Services Global Taxation Deal Advisory (M&A) Risk & Governance GAAP / IFRS & Accounting Advisory Bookkeeping & CAS Outsourced Controller FP&A & Fractional CFO Markets United States United Kingdom Canada Australia New Zealand United Arab Emirates Saudi Arabia Qatar Kuwait Pakistan More Pakistan Taxation Calculators Insights Pay an invoice About Contact Book a call
Home/Services/Risk & Governance

Risk & Governance

SOX 404, internal audit, controls, audit readiness and governance frameworks built to withstand scrutiny.

What's included

The full scope, in plain English.

The complete list of what we can deliver under this line. Every item is a real service — tell us which you need.

SOX 404 & internal controls over financial reporting

Designing, documenting and testing the controls US-listed (and pre-IPO) companies must certify — scoped so the effort matches the risk.

Internal audit (outsourced / co-sourced)

A full internal audit function — plan, fieldwork, reporting — for companies that need the assurance without a department.

Audit-readiness assessments

A dry run before your external auditors arrive: reconciliations, support files and positions checked so the audit doesn't become an archaeology project.

Enterprise risk management

A practical risk register and response plan — the version a board actually uses, not a shelf document.

Policy & process design

Finance policies (delegation of authority, procurement, expense, close) and SOPs written for how your company actually works.

Fraud risk reviews

Segregation, access and payment-flow reviews that find the gaps before someone else does — plus support when something has already gone wrong.

Regulatory compliance mapping

The finance-relevant obligations in each market you operate in, mapped to owners and calendars so nothing is discovered late.

IT general controls coordination

The ITGC layer (access, change, backup) documented and tested in step with your financial controls.

Corporate governance reviews

Board structures, charters and reporting lines benchmarked and tightened — especially ahead of investment or listing.

Board & audit-committee reporting

Clear, decision-ready reporting packs for boards and audit committees, on a fixed cadence.

How we deliver

Process, tools & quality control.

01

Scoping & risk assessment

We agree which processes and controls matter — materiality first, checklists second.

02

Documentation

Narratives, flowcharts and control matrices in a format your auditors accept.

03

Testing

Design and operating-effectiveness testing with clearly stated samples and results.

04

Remediation & reporting

Gaps ranked by risk, with owners, deadlines and retest dates.

ToolsYour GRC tooling where it exists; otherwise structured workpapers your auditors can rely on.
TurnaroundPrograms are scheduled around your audit and reporting calendar.
Quality controlEvery conclusion traceable to tested evidence; nothing signed off that wasn't sampled.
Who it's for

Scaling and pre-IPO companies that need controls auditors trust, and established firms whose control environment has lagged their growth.

Pricing approach

Fixed fee per program phase (scoping, documentation, testing), sized to the number of in-scope processes.

What you get
  • Control matrices & process narratives
  • Test plans and results
  • Remediation tracker
  • Risk register
  • Board-ready reporting
Questions

Frequently asked questions

We're not listed — is SOX relevant to us? +
The full SOX regime only binds US-listed companies, but the underlying discipline — documented, tested controls — is exactly what acquirers, lenders and auditors look for at any size.
Will our external auditors accept your work? +
The documentation follows the standards external auditors use themselves, and we coordinate with them directly so reliance is agreed up front.
How disruptive is the testing? +
Most evidence is pulled from systems and shared folders; management time is concentrated in short, scheduled walkthrough sessions.
Can you fix the gaps you find? +
Yes — remediation design is part of the service, though we keep designer and tester roles separate so independence holds.
Do you sit on-site? +
Engagements run remotely by default with scheduled on-site phases where the work genuinely needs them.

Big 4 quality is closer
than you think.

See exactly what you'd save, then talk to a founding partner who can make it real.