Laws and regulations

An important part of an external audit is the consideration by the auditor as to whether the client has complied with laws and regulations.  

It is important that candidates preparing for Audit and Assurance (AA) and Advanced Audit and Assurance (AAA) have an understanding of how laws and regulations affect an audit, not only in terms of the work the auditor is required to do, but also to appreciate the responsibilities of both management and the auditor where laws and regulations are concerned.  

The auditing standard that is relevant to this article is ISA 250 (Revised), Consideration of Laws and Regulations in an Audit of Financial Statements, and the objectives of the auditor according to paragraph 11 in ISA 250 are:

  • to obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognised to have a direct effect on the determination of material amounts and disclosures in the financial statements
  • to perform specified audit procedures to help identify instances of non-compliance with other laws and regulations that may have a material effect on the financial statements
  • to respond appropriately to identified or suspected non-compliance with laws and regulations identified during the audit.

The standard defines an act of ‘non-compliance’ as follows:

‘Acts of omission or commission, intentional or unintentional, committed by the entity, or by those charged with governance, by management or by other individuals working for or under the direction of the entity, which are contrary to the prevailing laws or regulations. Non-compliance does not include personal misconduct unrelated to the business activities of the entity.’

Respective responsibilities of management and auditors

Candidates need to go into the exam with an understanding as to who is responsible for compliance with laws and regulations and who is responsible for the detection of non-compliance with laws and regulations.

It is the responsibility of management to ensure that an entity complies with relevant laws and regulations. It is not the responsibility of the auditor to either prevent or detect non-compliance.   

Question 1(c) of the December 2011 F8 exam (now AA) for four marks required candidates to:

‘Explain the responsibilities of management and auditors of Chuck Industries Co in relation to compliance with laws and regulations under ISA 250, Consideration of Laws and Regulations in an Audit of Financial Statements.’

The question itself was linked to a brief scenario in which Chuck Industries Co had received a visit from the tax authority, which had discovered that incorrect amounts of tax had been deducted from the payroll because tax rates had not been updated in the previous year. The finance director was questioning the audit firm as to why it had not identified this non-compliance with tax legislation.

To secure a pass in this part of the question, candidates would have had to:

  • understand that it is the role of the management of Chuck Industries Co to ensure the operations of the entity are conducted in accordance with laws and regulations (this applies to tax legislation also)
  • appreciate that an auditor is not responsible for prevention of non-compliance with laws and regulations and is not expected to detect instances of non-compliance
  • acknowledge in the answer that it is the auditor’s responsibility to obtain reasonable assurance that the financial statements are free from material misstatement. To that end the auditor will take into account the legal and regulatory framework within which the entity operates
  • make reference to the auditor’s responsibility to consider those laws and regulations that have both a direct and an indirect effect on the determination of material amounts and disclosures in the financial statements.

Direct and indirect laws and regulations

There are many laws and regulations that a reporting entity may have to comply with in order to continue in business. For example, many entities will have to comply with strict health and safety legislation; a food manufacturer may have strict food hygiene legislation to comply with; and an accountancy firm will have a code of ethics to follow from its professional body. Such laws and regulations will have both a direct and an indirect effect on the financial statements.

For those laws and regulations that have a direct effect on the financial statements, the auditor will be concerned with gathering sufficient and appropriate audit evidence that the entity has complied with such laws and regulations. For example, when auditing the payroll the auditor will be concerned with gathering sufficient and appropriate audit evidence that tax legislation has been correctly applied by the entity. If it has not (as in Question 1(c) in the December 2011 F8 exam), there is a risk that the entity could be fined for non-compliance, and the fines could be material, either in isolation or when aggregated with other misstatements. In addition, amounts within the financial statements may also be misstated as a result of the non-compliance with laws and regulations.

For those laws and regulations that have an indirect effect on the financial statements, the auditor will undertake procedures with the objective of identifying non-compliance with such laws and regulations. ISA 250 gives examples in paragraph 6(b) of:

  • compliance with the terms of an operating license 
  • compliance with regulatory solvency requirements, or
  • compliance with environmental regulations.

When designing procedures to help to identify non-compliance with laws and regulations, ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment requires an auditor to obtain a general understanding of:

  • the applicable legal and regulatory framework, and
  • how the entity complies with that framework.

