INTERNATIONAL STANDARD ON AUDITING 250

CONSIDERATION OF LAWS AND REGULATIONS

IN AN AUDIT OF FINANCIAL STATEMENTS
(This Standard is effective, but contains conforming amendments that become
effective at a future date)*

CONTENTS
Paragraph
Introduction ................................................................................................... 1-8
Responsibility of Management for the Compliance With Laws
and Regulations ...................................................................................... 9-10
The Auditor’s Consideration of Compliance With Laws and
Regulations ............................................................................................. 11-31
Reporting of Noncompliance ......................................................................... 32-38
Withdrawal From the Engagement ................................................................ 39-40
Appendix: Indications that Noncompliance May Have Occurred

International Standard on Auditing (ISA) 250, “Consideration of Laws and

Regulations in an Audit of Financial Statements” should be read in the context of the
“Preface to the International Standards on Quality Control, Auditing, Assurance and
Related Services,” which sets out the application and authority of ISAs.

* The Audit Risk Standards, comprising ISA 315, “Understanding the Entity and Its Environment and Assessing
the Risks of Material Misstatement,” ISA 330, “The Auditor’s Procedures in Response to Assessed Risks,” and
ISA 500 (Revised), “Audit Evidence,” gave rise to conforming amendments to ISA 250. These amendments
are effective for audits of financial statements for periods beginning on or after December 15, 2004.

1 ISA 250 (CONFORMED)

 CONSIDERATION OF LAWS AND REGULATIONS (CONFORMED)

Introduction
1. The purpose of this International Standard on Auditing (ISA) is to establish
standards and provide guidance on the auditor’s responsibility to consider laws
and regulations in an audit of financial statements.
2. When designing planning and performing audit procedures and in
evaluating and reporting the results thereof, the auditor should recognize
that noncompliance by the entity with laws and regulations may
materially affect the financial statements. However, an audit cannot be
expected to detect noncompliance with all laws and regulations. Detection of
noncompliance, regardless of materiality, requires consideration of the
implications for the integrity of management or employees and the possible
effect on other aspects of the audit.
3. The term “noncompliance” as used in this ISA refers to acts of omission or
commission by the entity being audited, either intentional or unintentional,
which are contrary to the prevailing laws or regulations. Such acts, include
transactions entered into by, or in the name of, the entity or on its behalf by its
management or employees. For the purpose of this ISA, noncompliance does
not include personal misconduct (unrelated to the business activities of the
entity) by the entity’s management or employees.
4. Whether an act constitutes noncompliance is a legal determination that is
ordinarily beyond the auditor’s professional competence. The auditor’s
training, experience and understanding of the entity and its industry may
provide a basis for recognition that some acts coming to the auditor’s attention
may constitute noncompliance with laws and regulations. The determination as
to whether a particular act constitutes or is likely to constitute noncompliance
is generally based on the advice of an informed expert qualified to practice law
but ultimately can only be determined by a court of law.
5. Laws and regulations vary considerably in their relation to the financial
statements. Some laws or regulations determine the form or content of an
entity’s financial statements or the amounts to be recorded or disclosures to be
made in financial statements. Other laws or regulations are to be complied with
by management or set the provisions under which the entity is allowed to
conduct its business. Some entities operate in heavily regulated industries
(such as banks and chemical companies). Others are only subject to the many
laws and regulations that generally relate to the operating aspects of the
business (such as those related to occupational safety and health and equal
employment). Noncompliance with laws and regulations could result in
financial consequences for the entity such as fines, litigation, etc. Generally,
the further removed noncompliance is from the events and transactions
ordinarily reflected in financial statements, the less likely the auditor is to
become aware of it or to recognize its possible noncompliance.

ISA 250 (CONFORMED) 2

 CONSIDERATION OF LAWS AND REGULATIONS (CONFORMED)

6. Laws and regulations vary from country to country. National accounting and
auditing standards are therefore likely to be more specific as to the relevance of
laws and regulations to an audit.
7. This ISA applies to audits of financial statements and does not apply to other
engagements in which the auditor is specifically engaged to test and report
separately on compliance with specific laws or regulations.
8. Guidance on the auditor’s responsibility to consider fraud and error in an audit
of financial statements is provided in ISA 240, “The Auditor’s Responsibility
to Consider Fraud and Error in an Audit of Financial Statements.”

