AU-C Section 250: Consideration of Laws and Regulations in an Audit of Financial Statements

"Introduction

Scope of This Section

.01 This section addresses the auditor's responsibility to consider laws and regulations in an audit of financial statements. This section does not apply to other assurance engagements in which the auditor is specifically engaged to test and report separately on compliance with specific laws or regulations.

Effect of Laws and Regulations

.02 The effect on financial statements of laws and regulations varies considerably. Those laws and regulations to which an entity is subject constitute the legal and regulatory framework. The provisions of some laws or regulations have a direct effect on the financial statements in that they determine the reported amounts and disclosures in an entity's financial statements. Other laws or regulations are to be complied with by management, or set the provisions under which the entity is allowed to conduct its business, but do not have a direct effect on an entity's financial statements. Some entities operate in heavily regulated industries (such as banks and chemical companies). Others are subject only to the many laws and regulations that relate generally to the operating aspects of the business (such as those related to occupational safety and health and equal employment opportunity). Noncompliance with laws and regulations may result in fines, litigation, or other consequences for the entity that may have a material effect on the financial statements.

Objectives

.10 The objectives of the auditor are to

a. obtain sufficient appropriate audit evidence regarding material amounts and disclosures in the financial statements that are determined by the provisions of those laws and regulations generally recognized to have a direct effect on their determination (see paragraph .06a),

b. perform specified audit procedures that may identify instances of noncompliance with other laws and regulations that may have a material effect on the financial statements (see paragraph .06b), and

c. respond appropriately to noncompliance or suspected noncompliance with laws and regulations identified during the audit."

"Responsibility of Management

.03 It is the responsibility of management, with the oversight of those charged with governance, to ensure that the entity's operations are conducted in accordance with the provisions of laws and regulations, including compliance with the provisions of laws and regulations that determine the reported amounts and disclosures in an entity's financial statements.

Responsibility of the Auditor

.04 The requirements in this section are designed to assist the auditor in identifying material misstatement of the financial statements due to noncompliance with laws and regulations. However, the auditor is not responsible for preventing noncompliance and cannot be expected to detect noncompliance with all laws and regulations.

.05 The auditor is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error. In conducting an audit of financial statements, the auditor takes into account the applicable legal and regulatory framework. Because of the inherent limitations of an audit, an unavoidable risk exists that some material misstatements in the financial statements may not be detected, even though the audit is properly planned and performed in accordance with generally accepted auditing standards (GAAS). In the context of laws and regulations, the potential effects of inherent limitations on the auditor's ability to detect material misstatements are greater for the following reasons:

• Many laws and regulations relating principally to the operating aspects of an entity typically do not affect the financial statements and are not captured by the entity's information systems relevant to financial reporting.

• Noncompliance may involve conduct designed to conceal it, such as collusion, forgery, deliberate failure to record transactions, management override of controls, or intentional misrepresentations made to the auditor.

• Whether an act constitutes noncompliance is ultimately a matter for legal determination, such as by a court of law. Ordinarily, the further removed noncompliance is from the events and transactions reflected in the financial statements, the less likely the auditor is to become aware of, or recognize, the noncompliance.

.06 This section distinguishes the auditor's responsibilities regarding compliance with the following two categories of laws and regulations:

a. The provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements, such as tax and pension laws and regulations (see paragraph .13)

b. The provisions of other laws and regulations that do not have a direct effect on the determination of the amounts and disclosures in the financial statements but compliance with which may be

i. fundamental to the operating aspects of the business,

ii. fundamental to an entity's ability to continue its business, or

iii. necessary for the entity to avoid material penalties (for example, compliance with the terms of an operating license, regulatory solvency requirements, or environmental regulations); therefore, noncompliance with such laws and regulations may have a material effect on the financial statements (see paragraph .14).

.07 In this section, differing requirements are specified for each of the previously mentioned categories of laws and regulations. For the category referred to in paragraph .06a, the auditor's responsibility is to obtain sufficient appropriate audit evidence regarding material amounts and disclosures in the financial statements that are determined by the provisions of those laws and regulations. For the category referred to in paragraph .06b, the auditor's responsibility is limited to performing specified audit procedures that may identify noncompliance with those laws and regulations that may have a material effect on the financial statements.

.08 The auditor is required by this section to remain alert to the possibility that other audit procedures applied for the purpose of forming an opinion on financial statements may bring instances of identified or suspected noncompliance with laws and regulations to the auditor's attention. Maintaining professional skepticism throughout the audit, as required by section 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards, is important in this context, given the extent of laws and regulations that affect the entity."

