TPL-AUP — Agreed-Upon Procedures (ISRS 4400)
No assurance. No opinion. The auditor performs specific procedures the client + intended user agreed to in writing, and reports factual findings. Common for cost claims, reconciliations, royalty checks, JV settlements, regulatory single-statement compliance.
What AUP is — and isn't
| Aspect | AUP | Audit |
|---|---|---|
| Procedures defined by | Client + user agreement | Auditor (per ISA standards) |
| Output | Factual findings report ("we performed X, found Y") | Opinion / conclusion |
| Assurance | None | Reasonable / limited |
| Distribution | Restricted to named user | Listed entities: public; SME: restricted |
| Hours | 10-50 | 30-500 |
Template metadata
| code | TPL-AUP |
| requires_workpapers | 0 |
| est_total_hours | 10-50 |
| typical duration | 1-3 weeks |
| deliverables | AUP report (factual findings) · evidence file |
Step-by-step
Agree the procedures in writing
The engagement letter must list every specific procedure (e.g. "trace 25 invoices to bank receipt"). Both client + intended user (e.g. lender) sign. This list IS the work scope.
Perform exactly what was agreed
No more, no less. If you spot a problem outside the agreed procedures — note it but don't extend without amending the agreement.
Document factually
Each procedure → finding. "We selected 25 invoices and traced to bank receipt. 24 matched; 1 had OMR 250 difference (Inv #4521)."
Draft the report
Use ISRS 4400 wording. Procedure-by-procedure findings table. No conclusion / opinion / recommendation. Restricted Use paragraph.
Issue + invoice
Sent only to the named user. Client + intended user are typically copied.
Resist the urge to write "in our opinion" or "we conclude". AUP gives no assurance — your report says only what you did and what you found. Drafting an opinion in an AUP report exposes you to claims of unintended assurance.
AUP is fee-per-procedure. If client adds 5 more procedures mid-engagement, amend the engagement letter + raise an additional invoice. Don't absorb scope creep — the explicit-procedure design makes "out of scope" easy to justify.
Common AUP scenarios you'll see in Oman
| Scenario | Typical procedures | Intended user |
|---|---|---|
| Cost-claim verification (lender or grant) | Trace claimed costs to invoices · check VAT correctness · agree to bank statement | Lender / grant authority |
| Royalty / commission audit (franchise / distributor) | Recompute royalty per contract clause · sample sales invoices · check exclusions | Royalty owner |
| JV settlement / partner exit | Verify capital account · trace contributions/distributions · agree closing TB | Outgoing partner / JV co |
| Single-statement compliance (e.g. revenue cert) | Sample revenue · trace to ledger · agree to filed VAT | Regulator / lender |
| Tenant rent-share audit | Recompute landlord's share per lease · sample tenant sales · agree to deposits | Landlord |
Worked example — royalty audit
Engagement: Verify 2025 royalty payable by Distributor X to Brand Y per
distribution agreement clause 7.2 (8% of net sales).
Procedures (signed by both):
P1. Obtain audited 2025 P&L. Compute "net sales" per agreement
definition (gross sales − returns − discounts).
P2. Recompute royalty = net_sales × 8%.
P3. Sample 25 sales invoices; trace to general ledger.
P4. Trace royalty payments made during 2025 to bank statements.
P5. Reconcile balance owed at year-end.
Findings:
P1. Net sales OMR 1,247,300.
P2. Royalty owed = 99,784.
P3. 24 of 25 traced; 1 invoice (Inv #2847, OMR 4,200) not in GL —
noted as exception.
P4. Royalty payments in 2025: OMR 75,000 (4 quarterly).
P5. Balance owed at 31-Dec-2025: OMR 24,784 (excluding P3 exception).
Report restricted use: Brand Y management only.
No conclusion expressed. No assurance provided.
The 3 seeded tasks (system task list)
| # | Task | Phase | Days |
|---|---|---|---|
| 1 | Define + agree procedures with client & intended user | Planning | 2-3 |
| 2 | Perform agreed procedures · gather evidence · document findings | Fieldwork | 7-10 |
| 3 | Draft & issue factual-findings report (ISRS 4400 wording) | Reporting | 2-3 |
Common pitfalls
"Review revenue" is too vague. Write "Sample 25 invoices, trace to GL, check VAT, recompute net of returns." Each procedure must be testable + specific.
Don't write "in our opinion", "we conclude", "we are satisfied". Just "we performed X. We found Y." That's it.
The report is restricted-use. If the client wants to share it with their bank, the bank needs to be added to the engagement letter as an additional intended user — and likely re-perform some procedures.
Hours per procedure should match the engagement-letter estimate. Material overruns mean the procedures were under-scoped — record + invoice the variance.
AUP engagements use the same job RBAC matrix: super_admin/partner all-scope, manager department-scope, senior+staff_auditor 'assigned' scope (only the team member sees the job). The intended user typically does NOT get system access — they receive the final factual-findings PDF only.