7511 Responsibilities in relation to laws and regulations
Sep-2022

CAS Objective

The objectives of the auditor are (CAS 250.11):

(a) To obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements;

(b) To perform specified audit procedures to help identify instances of non‑compliance with other laws and regulations that may have a material effect on the financial statements; and

(c) To respond to identified or suspected non‑compliance with laws and regulations identified during the audit.

Effect of laws and regulations

CAS Guidance

The effect on financial statements of laws and regulations varies considerably. Those laws and regulations to which an entity is subject constitute the legal and regulatory framework. The provisions of some laws or regulations have a direct effect on the financial statements in that they determine the reported amounts and disclosures in an entity’s financial statements. Other laws or regulations are to be complied with by management or set the provisions under which the entity is allowed to conduct its business but do not have a direct effect on an entity’s financial statements. Some entities operate in heavily regulated industries (such as banks and chemical companies). Others are subject only to the many laws and regulations that relate generally to the operating aspects of the business (such as those related to occupational safety and health, and equal employment opportunity). Non‑compliance with laws and regulations may result in fines, litigation or other consequences for the entity that may have a material effect on the financial statements. (CAS 250.2).

Definition of non‑compliance

CAS Guidance

For the purposes of CAS 250, the following term has the meaning attributed below:

Non-compliance—Acts of omission or commission, intentional or unintentional, committed by the entity, or by those charged with governance, by management or by other individuals working for or under the direction of the entity, which are contrary to the prevailing laws or regulations. Non‑compliance does not include personal misconduct unrelated to the business activities of the entity (CAS 250.12).

Acts of non‑compliance with laws and regulations include transactions entered into by, or in the name of, the entity, or on its behalf, by those charged with governance, by management or by other individuals working for or under the direction of the entity (CAS 250.A9).

Non-compliance also includes personal misconduct related to the business activities of the entity, for example, in circumstances where an individual in a key management position, in a personal capacity, has accepted a bribe from a supplier of the entity and in return secures the appointment of the supplier to provide services or contracts to the entity (CAS 250.A10).

Management responsibilities

CAS Guidance

It is the responsibility of management, with the oversight of those charged with governance, to ensure that the entity’s operations are conducted in accordance with the provisions of laws and regulations, including compliance with the provisions of laws and regulations that determine the reported amounts and disclosures in an entity’s financial statements. (CAS 250.3).

It is the responsibility of management, with the oversight of those charged with governance, to ensure that the entity’s operations are conducted in accordance with laws and regulations. Laws and regulations may affect an entity’s financial statements in different ways: for example, most directly, they may affect specific disclosures required of the entity in the financial statements or they may prescribe the applicable financial reporting framework. They may also establish certain legal rights and obligations of the entity, some of which will be recognized in the entity’s financial statements. In addition, laws and regulations may impose penalties in cases of non‑compliance. (CAS 250.A1).

The following are examples of the types of policies and procedures an entity may implement to assist in the prevention and detection of non‑compliance with laws and regulations (CAS 250.A2):

  • Monitoring legal requirements and ensuring that operating procedures are designed to meet these requirements;
  • Instituting and operating appropriate systems of internal control;
  • Developing, publicizing and following a code of conduct;
  • Ensuring employees are properly trained and understand the code of conduct;
  • Monitoring compliance with the code of conduct and acting appropriately to discipline employees who fail to comply with it;
  • Engaging legal advisors to assist in monitoring legal requirements;
  • Maintaining a register of significant laws and regulations with which the entity has to comply within its particular industry and a record of complaints.

In larger entities, these policies and procedures may be supplemented by assigning appropriate responsibilities to the following:

  • An internal audit function.
  • An audit committee.
  • A compliance function.

Auditor responsibilities

CAS Guidance

The requirements in CAS 250 are designed to assist the auditor in identifying material misstatement of the financial statements due to non‑compliance with laws and regulations. However, the auditor is not responsible for preventing non‑compliance and cannot be expected to detect non‑compliance with all laws and regulations. (CAS 250.4).

