ISRS 4400 (Revised): How to Plan, Perform, and Report Agreed-Upon Procedures Engagements

What ISRS 4400 (Revised) actually requires

ISRS 4400 governs engagements where you perform specific procedures and report factual findings. You don’t express an opinion. You don’t provide assurance. The engaging party (and any other intended users) draw their own conclusions from the findings you report.

The revised standard introduced a significant change from its predecessor. Under the old ISRS 4400, the engaging party and all intended users had to formally acknowledge the procedures as appropriate. ISRS 4400 (Revised), paragraph 16(b)(ii), removed this requirement for intended users other than the engaging party. The engaging party still acknowledges that the procedures are appropriate for the purpose of the engagement, but other intended users no longer need to do so. This was the single biggest practical barrier under the old standard (getting a bank or regulator to formally sign off on procedures they hadn’t designed was often impossible), and its removal opened the door to a much wider range of AUPs.

ISRS 4400.14 establishes the scope: you agree on specific procedures and perform them, then report findings of fact. The standard explicitly prohibits expressing an opinion or conclusion (ISRS 4400.14(b)). The procedures must be sufficiently clear that they can be understood and performed consistently. Vague procedures like “check whether the revenue figures seem reasonable” don’t qualify. The standard requires that procedures be described in a way that doesn’t involve subjective interpretation (ISRS 4400.A20).

Professional judgment still applies. ISRS 4400.18 requires professional judgment throughout, and ISRS 4400.24 requires you to exercise it when performing the procedures. That judgment operates within strict boundaries. You decide how to apply a procedure efficiently, not whether the procedure is sufficient to answer the question the engaging party actually has.

Independence is another area where the revised standard changed the rules. Under ISRS 4400 (Revised), paragraph 22 no longer requires the practitioner to be independent of the entity, unless independence is required by law, regulation, or the engagement terms. This is a departure from the old standard and from many national requirements. In the Netherlands, the NBA’s VGBA (Verordening Gedrags- en Beroepsregels Accountants) may impose independence requirements beyond what ISRS 4400 itself requires, depending on the nature of the engagement and the entity. Check your national requirements before assuming that ISRS 4400’s position on independence is the whole picture.

ISRS 4400.35 also introduced a requirement to apply quality management at the engagement level. For firms subject to ISQM 1, this means the AUP falls within the firm’s quality management system. The EP accepts responsibility for quality, and the firm’s monitoring policies apply. For smaller firms, this can feel disproportionate for a half-day subsidy check, but the standard doesn’t carve out exceptions based on engagement size. Nobody enjoys scoping these, but getting it wrong is how you end up issuing the wrong report.

How to agree on the procedures

The engagement letter is where most AUPs succeed or fail. ISRS 4400.19 sets out the preconditions. You need a rational purpose for the engagement and the procedures must be appropriate for that purpose. The engaging party must acknowledge the procedures as appropriate.

Start with the purpose. ISRS 4400.A8 provides guidance: the purpose should be specific enough that the intended users can understand why the procedures were performed. “To verify the client’s financial position” is too broad. “To compare the subsidy expenditure reported in the Q3 2025 declaration against underlying purchase invoices and bank statements” is specific enough.

Then define the procedures themselves. Each procedure must describe what you will do and what subject matter information it applies to, along with the nature of the expected findings. ISRS 4400.A19 through A21 give practical direction here. A well-defined procedure reads like an instruction that a competent accountant could follow without asking clarifying questions. “Recalculate the totals in Appendix A of the subsidy declaration and compare them to the trial balance as at 30 June 2025” works. “Review the subsidy declaration for accuracy” does not, because “review” and “accuracy” both involve subjective assessment.

ISRS 4400.21 adds a critical requirement: you must agree on the form and content of the report before starting the work. If the intended user is a regulator or funding body, this step avoids the situation where you complete the procedures and then discover the report format doesn’t match what the user expects.

