Agreed-upon procedures
Agreed-upon procedures (AUP) are a distinct type of engagement in which an independent practitioner performs specific, predefined factual procedures on a subject matter and reports only the factual findings, without providing an opinion or assurance. Unlike in a full audit, the scope and nature of the procedures are mutually determined and explicitly agreed upon by the practitioner, the engaging party, and often relevant third parties. The practitioner's role is strictly limited to executing these agreed-upon steps and documenting the factual results.
Within cybersecurity, governance, compliance, and privacy frameworks, AUPs serve as a precise mechanism for targeted verification. Organizations use AUPs to confirm the implementation or operational effectiveness of specific security controls, such as data handling procedures, access management, vulnerability management, or incident response protocols. Because the procedures are tailored to the engagement, stakeholders obtain objective evidence about particular aspects of their cybersecurity posture or their compliance with regulatory requirements, and can then evaluate the findings and draw their own conclusions from the verified facts.