Agreed Upon Procedures
Assessment firms use the Agreed Upon Procedures (AUPs) to perform objective and consistent evaluations under each service provider control area. An AUP report does not provide an opinion on control objectives. Instead, it gives the service provider a detailed report of the results of the procedures performed. The service provider may then share the report with an unlimited number of clients, who may use it to evaluate the controls in the context of their own use of the service provider and of applicable industry risk management and regulatory requirements.
The AUP standards address control objectives for:
- Risk management
- Information security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Incident and event management
- Business continuity management
- Compliance
- Privacy
Typical flow of an AUP engagement
The diagram below summarizes the high-level flow of the typical AUP engagement.
The scope of the engagement must be determined before any AUPs are executed. Under the Shared Assessments Program, the scope is generally defined as the target systems. Once the target systems are defined, the hardware, software and processes that support the target systems comprise the population to be tested. Scoping discussions should also determine the applicability of each question and assist the practitioner in:
- Obtaining an understanding of the service provider's environment
- Identifying the documentation to be provided by the service provider
- Determining the order in which AUPs will be executed
Specific tests should be performed in a manner consistent with the procedures listed. When the procedures are completed, the assessment firm provides a report of findings. This report does not express an opinion and covers only those procedures performed under the scope of the agreement.
After reviewing the report, service providers are strongly encouraged to respond to those institutions that receive the report. The service provider should:
