Regulatory – Falconry.one – The operating system for professional services firms

4 regions · 35+ regulators

Pre-mapped to the regulators in every market the firm operates.

ISQM 1 is the global spine. Everything else localises. falconry.one ships with the quality, privacy, and cyber obligations of each jurisdiction already built in — not added on as professional services. Below: the global spine, the regional layers, and our update cadence.

One spine. Refreshable. Inspector-ready.

The five frameworks on the right are the constants — what every audit firm in every IFAC-member territory is now expected to evidence. falconry.one imports them as control libraries, then maps them to your firm-specific quality manual and your engagement workflow.

What that means in practice: when a regulator updates ISQM 1 guidance, or IESBA revises an independence rule, or NIST publishes CSF 2.0, your control library and evidence templates update with it. You don’t have to commission a re-mapping project — that’s our job.

Every clause-to-control link is timestamped. Every regulatory revision triggers a partner-level alert with a “what changed and what to do” summary, written by Falconry’s regulatory team — not a vendor newsletter.

GLOBAL FRAMEWORKS · ALL TIERS

ISQM 1

System of Quality Management — eight components, mandatory for IFAC-member firms
ISQM 2

Engagement Quality Reviews — workflow, threshold rules, sign-off
ISA 220 (R)

Quality Management for an audit of financial statements
IESBA

International Code of Ethics for Professional Accountants — independence, conflicts
ISO 27001

Information security management — control library mapping
NIST CSF 2.0

Cyber Security Framework — Govern function included
ISO 31000

Risk management principles — enterprise risk register
ISO 22301

Business continuity — for the resilience module

§02 / REGIONAL LAYERS

The local layer is where most platforms fail audit firms.

Generic GRC tools handle ISO 27001 well. They fall over when the firm is also subject to SOCPA peer review, NCA ECC controls, SAMA CSF, PDPL, ECCTA, FRC AQR, IRBA inspection, ICPAK practice review, NIS2, and EU audit reform. falconry.one is built for the audit firm that has all of those open at the same time.

REGION / GCC

Gulf Cooperation Council

KSA · UAE · Qatar · Oman · Bahrain · Kuwait — Arabic + English UI

Audit & Quality

SOCPA

Saudi Organization for Chartered Professional Accountants — peer review, ISQM 1, CPD

UAE MoE

UAE Ministry of Economy auditor licensing requirements

QFCRA

Qatar Financial Centre auditor regulation

CMA

KSA Capital Market Authority — listed entity audit oversight

Data & Privacy

PDPL (KSA)

Personal Data Protection Law — enforceable, regulator-active

UAE PDPL

UAE Federal Decree-Law on data protection

QFC DPL

Qatar Financial Centre Data Protection Regulations

Cyber & Resilience

NCA ECC

Saudi National Cybersecurity Authority Essential Controls 2024/25

SAMA CSF

Saudi Central Bank Cyber Security Framework — financial sector

UAE SIA

UAE Signals Intelligence Agency cyber controls

SDAIA

Saudi AI & Data Authority — AI governance guidance

REGION / UK & IRELAND

United Kingdom

England & Wales · Scotland · Ireland — UK GDPR + ICAEW spine

Audit & Quality

FRC AQR

Financial Reporting Council — Audit Quality Review regime

ICAEW

Institute of Chartered Accountants — practice assurance, CPD

ACCA

Association of Chartered Certified Accountants — monitoring, CPD

IAASA (IE)

Irish Auditing and Accounting Supervisory Authority

Data & Privacy

UK GDPR

Post-Brexit UK General Data Protection Regulation

DPA 2018

UK Data Protection Act 2018 — DPO, RoPA, DPIA

PECR

Privacy and Electronic Communications Regulations

Cyber & Corporate Governance

NCSC CAF

National Cyber Security Centre — Cyber Assessment Framework

ECCTA

Economic Crime & Corporate Transparency Act — failure to prevent

SMCR (FCA)

Senior Managers and Certification Regime — for regulated audit firms

REGION / AFRICA

Africa

Kenya · Nigeria · South Africa · Egypt · Ghana · Rwanda

Audit & Quality

IRBA (SA)

Independent Regulatory Board for Auditors — South Africa

FRC Nigeria

Financial Reporting Council of Nigeria — auditor oversight

ICPAK

Institute of Certified Public Accountants of Kenya — practice review

EFSA

Egyptian Financial Supervisory Authority — listed entity audit

Data & Privacy

POPIA (SA)

Protection of Personal Information Act — South Africa

NDPR (NG)

Nigeria Data Protection Regulation — NITDA-supervised

DPA Kenya

Kenya Data Protection Act 2019 — ODPC enforcement

Cyber & AML

SARB CYBER

South African Reserve Bank cyber resilience standards

FATF

FATF-aligned AML programmes — across the region

REGION / EASTERN EUROPE

Eastern Europe

Poland · Czech Republic · Romania · Hungary · Bulgaria — EU spine

Audit & Quality

CEAOB

Financial Reporting Council — Audit Quality Review regime

PANA / KIBR

Poland: PANA + Polish Chamber of Statutory Auditors

RVH

Czech Republic — Audit Public Oversight Council

ASPAAS

Romanian Authority for Public Oversight of Statutory Audit

Data & Privacy

EU GDPR

European General Data Protection Regulation

DSA / DMA

Digital Services Act / Digital Markets Act — where in scope

Cyber & Audit Reform

NIS2

EU Network & Information Security Directive 2 — in scope

EU AR

EU Audit Reform regime — PIE rotation, fee caps, NAS prohibitions

DORA

Digital Operational Resilience Act — for financial sector audits

§03 / WHAT MAPS TO WHAT

How regional regimes connect to platform modules.

