ISRS 4400 (Revised): How to Plan, Perform, and Report Agreed-Upon Procedures Engagements

What ISRS 4400 (Revised) actually requires

ISRS 4400 governs engagements where you perform specific procedures and report factual findings. You don't express an opinion. You don't provide assurance. The engaging party (and any other intended users) draw their own conclusions from the findings you report.

The revised standard, effective for engagements agreed on or after 1 January 2022, introduced a significant change from its predecessor. Under the old ISRS 4400, the engaging party and all intended users had to formally acknowledge the procedures as appropriate. ISRS 4400 (Revised), paragraph 16(b)(ii), removed this requirement for intended users other than the engaging party. This was the single biggest practical barrier under the old standard (getting a bank or regulator to formally sign off on procedures they hadn't designed was often impossible), and its removal opened the door to a much wider range of AUP engagements.

ISRS 4400.14 establishes the scope: you agree on specific procedures, perform them, and report findings of fact. The standard explicitly prohibits expressing an opinion or conclusion (ISRS 4400.14(b)). The procedures must be sufficiently clear that they can be understood and performed consistently. Vague procedures like "check whether the revenue figures seem reasonable" don't qualify. The standard requires that procedures be described in a way that doesn't involve subjective interpretation (ISRS 4400.A20).

ISRS 4400.35 also introduced a requirement to apply quality management at the engagement level. For firms subject to ISQM 1, this means the AUP engagement falls within the firm's quality management system. The engagement partner accepts responsibility for quality, and the firm's monitoring policies apply.

How to agree on the procedures

The engagement letter is where most AUP engagements succeed or fail. ISRS 4400.19 sets out the preconditions. You need a rational purpose for the engagement, the procedures to be performed must be appropriate for that purpose, and the engaging party must acknowledge that the procedures are appropriate.

Start with the purpose. ISRS 4400.A8 provides guidance: the purpose should be specific enough that the intended users can understand why the procedures were performed. "To verify the client's financial position" is too broad. "To compare the subsidy expenditure reported in the Q3 2025 declaration against underlying purchase invoices and bank statements" is specific enough.

Then define the procedures themselves. Each procedure must describe what you will do, what subject matter information it applies to, and what the nature of the expected findings is. A well-defined procedure reads like an instruction that a competent accountant could follow without asking clarifying questions. "Recalculate the totals in Appendix A of the subsidy declaration and compare them to the trial balance as at 30 June 2025" works. "Review the subsidy declaration for accuracy" does not, because "review" and "accuracy" both involve subjective assessment.

ISRS 4400.21 adds a critical requirement: you must agree on the form and content of the AUP report before starting the work. If the intended user is a regulator or funding body, this step avoids the situation where you complete the procedures and then discover the report format doesn't match what the user expects.

Document the agreed terms in an engagement letter. ISRS 4400.22 lists the required elements: the purpose of the engagement, the procedures to be performed, the intended users, a statement that the engagement is not an audit or review and no assurance will be expressed, and the form the report will take.

One thing worth getting right at the engagement letter stage: the level of threshold or tolerance the procedures will use. If a procedure says "for all expenditure items above €10,000," that threshold needs to be agreed with the engaging party and stated in the terms. Changing it after the fact requires a formal amendment to the agreed procedures under ISRS 4400.27.

Performing the procedures and documenting findings

Once the procedures are agreed, execution follows ISRS 4400.24 through 4400.28. Each procedure is performed exactly as described in the engagement terms. If a procedure cannot be performed as described (because the information doesn't exist, or access is restricted), ISRS 4400.27 requires you to either agree on an alternative procedure with the engaging party or note in the report that the procedure could not be performed and explain why.

The quality of your findings depends entirely on the quality of the procedure descriptions. A procedure that says "check whether payroll costs are reasonable" will produce a finding like "we reviewed the payroll costs and found them reasonable," which is an opinion, not a finding. A procedure that says "recalculate gross salary costs for the 10 highest-paid employees by multiplying monthly salary per employment contract by 12 and compare to the payroll register total" produces a finding like "for 9 of 10 employees, the recalculated annual salary agreed to the payroll register; for 1 employee (Employee ID 4412), the recalculated annual salary was €78,000 versus the payroll register amount of €84,500, a difference of €6,500." The first is useless. The second is defensible.

Factual findings are exactly that: facts. ISRS 4400.28 makes clear that findings should not include opinions, conclusions, or recommendations unless the terms of the engagement specifically include reporting recommendations (which ISRS 4400 (Revised) now permits under paragraph 30(m)).

ISRS 4400.25 adds a requirement that practitioners sometimes overlook: if, during the performance of the procedures, you identify matters that you believe should be communicated to the engaging party, ISRS 4400.25 permits (but does not require) such communication. However, the standard doesn't require or permit you to perform additional procedures beyond those agreed. Scope expansion requires a new agreement.

Worked example: AUP on a government subsidy reconciliation

Client: Dekker Bouw B.V., a mid-sized Dutch construction company (€38M revenue) that received a €620,000 government subsidy for sustainable building materials under the SDE++ scheme. The Province of South Holland requires an independent accountant to perform agreed-upon procedures on Dekker Bouw's subsidy expenditure declaration for the period January to June 2025. Total declared expenditure: €487,200.

1. Agree on terms and procedures

The engagement letter specifies four procedures requested by the Province:

• Procedure A: Recalculate the arithmetic totals in the subsidy expenditure declaration.
• Procedure B: For all expenditure items above €10,000 (14 items totalling €312,600), trace each item to the corresponding purchase invoice and verify the invoice date falls within the subsidy period.
• Procedure C: For expenditure items above €10,000, trace invoice payments to bank statements.
• Procedure D: Compare the categories of expenditure reported in the declaration to the eligible categories listed in the subsidy agreement.

