There is a common scenario that plays out in finance teams across Saudi Arabia every year. A bank, a government authority, a grant administrator, or a contractual counterparty asks the company for an “audit” of something specific. The finance team calls their audit firm, requests a full audit, and ends up paying significantly more, waiting significantly longer, and receiving a deliverable that often does not actually match what the requesting party wanted in the first place. The disconnect comes down to a simple but widely misunderstood distinction. The requesting party may not have wanted a full audit at all. They may have needed an agreed-upon procedures engagement, which is a fundamentally different service governed by a fundamentally different professional standard.
This blog breaks down what these engagements actually are, how they differ from a full audit, when each makes sense, the Saudi-specific context that affects the choice, and how to determine which type of engagement your stakeholders actually need. It also covers the most common mistakes companies make in selecting between the two and how to avoid spending audit fees on a service that does not match the requirements.
The Core Distinction
The difference between an audit and a targeted verification engagement comes down to one word: assurance.
A full audit, governed by the International Standards on Auditing (ISA) as adopted by SOCPA, produces an opinion. The auditor evaluates financial statements against a recognized financial reporting framework, typically IFRS, and concludes whether those statements present a true and fair view. The resulting opinion is a form of reasonable assurance that any stakeholder can rely on to make decisions. The auditor takes professional responsibility for that opinion.
An agreed-upon procedures engagement, governed by International Standard on Related Services (ISRS) 4400 (Revised) as adopted by SOCPA, produces something completely different. The practitioner performs specific procedures that have been agreed in advance with the engaging party and any other relevant users, then reports only the factual findings. The practitioner does not provide an opinion, does not give assurance, and does not conclude. The responsibility for interpreting the findings and reaching conclusions stays with the user of the report.
What These Engagements Actually Look Like
In a targeted verification engagement, the engaging party and the practitioner sit down before the work begins and define exactly what will be done. The engagement letter specifies the nature of the engagement, the stated purpose, the specific information the procedures will be applied to, the exact procedures to be performed, the anticipated form of the report, and any limitations on use and distribution.
The procedures themselves are concrete and verifiable. Examples might include reconciling specific account balances to supporting documentation, confirming receivables with selected customers, recalculating specific computations such as zakat or VAT figures, verifying that certain documents exist and contain specified information, or testing whether transactions in a sample meet defined criteria. The practitioner does the work, documents what was found, and reports the factual findings without interpretation.
The output is a report of factual findings, not an audit opinion. The report typically lists each procedure that was performed and the corresponding finding. There is no conclusion stating whether anything is true and fair, free of material misstatement, or compliant with any framework. The user of the report draws their own conclusions from the factual findings.
Why Saudi Stakeholders Increasingly Request AUP Engagements
The Saudi Organization for Certified Public Accountants adopted the revised ISRS 4400 to align with international developments and to respond to the growing demand for agreed-upon procedures in the Kingdom. The revised standard expands the scope to include both financial and non-financial subject matter, makes the report clearer and more concise, and enhances consistency in how these engagements are performed. The result is a service that is well-suited to the kinds of specific verification needs that arise constantly in the Saudi business environment.
There are several common Saudi use cases where focused verification engagements are now preferred over a full audit.
Local content certification. The local content program in Saudi Arabia requires companies to demonstrate their local content percentage to qualify for certain government contracts and incentives. Practitioner reports are now commonly used to measure and support local content certificates, providing factual verification of the underlying data without the cost and scope of a full audit.
Grant and funding compliance. Government grants, industrial development funding, and similar programs often require verification that funds were used in accordance with grant terms. A focused engagement on the relevant transactions is more efficient than a full audit of the recipient organization.
Regulatory compliance reviews. Various Saudi regulatory bodies request specific verifications as part of their oversight activities. Rather than requiring a full audit, they may engage a practitioner to perform specific procedures on defined compliance items.
Legal and dispute support. These reports are sometimes used in legal disputes by being presented to judicial authorities to support a specific point of view. They can also be submitted to law enforcement or the Public Prosecution as independent reports supporting investigations.
Contractual verification between counterparties. When parties to a contract need to verify specific items such as revenue calculations for royalty payments, cost-sharing arrangements, or covenant compliance, a targeted engagement verifies without the overhead of a full audit.
Pre-investment or pre-acquisition verification. Buyers may request specific verification of items like inventory counts, receivables aging, or contract balances without commissioning a full due diligence audit.
Specific bank or lender requirements. Banks sometimes request verification of specific covenants, security values, or financial ratios rather than a full audited financial statement.
What a Full Audit Actually Covers
A full audit is a much broader engagement. The auditor plans and performs procedures to obtain reasonable assmurance that the financial statements as a whole are free from material misstatement, whether due to fraud or error. This involves understanding the entity and its environment, assessing risks, designing and performing audit procedures responsive to those risks, evaluating the appropriateness of accounting policies, and ultimately forming an opinion on the financial statements.
