Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
7514 Reporting considerations
Apr-2018
In This Section
Overview
This topic explains:
- What communications are necessary if we identify instances of non-compliance with laws and regulations.
- What are the effects of non-compliance with laws and regulations on our audit opinion.
CAS Requirement
Unless all of those charged with governance are involved in management of the entity and, therefore, are aware of matters involving identified or suspected non-compliance already communicated by the auditor, the auditor shall communicate, unless prohibited by law or regulation, with those charged with governance matters involving non-compliance with laws and regulations that come to the auditor's attention during the course of the audit, other than when the matters are clearly inconsequential (CAS 250.23).
If, in the auditor's judgment, the non-compliance referred to in paragraph 23 is believed to be intentional and material, the auditor shall communicate the matter with those charged with governance as soon as practicable (CAS 250.24).
If the auditor suspects that management or those charged with governance are involved in non-compliance, the auditor shall communicate the matter to the next higher level of authority at the entity, if it exists, such as an audit committee or supervisory board. Where no higher authority exists, or if the auditor believes that the communication may not be acted upon or is unsure as to the person to whom to report, the auditor shall consider the need to obtain legal advice (CAS 250.25).
If the auditor has identified or suspects non-compliance with laws and regulations, the auditor shall determine whether law, regulation or relevant ethical requirements (CAS 250.29):
(a) Require the auditor to report to an appropriate authority outside the entity.
(b) Establish responsibilities under which reporting to an appropriate authority outside the entity may be appropriate in the circumstances.
OAG Policy
Where specific circumstances lead the engagement leader to determine it is necessary to report the identified or suspected non-compliance to the attention of the appropriate Minister, he shall determine the way to communicate that information directly to the Minister after consultations with Legal Services, the assistant auditors general of the practice, as well as the Auditor General. [Nov–2015]
If the engagement leader concludes that withdrawal from the engagement is necessary when the client does not take the remedial action that he considers necessary, even when an instance of non-compliance is not material to the financial statements, the engagement leader shall consult the assistant auditors general of the practice, Legal Services, and the Auditor General. [Nov–2015]
For further guidance related to:
- withdrawing from an engagement, see OAG Audit 3011.
- consultations, see OAG Audit 3081.
CAS Guidance
Reporting identified or suspected non-compliance with laws and regulations to an appropriate authority outside the entity may be required or appropriate in the circumstances because (CAS 250.A28):
(a) Law, regulation or relevant ethical requirements require the auditor to report;
(b) The auditor has determined reporting is an appropriate action to respond to identified or suspected non-compliance in accordance with relevant ethical requirements; or
(c) Law, regulation or relevant ethical requirements provide the auditor with the right to do so.
In some jurisdictions, the auditor may be required by law, regulation or relevant ethical requirements to report identified or suspected non-compliance with laws and regulations to an appropriate authority outside the entity. For example, in some jurisdictions, statutory requirements exist for the auditor of a financial institution to report the occurrence, or suspected occurrence, of non-compliance with laws and regulations to a supervisory authority. Also, misstatements may arise from non-compliance with laws or regulations and, in some jurisdictions, the auditor may be required to report misstatements to an appropriate authority in cases where management or those charged with governance fail to take corrective action (CAS 250.A29).
In other cases, the relevant ethical requirements may require the auditor to determine whether reporting identified or suspected non-compliance with laws and regulations to an appropriate authority outside the entity is an appropriate action in the circumstances. For example, the IESBA Code requires the auditor to take steps to respond to identified or suspected non-compliance with laws and regulations and determine whether further action is needed, which may include reporting to an appropriate authority outside the entity. The IESBA Code explains that such reporting would not be considered a breach of the duty of confidentiality under the IESBA Code (CAS 250.A30).
Even if law, regulation or relevant ethical requirements do not include requirements that address reporting identified or suspected non-compliance, they may provide the auditor with the right to report identified or suspected non-compliance to an appropriate authority outside the entity. For example, when auditing the financial statements of financial institutions, the auditor may have the right under law or regulation to discuss matters such as identified or suspected non-compliance with laws and regulations with a supervisory authority (CAS 250.A31).
In other circumstances, the reporting of identified or suspected non-compliance with laws and regulations to an appropriate authority outside the entity may be precluded by the auditor's duty of confidentiality under law, regulation or relevant ethical requirements (CAS 250.A32).
The determination required by paragraph 29 may involve complex considerations and professional judgments. Accordingly the auditor may consider consulting internally (e.g., within the firm or a network firm) or on a confidential basis with a regulator or professional body (unless doing so is prohibited by law or regulation or would breach the duty of confidentiality). The auditor may also consider obtaining legal advice to understand the auditor's options and the professional or legal implications of taking any particular course of action (CAS 250.A33).
CAS Requirement
If sufficient information about suspected non-compliance cannot be obtained, the auditor shall evaluate the effect of the lack of sufficient appropriate audit evidence on the auditor's opinion (CAS 250.21).
If the auditor concludes that the identified or suspected non-compliance has a material effect on the financial statements, and has not been adequately reflected in the financial statements, the auditor shall, in accordance with CAS 705, express a qualified opinion or an adverse opinion on the financial statements (CAS 250.26).
If the auditor is precluded by management or those charged with governance from obtaining sufficient appropriate audit evidence to evaluate whether non-compliance that may be material to the financial statements has, or is likely to have, occurred, the auditor shall express a qualified opinion or disclaim an opinion on the financial statements on the basis of a limitation on the scope of the audit in accordance with CAS 705 (CAS 250.27).
If the auditor is unable to determine whether non-compliance has occurred because of limitations imposed by the circumstances rather than by management or those charged with governance, the auditor shall evaluate the effect on the auditor's opinion in accordance with CAS 705 (CAS 250.28).
CAS Guidance
Identified or suspected non-compliance with laws and regulations is communicated in the auditor's report when the auditor modifies the opinion in accordance with paragraphs 26-28. In certain other circumstances, the auditor may communicate identified or suspected non-compliance in the auditor's report, for example (CAS 250.A26):
- When the auditor has other reporting responsibilities, in addition to the auditor's responsibilities under the CASs, as contemplated by paragraph 43 of CAS 700;
- When the auditor determines that the identified or suspected non-compliance is a key audit matter and accordingly communicates the matter in accordance with CAS 701, unless paragraph 14 of that CAS applies; or
- In exceptional cases when management or those charged with governance do not take the remedial action that the auditor considers appropriate in the circumstances and withdrawal from the engagement is not possible (see paragraph A25), the auditor may consider describing the identified or suspected non-compliance in an Other Matter paragraph in accordance with CAS 706.
Law or regulation may preclude public disclosure by either management, those charged with governance or the auditor about a specific matter. For example, law or regulation may specifically prohibit a communication, or other action, that might prejudice an investigation by an appropriate authority into an actual, or suspected, illegal act, including a prohibition on alerting the entity. When the auditor intends to communicate identified or suspected non-compliance in the auditor's report under the circumstances set out in paragraph A26 or otherwise, such law or regulation may have implications for the auditor's ability to describe the matter in the auditor's report, or in some circumstances to issue the auditor's report. In such cases, the auditor may consider obtaining legal advice to determine the appropriate course of action (CAS 250.A27).