The content on this page has been converted from PDF to HTML format using an artificial intelligence (AI) tool as part of our ongoing efforts to improve accessibility and usability of our publications. Note:

No human verification has been conducted of the converted content.
While we strive for accuracy errors or omissions may exist.
This content is provided for informational purposes only and should not be relied upon as a definitive or authoritative source.
For the official and verified version of the publication, refer to the original PDF document.

If you identify any inaccuracies or have concerns about the content, please contact us at [email protected].

Re-Consultation on ISA (UK) 250 (Revised) and ISA (UK) 270 (Revised)

The Financial Reporting Council (FRC) is the UK's independent regulator responsible for promoting transparency and integrity in business. The FRC sets the UK Corporate Governance and Stewardship Codes and UK standards for accounting and actuarial work; monitors and takes action to promote the quality of corporate reporting; and operates independent enforcement arrangements for accountants and actuaries. As the Competent Authority for audit in the UK the FRC sets auditing and ethical standards and monitors and enforces audit quality.

The FRC does not accept any liability to any party for any loss, damage or costs howsoever arising, whether directly or indirectly, whether in contract, tort or otherwise from any action or decision taken (or not taken) as a result of any person relying on or otherwise using this document or arising from any omission from it.

© The Financial Reporting Council Limited 2026 The Financial Reporting Council Limited is a company limited by guarantee. Registered in England number 2486368. Registered Office: 13th Floor, 1 Harbour Exchange Square, London E14 9GE

Introduction

1The Financial Reporting Council (FRC) is committed to acting as a proportionate and principles-based regulator and balances the need to minimise the impact of regulatory requirements on business, while working to support the delivery of high-quality audit and assurance work, to maintain investor and wider stakeholder confidence in audit and assurance in support of our public interest mandate.

2In October 2023 the Financial Reporting Council (FRC) published a consultation¹ on:

Proposed International Standard on Auditing (UK) 250 (Revised) 'Consideration of Laws and Regulations In An Audit Of Financial Statements'; and
Proposed International Standard On Auditing (UK) 270² (Revised) 'Special Considerations For Public Interest Entities—Communicating And Reporting To An Appropriate Authority Outside The Entity'.

3The overarching objectives of the proposed revisions were:

Proposed ISA (UK) 250 (Revised) – to enhance audit quality through the application of a risk-based approach to the consideration of laws and regulations in an audit of financial statements, driving a more robust and proportionate approach to the identification and assessment of risks relating to non-compliance with laws and regulations.
Proposed ISA (UK) 270 (Revised) to support auditors with their responsibilities to report to regulators, helping to ensure that critical information is communicated to the appropriate authorities on a timely basis.

4Stakeholders responded to the consultation saying that they were not convinced that our proposals were a proportionate way of addressing the risk of poor-quality audit or audit failure as a result of material non-compliance with law or regulation not being identified by auditors. We made changes to our proposals to address this feedback and the FRC has now decided to re-consult on revisions to both standards, and seek stakeholder views on whether the proposals as amended, are a proportionate way to address these risks. As the focus is on the changes we have made to respond to stakeholder feedback, this consultation is a shorter, more targeted exercise.

Why we are re-consulting

5Since our original consultation in 2023–24, the audit and regulatory environment has continued to evolve. The Economic Crime and Corporate Transparency Act 2023 has come into force, introducing new compliance obligations and increasing the risk of penalties for non-compliance. At the same time, several Enforcement Cases have highlighted weaknesses in how auditors identify and respond to non-compliance with laws and regulations (NOCLAR) and reporting to regulators. These developments reinforce the need for clearer, risk-based standards that help auditors focus on areas of greatest significance rather than applying overly procedural approaches. Without these revisions, the current standards risk falling behind legislative requirements and failing to support high-quality audits in the public interest.

6The proposed revisions to ISA (UK) 250 and ISA (UK) 270 build on extensive feedback from the original consultation and are designed to clarify expectations without introducing unnecessary burdens. They align with the risk-based approach already embedded in ISA (UK) 315, remove outdated distinctions between direct and indirect laws, and provide proportionate guidance for auditors. Re-consulting now ensures stakeholders can review these targeted changes in light of recent developments and confirm that they strike the right balance between audit quality and cost.

Invitation to comment

7The FRC is requesting comments on this re-consultation by Thursday 21 May 2026.

