Compliance with Laws and Regulations
Entities operate within a complex web of laws and regulations. Some of these directly determine how amounts are presented in the financial statements, while others govern the entity's operations and may only indirectly affect financial reporting. The auditor has a responsibility to consider the effect of laws and regulations on the financial statements, but the extent of that responsibility differs depending on whether the law has a direct or indirect effect on the financial statements.
This section covers the auditor's consideration of laws and regulations under AU-C 250 and AS 2405, the distinction between direct-effect and indirect-effect laws, the auditor's responsibility for detecting noncompliance, procedures for identifying noncompliance, reporting obligations, the effect on the audit opinion, legal letter (attorney letter) requirements, and going concern considerations related to noncompliance.
The auditor is not an attorney and is not expected to have the legal expertise to identify all instances of noncompliance. However, the auditor is responsible for obtaining reasonable assurance that the financial statements are free from material misstatement—including misstatements arising from noncompliance with laws and regulations that have a direct and material effect on the financial statements.
Direct-Effect vs. Indirect-Effect Laws
The distinction between direct-effect and indirect-effect laws is fundamental to understanding the auditor's responsibilities:
| Category | Definition | Examples | Auditor's Responsibility |
|---|---|---|---|
| Direct-effect laws | Laws and regulations that have a direct and material effect on the determination of amounts and disclosures in the financial statements | Tax laws, pension and benefit regulations (ERISA), revenue recognition rules for government contractors, banking reserve requirements | The auditor designs procedures to obtain reasonable assurance of detecting noncompliance that could cause material misstatement |
| Indirect-effect laws | Laws and regulations related to the entity's operating activities that do not directly affect financial statement amounts but whose noncompliance may result in fines, penalties, or litigation that require disclosure | Environmental regulations, occupational safety laws (OSHA), antitrust laws, data privacy regulations, anti-corruption laws (FCPA) | The auditor's responsibility is limited to performing specified inquiry and inspection procedures; the auditor is not required to design specific procedures to detect noncompliance |
Example: Gies Co. is a government contractor. Federal Acquisition Regulation (FAR) cost accounting standards directly affect how Gies Co. recognizes revenue and allocates costs on government contracts—these are direct-effect laws. Gies Co. is also subject to OSHA workplace safety regulations. Violations of OSHA rules could result in fines or litigation but do not directly determine financial statement amounts—these are indirect-effect laws.
The CPA exam frequently tests the distinction between direct-effect and indirect-effect laws. Remember: if a law tells you how much to record or how to disclose something in the financial statements, it is a direct-effect law. If a law governs how the business operates, it is an indirect-effect law.
Auditor's Responsibility for Detecting Noncompliance
Direct-Effect Laws
For direct-effect laws, the auditor has the same level of responsibility as for detecting other material misstatements. The auditor must:
- Obtain a general understanding of the legal and regulatory framework applicable to the entity and the industry
- Determine how the entity complies with those laws and regulations
- Design and perform audit procedures to detect noncompliance that could result in material misstatement
- Evaluate identified instances of noncompliance for their effect on the financial statements
Indirect-Effect Laws
For indirect-effect laws, the auditor's responsibility is more limited. The auditor should:
- Inquire of management about the entity's compliance with laws and regulations
- Inspect correspondence with relevant regulatory authorities and licensing agencies
- Remain alert for information indicating possible noncompliance
The auditor is not required to design specific procedures to detect noncompliance with indirect-effect laws. However, if the auditor becomes aware of possible noncompliance, the auditor must investigate further.