The auditor is responsible for obtaining reasonable assurance that the financial statements, taken as a whole, are free from material misstatement, whether due to fraud or error. In conducting an audit of financial statements, the auditor takes into account the applicable legal and regulatory framework. Owing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements in the financial statements may not be detected, even though the audit is properly planned and performed in accordance with the CASs. In the context of laws and regulations, the potential effects of inherent limitations on the auditor’s ability to detect material misstatements are greater for such reasons as the following (CAS 250.5):

  • There are many laws and regulations, relating principally to the operating aspects of an entity, that typically do not affect the financial statements and are not captured by the entity’s information systems relevant to financial reporting.
  • Non-compliance may involve conduct designed to conceal it, such as collusion, forgery, deliberate failure to record transactions, management override of controls or intentional misrepresentations being made to the auditor.
  • Whether an act constitutes non‑compliance is ultimately a matter to be determined by a court or other appropriate adjudicative body.

Ordinarily, the further removed non‑compliance is from the events and transactions reflected in the financial statements, the less likely the auditor is to become aware of it or to recognize the non‑compliance.

The auditor may have additional responsibilities under law, regulation or relevant ethical requirements regarding an entity’s non‑compliance with laws and regulations, which may differ from or go beyond this CAS, such as (CAS 250.9):

(a) Responding to identified or suspected non‑compliance with laws and regulations, including requirements in relation to specific communications with management and those charged with governance, assessing the appropriateness of their response to non‑compliance and determining whether further action is needed;

(b) Communicating identified or suspected non‑compliance with laws and regulations to other auditors (e.g., in an audit of group financial statements); and

(c) Documentation requirements regarding identified or suspected non‑compliance with laws and regulations.

Complying with any additional responsibilities may provide further information that is relevant to the auditor’s work in accordance with this and other CASs (e.g., regarding the integrity of management or, where appropriate, those charged with governance).

Law, regulation or relevant ethical requirements may require the auditor to perform additional procedures and take further actions. For example, the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants (IESBA Code) requires the auditor to take steps to respond to identified or suspected non‑compliance with laws and regulations and determine whether further action is needed. Such steps may include the communication of identified or suspected non‑compliance with laws and regulations to other auditors within a group, including a group engagement partner, component auditors or other auditors performing work at components of a group for purposes other than the audit of the group financial statements (CAS 250.A8).

OAG Guidance

CAS 250 provides the requirements and guidance relevant to our responsibility in the audit of financial statements, which primarily remains to perform audit procedures designed to assess and respond to the risk of material misstatement of the financial statements due to non‑compliance with laws and regulations.

As explained in OAG Audit 7513, in circumstances where we identify material instances of non‑compliance, the engagement leader shall consult with the Internal Specialist - Compliance with Authorities and Legal Services.

We obtain an understanding of the legal and regulatory framework applicable to the entity and its industry as part of understanding the entity and its environment in accordance with CAS 315.19. Refer to OAG Audit 5024 for further guidance. This forms a basis for our understanding of how management considers the risks of non‑compliance with laws and regulations and how they respond to those risks.

We then perform further risk assessment procedures to identify any risks of non‑compliance and obtain sufficient evidence over the entity’s compliance with laws and regulations that have a direct effect on the financial statements in accordance with CAS 250.

When, based on the procedures performed, actual or suspected instances of non‑compliance with laws and regulations are identified, we perform further audit procedures in the procedure ‘Evaluate potential impact of non‑compliance with laws and regulations’.

Other considerations

CAS Guidance

The auditor is required by CAS 250 to remain alert to the possibility that other audit procedures applied for the purpose of forming an opinion on financial statements may bring instances of non‑compliance to the auditor’s attention. Maintaining professional skepticism throughout the audit, as required by CAS 200, is important in this context, given the extent of laws and regulations that affect the entity. (CAS 250.8).