Responsibility of Management for the Compliance With Laws and

Regulations
9. It is management’s responsibility to ensure that the entity’s operations are
conducted in accordance with laws and regulations. The responsibility for the
prevention and detection of noncompliance rests with management.
10. The following policies and procedures, among others, may assist management
in discharging its responsibilities for the prevention and detection of
noncompliance:
• Monitoring legal requirements and ensuring that operating procedures are
designed to meet these requirements.
• Instituting and operating appropriate systems of internal control.
• Developing, publicizing and following a code of conduct.
• Ensuring employees are properly trained and understand the code of
conduct.
• Monitoring compliance with the code of conduct and acting appropriately
to discipline employees who fail to comply with it.
• Engaging legal advisors to assist in monitoring legal requirements.
• Maintaining a register of significant laws with which the entity has to
comply within its particular industry and a record of complaints.
In larger entities, these policies and procedures may be supplemented by
assigning appropriate responsibilities to the following:
• An internal audit function.
• An audit committee.

3 ISA 250 (CONFORMED)

 CONSIDERATION OF LAWS AND REGULATIONS (CONFORMED)

The Auditor’s Consideration of Compliance With Laws and

Regulations
11. The auditor is not, and cannot be held responsible for preventing
noncompliance. The fact that an annual audit is carried out may, however, act
as a deterrent.
12. An audit is subject to the unavoidable risk that some material misstatements of
the financial statements will not be detected, even though the audit is properly
planned and performed in accordance with ISAs. This risk is higher with
regard to material misstatements resulting from noncompliance with laws and
regulations due to factors such as the following:
• There are many laws and regulations, relating principally to the operating
aspects of the entity, that typically do not have a material effect on the
financial statements and are not captured by the entity’s accounting and
internal control information systems relevant to financial reporting.
• The effectiveness of audit procedures is affected by the inherent
limitations of the accounting and internal control systems and by the use
of testing.
• Much of the audit evidence obtained by the auditor is persuasive rather
than conclusive in nature.
• Noncompliance may involve conduct designed to conceal it, such as
collusion, forgery, deliberate failure to record transactions, senior
management override of controls or intentional misrepresentations being
made to the auditor.
13. In accordance with ISA 200, “Objective and General Principles
Governing an Audit of Financial Statements” the auditor should plan and
perform the audit with an attitude of professional skepticism recognizing
that the audit may reveal conditions or events that would lead to
questioning whether an entity is complying with laws and regulations.
14. In accordance with specific statutory requirements, the auditor may be
specifically required to report as part of the audit of the financial statements
whether the entity complies with certain provisions of laws or regulations. In
these circumstances, the auditor would plan to test for compliance with these
provisions of the laws and regulations.
15. In order to plan the audit, the auditor should obtain a general
understanding of the legal and regulatory framework applicable to the
entity and the industry and how the entity is complying with that
framework.
16. In obtaining this general understanding, the auditor would particularly
recognize that some laws and regulations may give rise to business risks that

ISA 250 (CONFORMED) 4

 CONSIDERATION OF LAWS AND REGULATIONS (CONFORMED)

have a fundamental effect on the operations of the entity. That is,

noncompliance with certain laws and regulations may cause the entity to cease
operations, or call into question the entity’s continuance as a going concern.
For example, noncompliance with the requirements of the entity’s license or
other title to perform its operations could have such an impact (for example,
for a bank, noncompliance with capital or investment requirements).
17. To obtain the general understanding of laws and regulations, the auditor would
ordinarily:
• Use the existing understanding knowledge of the entity’s industry,
regulatory and other external factors and business;
• Inquire of management concerning the entity’s policies and procedures
regarding compliance with laws and regulations;
• Inquire of management as to the laws or regulations that may be expected
to have a fundamental effect on the operations of the entity;
• Discuss with management the policies or procedures adopted for
identifying, evaluating and accounting for litigation claims and
assessments; and
• Discuss the legal and regulatory framework with auditors of subsidiaries
in other countries (for example, if the subsidiary is required to adhere to
the securities regulations of the parent company).
18. After obtaining the general understanding, the auditor should perform
further audit procedures to help identify instances of noncompliance with
those laws and regulations where noncompliance should be considered
when preparing financial statements, specifically:
(a) Inquiring of management as to whether the entity is in compliance
with such laws and regulations; and
(b) Inspecting correspondence with the relevant licensing or
regulatory authorities.
19. Further, the auditor should obtain sufficient appropriate audit evidence
about compliance with those laws and regulations generally recognized by
the auditor to have an effect on the determination of material amounts
and disclosures in financial statements. The auditor should have a
sufficient understanding of these laws and regulations in order to consider
them when auditing the assertions related to the determination of the
amounts to be recorded and the disclosures to be made.
20. Such laws and regulations would be well established and known to the entity
and within the industry; they would be considered on a recurring basis each
time financial statements are issued. These laws and regulations, may relate,
for example, to the form and content of financial statements, including industry