Procedures for Identifying Noncompliance
The auditor performs the following procedures to identify potential noncompliance:
| Procedure | Description |
|---|---|
| Inquire of management | Ask management whether the entity is in compliance with applicable laws and regulations, and whether any notices of noncompliance have been received |
| Inquire of legal counsel | Ask the entity's in-house or external legal counsel about litigation, claims, and known regulatory matters |
| Inspect correspondence | Review correspondence with regulatory agencies, taxing authorities, and licensing bodies |
| Read minutes | Review minutes of board of directors and audit committee meetings for discussion of legal or regulatory matters |
| Review compliance reports | Examine internal audit or compliance department reports on regulatory compliance |
| Review contracts and agreements | Examine significant contracts for compliance-related provisions (e.g., debt covenants, grant requirements) |
| Obtain written representations | Include in the management representation letter a statement that management has disclosed all known or suspected noncompliance |
Example: During the audit of Illini Security, the auditor inquires of management about compliance with data privacy regulations. Management discloses that the company received a notice from a state attorney general regarding a potential violation of data breach notification requirements. The auditor must evaluate whether this potential noncompliance could result in a material liability or required disclosure.
Evaluating Identified or Suspected Noncompliance
When the auditor identifies or suspects noncompliance, the following steps are required:
- Obtain an understanding of the nature of the act and the circumstances in which it occurred
- Evaluate the effect on the financial statements—consider potential fines, penalties, damages, loss of revenue, contingent liabilities, and required disclosures
- Consult with management and, if appropriate, legal counsel about the matter
- Consider the implications for other aspects of the audit, including the reliability of management's representations and the assessment of fraud risk
- Determine whether the matter should be communicated to those charged with governance
- Document the findings, the auditor's assessment, and the conclusions reached
If the auditor suspects that management is involved in noncompliance, this raises significant concerns about the integrity of management and the reliability of management's representations. The auditor should consider the effect on the overall audit, including whether it is appropriate to continue the engagement.
Reporting Obligations for Noncompliance
Communication to Those Charged with Governance
The auditor must communicate all identified or suspected noncompliance with laws and regulations to those charged with governance (e.g., the audit committee), unless the matters are clearly inconsequential.
Communication to Management
Identified or suspected noncompliance is normally communicated to management at an appropriate level of authority so that it can be addressed. If the noncompliance appears to involve management itself, the auditor communicates the matter to the next higher level of authority within the entity (e.g., those charged with governance) rather than to the managers involved.
External Reporting
Under AICPA standards, the auditor generally has no obligation to report noncompliance to parties outside the entity. However, important exceptions exist:
| Situation | Reporting Obligation |
|---|---|
| Successor auditor inquiry | With the client's permission, the predecessor auditor responds fully and promptly to the successor auditor's inquiries, including matters (such as known noncompliance) that bear on the successor's decision to accept the engagement |
| Subpoena or legal proceedings | The auditor may be compelled to disclose information |
| Government audit requirements | Audits under Government Auditing Standards (Yellow Book) or Single Audit Act require reporting of noncompliance to regulatory bodies |
| SEC-registered entities | Under Section 10A of the Securities Exchange Act of 1934, if the auditor of an issuer concludes that an illegal act has a material effect on the financial statements, that senior management has not taken timely and appropriate remedial action, and that this failure warrants departure from a standard report or resignation, the auditor must report that conclusion to the board. The board must notify the SEC within one business day and give the auditor a copy of the notice; if the auditor does not receive that copy within one business day, the auditor must either resign or furnish the report to the SEC within one business day |
Example: During the audit of Kingfisher Industries (an SEC registrant), the auditor discovers that management has been making improper payments to foreign government officials in violation of the Foreign Corrupt Practices Act (FCPA). After the auditor reports this to the audit committee, management and the board fail to take timely remedial action. Under Section 10A, the auditor reports its conclusion to the board; if the board does not notify the SEC within one business day and provide the auditor a copy of that notice, the auditor must either resign or report directly to the SEC within one business day.