8Comments are invited in writing on all aspects of the re-consultation and the proposed revised standards, particularly in relation to questions 1–10 as detailed below.

9Comments should be emailed to Kate Dalby at [email protected].

Proposed ISA (UK) 250 (Revised) Consideration of Laws and Regulations in an Audit of Financial Statements

Background

10In an audit of financial statements, the auditor is required to obtain reasonable assurance that the financial statements are free from material misstatement, whether due to fraud or error. As part of an audit of financial statements, the auditor is required to consider the laws and regulations that an entity is subject to.

11Non-compliance with laws and regulations could result in a material misstatement of the financial statements, either through those laws and regulations which affect the determination of items in the financial statements, or through failure to comply with those laws and regulations which affect the operations of an entity. Non-compliance with such laws and regulations may result in potential fines, litigation or other consequences which could have a material effect on the entity.

Key themes arising from consultation and outreach

Removal of distinction between different categories of laws and regulations

12Extant ISA (UK) 250 distinguishes the auditor's responsibilities and work effort in relation to the entity's compliance with laws and regulations into two categories conditional upon whether those laws and regulations effect the determination of material amounts and disclosures in the financial statements.

Where the provisions of those laws and regulations are generally recognised to have a direct effect on the determination of material amounts and disclosures in the financial statements (“direct laws and regulations”), then the auditor is required to obtain sufficient appropriate audit evidence regarding compliance with those provisions.
Where there are other laws and regulations that do not have a direct effect on the determination of the amounts and disclosures in the financial statements, but compliance with which may be fundamental to the operating aspects of the business, to an entity's ability to continue its business, or to avoid material penalties, (“indirect laws and regulations") the auditor's responsibilities are currently limited to undertaking specified audit procedures to help identify non-compliance.

13However, a material misstatement of the financial statements could arise from non-compliance with either category of laws and regulations. This is implicit in ISA (UK) 315 which requires the auditor to:

Obtain an understanding of industry, regulatory and other external factors (Para. 19(a)(i)) and the applicable financial reporting framework (Para. 19(b)).
Obtain an understanding of how inherent risk factors affect susceptibility of assertions to misstatement and the degree to which they do so (Para. 19(c)).

14Further, there are examples of regulatory factors that may indicate the existence of a risk of material misstatement given in Appendix 2 of ISA (UK) 315³ as follows:

Relevant Inherent Risk Factor:	Examples of Events or Conditions That May Indicate the Existence of Risks of Material Misstatement at the Assertion Level:
Complexity	Regulatory: Operations that are subject to a high degree of complex regulation
Change	Regulatory: Inception of investigations in the entity's operations of financial results by regulatory or government bodies Impact of new legislation related to environmental protection

15The auditor is therefore required to identify and assess risks of material misstatement no matter the source of those risks.

How we have responded to concerns

16We are concerned that the existing distinction between different categories of laws and regulations hinders auditors from identifying risks of material misstatements in the financial statements, when those risks relate to non-compliance with laws and regulations, particularly those that relate to indirect laws and regulations. We remain committed to removing this distinction in order to improve the robustness of the identification of risks of material misstatement associated with non-compliance with laws and regulations.

17However, we recognise that the requirements originally proposed in ED ISA (UK) 250 were being interpreted in a different way to that which we originally intended, primarily as follows:

financial statements – See Work effort required to identify laws and regulations; and
Which laws and regulations may be determined by the auditor to fall into the category of those laws and regulations with which non-compliance may have a material effect on the financial statements – See Fundamental laws and regulations.

Q1. Do you agree that the proposed changes made to ED2 ISA (UK) 250 will enhance and strengthen the auditor's identification of risks of material misstatement of the financial statements due to fraud or error relating to non-compliance with laws and regulations? If you disagree with the proposals, please explain what you suggest instead and why.

Q2. Do you agree that the proposed changes introduce no additional requirements to identify and assess risks of material misstatement of the financial statements due to fraud or error relating to non-compliance with laws and regulations beyond the auditor's existing obligations under ISAs (UK)? If you disagree, please explain which aspects you believe impose additional requirements and why.

Work effort required to identify laws and regulations

18ED ISA (UK) 250 included the following objective of the standard:

"To identify those laws and regulations with which non-compliance may have a material effect on the financial statements."