Document the agreed terms in an engagement letter. ISRS 4400.22 lists the required elements. These include the purpose of the engagement, the procedures to be performed, the intended users, a statement that the engagement is not an audit or review and no assurance will be expressed, and the form the report will take.

One thing worth getting right at the engagement letter stage is the level of threshold or tolerance the procedures will use. If Procedure B says “for all expenditure items above €10,000,” that threshold needs to be agreed with the engaging party and stated in the terms. Changing it after the fact (because you realise there are too many items below €10,000 to check efficiently) requires a formal amendment to the agreed procedures under ISRS 4400.27. Setting the right threshold upfront saves a round of renegotiation mid-engagement.

Performing the procedures and documenting findings

Once the procedures are agreed, execution follows ISRS 4400.24 through 4400.28. Each procedure is performed exactly as described in the engagement terms. If a procedure cannot be performed as described (because the information doesn’t exist, or access is restricted), ISRS 4400.27 requires you to either agree on an alternative procedure with the engaging party or note in the report that the procedure could not be performed and explain why.

The quality of your findings depends entirely on the quality of the procedure descriptions. A procedure that says “check whether payroll costs are reasonable” will produce a finding like “we reviewed the payroll costs and found them reasonable,” which is an opinion, not a finding. A procedure that says “recalculate gross salary costs for the 10 highest-paid employees by multiplying monthly salary per employment contract by 12 and compare to the payroll register total” produces a finding like “for 9 of 10 employees, the recalculated annual salary agreed to the payroll register. For 1 employee (Employee ID 4412), the recalculated annual salary was €78,000 versus the payroll register amount of €84,500, a difference of €6,500.” The first is useless. The second is defensible. This is the finding that generates the most RNs in file review.

Documentation follows ISRS 4400.36. The WPs must show the procedures performed and the findings obtained, along with any communications with the engaging party about changes to the agreed procedures. There’s no prescribed format, but the documentation needs to be sufficient for an experienced practitioner to understand what was done and what was found. In our experience, the file should tell a story even to a reviewer who wasn’t in the planning meeting.

Factual findings are exactly that: facts. ISRS 4400.28 makes clear that findings should not include opinions, conclusions, or recommendations unless the terms of the engagement specifically include reporting recommendations (which ISRS 4400 (Revised) now permits under paragraph 30(m)). “We recalculated the total in Schedule A and found a difference of €4,312 between the reported total of €892,450 and the recalculated total of €888,138” is a factual finding. “The total in Schedule A appears to be overstated” is a conclusion, and it doesn’t belong in the report unless the engagement terms allow it.

ISRS 4400.25 adds a requirement that practitioners sometimes overlook. If, during the performance of the procedures, you identify matters that you believe should be communicated to the engaging party, ISRS 4400.25 permits (but does not require) such communication. The standard draws a line here. Communication is permitted. Expanding scope is not. If you find something unexpected (for instance, while tracing invoices to bank statements you notice a payment to an entity that appears related to the client’s director), you don’t add procedures on your own. ISRS 4400.26 permits you to communicate this to the engaging party, but the standard doesn’t require or permit you to perform additional procedures beyond those agreed. Scope expansion requires a new agreement.

One practical consideration for Dutch practitioners is worth flagging. The NBA (Koninklijke Nederlandse Beroepsorganisatie van Accountants) issued guidance on applying ISRS 4400 (Revised) in the Dutch context. The NBA’s Practice Note 1135 addresses situations commonly encountered in the Netherlands, including subsidy engagements and government-mandated AUP work. If you’re performing AUPs under Dutch regulation, this practice note is worth reading alongside the standard itself.

Worked example: AUP on a government subsidy reconciliation

Client: Dekker Bouw B.V., a mid-sized Dutch construction company (€38M revenue) that received a €620,000 government subsidy for sustainable building materials under the SDE++ scheme.

Engagement: The Province of South Holland requires an independent accountant to perform agreed-upon procedures on Dekker Bouw’s subsidy expenditure declaration for the period January to June 2025. Total declared expenditure: €487,200.