The audit deliverable is an audit report containing an opinion on the financial statements. This opinion gives stakeholders general-purpose assurance they can rely on for a wide variety of decisions, including investment, lending, regulatory compliance, and strategic partnerships. The audit report is a public-facing document that supports broad reliance, unlike a targeted report,t which is restricted to specific users.
When Each Engagement Type Makes Sense
The choice between an audit and a focused verification engagement depends on what the user of the report actually needs to know and how they intend to use the information. Here is a practical framework for making the right choice.
Choose a Full Audit When
The financial statements as a whole need to be reliable for broad use. If the report will be filed with the Ministry of Commerce, CMA, or another regulator that requires audited financial statements, only a full audit will satisfy the requirement.
Multiple stakeholders with different needs will rely on the report. When banks, investors, tax authorities, and contractual counterparties all need to use the same financial information, the broad assurance of an audit opinion is what enables that shared reliance.
Statutory requirements apply. Listed companies, banks, insurance companies, joint stock companies, and other entities with statutory audit requirements have no choice. The audit is mandatory regardless of cost or scope considerations.
Investor or lender confidence at the financial statement level is the primary need. When a company is raising capital, seeking a major loan, preparing for an IPO, or attracting strategic investors, the credibility of audited financial statements is essential.
Ongoing annual reliance is expected. Audits provide consistent year-over-year assurance that supports continuous business relationships and stakeholder confidence.
Choose Targeted Verification When
The need is for verification of specific items rather than overall financial statement assurance. If a stakeholder wants to verify a specific calculation, a specific population of transactions, or a specific compliance requirement, this approach is faster, cheaper, and more focused than an audit.
The engaging party can clearly specify what they need verified. This service works when the procedures can be defined precisely in advance. Vague requirements like “tell us whether everything looks okay” are not suitable for this engagement type.
The users of the report are limited and known. These reports are typically restricted to specified users who understand the procedures and can interpret the findings themselves. Wide public distribution is not the goal.
The subject matter is narrow. If only a slice of the financial information needs verification, this is the appropriate tool. Auditing the whole entity to verify one line item is wasteful.
The user wants factual findings rather than an opinion. Some stakeholders, particularly regulators and litigation support users, specifically want factual verification without the practitioner’s interpretation or conclusion.
Cost and time matter, er and the scope can be narrowed. These engagements are generally faster and less expensive than full audits because the scope is targeted rather than comprehensive. MFD Services regularly helps clients determine whether their actual need can be met with a more focused engagement before committing to a full audit.
The Saudi Regulatory Context
Both audit and focused verification engagements in Saudi Arabia operate within a tightly regulated professional framework. Understanding this context helps companies make better decisions about which engagement type to request.
The Saudi Organization for Certified Public Accountants (SOCPA) is the governing professional body. SOCPA has adopted both ISA for audits and ISRS 4400 Revised for agreed-upon procedures, ensuring consistency with international standards while adding Saudi-specific implementation guidance. Only practitioners licensed by SOCPA and registered with the Ministry of Commerce can perform either type of engagement.
The Ministry of Commerce governs company registration and supervises the registry of licensed auditors. It requires businesses to file financial data within six months of the fiscal year end and maintains the audit licensing framework.
The Capital Market Authority (CMA) regulates listed companies. CMA’s corporate governance regulations require audit committees in listed companies, set limits on auditor tenure, and create additional reporting requirements that interact with both engagement types.
Common Mistakes Companies Make
The wrong engagement choice creates real problems. Here are the most common mistakes and how to avoid them.
Requesting a Full Audit When a Targeted Engagement Would Suffice
This is the most common and most expensive mistake. A bank requests verification of a specific covenant calculation, and the finance team reflexively engages auditors to perform a full audit instead of a targeted review. The result is paying audit-level fees for a service that produces more than the bank actually needs. MFD Services frequently sees this pattern and works with clients to translate stakeholder requirements into the appropriate engagement type.
Requesting AUP When an Audit Is Actually Required
Some requirements legally mandate a full audit. Listed company filings, joint stock company annual statements, and certain regulatory submissions cannot be satisfied with factual finding reports regardless of cost or convenience. Companies that try to substitute the wrong engagement type for a required audit find themselves redoing the work later at additional cost.
Vague Procedure Specifications
Focused verification engagements depend on a precise specification of the procedures to be performed. When the engaging party cannot clearly articulate what they want verified, the resulting engagement either fails to meet the actual need or balloons in scope. Spending time upfront defining procedures clearly is essential.
Confusing AUP With Limited Assurance Reviews
A review engagement governed by ISRE 2400 provides limited assurance, which is different from both audit (reasonable assurance) and factual findings (no assurance). Some stakeholders ask for a “review” when they actually want either an audit or a targeted engagement. Clarifying which level of assurance the user actually needs avoids miscommunication.