Non-compliance by the entity with laws and regulations may result in a material misstatement of the financial statements. Detection of non‑compliance, regardless of materiality, may affect other aspects of the audit including, for example, the auditor’s consideration of the integrity of management, those charged with governance or employees (CAS 250.A3).

Whether an act constitutes non‑compliance with laws and regulations is a matter to be determined by a court or other appropriate adjudicative body, which is ordinarily beyond the auditor’s professional competence to determine. Nevertheless, the auditor’s training, experience and understanding of the entity and its industry or sector may provide a basis to recognize that some acts, coming to the auditor’s attention, may constitute non‑compliance with laws and regulations (CAS 250.A4).

In accordance with specific statutory requirements, the auditor may be specifically required to report, as part of the audit of the financial statements, on whether the entity complies with certain provisions of laws or regulations. In these circumstances, CAS 700 or CAS 800 deal with how these audit responsibilities are addressed in the auditor’s report. Furthermore, where there are specific statutory reporting requirements, it may be necessary for the audit plan to include appropriate tests for compliance with these provisions of the laws and regulations. (CAS 250.A5).

OAG Guidance

In evaluating the materiality of non‑compliance, consider both the quantitative and qualitative materiality of the act.

Given the role of the Office as legislative auditor, compliance with authorities is an integral part of all annual financial audits including the audit of the financial statements of the Government of Canada, of Crown corporations, territorial governments and corporations as well as of other entities.

For further guidance see OAG Audit 11000.

Group audit considerations

OAG Guidance

Audit Instructions to other OAG audit teams

When we audit the parent company and other OAG teams audit a component, matters related to the component need to be communicated to the group engagement team. The involvement of other audit teams necessitates establishing an understanding among the engagement teams of the nature of potential non‑compliance that needs to be brought to the group engagement team’s attention and the procedures to be followed in consideration of the possibility that potential non‑compliance may have occurred. Other audit teams acting as component auditors may not be in a position to judge the extent to which the parent company may be obliged to disclose illegal or otherwise improper acts of which they may become aware. In some cases, it may be helpful to refer the other teams to the parent company’s business ethics policies for guidance. Guidance on the preparation of instructions for group audits is contained in OAG Audit 2300.

Audit Instructions to Component Auditors from External Firms

When we are the group auditor and an external firm participates in the engagement, consider establishing an understanding with the component auditors on matters such as the following:

  • The nature of questionable transactions, based on our laws and other requirements, the possible occurrence of which they need to be aware of in planning and executing their work.
  • The nature of any special procedures we may require, such as having the component auditors review the component’s written policies regarding business ethics for apparent omissions and conformity with parent company policies and reviewing other related internally generated communications available at the local level for apparent indications of non‑compliance with such policies.
  • The procedures to be followed when questionable acts come to their attention, including the need to report such acts immediately to the engagement team examining the consolidated (or parent company) financial statements together with information on all of the relevant circumstances.

Instructions for the performance of specific auditing procedures, such as a review of disbursements for the year, need to clearly state whether the procedures are intended to be part of the normal examination or represent a request for special work. Request the parent company to communicate with its affiliate as to the nature of any special work to be undertaken.

Responding to Non‑compliance with Laws and Regulations

Where component auditors or other auditors performing audits of a component’s financial statements for purposes other than the group audit (e.g., statutory audit) become aware of non‑compliance or suspected non‑compliance in relation to the component, in addition to responding to the matter, the component auditor or other auditor needs to communicate it to the group engagement leader unless prohibited from doing so by law or regulation.

Where the group engagement leader becomes aware of non‑compliance or suspected non‑compliance in the course of an audit of group financial statements (including as a result of being informed of such a matter by a component auditor or other auditor), in addition to responding to the matter in the context of the group audit, the group engagement leader needs to consider whether the matter may be relevant to one or more components and communicate with auditors performing work at those components unless prohibited from doing so by law or regulation.