IFAC notes that: AUP engagements have the potential to be an attractive and fast growing service offering to SMEs. Clients may not need an audit, but may greatly benefit from an AUP engagement to satisfy banking or vendor needs.
They say that: According to ISRS 4400, the objective of an AUP engagement is to carry out procedures of an audit nature to which the practitioner, the entity, and any appropriate third parties have agreed and to report on factual findings. These engagements may entail the practitioner performing certain procedures concerning individual items of financial data (for example, accounts payable, accounts receivable, purchases from related parties, and sales and profits of a segment of an entity), a financial statement (for example, a balance sheet) or even a complete set of financial statements. While directed toward engagements regarding financial information, ISRS 4400 may provide useful guidance for engagements regarding non-financial information, provided the auditor has adequate knowledge of the subject matter in question and reasonable criteria exist on which to base their findings.
I see that these will also be especially useful to verify to funders that their money has been spent as specified - for much less cost and effort than an Audit or Review Engagement. Other examples might be:
- Due diligence when buying or selling a business
- Verifying cash balances
- Checking security balances
- Income tax provisions
- Accounts receivable/payable processes
- Special reviews of loan portfolios
- Reviews of internal control and environmental management systems
- Royalty agreements compliance
- Employer compliance/payroll audits
- Purchasing department compliance
We have received a number of enquiries regarding creating a template for Agreed-upon Procedures (AUP) engagements recently. We are pleased to report that these are now available to use (go to the "Other" tab to create).
There are two options: one where the AUP is likely to be an annual job, and the other where it is a one-off job. In the second case the date entered on setup is the "appointment date" rather than "year ending". Otherwise the two are identical, and of course may be swapped over if the nature of the engagement changes.
In NZ we base our AUP work on APS-1, issued by the NZ Society of Accountants (NZSA) in 1992 and amended in 2013. There is also a guidance statement, APG-1. These are both very brief but do contain helpful information. Internationally there is the IAASB’s ISRS 4400, Engagements to Perform Agreed-Upon Procedures Regarding Financial Information.
CAANZ have released (on 18/2/2018) an exposure draft (ED APS-1 Revised) that updates APS-1 and APG-1 and expands on some of what was less clear, to ensure that users are aware that this is reporting on factual data; it is not an audit or review (reasonable assurance or limited assurance) engagement.
We have based the new template on the ED, but referencing back to the original APS-1 where applicable (as the final revised version may vary). So once the ED process is complete our current template should substantially cover the requirements.
Our templates include an engagement letter, report, and a range of confirmation letters and work-papers to fit many common agreed-upon procedures.
The ICAEW says that: The procedures and tests should be sufficiently detailed so as to be clear and unambiguous, and discussed and agreed in advance with the engaging parties so that the factual findings are useful to them and, depending upon the engagement, others to whom the report is made available. The practitioner’s report does not express a conclusion, and therefore it is not an assurance engagement in the technical sense.
The interesting part of an AUP engagement is that we must take off our auditor's hat somewhat - and stop constantly evaluating risk and materiality, and instead just concentrate on doing what we agreed to do in the engagement letter - nothing more and nothing less.
Our report expresses the procedures and our findings. For example:
A large part of the planning work is to determine who the users are. This is likely to be either the engaging entity, this entity plus a third party (for instance the funding suppliers), or the entity plus a regulator or representative of a group of users. These users must be identified and addressed in the engagement letter and the final report, and the report is specifically restricted to these users.