Treating the Findings Report as an Audit Opinion
Some users of factual findings reports try to use them as if they were audit opinions. This misuse can mislead third parties and damage the credibility of the report. These reports contain factual findings, not opinions, and should be presented and used accordingly.
Failing to Document the Engagement Properly
Both audits and focused engagements require formal engagement letters that document the scope, responsibilities, fees, and deliverables. Skipping this step or using inadequate documentation creates disputes later. SOCPA standards and Saudi law require proper engagement letters for both engagement types.
Choosing the Wrong Practitioner
Not every SOCPA-licensed firm handles these engagements equally well. The revised ISRS 4400 standard has specific requirements that not all firms apply consistently. Working with practitioners who understand both the technical standards and the Saudi-specific applications produces better outcomes.
How to Determine What Your Stakeholders Actually Need
When a stakeholder asks for an “audit” of something, the first step is to translate that request into the appropriate engagement type. Here is the practical questioning framework that resolves most situations.
What decision will the report support? If the answer is broad reliance on financial statements as a whole, that points to a full audit. If it is a specific decision about a specific item, that often points to a targeted engagement.
Who needs to be able to rely on the report? Wide public reliance generally requires an audit. Limited reliance by specified users can be supported by a focused engagement.
Is the requirement statutory or contractual? Statutory requirements often specify the engagement type. Contractual requirements give more flexibility to choose the most efficient and appropriate engagement.
Can the verification be defined precisely? If yes, a focused engagement is feasible. If the requirement is vague or evolving, an audit may be more appropriate.
What level of assurance does the user actually need? Reasonable assurance points to audit. Factual verification points to a targeted engagement. Limited assurance points to a review engagement.
What is the budget and timeline? Targeted engagements are generally faster and less expensive. If those constraints matter and the scope allows, this option may be preferable.
Are there cross-cutting requirements? Sometimes a company needs both an audit for statutory purposes and one or more focused engagements for specific stakeholder needs. These can be coordinated to share underlying work where appropriate.
MFD Services helps Saudi companies navigate exactly these questions, working with clients to clarify stakeholder requirements before any engagement is commissioned. The goal is to match the engagement to the actual need, not the perceived need.
Cost and Time Implications
The practical differences between the two engagement types translate into high cost and time differences.
A full audit of a mid-sized Saudi company typically takes weeks to months, depending on complexity, with fees ranging from tens of thousands to hundreds of thousands of riyals based on entity size, complexity, and industry. Audits require substantial planning, risk assessment, internal control evaluation, substantive testing, and quality review. The scope is comprehensive.
For stakeholders whose needs can be met with a targeted engagement, the cost and time savings can be substantial. For stakeholders whose needs require a full audit, the comprehensive scope and broad assurance justify the higher investment. The mistake is not in choosing one over the other in general but in choosing the wrong one for the specific situation.
Conclusion
The distinction between an audit and an agreed-upon procedures engagement is one of the most practically important pieces of professional services knowledge a Saudi company can have. The two engagements are not interchangeable. They are governed by different professional standards, produce different deliverables, support different decisions, and carry different costs and time implications. Choosing the wrong one wastes money on engagements that exceed the requirement, or worse, produces deliverables that fail to meet stakeholder needs.
MFD Services helps Saudi companies make these decisions correctly, working with clients to clarify stakeholder requirements, structure engagements appropriately, and coordinate with SOCPA-licensed practitioners to deliver the right service for each situation. The goal is to ensure that companies pay for the assurance they actually need rather than overpaying for assurance they do not need or underpaying for assurance the situation requires. In a regulatory environment as structured as Saudi Arabia’s, getting this choice right is part of basic financial discipline.
Note: The above-mentioned services are provided via network firms if not provided directly.
Frequently Asked Questions
- Are the agreed-upon procedures recognized in Saudi Arabia? Yes, SOCPA has adopted the revised ISRS 4400 standard governing this type of engagement. Licensed SOCPA practitioners can perform these engagements for a wide range of Saudi business and regulatory purposes.
- Can a factual findings report be used instead of a full audit for statutory filings? Generally, no, statutory audit requirements for listed companies, banks, insurance companies, and joint stock companies require a full audit. Targeted reports cannot substitute for where the law mandates an audit opinion.
- How much cheaper are agreed-upon procedures compared to a full audit? Costs vary widely based on scope, but these engagements are typically significantly less expensive because they cover specific procedures rather than the entire financial statements. MFD Services can help estimate cost differences based on specific needs.
- Who can rely on a focused verification report? Only the parties specified in the engagement letter who agreed to the procedures can rely on the report. Unlike audit opinions, these reports are not designed for broad public reliance and have restricted distribution.
- What are common Saudi use cases for these engagements? Common uses include local content certification, grant and funding compliance verification, contractual covenant testing, regulatory compliance reviews, litigation and dispute support, and specific bank or counterparty verifications.