Wiley Practitioner's Guide to GAAS 2020. Joanne M. Flood
Reporting Identified or Suspected Noncompliance
SCOPE
AU-C 250 applies to an audit of financial statements. It does not apply to assurance engagements specifically to test and report separately on compliance with specific laws or regulations. (AU-C 250.01)
DEFINITION OF TERM
Source: AU-C 250.11. For the definition related to this standard, see Appendix A, “Definitions of Terms”: Noncompliance.
OBJECTIVES OF AU-C SECTION 250
AU-C Section 250.10 states that:
The objectives of the auditor are to
1 obtain sufficient appropriate audit evidence regarding material amounts and disclosures in the financial statements that are determined by the provisions of those laws and regulations generally recognized to have a direct effect on their determination (see paragraph .06a),
2 perform specified audit procedures that may identify instances of noncompliance with other laws and regulations that may have a material effect on the financial statements (see paragraph .06b), and
3 respond appropriately to noncompliance or suspected noncompliance with laws and regulations identified during the audit.
(AU-C Section 250.10)
REQUIREMENTS
Management’s Responsibilities
Management and those charged with governance have the responsibility for the entity’s operations complying with laws and regulations including financial statement reports. (AU-C 250.03) Procedures to aid management in complying with laws and regulations include:
Monitoring legal requirements
Ensuring that procedures are designed to meet requirements
Operating systems of internal controls
Following a code of conduct
Employing legal advisers
Maintaining documentation of the laws and regulations with which the entity must comply
(AU-C 250.A2)
Auditor’s Responsibilities
In general, the procedures in this section are designed to help the auditor identify material misstatement due to noncompliance with laws and regulations. Noncompliance with laws and regulations is so diverse that articulating the auditor’s responsibility for their detection and reporting has proven to be very complex. The auditor is not responsible for preventing or detecting noncompliance with laws or regulations. (AU-C 250.04) Some laws and regulations, such as the Internal Revenue Code regulations concerning income tax expense, clearly fall within the auditor’s expertise, and the audit of financial statements normally includes testing compliance with such laws and regulations. Other laws and regulations, such as those on occupational safety and health or food and drug administration, are clearly outside the auditor’s expertise and are not susceptible to testing by customary auditing procedures. (AU-C 250.05)
Categories of Laws and Regulations
AU-C 250 makes a distinction in the auditor’s responsibility between two categories of laws and regulations:
1 Those that have a direct effect on the determination of financial statement amounts—for example, pension and tax laws and regulations.
2 Those that do not have a direct effect but compliance may be fundamental to operating and continuing the business, and which may carry material penalties for noncompliance—for example, operating licenses and environmental regulation.
(AU-C 250.06)
AU-C Section 250 requires the performance of procedures to identify material misstatements resulting from noncompliance with laws and regulations. The auditor is not expected to detect noncompliance with all laws and regulations. (AU-C 250.04) Because of the inherent limitations of an audit, some material misstatements in the financial statements may not be detected even when the audit is properly planned and performed in accordance with GAAS. (AU-C 250.05)
Audit Procedures
The auditor is explicitly required to:
1 Obtain an understanding of the legal and regulatory framework.
2 Obtain an understanding of how the entity is complying with that framework.
(AU-C 250.12)
To obtain an understanding of the entity’s legal and regulatory framework, the auditor may, among other procedures,
Use the auditor’s existing understanding of the entity’s industry and regulatory and other external factors and update the understanding of those regulations that directly determine the reported amounts and disclosures in the financial statements.
Inquire of management concerning the client’s compliance with laws and regulations, policies on prevention of noncompliance, and the use of directives and periodic representations obtained from management at appropriate levels of authority concerning compliance with laws and regulations.
Consider the entity’s history of noncompliance.
(AU-C 250.A8)
For laws and regulations in category 1 above, the auditor must obtain sufficient evidence regarding material amounts in the financial statements that are determined by those laws and regulations. (AU-C 250.13)
For category 2, the auditor’s responsibility is to perform specified audit procedures that may identify noncompliance having a material effect on the financial statements. (AU-C 250.07) These are:
Inquire of management and, if appropriate, those charged with governance about whether the entity is complying with laws and regulations.
Inspect correspondence with the relevant licensing or regulatory authorities.
(AU-C 250.14)
During the audit, the auditor should remain alert to instances of noncompliance that may be revealed by other audit procedures. (AU-C 250.15) Examples of customary audit procedures that might bring possible noncompliance to the auditor’s attention include:
Reading minutes
Making inquiries of management and legal counsel concerning litigation, claims, and assessments
Performing substantive tests of sensitive transactions
(AU-C 250.A17)
In addition to those procedures, the auditor may apply other procedures, if necessary, to further understand the nature of noncompliance that has come to the auditor’s attention. The additional procedures might include:
Examining supporting documents, such as invoices
Confirming significant information with other parties to the transaction
Determining