FRC Response to IAASB’s Exposure Draft on ISA 250 Responding to Non-Compliance or Suspected Non-Comp

Mrs Kathleen Healy
Technical Director
International Auditing and Assurance Standards Board
529 Fifth Avenue
6th Floor
New York NY 10017
USA

15 October 2015

Dear Mrs Healy

Exposure Draft – Proposed Amendments to the International Auditing and Assurance Standards Board (IAASB) International Standards - Responding to Non-Compliance or Suspected Non-Compliance with Laws and Regulations

The Financial Reporting Council (FRC) welcomes the opportunity to comment on the proposed amendments to the IAASB's International Standards (the ISAs) set out in the above exposure draft (ED).

Overall, we support the IAASB's objective that it is in the public interest: to ensure that the IAASB's and the International Ethical Standards Board of Accountant's (IESBA) standards are able to operate in conjunction with each other without conflict; and to draw appropriate attention to, or clarify and emphasise key aspects of, the IESBA's Exposure Draft 'Responding to Non-Compliance with Laws and Regulations' (IESBA Re-ED) in the ISAs. As requested in the explanatory memorandum accompanying the proposed standard, we have provided responses to specific questions posed by the IAASB below.

1. Whether respondents believe the proposed limited amendments are sufficient to resolve actual or perceived inconsistencies of approach or to clarify and emphasize key aspects of the NOCLAR proposals in the IAASB’s International Standards.

As the proposals set out in the IESBA Re-ED are not intended to set any specific requirements with respect to the performance of an audit or assurance engagement, and do not undermine the ISAs, including ISA 250¹, we support the IAASB's decision to make the limited amendments now, subject to a more fulsome review of ISA 250 in due course. With regard to the proposed amendments we have additional recommendations set out below.

Determining whether to report non-compliance to regulatory and enforcement authorities in the context of the wider public interest.

Paragraph 28 of ISA 250 deals with the auditor's responsibility to determine if it is necessary to report identified or suspected non-compliance to parties outside the entity. The supporting application material in paragraph A19 has been enhanced to assist the auditor to determine if they have a legal or ethical duty or right to disclose identified or suspected non-compliance with laws and regulations (NOCLAR) to an appropriate authority.

We welcome the proposed enhancement to the ED. However, as expressed in our response to the IESBA Re-ED², the auditor should be required to make such disclosure if it is not made by management or those charged with governance if disclosure to an appropriate authority would, on balance, be in the public interest. This would be in the context of having given due consideration to any potential adverse consequences, and where disclosure is not precluded by law or regulation.

In addition, strengthening ISA 250 in this regard would be consistent with other ISAs. For example, ISA 701³ states that "it will be extremely rare for a matter determined to be a key audit matter not to be communicated in the auditor's report. This is because there is presumed to be a public interest benefit in providing greater transparency about the audit for intended users". ISA 240⁴ states that "The auditor may consider it appropriate...to determine the appropriate course of action in the circumstances, the purpose of which is to ascertain the steps necessary in considering the public interest aspects of identified fraud".

We believe that the proposed application material in the IAASB ED should also emphasise a key aspect of the IESBA Re-ED: the auditor's responsibility to determine if it is necessary to report NOCLAR to an appropriate authority in the context of the wider public interest (paragraph 225.27 of the IESBA Re-ED).

We therefore recommend that the IAASB include additional application material drawing the auditor's attention to the wider public interest in their determination whether to report non-compliance to an appropriate authority.

Tipping Off

Paragraph 19 of ISA 250 requires the auditor to discuss information concerning any NOCLAR with those charged with governance. Consistent with the IESBA Re-ED, proposed wording in the supporting application material in paragraph A15 of ISA 250 makes it clear that in some jurisdictions there are legal or regulatory provisions that prohibit communicating such matters to those charged with governance prior to making any disclosure to an appropriate authority pursuant to anti-money laundering legislation ("tipping off"). Accordingly, in some circumstances the auditor's obligation under law or regulation may override the requirement in paragraph 19 of the ISA to communicate NOCLAR with those charged with governance.