1. Agree on terms and procedures with the engaging party

The engagement letter specifies four procedures requested by the Province:

• Procedure A: Recalculate the arithmetic totals in the subsidy expenditure declaration.
• Procedure B: For all expenditure items above €10,000 (14 items totalling €312,600), trace each item to the corresponding purchase invoice and verify the invoice date falls within the subsidy period.
• Procedure C: For expenditure items above €10,000, trace invoice payments to bank statements.
• Procedure D: Compare the categories of expenditure reported in the declaration to the eligible categories listed in the subsidy agreement.

Documentation note: File the signed engagement letter referencing each procedure by letter code. Record the Province’s acknowledgement that the procedures are appropriate for the purpose of the subsidy compliance check (ISRS 4400.16(b)(ii)).

2. Perform Procedure A: arithmetic recalculation

Recalculate all totals in the declaration. The declared total is €487,200. The recalculated total is €487,200. No difference found.

Documentation note: Attach the recalculation working paper. Cross-reference to the declaration page and line numbers.

3. Perform Procedure B: trace to purchase invoices

For each of the 14 items above €10,000, obtain the purchase invoice and verify: (a) the amount matches the declaration, and (b) the invoice date falls within 1 January 2025 to 30 June 2025. Result: 13 of 14 items agreed without exception. One item (€18,400, supplier: Vos Materialen B.V., invoice dated 14 July 2025) has an invoice date outside the subsidy period.

Documentation note: Prepare a schedule listing each item, the invoice reference, the invoice date, and whether it agreed. Attach copies of all 14 invoices. Flag the exception with the specific invoice number and date.

4. Perform Procedure C: trace to bank statements

For the same 14 items, trace invoice payments to Dekker Bouw’s bank statements. Result: 14 of 14 payments traced to ING bank statements. All payment dates fall within the subsidy period.

Documentation note: Attach the bank statement extracts with the relevant payment lines highlighted. Note the payment reference for each item in the schedule from Procedure B.

5. Perform Procedure D: compare categories to subsidy agreement

Compare the expenditure categories in the declaration (insulation materials, solar panel components, recycled steel, energy-efficient glazing) to the eligible categories in Annex 2 of the subsidy agreement. All four categories appear in Annex 2.

Documentation note: Attach a side-by-side comparison of the declaration categories and the Annex 2 eligible categories. Note any categories in the declaration not present in Annex 2 (none in this case).

The file contains four procedure schedules, each cross-referenced to source documents. One exception was identified (invoice date outside the subsidy period for €18,400). The AUP report will state this finding without concluding whether the expenditure is or isn’t eligible. The Province draws that conclusion.

How to write the report

ISRS 4400.30 lists the mandatory report elements. Missing any of them creates a non-compliant report that a regulator will flag.

The report must include a title indicating it is a report of factual findings from agreed-upon procedures, the addressee (typically the engaging party), a description of the purpose of the engagement and a statement that the procedures performed are those agreed with the engaging party, identification of the subject matter information the procedures were performed on, a description of each procedure performed and each factual finding, a statement that the engagement is not an audit or a review and that no assurance is expressed, a statement that the report is restricted to the engaging party and the intended users identified in the engagement terms, the date of the report, and the practitioner’s signature.

The restriction on distribution (ISRS 4400.30(k)) is a practical protection. Because the procedures were designed for a specific purpose, the findings may not make sense (or could be misleading) to someone who doesn’t understand that purpose. If the engaging party wants to distribute the report more widely, ISRS 4400.A48 suggests discussing whether additional procedures or a different form of engagement would be more appropriate.

One structural point is worth emphasising. Findings are reported procedure by procedure, not summarised. Each procedure gets its own section in the report with the procedure described, followed by the finding. The Dekker Bouw report would have four sections matching the four procedures, with the Procedure B section explicitly stating the exception found.

