statements to make them more complete and transparent.
● An unwillingness to address identified deficiencies in internal control on a timely basis.
Illustration 5. Example Program for Management Override of Internal Control
AU-C 250 CONSIDERATION OF LAWS AND REGULATIONS IN AN AUDIT OF FINANCIAL STATEMENTS
AU-C Original Pronouncement
AU-C 250 Definition of Term
Source: AU-C 250.11
Noncompliance. Acts of omission or commission by the entity, either intentional or unintentional, which are contrary to the prevailing laws or regulations. Such acts include transactions entered into by, or in the name of, the entity or on its behalf by those charged with governance, management, or employees. Noncompliance does not include personal misconduct (unrelated to the business activities of the entity) by those charged with governance, management, or employees of the entity.
Objectives of AU Section 250
AU-C Section 250.10 states that:
…the objectives of the auditor are to
a. obtain sufficient appropriate audit evidence regarding material amounts and disclosures in the financial statements that are determined by the provisions of those laws and regulations generally recognized to have a direct effect on their determination (see paragraph .06a),
b. perform specified audit procedures that may identify instances of noncompliance with other laws and regulations that may have a material effect on the financial statements (see paragraph .06b), and
c. respond appropriately to noncompliance or suspected noncompliance with laws and regulations identified during the audit.
Requirements
Auditor's Responsibilities
Noncompliance with laws and regulations is so diverse that articulating the auditor's responsibility for their detection and reporting has proven to be very complex. Some laws and regulations, such as the Internal Revenue Code regulations concerning income tax expense, clearly fall within the auditor's expertise, and the audit of financial statements normally includes testing compliance with such laws and regulations. Other laws and regulations, such as those on occupational safety and health or food and drug administration, are clearly outside the auditor's expertise and are not susceptible to testing by customary auditing procedures.
Categories of Laws and Regulations
AU-C 250 makes a distinction in the auditor's responsibility between two categories of laws and regulations:
1. Those that have a direct effect on the determination of financial statement amounts – for example, pension and tax laws and regulations. (AU-C 250.6a)
2. Those that do not have a direct effect but compliance may be fundamental to operating and continuing the business, and which may carry material penalties for noncompliance – for example, operating licenses and environmental regulation. (AU-C 250.06b)
AU-C Section 250 requires the performance of procedures to identify material misstatements resulting from noncompliance with laws and regulations. The auditor is not expected to detect noncompliance with all laws and regulations. (AU-C 250.04) Because of the inherent limitations of an audit, some material misstatements in the financial statements may not be detected even when the audit is properly planned and performed in accordance with GAAS. (AU-C 250.05)
Audit Procedures
The auditor is explicitly required to:
● Obtain an understanding of the legal and regulatory framework.
● Obtain an understanding of how the entity is complying with that framework.
(AU-C 250.12)
To obtain an understanding of the entity's legal and regulatory framework, the auditor may, among other procedures,
● Use the auditor's existing understanding of the entity's industry and regulatory and other external factors and update the understanding of those regulations that directly determine the reported amounts and disclosures in the financial statements.
● Inquire of management concerning the client's compliance with laws and regulations, policies on prevention of noncompliance, and the use of directives and periodic representations obtained from management at appropriate levels of authority concerning compliance with laws and regulations.
● Consider the entity's history of noncompliance.
(AU-C 250.A8)
For laws and regulations category 1 above, the auditor must obtain sufficient evidence regarding material amounts in the financial statements that are determined by those laws and regulations. (AU-C 250.13)
For category 2, the auditor's responsibility is to perform specified audit procedures that may identify noncompliance having a material effect on the financial statements. (AU-C 250.07) These are:
● Inquire of management and, if appropriate, those charged with governance about whether the entity is complying with laws and regulations.
● Inspect correspondence with the relevant licensing or regulatory authorities.
(AU-C 250.14)
During the audit, the auditor should remain alert to instances of noncompliance that may be revealed by other audit procedures. (AU-C 250.15) Examples of customary audit procedures that might bring possible noncompliance to the auditor's attention include:
1. Reading minutes
2. Making inquiries of management and legal counsel concerning litigation, claims, and assessments
3. Performing substantive tests of sensitive transactions
(AU-C 250.A17)
However, aside from the requirements above and absent specific information concerning possible noncompliance, the auditor does not need to perform any further procedures in this area. AU-C 580, Written Representations, requires the auditor to obtain a written representation from management concerning the absence of noncompliance with laws or regulations. (AU-C 250.16)
Response to Identified or Suspected Noncompliance with Laws and Regulations
When the auditor becomes aware of information about a possible noncompliance, the auditor should obtain an understanding of:
1. The nature of the possible noncompliance,
2. The circumstances in which the act occurred, and
3. Sufficient other information to allow the auditor to consider the effect on the financial statements.
(AU-C 250.17)
According to