We support this additional material, but we believe it is of such importance - as it seeks to prevent the auditor from inadvertently prejudicing the legal process - that it should be included more prominently in the ISA as part of the requirement. Our suggestions for editorial changes to give effect to this suggestion are included in Appendix 1.

2. The impact, if any, of the proposed limited amendments in jurisdictions that have not adopted, or do not plan to adopt, the IESBA Code. For example, would any of the changes to the IAASB’s International Standards be deemed incompatible with the relevant ethical requirements that would apply in those jurisdictions?

We are not aware of any instances where any changes to the ISAs would be deemed incompatible with the relevant ethical requirements that apply in the United Kingdom, and believe that they have been drafted in an appropriately framework-neutral manner.

3. Should respondents be of the view that a more fulsome review of ISA 250 would nevertheless be beneficial in due course…, respondents are asked for their comments, if any, on what further changes may be required to ISA 250 and why.

Whilst we agree with the IAASB that prolonging the finalisation of the proposed changes to the ISAs beyond the effective date of the IESBA Re-ED could have unintended consequences, we are of the view that a more fulsome review of ISA 250 is necessary. In this regard, we support the suggestions made in paragraph 16 of the ED that further consideration of the following areas is essential:

  • The existing distinction between the types of laws and regulations (in paragraph 6 of ISA 250) and the different levels of work effort applied to each under extant ISA 250 warrants further investigation or revision (see below for further comment on this matter).
  • ISA 250 should address making inquiries of management or, when appropriate, those charged with governance (TCWG), regarding NOCLAR that may occur.
  • ISA 250 should include a requirement to obtain an understanding of how management identifies and addresses known or suspected NOCLAR as an essential component in obtaining an understanding of the entity and its environment.
  • ISA 250 should include guidance addressing personal misconduct related to the business activities of the entity or parties associated with the entity, including contractors.
  • NOCLAR should be addressed in other ISAs, such as when dealing with auditor's experts and in a group audit situation.

However, we believe that there are a number of other aspects of ISA 250 where improvement is required, particularly in regard to the distinction between the different categories of laws and regulations and the procedural approach in ISA 250, and have discussed our concerns related to these matters below.

Distinction between the different categories of laws and regulations

ISA 250 currently distinguishes the auditor's responsibilities and work effort in relation to the entity's compliance with laws and regulations into two categories conditional upon whether those laws and regulations "affect the determination of material amounts and disclosures in the financial statements".

If the provisions of those laws and regulations have an "effect on the determination of material amounts and disclosures", for example, most directly they may require specific disclosures to be made in the financial statements ('direct laws and regulations'), then the auditor is required to obtain sufficient appropriate audit evidence regarding compliance with those provisions. This is notwithstanding that paragraph A8 of ISA 250 makes a confusing, contradictory point that costs of non-compliance (e.g. litigation costs) may need to be provided for in the financial statements, but are not considered to have an effect on the financial statements.

ISA 250 describes the second category as other laws and regulations that do not have a direct effect on the determination of amounts and disclosures in the financial statements ('other laws and regulations'). ISA 250 explains further that compliance with those other laws and regulations may be: 'fundamental to the operating aspects of the business', 'the entity's ability to continue its business', or to 'avoid material penalties'.

Accordingly, the ISA recognises that other laws and regulations may have a material effect on the financial statements but does not specifically describe them as such. However, the auditor is not required to obtain sufficient appropriate audit evidence on the entity's compliance with other laws and regulations, but only required to perform limited specified audit procedures to help identify such instances.

In some sectors, e.g. banking, non-compliance with other laws and regulations covering operating aspects of the business can certainly have a “fundamental effect on the operations of the entity” or impact the “entity's ability to continue its business” and would therefore impact the financial statements. Yet, under the current ISA 250 requirements, whether breaches of such laws and regulations give rise to actual or potential material liabilities may not immediately be obvious to the auditor, or may not be evidenced in the entity's information or by actions of the entity because they are outside the information systems that are the auditor's normal focus.

We recognise that the auditor's responsibilities cannot be open-ended to the effect of identifying and determining compliance with all laws and regulations pertaining to the entity, but the ISA fails to give auditors a sufficient mechanism to identify those laws and regulations that have, or may potentially have, a material effect on the financial statements.