5 ISA 250 (CONFORMED)

 CONSIDERATION OF LAWS AND REGULATIONS (CONFORMED)

specific requirements; accounting for transactions under government contracts;

or the accrual or recognition of expenses for income taxes or pension costs.
21. Other than as described in paragraphs 18-20, the auditor does not test or
perform other audit procedures on the entity’s compliance with laws and
regulations since this would be outside the scope of an audit of financial
statements.
22. The auditor should be alert to the fact that audit procedures applied for
the purpose of forming an opinion on the financial statements may bring
instances of possible noncompliance with laws and regulations to the
auditor’s attention. For example, such audit procedures include reading
minutes; inquiring of the entity’s management and legal counsel concerning
litigation, claims and assessments; and performing substantive tests of details
of classes of transactions, account or balances, or disclosures.
23. The auditor should obtain written representations that management has
disclosed to the auditor all known actual or possible noncompliance with
laws and regulations whose effects should be considered when preparing
financial statements.
24. In the absence of audit evidence to the contrary, the auditor is entitled to
assume the entity is in compliance with these laws and regulations.

Audit Procedures When Noncompliance is Discovered

25. The Appendix to this ISA sets out examples of the type of information that
might come to the auditor’s attention that may indicate noncompliance.
26. When the auditor becomes aware of information concerning a possible
instance of noncompliance, the auditor should obtain an understanding of
the nature of the act and the circumstances in which it has occurred, and
sufficient other information to evaluate the possible effect on the financial
statements.
27. When evaluating the possible effect on the financial statements, the auditor
considers:
• The potential financial consequences, such as fines, penalties, damages,
threat of expropriation of assets, enforced discontinuation of operations
and litigation.
• Whether the potential financial consequences require disclosure.
• Whether the potential financial consequences are so serious as to call into
question the true and fair view (fair presentation) given by the financial
statements.
28. When the auditor believes there may be noncompliance, the auditor
should document the findings and discuss them with management.

ISA 250 (CONFORMED) 6

 CONSIDERATION OF LAWS AND REGULATIONS (CONFORMED)

Documentation of findings would include copies of records and documents and

making minutes of conversations, if appropriate.
29. If management does not provide satisfactory information that it is in fact in
compliance, the auditor would consult with the entity’s lawyer about the
application of the laws and regulations to the circumstances and the possible
effects on the financial statements. When it is not considered appropriate to
consult with the entity’s lawyer or when the auditor is not satisfied with the
opinion, the auditor would consider consulting the auditor’s own lawyer as to
whether a violation of a law or regulation is involved, the possible legal
consequences and what further action, if any, the auditor would take.
30. When adequate information about the suspected noncompliance cannot be
obtained, the auditor should consider the effect of the lack of sufficient
appropriate audit evidence on the auditor’s report.
31. The auditor should consider the implications of noncompliance in relation
to other aspects of the audit, particularly the reliability of management
representations. In this regard, the auditor reconsiders the risk assessment and
the validity of management representations, in case of noncompliance not
detected by the entity’s internal controls or not included in management
representations. The implications of particular instances of noncompliance
discovered by the auditor will depend on the relationship of the perpetration
and concealment, if any, of the act to specific control activities procedures and
the level of management or employees involved.

Reporting of Noncompliance
To Management
32. The auditor should, as soon as practicable, either communicate with those
charged with governancethe audit committee, the board of directors and
senior management, or obtain audit evidence that they are appropriately
informed, regarding noncompliance that comes to the auditor’s attention.
However, the auditor need not do so for matters that are clearly
inconsequential or trivial and may reach agreement in advance on the nature of
such matters to be communicated.
33. If in the auditor’s judgment the noncompliance is believed to be
intentional and material, the auditor should communicate the finding
without delay.
34. If the auditor suspects that members of senior management, including
members of the board of directors, are involved in noncompliance, the
auditor should report the matter to the next higher level of authority at
the entity, if it exists, such as an audit committee or a supervisory board.
Where no higher authority exists, or if the auditor believes that the report may

7 ISA 250 (CONFORMED)

 CONSIDERATION OF LAWS AND REGULATIONS (CONFORMED)

not be acted upon or is unsure as to the person to whom to report, the auditor
would consider seeking legal advice.

