Agreed-Upon Procedures (AUP): Scope, Standards & How It Differs from an Audit
A lender asks for confirmation that a specific revenue figure used in a loan covenant is accurate. An investor wants verification of a single financial metric before releasing the next tranche of funding. A regulator requires confirmation that grant funds were spent according to the terms of the grant. None of these situations call for a full statutory audit; they call for an Agreed-Upon Procedures (AUP) engagement, a narrower, faster, and more targeted form of professional verification that is frequently misunderstood as a lighter version of an audit. It is not. The distinction matters, and getting it wrong creates real risk for whoever relies on the report.
What Are Agreed-Upon Procedures (AUPs)?
An Agreed-Upon Procedure (AUP) is a professional engagement where an independent practitioner performs specific procedures that have been mutually agreed upon by the client and the relevant stakeholders.
- The practitioner reports factual findings only.
- No opinion, conclusion, or assurance is provided.
- Users interpret the results themselves based on their purpose.
Is an Agreed-Upon Procedure an Audit?
No, an agreed-upon procedure is not an audit. The table below explains how AUP and audit differ:
| Basis | Agreed-Upon Procedure | Audit |
| Objective | Perform specific agreed procedures and report findings | Express an opinion on financial statements |
| Scope | Narrow and defined by agreement | Broad and governed by auditing standards |
| Assurance | No assurance provided | Reasonable assurance |
| Reporting Format | Factual findings only | Opinion-based report |
| Intended Users | Restricted to specified parties | Intended for general users (e.g. shareholders) |
Why This Distinction Matters
The most consequential mistake in this area is not technical it is interpretive. Because an AUP report is prepared by an independent professional and looks, on the surface, like an audit report, recipients sometimes assume it carries the same weight. It does not. An AUP report provides no opinion and no assurance of any kind; it states only what was found when specific, pre-agreed procedures were carried out. If a bank, investor, or regulator treats an AUP report as if it were audited financial confirmation, they are extending trust the report was never designed to support. This is precisely why AUP reports are restricted to the specified parties who agreed to the procedures in the first place. Restricting distribution limits the risk of this exact misinterpretation.
When Are Agreed-Upon Procedures Used?
Organizations typically commission AUPs when investors and lenders require confirmation of specific financial metrics without requiring complete financial statement assurance. Common engagement types include:
- Confirmation of a specific financial metric for use in a transaction, such as investor or lender approval of financing related to an acquisition.
- Submission to a regulatory authority that requires confirmation of certain data points.
- Testing of specific financial metrics for a defined purpose, such as revenue or expense verification.
- Testing internal controls associated with specific processes.
- Confirming transactions or activity between related parties.
- Determining whether funds from a grant or other source have been spent according to the terms of the funding agreement.
AUPs are also commonly performed as a component of broader financial due diligence work, where a specific data point rather than the full financial position of a target company needs independent verification within a tight transaction timeline.
Who Defines the Procedures in an AUP Engagement?
Procedures in an AUP engagement are defined by:
- The client
- Any third parties involved
The practitioner’s role is to:
- Evaluate the appropriateness of the proposed procedures
- Perform them independently and objectively
- Report factual results without offering assurance
What Does an Agreed-Upon Procedures Report Contain?
An AUP report usually consists of the following:
- Description of the agreed procedures
- Detailed factual findings
- A statement clarifying that no opinion or assurance is being provided
- Limitations on how the report may be used
Standards Governing Agreed-Upon Procedures
AUP engagements are regulated by two professional frameworks:
- ISRS 4400 (Revised): An international standard on related services issued by the IAASB, which revised AUP guidance and clarified the responsibilities of practitioners.
- AT-C Section 215 (formerly AT Section 201) in the U.S.A.: Part of the AICPA’s attestation standards framework, governing AUP engagements for U.S. practitioners.
Agreed-Upon Procedures vs Audit vs Review
| Feature | Agreed-Upon Procedures | Audit | Review |
| Assurance Level | None | Reasonable assurance | Limited assurance |
| Scope | Predefined and specific | Comprehensive | Analytical and inquiry-based |
| Opinion Provided? | No | Yes | Conclusion |
| Users | Specified parties | General users | General users |
| Purpose | Targeted verification | Overall financial statement reliability | Plausibility check |
Limitations of Agreed-Upon Procedures
While an AUP engagement provides genuine utility, it carries serious limitations that both clients and report recipients should understand:
- It is not appropriate for statutory assurance where the law requires an audit.
- It poses a risk that users may misinterpret the report based on an assumption of assurance that was never provided.
- It is not designed for general-purpose reporting and should not be distributed beyond the specified parties.
- Due to the limited scope of an AUP, other financial or operational risks outside the agreed procedures may go undetected.
How Firms Use Agreed-Upon Procedures
In practice, professional services firms deploy AUP engagements where the cost, time, or scope of a full audit isn’t proportionate to the specific question being asked. Lenders use AUPs to verify a single covenant metric without commissioning a full audit cycle. Private equity investors use them post-acquisition to confirm completion accounts or earn-out metrics within a defined window. Corporations use them internally to test compliance with a specific contractual clause such as a related-party transaction limit without triggering a broader internal audit. Grant-funded organizations use them to satisfy a funder’s requirement for independent verification of fund utilization, often as a condition of receiving the next disbursement. In each case, the value of the engagement lies precisely in its narrow, well-defined scope: it answers one specific question with factual precision, rather than forming a broader opinion the stakeholder did not ask for and may not need.
Related Reading
For a broader understanding of how AUP engagements fit within the wider landscape of financial reporting and assurance services, see our overview on financial reporting and assurance services and the differences between them. For a closer look at how practitioners support their factual findings, see our insight on audit evidence.
MBG’s Agreed-Upon Procedures Services
If your business, lender, or investor requires independent verification of a specific financial metric, control, or transaction, MBG’s Agreed-Upon Procedures and management reporting services bring together practitioners with statutory audit, transaction advisory, and forensic accounting experience to scope and deliver the engagement with precision and to make sure the report you receive is fit for exactly the purpose you need it for.