19Several respondents expressed concern that this objective had the effect of expanding the scope of the audit, as, to meet the objective, the auditor would have to undertake a comprehensive review of all laws and regulations in order to be able to identify those laws and regulations with which non-compliance may have a material effect on the financial statements. Some respondents also argued that management would be unlikely to be able to provide a complete list of laws and regulations applicable to the entity with an assessment of whether those laws and regulations could have a material impact.

How we have responded to concerns

20We recognise that the auditor's responsibilities cannot be open-ended to the effect of identifying and determining compliance with all laws and regulations pertaining to the entity. To focus the work effort appropriately, we have therefore removed the original objective and included a new objective focusing on the risk of material misstatement as follows:

"To identify and assess the risks of material misstatement of the financial statements due to fraud or error relating to non-compliance with laws and regulations."

21Similarly, the over-arching requirement in ED ISA (UK) 250 paragraph 12-1 has been updated to align it to the new objective as follows:

"In applying ISA (UK) 315 (Revised July 2020), the auditor shall perform the procedures in paragraphs 12-2–12-3 to obtain audit evidence that provides an appropriate basis for the:

Identification and assessment of risks of material misstatement due to fraud or error relating to non-compliance with laws and regulations; and
Design of further audit procedures in accordance with ISA (UK) 330 (Revised July 2020).”

Q3. Do you agree with the proposed changes made to ED2 ISA (UK) 250 clarifying the objective and the over-arching requirement? If you disagree with the proposals, please explain what you suggest instead and why.

Fundamental laws and regulations

22As noted above, concerns were expressed that the removal of the distinction between the work effort in respect of direct and indirect laws and regulations had the potential to be onerous as entities are subject to a wide array of laws and regulations. Further many laws and regulations had the potential to have a material effect on the financial statements if breached. Where should the auditor draw the line?

23The proposed revisions in ED ISA (UK) 250 were designed to better align that standard to the requirements in ISA (UK) 315 which result in the identification of events or conditions that may indicate the existence of risks of material misstatement at the assertion level. In other words, a law or regulation with which non-compliance may have a material effect on the financial statements could potentially be an event or condition that may indicate the existence of a risk of material misstatement, for example, where the legislation is particularly complex or where non-compliance has occurred within the sector or industry.

How we have responded to concerns

24Accordingly, we have amended the wording in requirement 12-2(a) to focus on:

"Regulatory factors, including those laws and regulations that are fundamental to the operating aspects of the business and to an entity's ability to continue its business."

25This wording should be familiar to auditors as the extant standard explains that indirect laws and regulations are those with which compliance “may be fundamental to the operating aspects of the business, to an entity's ability to continue its business, or to avoid material penalties.” This should help ensure that auditors take a proportionate and effective rather than defensive approach.

Q4. Do you agree with the proposed changes made to ED2 ISA (UK) 250 to focus work effort on those laws and regulations that are fundamental to the operating aspects of the business and to an entity's ability to continue its business? If you disagree with the proposals, please explain what you suggest instead and why.

Considering the need for specialist legal expertise

26Linked to the distinction between direct and indirect laws and regulations, many respondents argued that specialist legal expertise (lawyers or other legal experts) would be required to identify relevant laws and regulations, particularly those that were indirect as the auditors would not have such knowledge or expertise. Having to use compliance and regulatory experts and lawyers could give rise to significant additional costs on every audit. That was never the intent of the revised draft standard, but rather a tendency to over-engineer a response to a requirement for an informed and risk-based assessment of risks.

How we have responded to concerns

27Under the extant standard, the auditor is required to obtain a general understanding of the legal and regulatory framework applicable to the entity and the industry or sector in which the entity operates, and how the entity is complying with that framework. This includes both direct and indirect laws and regulations, and therefore an auditor, who has built their understanding of the entity subject to audit, should already have some knowledge of the relevant laws and regulations.

28Further, as explained in paragraph 23, the risk assessment procedures introduced into proposed ISA (UK) 250 are designed to identify events and conditions relevant to those laws and regulations with which non-compliance may have a material effect on the financial statements, including:

The provisions of those laws and regulations relating to the determination of material amounts and disclosures in the financial statements; and
Those laws and regulations that are fundamental to the operating aspects of the business and to an entity's ability to continue its business.

The auditor is, therefore, not expected to have an understanding of laws and regulations than is greater than that required to undertake the audit. Their understanding and expected work is bounded by what is needed to be able to express an opinion – nothing more.

