Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
7513 Actions on discovery of possible non-compliance with laws and regulations
Jun-2020
In This Section
Actions on discovery of potential non-compliance
Communication with management and those charged with governance
Overview
This topic explains:
-
What actions are necessary on discovery of potential non‑compliance with laws and regulations;
-
What is to be communicated to management and those charged with governance regarding the non‑compliance with laws and regulations;
-
What audit documentation is necessary and where to file the documentation in the audit file;
-
What are the effects of non‑compliance with laws and regulations on our risk assessment and on our written representations.
CAS Requirement
If the auditor becomes aware of information concerning an instance of non‑compliance or suspected non‑compliance with laws and regulations, the auditor shall obtain (CAS 250.19):
(a) An understanding of the nature of the act and the circumstances in which it has occurred; and
(b) Further information to evaluate the possible effect on the financial statements.
OAG Policy
When material instances of non-compliance are identified the engagement leader shall consult with the Internal Specialist-Compliance with Authorities and Legal Services. [Nov‑2015]
Other than when the matters are clearly inconsequential, where the engagement leader believes there may be non‑compliance and management do not provide satisfactory information confirming compliance, we shall consult client’s legal counsel and communicate with senior management, the Audit Committee and the Board of Directors, as appropriate. [Nov‑2015]
We shall report to those charged with governance any material instances of non‑compliance which we believe to be intentional, without delay. [Oct‑2012]
If we suspect that members of senior management are involved in a material instance of non‑compliance, and there is no higher authority at the client to whom we can report the issue, or if we believe that the report may not be acted upon or are unsure as to the person to whom to report, we shall consult the assistant auditors general of the applicable practice and, where appropriate, the Internal Specialist—Compliance with Authorities, OAG Legal Services or the Internal Specialist for Fraud. [Jun‑2020]
For further guidance on Consultations, see OAG Audit 3081 and OAG Audit 3082
See OAG Audit 1141 for guidance on significant matters
CAS Guidance
The auditor may become aware of information concerning an instance of non‑compliance with laws and regulations other than as a result of performing the procedures in paragraphs 13‑17 (e.g., when the auditor is alerted to non‑compliance by a whistle blower) (CAS 250.A17).
The following matters may be an indication of non‑compliance with laws and regulations (CAS 250. A18):
-
Investigations by regulatory organizations and government departments or payment of fines or penalties;
-
Payments for unspecified services or loans to consultants, related parties, employees or government employees;
-
Sales commissions or agent’s fees that appear excessive in relation to those ordinarily paid by the entity or in its industry or to the services actually received;
-
Purchasing at prices significantly above or below market price;
-
Unusual payments in cash, purchases in the form of cashiers’ cheques payable to bearer or transfers to numbered bank accounts;
-
Unusual transactions with companies registered in tax havens;
-
Payments for goods or services made other than to the country from which the goods or services originated;
-
Payments without proper exchange control documentation;
-
Existence of an information system which fails, whether by design or by accident, to provide an adequate audit trail or sufficient evidence;
-
Unauthorized transactions or improperly recorded transactions;
-
Adverse media comment.
Matters relevant to the auditor’s evaluation of the possible effect on the financial statements include (CAS 250.A19):
-
The potential financial consequences of identified or suspected non‑compliance with laws and regulations on the financial statements including, for example, the imposition of fines, penalties, damages, threat of expropriation of assets, enforced discontinuation of operations, and litigation;
-
Whether the potential financial consequences require disclosure;
-
Whether the potential financial consequences are so serious as to call into question the fair presentation of the financial statements, or otherwise make the financial statements misleading.
OAG Guidance
Other examples which may indicate the existence of non‑compliance are as follows:
-
Transactions not recorded in a complete or timely manner in order to maintain accountability for assets;
-
Violations of laws and regulations cited in reports of examinations by regulatory agencies that have been made available to us;
-
Unexplained payments made to government officials or employees;
-
Failure to file tax returns or pay government duties or similar fees that are common to the entity’s industry or the nature of its business.
CAS Requirement
If the auditor suspects there may be non-compliance, the auditor shall discuss the matter, unless prohibited by law or regulation, with the appropriate level of management and, where appropriate, those charged with governance. If management or, as appropriate, those charged with governance, do not provide sufficient information that supports that the entity is in compliance with laws and regulations and, in the auditor’s judgment, the effect of the suspected non‑compliance may be material to the financial statements, the auditor shall consider the need to obtain legal advice (CAS 250.20).
CAS Guidance
The auditor is required to discuss the suspected non‑compliance with the appropriate level of management and, where appropriate, those charged with governance, as they may be able to provide additional audit evidence. For example, the auditor may confirm that management and, where appropriate, those charged with governance have the same understanding of the facts and circumstances relevant to transactions or events that have led to the suspected non‑compliance with laws and regulations (CAS 250.A20).
