SOX Services

Building and Maintaining Strong Control Environments 

A robust internal control over financial reporting (ICFR) environment is crucial for accurate financial statements. If your company is subject to Securities and Exchange Commission (SEC) reporting requirements or planning an initial public offering (IPO), our team of experts can help your organization implement an age- and state-appropriate Sarbanes-Oxley (SOX) program. We have experience partnering with companies from the early stages of planning, implementation, and remediation to preparing the first 10-K, through experienced NASDAQ or NYSE listed filers. 

SOX Program Implementation and Uplift

Design of Internal Controls

We are a team of experts who routinely help new public companies or companies otherwise new to SOX design meaningful internal controls programs. Let us assist your organization in preparing for SOX. We can aid in all stages of SOX documentation, including risk assessment, risk and control matrices (RCM), narratives, flowcharts, and management’s testing of controls sufficient for SOX 404(a) purposes.

We can also assist in preparing operational documents, including policies, procedures, and standard operating procedures. Similarly, we have helped many companies uplift their existing controls documentation from AICPA standards to PCAOB standards to prepare for an IPO or other public offering event.

We have worked with emerging growth companies (EGC), smaller reporting companies (SRC), and non-accelerated filers. Our team also assists companies growing, evolving, and changing filer status to accelerated or large accelerated filers – which may result in an integrated audit and auditor attestation under SOX 404(b).

We have in-depth experience working with every Big 4 and national audit firm. This experience positions us to help companies navigate the additional scrutiny over controls documentation they may face as part of an integrated audit.

Internal Controls Implementation / Material Weakness Remediation

Often, gaps or deficiencies exist in the internal control environment. Newly public companies face numerous compliance requirements, along with challenges of limited staffing and technical expertise to implement controls. We routinely assist companies in putting in place realistic controls to mitigate risks and provide necessary coaching to control performers and reviewers to execute and document controls effectively.

When there are multiple significant deficiencies, they result in a Material Weakness (MW). Our team can help project manage the company’s MW remediation, from developing an MW remediation plan to implementing multiple controls, periodic audit committee status updates, and finally, testing of controls to demonstrate effectiveness.

A common MW we observe is a result of improper Segregation of Duties (SOD). We have a team of experts in the systematic evaluation of SOD who can further help organizations evaluate and navigate inappropriate roles that may result in deficiencies.

SOX Controls Testing
(full outsource or co-source)

To support Management’s Annual Report on Internal Control Over Financial Reporting in Section 9A of the Form 10-K, companies are required to demonstrate that Management has performed an evaluation of ICFR controls and deemed those controls effective.

Our team of professionals can partner with you to perform testing on behalf of the company either as a full outsource, where we manage the company’s entire testing program, or as a co-source, where we can test a portion of the company’s controls. Since CFGI is not an attestation firm, we can support your company with as much or as little help as you may need to meet your ICFR testing objectives.

SOC-1 Type II Reviews

While you can outsource the operations, you cannot outsource the risk. Companies are responsible for monitoring the controls of any third-party applications or service organizations they use. CFGI can help you review any System & Organization Control (SOC) report to evaluate the scope, its opinion, deficiencies, and all Complementary User Entity Controls (CUECs) and Complementary Subservice Organization Controls (CSOCs) to your key controls or those of subservice organizations, respectively. Likewise, if you are planning to issue a SOC-1 report to meet your customers’ SOX needs, our team of experts is ready to assist.

Connect With Our Leaders

Daniel Shafrir 

(857) 321-1539

Angela Barcelos

(508) 692-8788

Pajmon Bigdeliazari


Chris Trudeau

(401) 263-1596

Michael Morse

(603) 759-4463

Angela DePoy

(202) 412-0175

Ready To Get Started?

Ready To Get Started?