ISQM 1 evaluation cycle ACTIVE lobal

FRC / PCAOB inspections 2026 PLANS FILED

SOCPA peer review UNDERWAY

PDPL fully enforceable — SAR 5M exposure

EU audit reform oversight RAMPING

IRBA, ICPAK, FRC Nigeria QR CYCLES LIVE

Audit firms live on falconry.one across 4 REGIONS

ISQM 1 evaluation cycle ACTIVE — global

FRC / PCAOB inspections 2026 PLANS FILED

SOCPA peer review UNDERWAY

EU audit reform oversight RAMPING

IRBA, ICPAK, FRC Nigeria QR CYCLES LIVE

Audit firms live on falconry.one across 4 REGIONS

ISQM 1 evaluation cycle ACTIVE lobal

FRC / PCAOB inspections 2026 PLANS FILED

SOCPA peer review UNDERWAY

PDPL fully enforceable — SAR 5M exposure

EU audit reform oversight RAMPING

IRBA, ICPAK, FRC Nigeria QR CYCLES LIVE

Audit firms live on falconry.one across 4 REGIONS

ISQM 1 evaluation cycle ACTIVE — global

FRC / PCAOB inspections 2026 PLANS FILED

SOCPA peer review UNDERWAY

EU audit reform oversight RAMPING

IRBA, ICPAK, FRC Nigeria QR CYCLES LIVE

Audit firms live on falconry.one across 4 REGIONS

The Platform

Twenty-one modules. One governance spine.

falconry.one isn't three products lashed together. It's one system, with one data model, one identity layer, one evidence repository — and three connected workspaces for the three jobs partners actually need to do. Below: every module, what it replaces, and where it lives in the stack.

production modules

regional builds

to first live engagement

0 wks

SYSTEM ARCHITECTURE

One data model, three workspaces

Govern · Quality & Independence

Protect · Risk, Cyber & Data

Perform · Performance & Economics

falconry.one governance spine — evidence, identity, audit trail

Integrations layer · practice mgmt · HR · email

Regional residency · GCC · UK · EU · Africa

Built once. Localised per market. ISO 27001-aligned. Every action evidenced; every export inspector-ready.

§01 / PILLAR · GOVERN

Quality & Governance the spine of ISQM 1.

The eight components of an ISQM 1 SoQM evaluation, the ISQM 2 EQR workflow, IESBA-aligned independence, AML / UBO client acceptance, CPD compliance and root-cause remediation — all running off one evidence repository. Refreshable continuously, not rebuilt annually.

09

modules in this pillar

01.01 · GOVERN

ISQM 1 SoQM evaluation

All eight components. Risk-based assessment, control mapping, deficiency identification and partner sign-off — refreshable across the cycle, not just at year-end.

01.02 · GOVERN

Engagement quality review (EQR)

The ISQM 2 workflow your reviewers actually want to use. Threshold rules, file routing, reviewer notes, partner response, sign-off audit trail — embedded, not bolted on.

01.03 · GOVERN

Independence monitoring

Partner and staff confirmations, restricted entity register, prohibited services screening, and personal-relationship declarations — live, monitored, and auto-flagged.

01.04 · GOVERN

Client acceptance & continuance

AML / UBO checks, sanctions screening, conflict review, ethical-fit scoring, and continuance reassessment. The full pre-engagement file, structured and timestamped.

01.05 · GOVERN

CPD & learning compliance

Course tracking against ICAEW, ACCA, SOCPA, IRBA and ICPAK requirements. Personal CPD wallet per professional, firm-wide rollups, exception alerts before institute deadlines.

01.06 · GOVERN

Root cause analysis & remediation

Inspection findings, internal review observations, EQR matters — captured, themed, root-cause-coded, and tracked through to remediation evidence. The piece firms most often skip.

01.07 · GOVERN

Cold file review & archival

Internal cold review programme management, archival deadline enforcement, and the file-status register that survives partner turnover and inspection cycles alike.

01.08 · GOVERN

Firm-level monitoring & SoQM dashboard

The Quality Partner's standing view of the SoQM — component status, deficiency trend, remediation aging, and the partner-level evidence log. The screen the inspector eventually asks for.

01.09 · GOVERN

Network firm reporting

For audit firms inside an international network — the upward reporting cycle: quality data, independence confirmations, methodology compliance. Mapped to the network's template, exported on schedule.

§02 / PILLAR · PROTECT

Risk, Cyber & Data the bar that regulators set.

Audit firms hold concentrated client financial, personal and transactional data — and partners now carry personal liability. The Protect pillar covers enterprise risk, data protection across GDPR / PDPL / POPIA / UK DPA, breach notification, cyber control attestation, and third-party risk in one register.

06

modules in this pillar

02.01 · PROTECT

Enterprise risk register

The firm-wide risk register your audit committee reviews — operational, regulatory, strategic, financial. Linked to controls, owners, treatments, and quarterly partner sign-off.

02.02 · PROTECT

Data protection programme

Records of processing, lawful-basis register, DPIA library, data-subject rights workflow, and consent ledger — one programme, regional rules engine, every applicable law.

02.03 · PROTECT

Incident response & breach

Incident triage, severity scoring, regulator-specific notification timers (72-hour where applicable), client comms templates, and post-incident root cause feeding RCA.

02.04 · PROTECT

Cyber control framework

Control library mapped to ISO 27001, NIST CSF, NCA ECC, NCSC CAF and SAMA CSF. Attestation cycles, evidence collection, deficiency tracking — the cyber spine of the SoQM.

02.05 · PROTECT

Third-party & vendor risk

Outsourced provider register, due diligence workflow, risk scoring, contract evidence, periodic reassessment. Includes service organisation reliance and SOC report tracking.

02.06 · PROTECT

Regulatory change monitoring

Live regulatory horizon scanning across every market the firm operates in. Issuer-tagged, partner-routed, with impact triage and adoption deadline tracking.

§03 / PILLAR · PERFORM

Performance & Efficiency the view partners check.

Engagement health, WIP, recovery, utilisation, partner KPIs, staff calibration — the practice-management view that sits next to the quality view, not in another system. Includes localised workforce compliance for KSA Nitaqat, UK CIPD, and Africa labour regulators.

06

modules in this pillar

03.01 · PERFORM

Engagement monitoring & WIP

Live engagement health: budget vs. actual, partner-level WIP, recovery trajectory, milestone slippage, write-off risk. The number partners check before they pour the coffee.

03.02 · PERFORM

Time capture & approvals

Native timesheet with engagement codes, mobile capture, manager approval, and a rules engine for chargeability and recovery thresholds. Connected to engagement WIP, not parked beside it.

03.03 · PERFORM

Resource planning & utilisation

Capacity heatmaps across grades and partners, conflict resolution between engagements, utilisation forecasts and resourcing decisions evidenced for the SoQM resources component.

03.04 · PERFORM

Partner / leadership dashboards

The single Monday-morning view: quality, risk, WIP, recovery, people. Configurable per partner, exportable to board pack format. No second login, no second system.

03.05 · PERFORM

Staff performance & calibration

The performance-evaluation workflow ISQM 1 actually requires: evidence of feedback, calibration meetings, quality-linked promotion criteria, and partner pool reviews — recorded.

03.06 · PERFORM

Workforce compliance localisation

Saudi Nitaqat tracking, UK right-to-work, GCC residency rules, African work-permit registers, and IFAC member-body professional licensing — wherever the firm operates.

FOUNDATION

Built like the firms it serves.

Audit firms run on evidence. So does the platform underneath them. Below — the technical posture firms ask about during procurement, before the legal review.

01 · SECURITY

ISO 27001-aligned

Information security management aligned to ISO 27001. SOC 2 Type II in progress. Penetration tested quarterly by an external firm.

02 · DATA RESIDENCY

Regional, by default

Data resident in your region, not shipped to a single global cluster. KSA, UAE, UK, EU and South Africa availability today.

03 · INTEGRATIONS

Wired into your stack

Open API, native connectors to the practice-management, HR and identity systems audit firms actually use.

LANGUAGES & UI

Bilingual where it counts

Arabic and English first-class interfaces. Localised regulator terminology — not machine-translated.

INTEGRATIONS

Doesn't replace your stack connects to it.

Most firms have a practice-management system, an HR platform, an identity provider and an email tenant. falconry.one is designed to read from all four and to be the single layer above them — the governance OS that sits where the audit committee actually looks.

Practice mgmt

Identity & access

HR & people

Document & collab

Risk & cyber feeds

Comms & alerts

§06 / NEXT STEPS

The 45-minute conversation
that pays for itself.

A live walkthrough of an ISQM 1 SoQM evaluation on the platform — against your firm's existing manual and inspection history. You see exactly what the partner view looks like, what the evidence pack contains, and what the 8-week deployment would mean for your cycle.

The Platform

Twenty-one modules. One governance spine.

falconry.one isn't three products lashed together. It's one system, with one data model, one identity layer, one evidence repository — and three connected workspaces for the three jobs partners actually need to do. Below: every module, what it replaces, and where it lives in the stack.

§01 / PILLAR · GOVERN

Quality & Governance the spine of ISQM 1.

The eight components of an ISQM 1 SoQM evaluation, the ISQM 2 EQR workflow, IESBA-aligned independence, AML / UBO client acceptance, CPD compliance and root-cause remediation — all running off one evidence repository. Refreshable continuously, not rebuilt annually.

09

ISQM 1 SoQM evaluation

All eight components. Risk-based assessment, control mapping, deficiency identification and partner sign-off — refreshable across the cycle, not just at year-end.