However, in some jurisdictions, law or regulation may restrict the auditor’s communication of certain matters with management and those charged with governance. Law or regulation may specifically prohibit a communication, or other action, that might prejudice an investigation by an appropriate authority into an actual, or suspected, illegal act, including alerting the entity, for example, when the auditor is required to report the identified or suspected non‑compliance to an appropriate authority pursuant to anti-money laundering legislation. In these circumstances, the issues considered by the auditor may be complex and the auditor may consider it appropriate to obtain legal advice (CAS 250.A21).
If management or, as appropriate, those charged with governance do not provide sufficient information to the auditor that the entity is in fact in compliance with laws and regulations, the auditor may consider it appropriate to consult with the entity’s in-house or external legal counsel about the application of the laws and regulations to the circumstances, including the possibility of fraud, and the possible effects on the financial statements. If it is not considered appropriate to consult with the entity’s legal counsel or if the auditor is not satisfied with the legal counsel’s opinion, the auditor may consider it appropriate to consult on a confidential basis with others within the firm, a network firm, a professional body, or with the auditor’s legal counsel as to whether a contravention of a law or regulation is involved, including the possibility of fraud, the possible legal consequences, and what further action, if any, the auditor would take (CAS 250.A22).
See OAG Audit 2200 for guidance on communications.
CAS Requirement
The auditor shall include in the audit documentation identified or suspected non‑compliance with laws and regulations (CAS 250.30):
(a) The audit procedures performed, the significant professional judgments made and the conclusions reached thereon; and
(b) The discussions of significant matters related to the non‑compliance with management, those charged with governance and others, including how management and, where applicable, those charged with governance have responded to the matter.
OAG Policy
Within our audit file we shall document known or possible departures from laws or regulations by the entity that have come to our attention as a significant matter. [Nov‑2015]
See OAG Audit 1143 for related guidance on significant matters.
CAS Guidance
The auditor’s documentation of findings regarding identified or suspected non‑compliance with laws and regulations may include, for example (CAS 250. A35):
- Copies of records or documents.
- Minutes of discussions held with management, those charged with governance or parties outside the entity.
Law, regulation or relevant ethical requirements may also set out additional documentation requirements regarding identified or suspected non‑compliance with laws and regulations (CAS 250. A36).
OAG Guidance
Our documentation may include the following:
-
Details of supporting documents such as invoices, cancelled cheques and agreements examined and how these compared to accounting records.
-
Confirmations received from the other party or from the intermediaries such as banks or lawyers confirming significant information concerning the transactions.
-
Evidence of how the transaction was authorized.
-
Our consideration of whether other similar transactions or events may have occurred and what procedures we applied to identify them.
CAS Requirement
The auditor shall evaluate the implications of identified or suspected non‑compliance in relation to other aspects of the audit, including the auditor’s risk assessment and the reliability of written representations, and take appropriate action (CAS 250.22).
CAS Guidance
As required by paragraph 22, the auditor evaluates the implications of identified or suspected non‑compliance in relation to other aspects of the audit, including the auditor’s risk assessment and the reliability of written representations. The implications of particular identified or suspected non‑compliance will depend on the relationship of the perpetration and concealment, if any, of the act to specific controls and the level of management or individuals working for, or under the direction of, the entity involved, especially implications arising from the involvement of the highest authority within the entity. As noted in paragraph 9, the auditor’s compliance with law, regulation or relevant ethical requirements may provide further information that is relevant to the auditor’s responsibilities in accordance with paragraph 22 (CAS 250. A23).
Examples of circumstances that may cause the auditor to evaluate the implications of identified or suspected non‑compliance on the reliability of written representations received from management and, where applicable, those charged with governance include when (CAS 250.A24):
-
The auditor suspects or has evidence of the involvement or intended involvement of management and, where applicable, those charged with governance in any identified or suspected non‑compliance.
-
The auditor is aware that management and, where applicable, those charged with governance have knowledge of such non‑compliance and, contrary to legal or regulatory requirements, have not reported, or authorized reporting of, the matter to an appropriate authority within a reasonable period.
In certain circumstances, the auditor may consider withdrawing from the engagement, where permitted by law or regulation, for example when management or those charged with governance do not take the remedial action that the auditor considers appropriate in the circumstances, or the identified or suspected non‑compliance raises questions regarding the integrity of management or those charged with governance, even when the non‑compliance is not material to the financial statements. The auditor may consider it appropriate to obtain legal advice to determine whether withdrawal from the engagement is appropriate. When the auditor determines that withdrawing from the engagement would be appropriate, doing so would not be a substitute for complying with other responsibilities under law, regulation or relevant ethical requirements to respond to identified or suspected non‑compliance. Furthermore, paragraph A9 of CAS 220 indicates that some ethical requirements may require the predecessor auditor, upon request by the proposed successor auditor, to provide information regarding non‑compliance with laws and regulations to the successor auditor (CAS 250.A25).