".12 As part of obtaining an understanding of the entity and its environment, in accordance with section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, the auditor should obtain a general understanding of the following:5 (Ref: par. .A8)

a. The legal and regulatory framework applicable to the entity and the industry or sector in which the entity operates

b. How the entity is complying with that framework

.13 The auditor should obtain sufficient appropriate audit evidence regarding material amounts and disclosures in the financial statements that are determined by the provisions of those laws and regulations generally recognized to have a direct effect on their determination (see paragraph .06a). (Ref: par. .A9–.A11)

.14 The auditor should perform the following audit procedures that may identify instances of noncompliance with other laws and regulations that may have a material effect on the financial statements (see paragraph .06b): (Ref: par. .A12–.A15)

a. Inquiring of management and, when appropriate, those charged with governance about whether the entity is in compliance with such laws and regulations

b. Inspecting correspondence, if any, with the relevant licensing or regulatory authorities (Ref: par. .A16)

.15 During the audit, the auditor should remain alert to the possibility that other audit procedures applied may bring instances of noncompliance or suspected noncompliance with laws and regulations to the auditor's attention. (Ref: par. .A17–.A18)

.16 In the absence of identified or suspected noncompliance, the auditor is not required to perform audit procedures regarding the entity's compliance with laws and regulations, other than those set out in paragraphs .12–.15 of this section and the requirement in section 580, Written Representations, related to requesting written representations from management regarding the entity's compliance with laws and regulations."

".17 If the auditor becomes aware of information concerning an instance of noncompliance or suspected noncompliance with laws and regulations, the auditor should obtain (Ref: par. .A19–.A20)

a. an understanding of the nature of the act and the circumstances in which it has occurred and

b. further information to evaluate the possible effect on the financial statements. (Ref: par. .A21)

.18 If the auditor suspects noncompliance may exist, the auditor should discuss the matter with management (at a level above those involved with the suspected noncompliance, if possible) and, when appropriate, those charged with governance. If management or, as appropriate, those charged with governance do not provide sufficient information that supports that the entity is in compliance with laws and regulations and, in the auditor's professional judgment, the effect of the suspected noncompliance may be material to the financial statements, the auditor should consider the need to obtain legal advice. (Ref: par. .A22–.A23)

.19 If sufficient information about suspected noncompliance cannot be obtained, the auditor should evaluate the effect of the lack of sufficient appropriate audit evidence on the auditor's opinion.

.20 The auditor should evaluate the implications of noncompliance in relation to other aspects of the audit, including the auditor's risk assessment and the reliability of written representations, and take appropriate action. (Ref: par. .A24–.A25)"

"Reporting Noncompliance to Those Charged With Governance

.21 Unless all of those charged with governance are involved in management of the entity and aware of matters involving identified or suspected noncompliance already communicated by the auditor, the auditor should communicate with those charged with governance matters involving noncompliance with laws and regulations that come to the auditor's attention during the course of the audit, other than when the matters are clearly inconsequential. (Ref: par. .A26)

.22 If, in the auditor's professional judgment, the noncompliance referred to in paragraph .21 is believed to be intentional and material, the auditor should communicate the matter to those charged with governance as soon as practicable.

.23 If the auditor suspects that management or those charged with governance are involved in noncompliance, the auditor should communicate the matter to the next higher level of authority at the entity, if it exists. When no higher authority exists, or if the auditor believes that the communication may not be acted upon or is unsure about the person to whom to report, the auditor should consider the need to obtain legal advice.

Reporting Noncompliance in the Auditor’s Report on the Financial Statements

.24 If the auditor concludes that the noncompliance has a material effect on the financial statements, and it has not been adequately reflected in the financial statements, the auditor should, in accordance with section 705A, Modifications to the Opinion in the Independent Auditor's Report, express a qualified or adverse opinion on the financial statements. (Ref: par. .A27)

.25 If the auditor is precluded by management or those charged with governance from obtaining sufficient appropriate audit evidence to evaluate whether noncompliance that may be material to the financial statements has, or is likely to have, occurred, the auditor should express a qualified opinion or disclaim an opinion on the financial statements on the basis of a limitation on the scope of the audit, in accordance with section 705A. (Ref: par. .A27)

.26 If the auditor is unable to determine whether noncompliance has occurred because of limitations imposed by the circumstances rather than by management or those charged with governance, the auditor should evaluate the effect on the auditor's opinion, in accordance with section 705A.

Reporting Noncompliance to Regulatory and Enforcement Authorities

.27 If the auditor has identified or suspects noncompliance with laws and regulations, the auditor should determine whether the auditor has a responsibility to report the identified or suspected noncompliance to parties outside the entity. (Ref: par. .A28–.A29)"

".28 The auditor should include in the audit documentation a description of the identified or suspected noncompliance with laws and regulations and the results of discussion with management and, when applicable, those charged with governance and other parties inside or outside the entity. (Ref: par. .A30)"