Engagement quality review (EQR)

The ISQM 2 workflow your reviewers actually want to use. Threshold rules, file routing, reviewer notes, partner response, sign-off audit trail — embedded, not bolted on.

Independence monitoring

Partner and staff confirmations, restricted entity register, prohibited services screening, and personal-relationship declarations — live, monitored, and auto-flagged.

Client acceptance & continuance

AML / UBO checks, sanctions screening, conflict review, ethical-fit scoring, and continuance reassessment. The full pre-engagement file, structured and timestamped.

CPD & learning compliance

Course tracking against ICAEW, ACCA, SOCPA, IRBA and ICPAK requirements. Personal CPD wallet per professional, firm-wide rollups, exception alerts before institute deadlines.

Root cause analysis & remediation

Inspection findings, internal review observations, EQR matters — captured, themed, root-cause-coded, and tracked through to remediation evidence. The piece firms most often skip.

Cold file review & archival

Internal cold review programme management, archival deadline enforcement, and the file-status register that survives partner turnover and inspection cycles alike.

Firm-level monitoring & SoQM dashboard

The Quality Partner's standing view of the SoQM — component status, deficiency trend, remediation aging, and the partner-level evidence log. The screen the inspector eventually asks for.

Network firm reporting

For audit firms inside an international network — the upward reporting cycle: quality data, independence confirmations, methodology compliance. Mapped to the network's template, exported on schedule.

§02 / PILLAR · PROTECT

Risk, Cyber & Data the bar that regulators set.

06

Enterprise risk register

The firm-wide risk register your audit committee reviews — operational, regulatory, strategic, financial. Linked to controls, owners, treatments, and quarterly partner sign-off.

Data protection programme

Records of processing, lawful-basis register, DPIA library, data-subject rights workflow, and consent ledger — one programme, regional rules engine, every applicable law.

Incident response & breach

Incident triage, severity scoring, regulator-specific notification timers (72-hour where applicable), client comms templates, and post-incident root cause feeding RCA.

Cyber control framework

Control library mapped to ISO 27001, NIST CSF, NCA ECC, NCSC CAF and SAMA CSF. Attestation cycles, evidence collection, deficiency tracking — the cyber spine of the SoQM.

Third-party & vendor risk

Outsourced provider register, due diligence workflow, risk scoring, contract evidence, periodic reassessment. Includes service organisation reliance and SOC report tracking.

Regulatory change monitoring

Live regulatory horizon scanning across every market the firm operates in. Issuer-tagged, partner-routed, with impact triage and adoption deadline tracking.

§03 / PILLAR · PERFORM

Performance & Efficiency the view partners check.

Engagement health, WIP, recovery, utilisation, partner KPIs, staff calibration — the practice-management view that sits next to the quality view, not in another system. Includes localised workforce compliance for KSA Nitaqat, UK CIPD, and Africa labour regulators.

06

Engagement monitoring & WIP

Live engagement health: budget vs. actual, partner-level WIP, recovery trajectory, milestone slippage, write-off risk. The number partners check before they pour the coffee.

Time capture & approvals

Native timesheet with engagement codes, mobile capture, manager approval, and a rules engine for chargeability and recovery thresholds. Connected to engagement WIP, not parked beside it.

Resource planning & utilisation

Capacity heatmaps across grades and partners, conflict resolution between engagements, utilisation forecasts and resourcing decisions evidenced for the SoQM resources component.

Partner / leadership dashboards

The single Monday-morning view: quality, risk, WIP, recovery, people. Configurable per partner, exportable to board pack format. No second login, no second system.

Staff performance & calibration

The performance-evaluation workflow ISQM 1 actually requires: evidence of feedback, calibration meetings, quality-linked promotion criteria, and partner pool reviews — recorded.

Workforce compliance localisation

Saudi Nitaqat tracking, UK right-to-work, GCC residency rules, African work-permit registers, and IFAC member-body professional licensing — wherever the firm operates.

FOUNDATION

Built like the firms it serves.

Audit firms run on evidence. So does the platform underneath them. Below — the technical posture firms ask about during procurement, before the legal review.

ISO 27001-aligned

Information security management aligned to ISO 27001. SOC 2 Type II in progress. Penetration tested quarterly by an external firm.

Regional, by default

Data resident in your region, not shipped to a single global cluster. KSA, UAE, UK, EU and South Africa availability today.

Wired into your stack

Open API, native connectors to the practice-management, HR and identity systems audit firms actually use.

Bilingual where it counts

Arabic and English first-class interfaces. Localised regulator terminology — not machine-translated.

INTEGRATIONS

Doesn't replace your stack connects to it.

Most firms have a practice-management system, an HR platform, an identity provider and an email tenant. falconry.one is designed to read from all four and to be the single layer above them — the governance OS that sits where the audit committee actually looks.

§06 / NEXT STEPS

The 45-minute conversation that pays for itself.

The 45-minute conversation
that pays for itself.