In my previous blog, The SIG – The Swiss Army Knife of Risk Assessment, I commented on the versatility of the SIG, the Shared Assessments Program’s Standardized Information Gathering questionnaire. This month I want to discuss its complementary, on-site assessment tool: the Agreed Upon Procedures (AUP). If the SIG is the “trust” component of the “trust but verify” model at the heart of the Shared Assessments Program, the AUP is the “verify” component.

Although it is written to the AICPA attestation standard, the AUP report does not include an assessor’s opinion on the adequacy of the internal controls assessed. Rather, it reports the presence or absence of the control attributes contained in each procedure. This lack of an opinion is key to the efficacy of the AUP within a shared environment, since it allows each user of the report to evaluate the findings within the context of its own risk appetite and the services or functions the assessed entity provides to it. Also key to the efficacy of the AUP are its objectivity and its clarity: different assessors properly conducting the procedures will report the same observations.

The current version of the AUP contains 72 procedures within 12 ISO-based domains as well as privacy. The AUP domains match those in the SIG.
Each iteration of the AUP is drafted by a committee of Program member volunteers, who respond to user feedback as well as regulatory changes. Draft AUPs are reviewed by the Big 4 accounting firms to ensure they comply with the AICPA standard.
As with the SIG, users apply the AUP in a variety of ways. Some take a menu approach, selecting the individual procedures that meet their needs. Others use it to augment their proprietary on-site audit package. And, like some SIG users, some service providers use it as a self-assessment tool to help them prepare for their clients’ on-site assessments.
Taken together, then, the SIG and the AUP offer a comprehensive approach to assessing the security and privacy postures of third-party service providers.
Santa Fe Group Consultant Bob Jones has led financial institution fraud risk management programs for more than 40 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.