Effect on the Audit Opinion
Noncompliance with laws and regulations can affect the audit opinion in several ways:
| Situation | Effect on Opinion |
|---|---|
| Material misstatement due to noncompliance (e.g., unrecorded liability for fines) and management refuses to adjust | Qualified or adverse opinion |
| Scope limitation — the auditor is unable to determine whether noncompliance has occurred or to evaluate its financial statement effect | Qualified opinion or disclaimer of opinion |
| Noncompliance is properly reflected in the financial statements (recorded/disclosed) | No modification required; unmodified opinion |
| Substantial doubt about going concern due to noncompliance (e.g., loss of operating license), with adequate disclosure | Opinion is not modified; the auditor adds a separate going concern section to the report (nonissuers, under AU-C 570 as amended by SAS 134, which replaced the former emphasis-of-matter paragraph) or an explanatory paragraph (issuers). If disclosure is inadequate, the opinion is also qualified or adverse |
Legal Letter Requirements (Attorney Letter / Inquiry of Client's Lawyer)
The letter of audit inquiry to the client's lawyer (commonly called the "legal letter" or "attorney letter") is a critical procedure for identifying contingent liabilities related to litigation, claims, and assessments—many of which arise from potential noncompliance.
Purpose
The legal letter provides the auditor with corroborative evidence about:
- Pending or threatened litigation and claims
- Management's evaluation of the likelihood of unfavorable outcomes
- Management's estimate of the range of potential loss
- Unasserted claims that the lawyer has been asked to evaluate
Process
- Management prepares a letter describing all pending and threatened litigation, claims, and assessments
- The auditor sends the letter to the entity's external legal counsel, asking the lawyer to confirm or supplement the information
- The lawyer responds directly to the auditor, commenting on each item
Key Considerations
- If the lawyer's response is limited (e.g., the lawyer refuses to comment on certain matters), the auditor must evaluate whether this constitutes a scope limitation
- The lawyer is not expected to comment on unasserted claims unless management has specifically identified them to the lawyer
- A failure to receive a response from the lawyer is a scope limitation that could result in a qualified opinion or disclaimer
Example: MAS Inc.'s auditor sends a legal letter to the company's outside counsel. The lawyer confirms one pending lawsuit with a probable unfavorable outcome and an estimated loss range of $2 million to $5 million. The lawyer declines to comment on two additional matters, citing attorney-client privilege. The auditor evaluates whether the refusal to comment creates a scope limitation and considers whether alternative procedures can provide the needed evidence.
The legal letter is sent by the auditor but is prepared based on information provided by management. The response comes from the lawyer directly to the auditor. This three-party process is designed to ensure that the auditor receives independent corroboration of management's assertions about litigation and claims.
Going Concern Considerations Related to Noncompliance
Noncompliance with laws and regulations can raise substantial doubt about the entity's ability to continue as a going concern. Situations that may trigger going concern considerations include:
- Loss of a critical license or permit required to operate (e.g., a bank losing its charter, a broadcaster losing its FCC license)
- Significant fines or penalties that threaten the entity's financial viability
- Government sanctions or debarment that would prevent the entity from operating in key markets
- Environmental remediation obligations that exceed the entity's financial capacity
- Criminal prosecution of the entity or key management personnel
Example: Illini Entertainment holds a liquor license that is essential to its concert venue operations. The state liquor control commission initiates proceedings to revoke the license due to repeated violations. If the license is revoked, Illini Entertainment would lose a substantial portion of its revenue. The auditor evaluates whether this raises substantial doubt about the entity's ability to continue as a going concern and considers the adequacy of the entity's disclosures.
When noncompliance raises going concern issues, the auditor evaluates management's plans to mitigate the adverse effects. If substantial doubt remains after considering management's plans, the auditor adds a separate going concern section (nonissuers, under AU-C 570 as amended by SAS 134, which replaced the former emphasis-of-matter paragraph) or an explanatory paragraph (issuers) to the audit report. This is required even when the financial statements adequately disclose the matter; if the disclosure is inadequate, the auditor also modifies the opinion (qualified or adverse) for the departure from the applicable financial reporting framework.