29Additional specialist legal skills will, therefore, not normally be required on an audit. We have therefore provided clarification through additional application material (paragraphs A10-1-A10-3).

Q5. Do you agree with the proposed clarification to ED2 ISA (UK) 250 to help auditors determine the very limited circumstances where the engagement team requires specialized legal skills or knowledge? If you disagree with the proposals, please explain what you suggest instead and why.

Maturity of internal control systems and risk management processes in audited entities

30The work effort proposed in ED ISA (UK) 250 to identify those laws and regulations with which non-compliance may have a material effect on the financial statements is centred around the auditor understanding management's process for identifying relevant laws and regulations, the business risks associated with non-compliance and the controls management put in place to address those risks.

31However, one of the concerns raised is that not all entities will have mature risk assessment and internal control systems in place for specifically identifying the relevant laws and regulations. In the absence of an appropriate assessment made by management, there is an argument that auditors will inevitably need to perform the work themselves.

32In addition, several respondents identified that there would be an additional burden on businesses as a result of the requirement to identify relevant laws and regulations.

How we have responded to concerns

33Whilst we recognise these concerns, management are primarily responsible for ensuring that the entities they run comply with relevant laws and regulations. This is important to mitigate against the risk of sanction where law or regulation is breached. This requires that they have an understanding of the fundamental laws and regulations that impact their entity, and business risks or controls in place to address potential non-compliance with laws and regulations.

34We have clarified this in paragraph A11-7 in respect of the entity's system of internal control.

Q6. Do you agree with the proposed clarification to ED2 ISA (UK) 250 on management and those charged with governance's responsibilities in respect of non-compliance with laws and regulations? If you disagree with the proposals, please explain what you suggest instead and why.

Proposed ISA (UK) 270 (Revised) Special Considerations for Audits of Public Interest Entities—Communicating and Reporting to an Appropriate Authority Outside the Entity

Background

35ISA (UK) 250 (Revised November 2019) 'Section B—The Auditor's Statutory Right and Duty to Report to Regulators of Public Interest Entities and Regulators of Other Entities in the Financial Sector' is an auditing standard unique to the UK and not based on a corresponding international one issued by the IAASB.

36Whilst the standard has historically been linked to ISA (UK) 250 Section A due to its association with non-compliance with laws and regulations, it is much wider in scope, because of underlying UK legal and regulatory requirements (predominantly arising from the EU Audit Regulation and Directive which still apply as UK retained law). For example, matters related to going concern, modified audit reports, integrity of management and those charged with governance (fit and proper status) might all need to be reported to a regulator depending on the circumstances.

37The proposed revisions to ED ISA (UK) 270 therefore:

Renumbered and renamed the standard to make it absolutely clear that reporting and communicating to an appropriate authority outside the entity can arise in any area of the audit and is not just linked to non-compliance with laws and regulations;
Made the standard more principles-based; and
Introduced an additional reporting requirement for auditors that where a reportable matter exists but there are no law, regulation or relevant ethical requirements identified, the auditor is still required to consider whether the reportable matter is one that should be reported in the public interest.

Key themes arising from consultation and outreach

Reporting in the public interest

38We had proposed in ED ISA 270 (UK) to include an additional reporting requirement for auditors (in proposed paragraph 18) that where a reportable matter exists but there are no law, regulation or relevant ethical requirements identified, the auditor is still required to consider whether the reportable matter is one that should be reported in the public interest to an appropriate authority outside the entity.

How we have responded to concerns

39We have removed the requirement and that part of the definition that related to this requirement, as not being proportionate to the risk faced.

Q7. Do you agree that the retained proposals in ED2 ISA (UK) 270 will enhance and strengthen the auditor's identification of matters that should be reported to an appropriate authority outside the entity? If you disagree with the proposals, please explain what you suggest instead and why.

Reporting to an appropriate authority outside the entity

40Some respondents requested further guidance over which authority outside the entity an auditor might be required to report to.

How we have responded to concerns

41We have clarified that reports are generally made to the appropriate authority outside the entity that has the statutory powers to be able to act on the information provided in the report from the auditor. The auditor also needs to recognise that this may necessitate reporting to more than one authority outside the entity.

42We have also clarified that for all matters identified in accordance with paragraph 18, the auditor of a public interest entity should make a report to the Financial Reporting Council as competent authority.