This challenge, or lack of clarity, lies significantly in the underlying framework of the ISA which is primarily procedural based as opposed to outcome based with a risk focused assessment, which is discussed further below (Procedural Approach versus Risk Based Approach). However, there are other aspects of ISA 250 in relation to this matter that need to be explored or strengthened through revision such as:

  • The boundaries between direct laws and regulations and other laws and regulations in the context of the financial statement audit (as noted in the ED);
  • Introducing requirements and guidance for the auditor to obtain an understanding of laws or regulations pertaining to the circumstances of the entity including those laws or regulations governing how the auditor should address non-compliance, suspected non-compliance and potential non-compliance;
  • Introducing guidance that assists the auditor to determine the depth and breadth of the understanding of relevant laws and regulations (and subsequent response) required. For instance, the IAASB might also explore to what extent ISA 250 should require action by the auditor under the auditor's wider public interest responsibilities. For example, breaches of environmental laws and regulations that may endanger the health or safety of employees or the public; personal misconduct of employees unrelated to the business activities of the client; or non-compliance with laws and regulations committed by persons conducting business affairs with the entity.

Procedural approach versus a Risk Based Approach

ISA 250 is an overly procedural standard that is out of line with the ISAs' outcome based approach with a risk focused assessment ('risk-based approach'). In the redrafting of ISA 250 during the IAASB's Clarity Project, a number of stakeholders expressed concern that the ISA should be updated to be aligned with the risk-based approach. We appreciate that the IAASB introduced some elements of the risk-based approach in respect of the auditor's work effort relating to non-compliance with direct laws and regulations (described above in 'Distinction between the different categories of laws and regulations'), but as any further revision to the ISA was out of scope of the project, the ISA remains primarily procedural based, making it deficient in many aspects.

Procedural requirements can increase audit quality when they form part of, or supplement, an already established risk-based approach (for example, when they require auditors to examine a matter more thoroughly). However, in practice, absent a risk-based approach, the risk that the auditor does not identify material misstatement(s) of the financial statements due to non-compliance with laws and regulations (detection risk) is increased. This is because a procedural approach instantly narrows the focus of the audit, whereas a risk-based approach allows the auditor to exercise professional judgment and choose which audit procedures will be most effective in the circumstances.

In this respect we wish to draw attention to the recent findings of the FRC Audit Quality Team's thematic review into the auditors' considerations of compliance with laws and regulations (Thematic Review).⁵ In the Thematic Review it was noted that improvements were needed in the identification and assessment of the laws and regulations affecting the specific audited entity, including the need for greater professional scepticism in relation to possible breaches that could affect the financial statements. The Thematic Review notes that auditors had a lack of focus on identifying the specific risks in relation to non-compliance with laws and regulations, and that the consideration of laws and regulations, and the performance of related audit procedures, was viewed as a compliance exercise rather than as an important and integral part of the audit.

Aligning ISA 250 to a risk-based approach could have a significant positive impact on audit quality as a result of better risk assessments through a more detailed understanding of the entity and its environment, including its internal control, and improved design and performance of audit procedures to respond to assessed risks of material misstatements.

Also, distinguishing between the different categories of laws and regulations may be less complicated under the risk model. The need to obtain a more thorough understanding of the entity and its environment, including its internal control under the risk model, as opposed to the current requirement to obtain a "general understanding", will give auditors greater opportunity to identify laws and regulations that merit their attention.

We do recognise that there could be some challenges in aligning ISA 250 to a risk-based approach. There will likely be several aspects of this approach that the IAASB would need to explore further. For example:

  • Risk of material misstatement at the financial statement level and the assertion level - ISA 250 only briefly discusses the risk assessment, but in relation to the 'implications of non-compliance ...to other aspects of the audit'.⁶ Risks of material misstatement at the assertion level for laws and regulations that set out financial reporting requirements can probably be aligned to those already set out in ISA 315. However, there is no guidance on management assertions in relation to other instances of laws and regulations, other than those that are explicitly stated (e.g. written representations).
  • Internal controls - In performing an audit, auditors are required to understand and evaluate internal controls, and this should include understanding and evaluating controls that assist management and those charged with governance to comply with laws and regulations (preventative) and controls that enable them to detect and address instances of NOCLAR, including addressing relevant reporting requirements. ISA 250 has very little guidance on internal controls. The IAASB would need to update the ISA to reflect more recent developments in management's internal controls over financial reporting, compliance and conduct of business.
  • Objectives - The objective should reflect the application of the audit risk ISAs in the context of identifying and appropriately responding to the risks resulting from non-compliance with laws and regulations. Currently the objectives of ISA 250 focus on specified audit procedures and do not sufficiently identify the desired outcome (paragraph 8(b) of ISA 250 in particular). As the objectives are written as specified procedures, there is a danger that the auditor is more focused on establishing whether the procedures have been undertaken, and not on applying judgement about the effect of any identified instances of non-compliance with laws and regulations (i.e. going beyond the specified procedures).
  • ISA 250 and ISA 570⁷ - the ISAs would be enhanced by linking non-compliance with laws and regulations that could impact an entity's ability to continue its business and the auditor's responsibilities relating to management's use of the going concern assumption in ISA 570.

Yours sincerely

Ray King Director of the FRC and Chairman of the FRC's Audit & Assurance Council

Enquiries in relation to this letter should be directed to Marek Grabowski, Director of Audit Policy. DDI: 020 7492 2325 Email: [email protected]


Appendix 1

We have included our proposed changes to ISA 250 below. Within our recommendations for editorial changes to the proposed text, additions are noted in "underline" and deletions in "strike-through."

Paragraph Text
19 Tipping off
As illustrated below, the requirement may be expressed as being conditional on applicable law or regulation and the proposed application material would remain as it explains why the requirement is conditional.
19. If the auditor suspects there may be non-compliance, the auditor shall discuss the matter with management and, where appropriate, those charged with governance, unless prohibited by law or regulation. If management or, as appropriate, those charged with governance do not provide sufficient information that supports that the entity is in compliance with laws and regulations and, in the auditor's judgment, the effect of the suspected non-compliance may be material to the financial statements, the auditor shall consider the need to obtain legal advice. (Ref: Para. A15-A16)
A15. The auditor may discuss the findings with those charged with governance where they may be able to provide additional audit evidence. For example, the auditor may confirm that those charged with governance have the same understanding of the facts and circumstances relevant to transactions or events that have led to the possibility of non-compliance with laws and regulations. However, in some jurisdictions, laws or regulations may prohibit alerting ("tipping-off") the entity when, for example, the auditor is required to report the non-compliance to an appropriate authority pursuant to anti-money laundering legislation.

About the FRC

The Financial Reporting Council is the UK's independent regulator responsible for promoting high quality corporate governance and reporting to foster investment. We promote high standards of corporate governance through the UK Corporate Governance Code. We set standards for corporate reporting and actuarial practice and monitor and enforce accounting and auditing standards. We also oversee the regulatory activities of the actuarial profession and the professional accountancy bodies and operate independent disciplinary arrangements for public interest cases involving accountants and actuaries.


8th Floor, 125 London Wall, London EC2Y 5AS Tel: +44 (0)20 7492 2300 Fax: +44 (0)20 7492 2399 www.frc.org.uk The Financial Reporting Council Limited is a company limited by guarantee. Registered in England number 2486368. Registered office: as above. (Please note our new address)


  1. International Standard on Auditing 250 'Consideration of Laws And Regulations in an Audit of Financial Statements' 

  2. For the FRC response to the IESBA Re-ED follow this link www.frc.org.uk 

  3. International Standard on Auditing 701 'Communicating key audit matters in the independent auditors report' paragraph A53 

  4. International Standard on Auditing 240 'The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements' 

  5. FRC Audit Quality Thematic Review (January 2014) 'Fraud risks and laws and regulations' 

  6. ISA 250 paragraph 21 

  7. International Standard on Auditing 570 'Going Concern' 

File

Name FRC Response to IAASB’s Exposure Draft on ISA 250 Responding to Non-Compliance or Suspected Non-Comp
Publication date 27 September 2023
Type Response to external consultations
Format PDF, 78.2 KB