ISA 250 Consideration of Laws and Regulations in an Audit
ISA 250 sets out the auditor's responsibilities regarding laws and regulations. This guide covers the two categories of laws, required procedures, and how auditors respond when non-compliance is identified.
Non-compliance with laws and regulations can be a material audit issue — not because it always affects the numbers directly, but because the consequences (regulatory penalties, licence revocation, litigation) can be severe. ISA 250 sets out what auditors are required to do, and the critical distinction between two very different categories of law.
Two Categories of Laws and Regulations
ISA 250 draws a sharp distinction. Category 1 consists of laws and regulations that have a direct effect on material amounts and disclosures in the financial statements — tax laws, pension legislation, specific sector regulations. For these, the auditor must obtain sufficient appropriate evidence that the entity has complied. Category 2 covers all other laws whose breach could result in significant financial consequences (penalties, litigation, reputational damage) even though they don't directly determine financial statement amounts — health and safety laws, environmental regulations, data protection, licensing requirements. For these, the auditor performs specified procedures but does not provide assurance on compliance. The difference matters: the audit does not provide assurance that the entity has complied with all laws.
Required Procedures
The auditor must obtain a general understanding of the legal and regulatory framework applicable to the entity and the industry. They must identify Category 1 laws and obtain evidence of compliance. They must enquire of management and, where appropriate, those charged with governance about actual or suspected non-compliance. And throughout the audit, they must remain alert to indications of non-compliance in evidence examined for other purposes.
When Non-Compliance Is Identified
When non-compliance is identified or suspected, the auditor must obtain an understanding of the nature and circumstances of the act and evaluate the potential effect on the financial statements. If material and not properly disclosed, a qualified or adverse opinion may be required. Management must be informed (unless they are implicated), and the matter must be escalated to those charged with governance.
Reporting to Regulators
In some jurisdictions and sectors (financial services, charities, public sector), auditors have statutory duties to report certain matters directly to regulators, overriding normal client confidentiality. Auditors must be aware of these obligations in their specific context.
Learnsignal Education Team

