2017 AUP Bundle
The Shared Assessments Agreed Upon Procedures (AUP) is a holistic tool for performing standardized onsite risk management assessments, including assessments of cybersecurity, IT, privacy, data security and business resiliency controls. Use of this tool facilitates onsite verification of SIG responses. The content aligns to the Shared Assessments Standardized Information Gathering (SIG) questionnaire. The AUP is customizable to an individual organization’s needs and defines 17 critical risk control areas, procedures and an onsite assessment reporting template, all of which enhance the efficiency of the assessment process. The AUP uses a substantiation-based, standardized, efficient methodology for onsite assessments that companies can use to evaluate their own controls, as well as those of their third party service providers. Continuous re-evaluation of content and updates ensure that the AUP and other Program Tools cover all of the necessary components of robust third party risk management, so that the AUP remains up-to-date and relevant in terms of best practice and emerging items that are trending towards becoming new best practices.
The AUP evaluates key controls in the following domains of risk management:
- Risk assessment and treatment.
- Security policy.
- Organizational security.
- Asset and information management.
- Human resources security.
- Physical and environmental security.
- Operations management.
- Access control.
- Application security.
- Incident event and communications management.
- Business resiliency.
- Network security.
- Treatment management.
- Server security.
- Cloud security.
Some of the enhancements to the 2017 AUP include:
- The Tool allows for execution of a Collaborative Onsite Assessment (COA), a unique and pilot-tested capability, with benefits that include consistency, rigor and efficiency.
- All sections of the AUP have been amended with language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements standards.
- Industry updates, including HIPAA final ruling modifications and PCI DSS version 3.2 updates.
2017 AUP Report Template
The companion document to the AUP, the AUP Report Template, provides a standardized approach to collecting and reporting onsite assessment results. The template is a mechanism to track “compensating items” and can be used by organizations that do not have a proprietary enterprise risk platform in place to manage onsite assessment results and reporting. Alongside testing for the specific controls identified in the AUP, the AUP Report Template allows an assessor to include any additional mitigating controls (and accompanying documentation) believed to be relevant to providing a sound control environment.
The 2017 AUP Bundle includes the 2017 AUP, the 2017 AUP Report Template and the AUP Overview.
Become a Shared Assessments Program Member
Shared Assessments members are national and international organizations of all sizes that understand the importance of comprehensive standards for managing third party risk. They include financial institutions, healthcare organizations, energy/utility, retailers and telecommunications companies.
They are service providers of all sizes, consulting companies, and assessment firms. They are the best in their class, members of a global community of vendor risk management professionals who understand the value of implementing efficient and effective industry-standard practices.
- Free access to the Shared Assessments Program Tools.
- Work on one of the Program’s Standing Committees (SIG, AUP or VRMMM) to continue to refine the Program’s Tools. Member input is what keeps the Shared Assessments Program Tools on the leading edge of third party risk assurance issues.
- Participate in Special Projects and Interest Groups. Join your peers to identify, discuss and address the issues you (and your management) feel are top priorities for resolution.
- Participants in Shared Assessments committees, projects and special interest groups earn CPE credits while demonstrating risk management and compliance leadership.
- Join the monthly Member Forum and other special interest calls. Listen to key industry and regulatory thought leaders presenting on the latest developments in vendor risk management and regulatory compliance.
- Access to third party risk management training and education, white papers, project documents, and case studies.
- Discounts on registration for Shared Assessments events and educational workshops.
Reminder: If you have already purchased the Shared Assessments Tools, you can become a Shared Assessments Program member and reduce your annual dues by the total amount of your purchase, provided you join within 6 months of your Program Tool purchase.