A direct view of which regulator obligations are evidenced by which falconry.one modules — across the four regions. ● Native module · ◐ Localisation pack required.

REGULATOR / OBLIGATION

GCC

AFRICA

E. EUROPE

ISQM 1 / SoQMSystem of quality management evaluation

Native

ISQM 2 / EQREngagement quality review workflow

Native

Independence (IESBA)Confirmations, restricted entity register

Native

Local audit regulatorSOCPA / FRC / IRBA / CEAOB peer + AQR

Native (SOCPA)

Native (FRC)

Native (IRBA, ICPAK)

Localisation

Local data protectionPDPL / UK GDPR / POPIA / EU GDPR

Native (PDPL)

Native (UK GDPR)

Native (POPIA)

Native (EU GDPR)

Local cyber controlsNCA ECC / NCSC CAF / NIS2 / SARB

Native (NCA, SAMA)

Native (NCSC)

Localisation

Native (NIS2)

Listed entity auditCMA / FCA / DTI / EU AR oversight

Native (CMA)

Native

Localisation

Native (EU AR)

Sectoral cyber (financial)SAMA CSF / DORA / SARB

Native (SAMA)

Add-on

Localisation

Native (DORA)

AI governanceSDAIA / EU AI Act / NIST AI RMF

Native (SDAIA)

Add-on

Roadmap

Native (EU AI)

AML / UBOFATF aligned client acceptance

Native

§04 / UPDATE CADENCE

The mappings stay current.

Regulators update guidance constantly. The control library inside falconry.one updates with them — operated by Falconry's regulatory intelligence team, not a vendor mailing list.

№ 01 · WEEKLY

Horizon scan

Every Monday, the regulatory team reviews the previous week's issuances across the markets we serve. Material items are tagged, summarised, and routed to affected customer firms.

№ 02 · MONTHLY

Control library refresh

Mapping refreshes are pushed monthly to all customer instances. Material changes are accompanied by a partner-level alert with "what changed and what to do" guidance.

№ 03 · QUARTERLY

Regional briefing

A 30-minute quarterly briefing per region for customer Quality Partners. Covers the live regulator pipeline, expected enforcement themes, and platform updates that respond.

№ 04 · ON-DEMAND

Inspection support

When an FRC, SOCPA, IRBA, ICPAK or AQR letter lands, the regulatory team is on standby. Available as standard support for Networks tier; retainer-activated for other tiers.

NEXT STEPS

The 45-minute conversation
that pays for itself.

A live walkthrough of an ISQM 1 SoQM evaluation on the platform — against your firm's existing manual and inspection history. You see exactly what the partner view looks like, what the evidence pack contains, and what the 8-week deployment would mean for your cycle.

4 regions · 35+ regulators

Pre-mapped to the regulators in every market the firm operates.

ISQM 1 is the global spine. Everything else localises. falconry.one ships with the quality, privacy, and cyber obligations of each jurisdiction already built in — not added on as professional services. Below: the global spine, the regional layers, and our update cadence.

One spine. Refreshable. Inspector-ready.

GLOBAL FRAMEWORKS · ALL TIERS

ISQM 1

ISQM 2

ISA 220 (R)

IESBA

ISO 27001

NIST CSF 2.0

ISO 31000

ISO 22301

§02 / REGIONAL LAYERS

The local layer is where most platforms fail audit firms.

REGION / GCC

Gulf Cooperation Council

KSA · UAE · Qatar · Oman · Bahrain · Kuwait — Arabic + English UI

Audit & Quality

Data & Privacy

Cyber & Resilience

REGION / UK & IRELAND

United Kingdom

England & Wales · Scotland · Ireland — UK GDPR + ICAEW spine

Audit & Quality

Data & Privacy

Cyber & Corporate Governance

REGION / AFRICA

Africa

Kenya · Nigeria · South Africa · Egypt · Ghana · Rwanda

Audit & Quality

Data & Privacy

Cyber & AML

REGION / EASTERN EUROPE

Eastern Europe

Poland · Czech Republic · Romania · Hungary · Bulgaria — EU spine

Audit & Quality

Data & Privacy

Cyber & Audit Reform

§03 / WHAT MAPS TO WHAT

How regional regimes connect to platform modules.

A direct view of which regulator obligations are evidenced by which falconry.one modules — across the four regions. ● Native module · ◐ Localisation pack required.

§04 / UPDATE CADENCE

The mappings stay current.

Regulators update guidance constantly. The control library inside falconry.one updates with them — operated by Falconry's regulatory intelligence team, not a vendor mailing list.

№ 01 · WEEKLY

Horizon scan

№ 02 · MONTHLY

Control library refresh

№ 03 · QUARTERLY

Regional briefing

№ 04 · ON-DEMAND

Inspection support

NEXT STEPS

The 45-minute conversation that pays for itself.

The 45-minute conversation
that pays for itself.