Q8. Do you agree with the proposed clarification in ED2 ISA (UK) 270 on reporting to appropriate authorities outside the entity? If you disagree with the proposals, please explain what you suggest instead and why.

Proposed effective date

43We are proposing an effective date for ED2 ISA (UK) 250 and ED2 ISA (UK) 270 for audits of financial statements for periods beginning on or after 15 December 2027. Earlier adoption would be permitted.

Q9. Do you agree with the proposed effective date for audits of financial statements for periods commencing on or after 15 December 2027 for both ED2 ISA (UK) 250 and ED2 ISA (UK) 270? If you disagree with the proposals, please explain what you suggest instead and why.

Q10. What practical steps could the FRC take to help minimise the cost of implementing the proposed revisions? Please provide specific suggestions.

Appendix 1: Impact Assessment

The FRC is a principles-based regulator and is committed to issuing proportionate Standards and Guidance that support the provision of high-quality, independent audit. As a matter of policy, the FRC's auditing standards are based on the corresponding international standards issued by the IAASB. Where necessary the international standards are augmented with additional requirements to address specific UK legal and regulatory requirements; and additional guidance that is appropriate in the UK national legislative, cultural and business context.

In developing the revisions to ISA (UK) 250 and ISA (UK) 270, we have sought to maintain our support for the underlying international standards while introducing supplemental requirements and guidance to address concerns currently identified in the UK.

We recognise that some additional costs will be incurred by practitioners, including those incurred at the firm level relating to audit methodology and tools updates, training development and delivery, and auditor familiarisation with the changes to the standards. There will also be additional costs incurred at the audit engagement level in respect of enhanced planning and performance.

Some of the responses to the consultation suggested we had underestimated the impact of the proposed revisions for ISA (UK) 250 at the engagement level. However, this appears to be based on a misinterpretation of the work effort required to meet the requirements and objectives of the revised standard. The amendments to the final standards as outlined in this feedback statement should clarify the work effort required and therefore we do not propose to amend the quantifiable costs originally included for the consultation.

The revised standards have been designed to be proportionate and scalable, incorporating a risk-based approach that allows the auditor to use judgement to determine an appropriate response. We believe that benefits in the public interest of clarifying the auditor's responsibilities in relation to the consideration of laws and regulations and reporting to an appropriate authority outside the entity in an audit of financial statements, although not quantifiable, will outweigh the costs of implementation.

The quantifiable cost as a result of these proposals is estimated to be:

Revised requirement	Assumptions	Cost Impacts	Estimated Cost (Hours)	Recurring (Y/N)
Familiarisation and Training (impact is mitigated to some extent as forms part of update process undertaken annually)	Updating guidance by technical managers/partners (90%/10%)	Audit firm	45 per firm	N
Familiarisation and Training (impact is mitigated to some extent as forms part of update process undertaken annually)	Updating guidance by technical managers/partners (90%/10%)	Familiarisation of changes by practitioner	Audit firm	2 per practitioner
Increased Work Effort in identifying laws and regulations with which non-compliance may have a material effect on the financial statements	Additional risk assessment procedures and related activities, identifying, assessing and responding to risks of material misstatement due to NOCLAR	Audit firm	15 per audit	Y
Increased Work Effort in communicating and reporting to an appropriate authority outside the entity (PIEs only)	Identification of laws/regulations/ethical requirements. Most requirements already exist so no additional work effort.	PIE audit firms	1 per audit	Y

Financial Reporting Council

London office:
13th Floor, 1 Harbour Exchange Square,
London,
E14 9GE

Birmingham office:
5th Floor, 3 Arena Central,
Bridge Street, Birmingham,
B1 2AX

+44 (0)20 7492 2300
www.frc.org.uk

https://www.frc.org.uk/consultations/proposed-revisions-to-isa-uk-250-section-a-and-isa-uk-250-section-b/ ↩
The consultation document referred to ISA (UK) 2X0 which has subsequently been renumbered ISA (UK) 270 ↩
ISA (UK) 315 (Revised July 2020), Appendix 2, Paragraph 5 ↩

File

Name Re-Consultation on ISA (UK) 250 (Revised) and ISA (UK) 270 (Revised)

Publication date 24 March 2026

Type Consultation paper

Format PDF, 562.2 KB

Download original

Re-Consultation on ISA (UK) 250 (Revised) and ISA (UK) 270 (Revised)

File

Is this page useful?