testing, not for downtime. Scale up at year-end, scale down through the rest of the year, and surge specialists in when an audit gets hot.

Best for: established IA functions that need cyber, ESG, SOX, or operational audit depth on demand.

Sourcing model

Fractional CAE

A fractional Chief Audit Executive who can set up the IA department from scratch, including charter, policies, and procedures, in a very short window. Concentrated experience: a fractional CAE has done the stand-up many more times than a typical IA Director hire.

Best for: private companies where a full-time CAE is not the right investment yet.

Why CFGI in Risk Advisory

Auditors and operators on the same team.

Our dedicated team members have experience as both auditors and members of Management, evaluating controls and executing them. That combination is why our recommendations work in the real operating environment, not just on paper.

Strategy first. Execution built in.

  • Sat in the seats: Senior practitioners with experience as CFOs, Controllers, CIOs, CTOs, CISOs, and CAEs across multiple industries. Empathetic, not theoretical.
  • External auditor coordination: Big-4 background means we know what your external auditors are looking for. Get ahead of hot-topic areas before they become findings.
  • One practice, full audit universe: Cyber, data privacy, ESG, ERM, SOX, IT Risk, and Internal Audit under one roof. No subcontracting to fill out the scope.
  • Flexible delivery: Outsource, co-source, fractional CAE, or a single project. Functional ownership stays in-house. Scale up at year-end, scale down between cycles.
  • No audit restrictions: CFGI is not an attestation firm. We can do this work alongside your auditor, with no independence conflict.

Where risk and audit teams get stuck

Six conversations every CFO and CAE is having right now.

Is our SOX program sustainable or cost-heavy?

Quality at unnecessary cost is one quadrant of CFGI’s SOX Optimization Model. Low cost that puts compliance at risk is another. Landing in the sustainable quadrant takes deliberate scoping, risk-based testing, and external auditor alignment.

Do we have the right audit sourcing model?

In-house, co-source, or fully outsourced. Each has clear strengths and trade-offs around cost, control, talent, and institutional knowledge. The right answer depends on budget, talent strategy, and leadership capacity, not on a one-size template.

Are we keeping up with cyber and data privacy risk?

A single intrusion can cost millions in downtime, response, identity protection, legal fees, and reputational harm. Cyber risk is now pervasive to SOX and the external audit, not a separate workstream.

Is ESG reporting going to be ready in time?

SEC, CSRD, California, ISSB, ESRSs, TCFD, Greenhouse Gas Protocol. The reporting matrix keeps expanding, and the data infrastructure most companies have was not designed for it. The gap shows up first in disclosure controls.

Where is segregation of duties actually broken?

SoD is a hot topic with auditors because the gaps are often hidden inside complex ERP role design. Insufficient SoD raises questions about the validity, accuracy, and reliability of every downstream financial statement assertion.

Can we stand up an IA function without a permanent CAE?

For many private companies, the answer is yes. A fractional Chief Audit Executive can build the department, write the charter, and run the cycles, with concentrated stand-up reps a typical IA Director candidate would not have.

What a CFGI Risk Advisory engagement covers

A practice built around the full audit universe.

6 capability areas: SOX, IT Risk, Enterprise Risk Management, ESG, Internal Audit, and Third-Party Risk run under one practice with shared leadership and one engagement contract.
7-step methodology: Risk Assessment, Walkthroughs, Control Matrix, Gap Listing, Remediation, Control Testing with IPE and SOC support, and Conclude. The same lifecycle runs every engagement.
4 audit phases: Planning, Fieldwork and Execution, Reporting, and Remediation. Each phase has named deliverables: project plan, test scripts, deficiency assessment, remediation plan, AC decks.
3 sourcing models: Fully Outsourced, Co-Sourced, or Fractional CAE. Picked based on budget, talent strategy, flexibility needs, and the leadership capacity actually available.

Inside a CFGI Risk Advisory engagement

Three engagement archetypes, told end to end.

Archetype 1

SOX program stand-up and remediation

First-year SOX or material weakness remediation

Scenario

A newly public company or recently uplifted filer needs to stand up its SOX program, or an established filer has identified a Material Weakness and the audit committee wants a remediation plan with named owners and dates.

Action taken

CFGI runs the SOX Optimization Model end to end. Materiality and scoping define key accounts and processes. Risk and control mapping identifies key risks by process and the key controls that mitigate them. Testing strategy then adjusts nature, timing, and extent to land in the sustainable quadrant.

Outcomes

  • Risk-assessed scope and a defensible materiality threshold for the audit year.
  • Risk and control matrices, narratives, and flowcharts ready for external audit reliance.
  • Remediation plan with named owners, milestones, and audit committee reporting cadence.
  • Sustainable program: quality external auditors can rely on, at a cost the company can carry.

Archetype 2

Internal Audit function build

Fractional CAE plus the 7-step IA methodology

Scenario

A growth-stage or private company needs an Internal Audit function but cannot justify a full-time Chief Audit Executive. The audit universe is wide and the in-house team is small.

Action taken

CFGI provides a fractional CAE who sets up the department, writes the charter and policies, and runs CFGI’s 7-step IA methodology. Functional ownership stays in-house.

Outcomes

  • Charter, policies, and procedures established within a short stand-up window.
  • Risk-ranked audit universe with multi-year plan approved by the Audit Committee.
  • 7-step methodology executed across cycles with named deliverables per phase.
  • Audit Committee reporting cadence and management dashboards in place.

Archetype 3

ERM program and ESG readiness

Enterprise Risk Assessment plus ESG disclosure controls

Scenario

The board wants a defensible view of the enterprise risk landscape and the company is approaching new ESG reporting obligations. The pieces exist in silos: risk register in one place, ESG data in another, controls undocumented.

Action taken

CFGI runs an Enterprise Risk Assessment using surveys, stakeholder interviews, and CFGI’s scoring methodology. In parallel, the ESG team runs a materiality assessment, maps Scope 1, 2, and 3 emissions data, drafts disclosure controls, and aligns to the relevant framework. The two workstreams share governance and reporting cadence.

Outcomes

  • Top enterprise risks with quantitative scores, owners, and KRI dashboards.
  • ERM governance policies, SOPs, and validation plan tied to the audit committee.
  • ESG materiality assessment and roadmap to compliance with named frameworks.
  • Disclosure controls and Scope 1, 2, 3 data mapping ready for external assurance.

Risk Advisory leadership

Talk to the partners who run CFGI’s Risk Advisory practice.

Elaina Coletta

Partner | SOX Program Oversight
11+ years of internal and external audit across financial services, biotech, manufacturing, and energy.

Brandon Potts

Managing Director | IA & ERM
15+ years across private companies, PE portfolios, and public companies. Internal audit, ERM, IPO, and SOX project leadership.

Xavier Sanchez

Managing Director | Risk Advisory, NY Metro
13+ years across business and technology audits, control design assessment, and process improvement.

New York Metro | xsanchez@cfgi.com

Ready to put your audit universe on the same page?

Start with a single SOX test plan, a co-source for year-end, a fractional CAE, or a full Internal Audit outsource. Same practice, sized to fit.