Documentation note: File the signed engagement letter referencing each procedure by letter code. Record the Province's acknowledgement that the procedures are appropriate (ISRS 4400.16(b)(ii)).

2. Perform Procedure A: arithmetic recalculation

Recalculate all totals in the declaration. The declared total is €487,200. The recalculated total is €487,200. No difference found.

Documentation note: Attach the recalculation working paper. Cross-reference to the declaration page and line numbers.

3. Perform Procedure B: trace to purchase invoices

For each of the 14 items above €10,000, obtain the purchase invoice and verify: (a) the amount matches the declaration, and (b) the invoice date falls within 1 January 2025 to 30 June 2025. Result: 13 of 14 items agreed without exception. One item (€18,400, supplier: Vos Materialen B.V., invoice dated 14 July 2025) has an invoice date outside the subsidy period.

Documentation note: Prepare a schedule listing each item, the invoice reference, the invoice date, and whether it agreed. Attach copies of all 14 invoices. Flag the exception with the specific invoice number and date.

4. Perform Procedure C: trace to bank statements

For the same 14 items, trace invoice payments to Dekker Bouw's bank statements. Result: 14 of 14 payments traced to ING bank statements. All payment dates fall within the subsidy period.

Documentation note: Attach the bank statement extracts with the relevant payment lines highlighted. Note the payment reference for each item in the schedule from Procedure B.

5. Perform Procedure D: compare categories to subsidy agreement

Compare the expenditure categories in the declaration (insulation materials, solar panel components, recycled steel, energy-efficient glazing) to the eligible categories in Annex 2 of the subsidy agreement. All four categories appear in Annex 2.

Documentation note: Attach a side-by-side comparison of the declaration categories and the Annex 2 eligible categories.

The working paper file contains four procedure schedules, each cross-referenced to source documents. One exception identified (invoice date outside the subsidy period for €18,400). The AUP report states this finding without concluding whether the expenditure is or isn't eligible. The Province draws that conclusion.

How to write the AUP report

ISRS 4400.30 lists the mandatory report elements. Missing any of them creates a non-compliant report that a regulator will flag.

The report must include: a title indicating it is a report of factual findings from agreed-upon procedures, the addressee, a description of the purpose and a statement that the procedures are those agreed with the engaging party, identification of the subject matter information, a description of each procedure performed and each factual finding, a statement that the engagement is not an audit or a review and that no assurance is expressed, a statement that the report is restricted to the engaging party and the intended users, the date of the report, and the practitioner's signature.

The restriction on distribution (ISRS 4400.30(k)) is a practical protection. Because the procedures were designed for a specific purpose, the findings may not make sense (or could be misleading) to someone who doesn't understand that purpose.

Findings are reported procedure by procedure, not summarised. Each procedure gets its own section in the report with the procedure described, followed by the finding. The language of each finding matters. Avoid any words that imply judgment or evaluation. "We found" is fine. "We noted" is fine. "We determined" implies a conclusion. "We observed that the amount was reasonable" implies assurance.

Under the revised standard, ISRS 4400.30(m) now permits the practitioner to include recommendations in the report if the engagement terms provide for it. This was not permitted under the old standard. Without that provision in the engagement terms, the recommendation stays out of the report.

Practical checklist for your next AUP engagement

1. Before accepting: confirm the engagement has a rational purpose (ISRS 4400.19(a)) and that the engaging party acknowledges the procedures as appropriate (ISRS 4400.16(b)(ii)). If the engaging party can't articulate why the procedures will answer their question, push back before signing the engagement letter.
2. Define each procedure so that a competent practitioner who wasn't in the planning meeting could perform it without asking clarifying questions. If you have to explain what "review" means in context, the procedure isn't specific enough (ISRS 4400.A20).
3. Agree the report format before starting work (ISRS 4400.21). Check whether the intended user has a prescribed template. Many Dutch provinces and funding bodies do.
4. Report findings per procedure, not as a summary. Each finding maps one-to-one to a procedure described in the engagement letter. State facts. Reserve conclusions for the engaging party.
5. If you cannot perform a procedure as agreed, document why and either agree an alternative with the engaging party or report the limitation (ISRS 4400.27).
6. Check whether the engagement terms permit recommendations (ISRS 4400.30(m)). If they don't, keep recommendations out of the report regardless of how obvious the fix is.

Common mistakes

• Blurring the line between findings and conclusions. The AFM has noted in its thematic reviews that AUP reports sometimes include language such as "the expenditure appears reasonable" or "no material discrepancies were noted," both of which imply assurance and violate ISRS 4400.14(b). Report what you found, not what you think it means.
• Using vague procedure descriptions. "Verify the completeness of the records" requires professional judgment about what "completeness" means in context. ISRS 4400.A20 requires procedures specific enough to be performed without subjective interpretation. Replace "verify completeness" with "compare the transaction listing to the general ledger and report any items in the ledger not present in the listing."
• Failing to restrict the report. ISRS 4400.30(k) requires a restriction on distribution. Omitting this exposes the firm to liability from unintended users who rely on the report for purposes the procedures weren't designed to address.

Related Ciferi content

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions

Further reading and source references

• IAASB Handbook 2024: The authoritative source for the complete ISRS 4400 (Revised) text.
• NBA Practice Note 1135: Dutch-specific guidance on applying ISRS 4400 (Revised) in the Netherlands, including subsidy engagements and government-mandated AUP work.
• ISRS 4410 (Revised): Compilation engagements. The other non-assurance standard, for when the client needs compiled financial information rather than factual findings.
• ISQM 1: Quality management requirements applicable to firms performing AUP engagements (ISRS 4400.35).