Learning Outcomes
After reading this article, you will be able to distinguish the responsibilities of management and auditors regarding compliance with laws and regulations under ISA 250. You will learn to identify sources of non-compliance risk, describe required audit procedures, explain reporting requirements when breaches are found, and analyse scenarios for how non-compliance affects the auditor’s report. You will also be prepared to avoid common exam mistakes about the boundaries of the auditor’s responsibilities.
ACCA Audit and Assurance (AA) Syllabus
For ACCA Audit and Assurance (AA), you are required to understand how compliance with laws and regulations is considered in an audit. This article focuses on the following areas:
- The distinction between management’s and the auditor’s responsibilities regarding compliance with laws and regulations (ISA 250).
- The audit procedures used to identify and assess risks of non-compliance.
- How auditors respond when non-compliance is identified or suspected, including investigation, communication and reporting.
- The effect of non-compliance on the audit opinion and the auditor’s report.
- Documentation and ethical considerations, including confidentiality and public interest disclosure.
Test Your Knowledge
Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.
- Who is primarily responsible for ensuring an entity’s compliance with applicable laws and regulations?
- What audit procedures should be performed to identify possible non-compliance that could impact the financial statements?
- If an auditor discovers material non-compliance affecting the financial statements and management refuses to correct it, what type of audit opinion may be appropriate?
- Name TWO examples of audit steps when there is suspicion, but not confirmation, of non-compliance with laws or regulations.
Introduction
Compliance with laws and regulations is critical for all entities and underpins the integrity of financial statements. While management is ultimately responsible for legally compliant operations, auditors must consider legal compliance when conducting an audit. International Standard on Auditing (ISA) 250 guides auditors in identifying, assessing, and responding to possible non-compliance and explains how such situations affect the audit report.
Key Term: non-compliance
Acts of omission or commission, either intentional or unintentional, by the entity that are contrary to prevailing laws or regulations and could have a material impact on the financial statements.
Auditor and Management Responsibilities
Responsibilities of Management
Management, with oversight from those charged with governance, is responsible for establishing systems and controls to ensure compliance with relevant laws and regulations. This includes:
- Ensuring operations are lawful.
- Preparing financial statements in line with applicable legal and regulatory requirements.
- Disclosing instances of known or suspected non-compliance to the auditor.
Key Term: those charged with governance
Individuals or groups with responsibility for overseeing an entity’s strategic direction and obligations related to accountability, including financial reporting.
Auditor’s Responsibilities
Auditors are required to plan and perform audits to obtain reasonable assurance about whether the financial statements are free from material misstatement, including those caused by non-compliance. However, auditors are not responsible for preventing non-compliance or for identifying all possible breaches.
Key Term: reasonable assurance
A high level of confidence, but not absolute certainty, that the financial statements are free of material misstatement.
Types of Laws and Regulations
ISA 250 distinguishes two categories:
- Direct-effect laws and regulations: those that impact numbers or disclosures in the financial statements (e.g., tax, pension, financial reporting requirements).
- Other laws and regulations: those that do not directly affect the statements but might jeopardize the business (e.g., health and safety, environmental, data protection).
Auditors must obtain sufficient, appropriate evidence for direct-effect laws and regulations. For other laws and regulations, auditors must remain alert to possible undisclosed or undetected non-compliance that could have major consequences (such as license withdrawal or significant fines).
Audit Procedures for Compliance
The auditor must:
- Acquire a basic understanding of the legal and regulatory framework relevant to the entity and industry.
- Understand how the entity maintains compliance.
- Perform the following procedures:
  - Enquire with management and those charged with governance about compliance and possible breaches.
  - Review correspondence with regulators or authorities.
  - Inspect board minutes and other internal documents for evidence of non-compliance discussions.
  - Obtain written representations confirming that all known events of non-compliance have been disclosed.
If suspicion arises during the course of other audit procedures, the auditor must investigate further to ascertain possible impacts on the financial statements.
Worked Example 1.1
Scenario:
During an audit of Delta Co, the auditor notices references to a regulatory fine in the board minutes, but the fine is not disclosed in the draft accounts.
Answer:
The auditor should enquire with management about the nature of the fine, inspect supporting correspondence and legal advice, and evaluate whether the omission materially affects the financial statements. If it is material, management should amend the disclosures; if management refuses, the auditor should consider the impact on the audit opinion.
Investigating and Responding to Non-Compliance
Where potential non-compliance is suspected, auditors must:
- Understand the exact circumstances and obtain further information.
- Evaluate the impact on the financial statements (e.g., additional liabilities, impairment, or going concern).
- Enquire with management and in-house lawyers.
- Inspect additional correspondence and seek confirmation of key facts.
- Consider direct communication with external legal counsel where necessary.
If non-compliance is confirmed or likely, determine whether management’s response is adequate and the implications for the audit opinion.
Reporting Requirements
Internally
Report identified or suspected non-compliance to management and, if necessary, to those charged with governance, unless they are implicated.
If management is involved, escalate to higher authorities within the entity, such as the board or audit committee.
Externally
The auditor generally has a duty of confidentiality but may have legal or professional obligations to report certain non-compliance to external authorities (e.g., regulatory breach, money laundering, or public safety issues).
Key Term: public interest disclosure
Disclosure of information to an external party because withholding endangers the public or breaches legal/ethical duties.
Impact on the Audit Opinion
If a material effect on the financial statements exists and management does not correct it:
- Issue a qualified or adverse opinion for material misstatement.
- If sufficient evidence about the effect of non-compliance cannot be obtained, consider a qualified opinion or disclaimer of opinion for a limitation on scope.
If the non-compliance does not materially affect the financial statements but is fundamental to users’ understanding, an Emphasis of Matter or Material Uncertainty paragraph may be included.
Worked Example 1.2
Scenario:
An audit client has an unrecorded legal penalty for breaching employment law. The amount is material. The directors refuse to adjust the accounts or disclose the breach.
Answer:
The auditor should qualify the opinion due to material misstatement, since the financial statements are not in accordance with the applicable legal requirements and omitting the penalty misstates liabilities.
Exam Warning
Do not confuse the auditor’s responsibilities with preventing non-compliance or uncovering every legal breach. The auditor is responsible for detecting material misstatements, not for policing all regulatory issues.
Documentation and Ethics
All identified or suspected non-compliance and management’s responses must be documented, including:
- The matter itself and details of discussions.
- The results of any investigations.
- Decisions about communication, both internal and external.
- The rationale for how non-compliance and any consequences for the audit opinion were addressed.
Summary Table – Auditor Response and Reporting
| Nature of Non-Compliance | Audit Action | Impact on Audit Report |
|---|---|---|
| Direct-effect law, material and uncorrected | Require correction; otherwise qualify or modify opinion | Qualified/adverse/disclaimer |
| Other law, no FS impact but significant for business | Inform those charged with governance; consider going concern disclosure | Material Uncertainty or Emphasis |
| Uncertainty, unable to obtain evidence | Attempt further procedures; if unresolved, consider limitation | Qualified/disclaimer |
Key Point Checklist
This article has covered the following key knowledge points:
- Distinguish between direct-effect and other laws and regulations.
- Describe management’s and the auditor’s respective responsibilities for compliance.
- List audit procedures for detecting non-compliance.
- State how to respond and report when instances of (suspected) non-compliance occur.
- Explain the possible impacts on the auditor’s report and types of modified opinion.
- Understand documentation and ethical considerations related to reporting non-compliance.
Key Terms and Concepts
- non-compliance
- those charged with governance
- reasonable assurance
- public interest disclosure