All business owners need to work with outside vendors, or third-party business owners, to keep business moving forward. Obviously, right? You can’t perform all tasks yourself, so you need to enlist some services and products through outside entities.

In the course of doing business with these important service and product providers, it is crucial that you keep your company’s information – whether internal information or your customers’ sensitive information – safe when working with third-parties through the adoption of some type of third-party risk management (TPRM) strategy.

Community Banking Connections shares its view of the relationship between the client and the third-party vendor, stating that “Significant effort is required from both the institution and the third-party vendor to maximize the benefits received from the relationship, service, or product, while simultaneously minimizing associated risks.”

Regardless of the efforts that companies put into their respective cybersecurity plans, threats are everywhere, and they are always changing. Security Intelligence confirms the risk, sharing their findings that reveal that any business has a 1-in-4 chance of falling prey to a cyberattack.

In spite of the risks, organizations need to work together for mutual and respective success. Reaching out to a company that provides a specialized service, product or delivery channel under the right terms, can greatly reduce costs. And vendors need to sell their services and wares in a safe environment, so it is important for both businesses to find common ground, for their own business’s sake, as well as for the sake of their customers, stakeholders and brand reputation.

A solid TPRM strategy offers you, as the client, some variation of the following criteria:

  • Guidance.
  • Scope.
  • Assessments.
  • Review.
  • Remediation Plan Support.

Is An Agreed-Upon Procedure or SOC 2 Audit the Right Third-Party Risk Management for Your Organization?

Agreed-upon procedures (AUP) and SOC 2 audits are the two most common tools that businesses use to manage TPRM, but how do business owners know which approach is correct? How do you know which one is right for your business?

What is an Agreed-Upon Procedure?

An AUP engagement is brokered between a client and a licensed CPA firm. The client might choose an AUP when following business procedures that require factual and unbiased information. Further, upon completion, the client will need to issue a report of findings, based on specific procedures that relate to a specific subject matter. The AUP must be performed according to AT Section 201 from the American Institute of Certified Public Accountants (AICPA).

The accountant merely issues a report of their findings without providing an opinion or negative assurance on the matter.

When Would You Use an Agreed-Upon Procedure?

There are several practical reasons a business may choose an AUP engagement over a SOC 2 audit, including the following:

Pursuing a Business Loan.

Banks often need objective and factually based assurances regarding your receivables and inventory, which will serve as collateral for your loan. Your accountant can examine your financial statements in order to generate an objective and candid report for the bank to review.

Maintaining Compliance.

If your organization is a non-profit or government agency, you need to make sure that you meet certain regulatory requirements.

Winning Contracts and Bids.

This is another case where an AUP is ideal for a government contractor that needs an account of your indirect costs during a specific time frame to help determine the rates and costs principles used in SOC 2 compliance with current regulations. A report of a comprehensive indirect cost allocation plan, as well as a job cost accounting system, can help you win and keep government contracts you need.

Compliance questions? Get answers!

Book a free 30-minute consultation with a specialist to find your path to compliance. Secure your spot today.


Verifying Income Tax Revisions.

Most businesses prefer to defer to the expertise of a reliable third-party auditor when it comes to dealing with the IRS. A CPA can go back through your returns, without the stress and anxiety you may be feeling, and find any errors and objectively note what occurred and how you may fix it.

Limiting Scope Reduces Fees.

By focusing one or two aspects of your business, you can save on CPA fees while maximizing the benefits of your review.

What is a SOC 2 Audit?

A SOC 2 audit report ensures the engaging companies that the 5 Trust Service Principles of Security, Availability, Processing Integrity, Confidentiality and Privacy are being addressed and adhered to by their service organization’s controls.

The SOC 2 auditor focuses on reviewing the controls at a service organization, according to the 5 Trust Service Principles:

  • Security.
  • Availability.
  • Processing Integrity.
  • Confidentiality.
  • Privacy.

Types of SOC 2 Audits for Service Organizations:

Type 1.

This audit examines the controls used by service organizations to address any one or all of the 5 Trust Service Principles and provides assurance that controls are designed and operating effectively to meet the desired objectives at a specific point in time.

Type 2.

The Type 2 SOC 2 audit includes all the same information as Type 1, but it includes additional attestation that a service organization’s controls are tested for operating effectiveness over a sustained period of time.

When Would You Use a SOC 2 Audit?

A SOC 2 audit is intended to meet the needs of a broad range of users that require detailed information and assurance regarding the controls at a service organization relating to the security, availability, and processing integrity of the systems used to process users’ data, as well as the confidentiality and privacy of the information processed by the systems.

A few of the most common reasons businesses need a SOC 2 audit include the following:

  • Organizational oversight
  • Vendor management programs
  • Internal corporate government and risk management issues
  • Regulatory compliance oversight

Related article: What’s the Difference? SOC 1 vs. SOC 2 Reporting

Do You Need Help Determining Whether an AUP or SOC 2 Audit Is What You Need?

We understand that the difference between these types of examinations and reports seem subtle and can be confusing. If you need help determining which procedure fits your current needs, our auditors at I.S. Partners, LLC. can help answer your questions.

Call us at 215-675-1400 or request a quote so we can discuss your company’s auditing requirements to help you get the result you need.

SOC 1®, SOC 2® and SOC 3® are registered trademarks of the AICPA (American Institute of Certified Public Accountants). The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.

About The Author

Related Content

Gain Deeper Insights

Get started

Get a quote today!

Fill out the form to schedule a free, 30-minute consultation with a senior-level compliance expert today!

Analysis of your compliance needs
Timeline, cost, and pricing breakdown
A strategy to keep pace with evolving regulations

Great companies think alike.

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Scroll to Top