Agreed-upon procedures (AUP)

Agreed-upon procedures (AUP) are a type of engagement in which an independent practitioner performs specific, predefined factual procedures on a subject matter and reports only on the factual findings—without providing an opinion or assurance conclusion. The scope and nature of the procedures are mutually determined and explicitly agreed upon by the practitioner, the engaging party, and often relevant third parties, making AUPs a highly customizable verification mechanism.

In cybersecurity, governance, compliance, and privacy contexts, organizations leverage AUPs to verify targeted aspects of their security posture or regulatory adherence. Common use cases include confirming the implementation or operational effectiveness of controls related to data handling, access management, vulnerability management, or incident response protocols. Unlike a full audit, AUPs focus narrowly on predefined steps, and the practitioner's role is strictly limited to executing those steps and documenting factual results. Stakeholders then evaluate the findings and draw their own conclusions based on the verified evidence, making AUPs an efficient tool for addressing specific compliance verification needs or security concerns.