About Stephen Alaekwe & Co
SAC supports organisations at the intersection of regulatory compliance, digital trust, assurance, cybersecurity resilience, and financial advisory — delivering outcomes that hold under scrutiny, not just under internal review.
SAC enables institutions to convert regulatory obligations into governance capability, operational confidence, and stakeholder trust.
Most organisations face a governance paradox: the obligations placed on them by the NDPA, the CBN, their auditors, and their boards require coordinated action across privacy, cybersecurity, financial governance, and institutional assurance — but the advisory market is structured around separate specialisms that rarely communicate.
Stephen Alaekwe & Co was established to address this precisely. SAC operates as a single, integrated advisory model — holding licences and accreditations across five disciplines simultaneously, so that the relationships between data protection obligations and cyber risk, between financial governance and independent assurance, and between regulatory compliance and board accountability are addressed in one coordinated engagement rather than across three separate advisory relationships.
The result is advisory that is structurally different, not just rhetorically integrated. Our NDPA work accounts for financial implications. Our cybersecurity assurance feeds directly into board governance. Our financial advisory is calibrated to regulatory scrutiny. Our training builds capability that reduces long-term advisory dependency.
SAC is not a firm that does compliance. SAC is a firm that builds the institutional infrastructure — governance frameworks, documentation standards, evidence disciplines, and board reporting structures — through which compliant operation becomes a sustainable organisational capability.
Organisations should understand exactly what their regulatory obligations require — not a general sense of compliance direction, but the specific provisions of the NDPA, GAID, CBN guidelines, and sector frameworks that apply to their processing activities and governance structures.
Compliance must be demonstrable — not merely asserted. Every SAC deliverable is structured to the documentation standard that NDPC inspectors, external auditors, and board scrutiny committees apply: timestamped, attributed, formatted, and retrievable.
The obligations placed on Nigerian institutions by the NDPA, CBN, and corporate governance frameworks are board-level obligations — not operational management tasks. SAC's work produces board-reportable outputs: dashboards, KPIs, governance frameworks, and audit committee briefings.
Compliance that is technically correct but commercially disconnected fails organisations at the decision-making layer. SAC's advisory is designed for how institutions actually operate — calibrated to sector context, leadership capacity, and the commercial consequences of regulatory exposure.
Documentation is not compliance. Evidence is.
Most organisations produce documentation that satisfies internal review. SAC produces evidence that satisfies external scrutiny. The distinction is not semantic — it is the difference between a compliance posture that holds under NDPC inspection and one that does not.
SAC designs compliance frameworks as evidence systems — structured so that every processing record, DPIA, breach log, and governance report can be retrieved, attributed, and presented under inspection without preparation time.
Compliance that depends entirely on external advisers is fragile. SAC builds the internal governance structures — board reporting frameworks, DPO operational workflows, compliance calendars, and assurance cycles — that make compliance self-sustaining between advisory engagements.
SAC's deliverables are designed to be operated by the client's own team after the engagement closes — templates, registers, workflows, and dashboards that build institutional muscle rather than creating perpetual advisory dependency.
The NDPC's inspection framework does not distinguish between organisations that were compliant last year and those that are compliant today. SAC builds continuous compliance infrastructure — not a posture that degrades between annual audit cycles.
SAC's credentials are not marketing claims. Each is a current licence, accreditation, or professional certification issued by a named regulatory authority — with a reference number, an issuing body, and ongoing obligations that SAC meets and upholds. Every credential on this list is verifiable with its issuing body.
Licensed by the Nigeria Data Protection Commission under Section 33 of the NDPA 2023. Authorises SAC to deliver data protection advisory, audit, and compliance services — and to file Compliance Audit Returns with the NDPC on behalf of data controllers and processors.
Accredited by the Institute of Information Management (IIM) Africa and recognised by the NDPC as an Authorised Training Organisation for the IIM Certified Data Protection Officer (CDPO) programme. Graduates receive an IIM qualification — verifiable with IIM Africa and recognised by the NDPC for DPO registration.
Certified by ISACA as a Digital Trust Ecosystem Framework Adoption Facilitator and Trainer. Authorises delivery of DTEF assessments across all seven trust domains — Trustworthy Behaviour and Capability, Governance, Operations, Technology and Architecture, Ecosystem, Assurance and Transparency, and Ethics. Nigeria's only currently certified DTEF Facilitator in professional advisory services.
Financial advisory practice led by Fellows of the Institute of Chartered Accountants of Nigeria, registered with the Financial Reporting Council of Nigeria. FRCN registration is a legal requirement for signing financial reports in Nigeria. FCA designation requires examination, experience, and continuing professional development.
Principal-level CISA certification — the global standard for information systems audit and assurance professionals. Authorises IS audit, assurance, and control engagements at the governance layer. Verifiable with ISACA International.
Privacy solutions engineering certification — applied to technical NDPA compliance architecture, data protection by design implementations, and privacy-preserving systems. Verifiable with ISACA International.
Sir Stephen Ifeanyi Alaekwe is a Fellow Chartered Accountant, information systems assurance professional, and one of Nigeria's most credentialled practitioners at the convergence of digital trust, data protection, cybersecurity governance, and financial advisory.
He founded Stephen Alaekwe & Co to fill the structural gap in Nigeria's professional services market — the absence of an advisory firm that held both the regulatory licences and the disciplinary depth to address the full scope of institutional accountability obligations that Nigerian boards and regulated entities now face.
As an NDPC-Licensed Data Protection Compliance Organisation principal, he oversees the delivery of NDPA compliance programmes, Compliance Audit Returns, DPO enablement, and privacy governance frameworks. As Nigeria's ISACA DTEF Certified Facilitator, he leads digital trust maturity assessments and board governance programmes across all seven DTEF trust domains. As an FCA-credentialled financial advisory principal registered with the Financial Reporting Council of Nigeria, he provides financial governance advisory, transaction due diligence, and capital structuring support.
His approach to advisory is institutional in orientation — designed for the governance layer, structured for board reporting, and calibrated for the documentation standard that regulators apply rather than the standard that internal teams are comfortable with. He does not delegate the engagements he leads.
“Trust is not assumed at Stephen Alaekwe & Co. It is demonstrably earned — through credentials that are verified, delivery that is senior-led, and outcomes that hold under the scrutiny of regulators, boards, auditors, and the organisations we serve.”
Stephen Ifeanyi Alaekwe FCA · CISA · CDPSE — Lead Consultant & CEO, SAC
Every SAC engagement follows the same disciplined sequence — from diagnostic to defensible. The output of each stage is the input to the next. No stage is skipped; no deliverable is issued without senior review.
A structured 20-minute conversation with a named SAC principal — identifying the specific regulatory exposure, governance gap, and institutional context before any engagement is scoped.
A scoped proposal delivered within three business days — naming the deliverables, timeline, credential authority for each element, and the evidence standard each output will meet.
Senior-led programme delivery — the same named practitioner who scoped the engagement leads the implementation. No hand-off to junior teams after the first meeting.
Deliverables structured to NDPC inspection, board reporting, and external audit standards — formatted, timestamped, attributed, and retrievable without preparation time.
Senior quality assurance review before every deliverable is issued. Board-level executive summary and technical detail pack produced as standard. Independent assurance available where required.
SAC engagements begin with a 20-minute diagnostic call — with a named senior principal, no screening, no sales process. The diagnostic is the first stage of the methodology, not a pre-sales activity. It is substantive, specific, and produces a clear view of what the engagement requires.
If you have read this far, you are conducting due diligence on SAC as a potential adviser. The next step is a 20-minute conversation with a named senior principal — substantive, specific, and at no obligation.