To the Users of the Auditor’s Report on the Financial Statements

35. If the auditor concludes that the noncompliance has a material effect on
the financial statements, and has not been properly reflected in the
financial statements, the auditor should express a qualified or an adverse
opinion.
36. If the auditor is precluded by the entity from obtaining sufficient
appropriate audit evidence to evaluate whether noncompliance that may
be material to the financial statements, has, or is likely to have, occurred,
the auditor should express a qualified opinion or a disclaimer of opinion
on the financial statements on the basis of a limitation on the scope of the
audit.
37. If the auditor is unable to determine whether noncompliance has occurred
because of limitations imposed by the circumstances rather than by the
entity, the auditor should consider the effect on the auditor’s report.

To Regulatory and Enforcement Authorities

38. The auditor’s duty of confidentiality would ordinarily preclude reporting
noncompliance to a third party. However, in certain circumstances, that duty of
confidentiality is overridden by statute, law or by courts of law (for example,
in some countries the auditor is required to report noncompliance by financial
institutions to the supervisory authorities). The auditor may need to seek legal
advice in such circumstances, giving due consideration to the auditor’s
responsibility to the public interest.

Withdrawal From the Engagement

39. The auditor may conclude that withdrawal from the engagement is necessary
when the entity does not take the remedial action that the auditor considers
necessary in the circumstances, even when the noncompliance is not material
to the financial statements. Factors that would affect the auditor’s conclusion
include the implications of the involvement of the highest authority within the
entity which may affect the reliability of management representations, and the
effects on the auditor of continuing association with the entity. In reaching
such a conclusion, the auditor would ordinarily seek legal advice.
40. As stated in the Code of Ethics for Professional Accountants issued by the
International Federation of Accountants, on receipt of an inquiry from the
proposed auditor, the existing auditor should advise whether there are
any professional reasons why the proposed auditor should not accept the
appointment. The extent to which an existing auditor can discuss the affairs of
a client with a proposed auditor will depend on whether the client’s permission

ISA 250 (CONFORMED) 8

 CONSIDERATION OF LAWS AND REGULATIONS (CONFORMED)

to do so has been obtained and/or the legal or ethical requirements that apply in
each country relating to such disclosure. If there are any such reasons or other
matters which need to be disclosed, the existing auditor would, taking account
of the legal and ethical constraints, including where appropriate permission of
the client, give details of the information and discuss freely with the proposed
auditor all matters relevant to the appointment. If permission from the client
to discuss its affairs with the proposed auditor is denied by the client, that
fact should be disclosed to the proposed auditor.

Public Sector Perspective

1. Many public sector engagements include additional audit responsibilities with
respect to consideration of laws and regulations. Even if the auditor’s
responsibilities do not extend beyond those of the private sector auditor,
reporting responsibilities may be different as the public sector auditor may be
obliged to report on instances of noncompliance to governing authorities or to
report them in the audit report. In respect to public sector entities, the Public
Sector Committee (PSC) has supplemented the guidance included in this ISA in
its Study 3, “Auditing for Compliance with Authorities—A Public Sector
Perspective.”

9 ISA 250 (CONFORMED)

 CONSIDERATION OF LAWS AND REGULATIONS (CONFORMED)

Appendix

Indications That Noncompliance May Have Occurred

Examples of the type of information that may come to the auditor’s attention that may
indicate that noncompliance with laws or regulations has occurred are listed below:
• Investigation by government departments or payment of fines or penalties.
• Payments for unspecified services or loans to consultants, related parties,
employees or government employees.
• Sales commissions or agent’s fees that appear excessive in relation to those
ordinarily paid by the entity or in its industry or to the services actually received.
• Purchasing at prices significantly above or below market price.
• Unusual payments in cash, purchases in the form of cashiers’ checks payable to
bearer or transfers to numbered bank accounts.
• Unusual transactions with companies registered in tax havens.
• Payments for goods or services made other than to the country from which the
goods or services originated.
• Payments without proper exchange control documentation.
• Existence of an information accounting system which fails, whether by design or by
accident, to provide an adequate audit trail or sufficient evidence.
• Unauthorized transactions or improperly recorded transactions.
• Media comment.

ISA 250 (CONFORMED) 10