The language of each finding matters. Avoid any words that imply judgment or evaluation. “We found” is fine. “We noted” is fine. “We determined” implies a conclusion. “We observed that the amount was reasonable” implies assurance. Stick to factual, verifiable language throughout. If the procedure was a recalculation, report the recalculated figure and any difference. If the procedure was a comparison, report what was compared and whether the items agreed or differed (and by how much).

Under the revised standard, ISRS 4400.30(m) now permits the practitioner to include recommendations in the report if the engagement terms provide for it. This was not permitted under the old standard. If Dekker Bouw’s engagement terms included a provision for recommendations, the practitioner could note that the invoice dated 14 July 2025 may need to be replaced or excluded from the next declaration. Without that provision in the engagement terms, the recommendation stays out of the report.

ISRS 4400.A44 gives additional guidance on dating. The report should be dated no earlier than the date on which the practitioner completed the procedures and determined the findings. If there’s a gap between completing the procedures and issuing the report (common when internal review adds a few days), the report date is the completion date, not the issue date. Get this wrong and you create a dating inconsistency that an external reviewer will question.

Practical checklist for your next AUP

1. Before accepting, confirm the engagement has a rational purpose (ISRS 4400.19(a)) and that the engaging party acknowledges the procedures as appropriate (ISRS 4400.16(b)(ii)). If the engaging party can’t articulate why the procedures will answer their question, push back before signing the engagement letter.
2. Define each procedure so that a competent practitioner who wasn’t in the planning meeting could perform it without asking clarifying questions. If you have to explain what “review” means in context, the procedure isn’t specific enough (ISRS 4400.A20).
3. Agree the report format before starting work (ISRS 4400.21). Check whether the intended user has a prescribed template. Many Dutch provinces and funding bodies do.
4. Report findings per procedure, not as a summary. Each finding maps one-to-one to a procedure described in the engagement letter. State facts. Reserve conclusions for the engaging party.
5. If you cannot perform a procedure as agreed, document why and either agree an alternative with the engaging party or report the limitation (ISRS 4400.27).
6. Check whether the engagement terms permit recommendations (ISRS 4400.30(m)). If they don’t, keep recommendations out of the report regardless of how obvious the fix is.

Common mistakes

• Blurring the line between findings and conclusions. The AFM has noted in its thematic reviews that AUP reports sometimes include language such as “the expenditure appears reasonable” or “no material discrepancies were noted,” both of which imply assurance and violate ISRS 4400.14(b). Report what you found, not what you think it means.
• Using vague procedure descriptions. “Verify the completeness of the records” requires professional judgment about what “completeness” means in context. ISRS 4400.A20 requires procedures specific enough to be performed without subjective interpretation. Replace “verify completeness” with “compare the transaction listing to the general ledger and report any items in the ledger not present in the listing.”
• Failing to restrict the report. ISRS 4400.30(k) requires a restriction on distribution. Omitting this exposes the firm to liability from unintended users who rely on the report for purposes the procedures weren’t designed to address.
• Treating the engagement as a tick box exercise on the quality file. Even though ISRS 4400 doesn’t require assurance, ISRS 4400.35 pulls the engagement inside the firm’s ISQM 1 system. The EP still accepts responsibility, and the monitoring team will still look at the file.

Related content

• Agreed-upon procedures. Glossary entry covering the definition and when AUP engagements are used, plus how they differ from audit and review engagements.
• ISA 520 Analytical Review Calculator. While AUP engagements don’t require analytical procedures, this tool is useful when an AUP procedure involves comparing reported figures against benchmarks or prior periods.

Related ciferi content

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions

Further reading and source references

• IAASB Handbook 2024: The authoritative source for the complete ISRS 4400 (Revised) text.
• NBA Practice Note 1135: Dutch-specific guidance on applying ISRS 4400 (Revised) in the Netherlands, including subsidy engagements and government-mandated AUP work.
• ISRS 4410 (Revised): Compilation engagements. The other non-assurance standard, for when the client needs compiled financial information rather than factual findings.
• ISQM 1: Quality management requirements applicable to firms performing AUP engagements (ISRS 4400.35).