ISQM 1 evaluation cycle ACTIVE lobal

FRC / PCAOB inspections 2026 PLANS FILED

SOCPA peer review UNDERWAY

PDPL fully enforceable — SAR 5M exposure

EU audit reform oversight RAMPING

IRBA, ICPAK, FRC Nigeria QR CYCLES LIVE

Audit firms live on falconry.one across 4 REGIONS

ISQM 1 evaluation cycle ACTIVE — global

FRC / PCAOB inspections 2026 PLANS FILED

SOCPA peer review UNDERWAY

EU audit reform oversight RAMPING

IRBA, ICPAK, FRC Nigeria QR CYCLES LIVE

Audit firms live on falconry.one across 4 REGIONS

Book a Demo
Book a Demo
CO-SOURCE · ENGAGEMENT TEAMS

The specialists your audit teams call when the client says "IT."

Audit firms are increasingly asked to opine on systems they don't run, controls they don't operate, and journal entries that flow through ERPs they didn't implement. Falconry's audit delivery team plugs into your engagement — under your firm's letterhead, your methodology, your QC review — and delivers the IT audit work that earns the opinion. Looking for vCISO, DPO, or SoQM cycle support inside your firm? See Managed services.

§01 · SCOPE

Three services we deliver under your engagement letter.

Audit firms are not technology firms. The talent market for Quality Partners, DPOs and CISOs is thin, and getting thinner. Some functions are easier to source as a service than to recruit, train, and retain.

Service · 01

IT general controls testing

The four ITGC domains, scoped to the financial assertions that depend on them. Tested every year you rely on the controls, walked through every year you don't.

  • Logical access — user provisioning, privileged access, segregation of duties
  • Change management — programme changes, emergency fixes, configuration
  • Computer operations — batch processing, backup & recovery, incident handling
  • Programme development — SDLC, testing, deployment, post-implementation review

Coverage: SAP · Oracle · MS Dynamics · cloud-native

Service · 02

Application controls testing

Automated and configurable controls embedded in the financial-reporting flow. Mapped to your assertions. Tested with evidence the inspector can follow.

  • Automated controls — calculations, validations, three-way matches, tolerance checks
  • Configurable controls — approval workflows, segregation of duties, posting rules
  • Interface controls — integrity between feeder systems and the GL
  • Reports & queries — the IPE that populates substantive testing

Calibrated to: your firm's audit methodology

Service · 03

Journal-entry testing

Risk-based JE selection, completeness reconciliations, period-end manual review. Built around your audit methodology's JE testing framework, not a one-size template.

  • Population completeness — reconciliation from GL to working trial balance
  • Risk-based selection — criteria-driven sampling tuned to fraud risk
  • Manual JE focus — period-end, top-side, override-prone entries
  • Documentation — selection rationale, testing results, exceptions tracked to disposition

Tools: IDEA · ACL · client-system extracts

§02 · HOW IT WORKS

Inside your engagement not next to it.

A four-step rhythm from scoping to deliverable. Falconry sits inside the engagement — under your firm's planning lead and Quality Partner. Working papers route through your firm's review trail.

STEP 01

Scope & methodology

Engagement-team kick-off. Risk discussion with your audit partner. Methodology alignment to your firm's audit manual — not ours.

STEP 02

Plan under your letter

Planning memo and testing strategy go through your firm's planning review. Independence declarations filed. Restricted entities checked.

STEP 03

Fieldwork & testing

Falconry team on-site or remote — your call. Daily check-ins with the engagement manager. Issues escalated through your engagement partner.

STEP 04

Deliver in your format

Working papers in your firm's working-paper structure. Reviewed by your audit team. Filed in your engagement file. Opinion is yours.

ERP & PLATFORM COVERAGE

SAP S/4 HANA

FICO · MM · SD · basis

Oracle Fusion

Cloud ERP · EBS · security

MS Dynamics

F&O · Business Central · BC365

NetSuite

Cloud ERP · access · SuiteCloud

Mid-market

QuickBooks · Sage · Xero · cloud

§03 · WHY FIRMS CALL

Three situations we hear most.

Each one is a real call from an audit partner. Each one is fixable inside the engagement — not by punting the work back to the client or by trying to hire IT auditors mid-cycle.

Situation · 01

We won the engagement, but we don't have IT audit bench depth in country.

In-region IT audit specialists. Across KSA, UAE, Cairo, Nairobi, Lagos and Johannesburg — our team works on-site or hybrid. CISA, CISSP, CRISC credentials. Native or fluent Arabic where needed.

Coverage · GCC + Africa
Situation · 02

Our IT audit specialist left mid-engagement.

Continuity team within five business days. Pick up the working papers, complete the fieldwork, hand back a finished file. We've done it for three firms in the last 18 months. Discreet, no client-facing handover.

Response · 5 business days
Situation · 03

Client is on SAP S/4 HANA — we don't have specialists.

ERP-specialist coverage. SAP S/4 HANA, Oracle Fusion, NetSuite, Dynamics F&O. Not just controls testing — we know the security model, the segregation-of-duties matrix, and the upgrade pitfalls.

Specialism · major ERPs
§04 · INDEPENDENCE

We operate inside your independence framework.

When we co-source IT audit work for your engagement, our team is part of your engagement team — and the same independence rules apply to us as apply to your firm's staff. IESBA Section 600, FRC Ethical Standard, SOCPA Code, IRBA Rules — all enforced through your firm's framework, with our compliance.

Declarations

Independence declarations filed with your firm at engagement-team formation, refreshed at year-end and on any changes.

Restricted entities

Falconry team checked against your restricted-entity register before any engagement. Conflicts surfaced at scoping, not on day three.

Non-audit services

Cooling-off periods enforced. If our team has provided consulting to a client recently, we don't accept the audit-side mandate — we tell you up front.

Rotation

Partner / specialist rotation tracked alongside your firm's rotation calendar where IT audit specialists are PIE-relevant.

§05 · COMMERCIAL

Three ways firms buy this.

Most firms start with the day-rate framework on a single engagement, then move to a fixed-fee or retainer once they've seen us work. We don't push.
Shape · 01

Day-rate framework

Per-day rates by grade (specialist / senior / manager / partner). Used for scoping unknowns and one-off engagements. Master services agreement signed once, drawn on per engagement.

Best for: first-time co-source, exploring fit

Shape · 02

Fixed-fee scoping

Once the work is known — a defined client, a defined ERP, a defined controls scope — we'll fix the fee. Firm gets predictability. We absorb scope-stable risk.

Best for: recurring annual engagements, known clients

Shape · 03

Annual retainer

For firms with a steady IT audit pipeline — multi-engagement, multi-client, multi-quarter. Dedicated pool of specialists, priority allocation, monthly drawdown.

Best for: mid-tier networks running 8+ engagements/year

NEXT STEPS

The 45-minute conversation
that pays for itself.

A live walkthrough of an ISQM 1 SoQM evaluation on the platform — against your firm's existing manual and inspection history. You see exactly what the partner view looks like, what the evidence pack contains, and what the 8-week deployment would mean for your cycle.

Book an ISQM 1 walkthrough