Identifying non-compliance with laws and regulations can be tricky for auditors, particularly where fraud and/or money laundering is concerned (see later in the article). It is for this reason that the auditor must maintain a degree of professional scepticism and remain alert to the possibility that other audit procedures applied may bring instances of non-compliance or suspected non-compliance with laws and regulations to the auditor’s attention, and such procedures could include:

  • reading minutes of board meetings
  • enquiring of management and/or legal advisers concerning litigation or claims brought against the entity, and
  • undertaking substantive tests on classes of transactions, account balances or disclosures.

Reporting identified or suspected non-compliance with laws and regulations

Where the auditor discovers non-compliance with laws and regulations, the auditor must notify those charged with governance. However, care must be taken by the auditor because if the auditor suspects that those charged with governance are involved, the auditor must then communicate with the next highest level of authority, which may include the audit committee. If a higher level of authority does not exist, the auditor will then consider the need to obtain legal advice.

The auditor must also consider whether the non-compliance has a material effect on the financial statements and, in turn, the impact the non-compliance will have on their report.   

If the auditor identifies or suspects non-compliance, the auditor will need to consider whether law, regulation and ethical requirements either require the auditor to report to an appropriate authority outside the entity, or establish responsibilities under which this may be appropriate.  

There may be occasions when the auditor’s duty of confidentiality may be overridden by law or statute. This can be the case when the auditor discovers non-compliance with legislation such as drug trafficking or money laundering.

Money laundering

The Study Guide to AAA covers the issue of money laundering separately from that of laws and regulations, in A2(a) to (g). ACCA’s Code of Ethics and Conduct defines ‘money laundering’ as:

‘...the process by which criminals attempt to conceal the true origin and ownership of the proceeds of their criminal activity, allowing them to maintain control over the proceeds and, ultimately, providing a legitimate cover for their sources of income.’

Auditors need to be particularly careful where money laundering issues are concerned – especially for a business that is predominantly cash-based because the scope for money laundering in such businesses is wide. There are usually three stages in money laundering:

  • Placement – which is the introduction or ‘placement’ of illegal funds into a financial system.
  • Layering – which is where the money is passed through a large number of transactions. This is done to make it difficult to trace the money to its original source.
  • Integration – which is where the ‘dirty’ money becomes ‘clean’ as it passes back into a legitimate economy.

Money laundering offences can include:

  • concealing criminal property
  • acquiring, using or possessing criminal property
  • becoming involved in an arrangement which is known, or suspected, to facilitate the acquisition of criminal property.

There are many countries in which money laundering is a criminal offence and, where an accountant or an auditor discovers a situation which may give rise to money laundering, the accountant or auditor must report such suspicions to a ‘money laundering reporting officer’ (MLRO) whose responsibility it is to report such suspicions to an enforcement agency (in the UK, this enforcement agency is the National Crime Agency (NCA)).

It is an offence to fail to report suspicions of money laundering to the MLRO or the NCA as soon as practicable, and it is also an offence if the MLRO fails to pass on a report to the NCA. Where the entity is actively involved in money laundering, the signs are likely to be similar to those where there is a risk of fraud, and can include:

  • complex corporate structure where complexity does not seem to be warranted 
  • transactions not in the ordinary course of business 
  • many large cash transactions when not expected 
  • transactions where there is a lack of information or explanations, or where explanations are unsatisfactory, or
  • transactions with little commercial logic taking place in the normal course of business.

Question 3(b) in the March/June 2016 P7 (Int) Sample Questions (now AAA) gave candidates a scenario in which they were placed in the position of audit manager. The audit senior had noted, as part of their review of the cash book, a receipt of $350,000 for which the source was unclear, followed by a transfer of the same amount to a bank account held in another country. When questioned, the financial controller had referred the audit senior to the business owner. Documentary evidence had been requested but had not yet been received.

This particular question did not make reference to the term ‘money laundering’ in the scenario or in the question requirement; the question required the candidate to evaluate the implications for the completion of the audit, recommending any further actions which should be taken by the firm.

The fact that no mention of money laundering was made either in the scenario or in the question requirements is reflective of the fact that in real life those committing money laundering will not openly admit to committing such offences. Money laundering is therefore very similar (if not identical in many ways) to fraud and, therefore, auditors should set aside any beliefs concerning the integrity and honesty of the audit client and keep a sceptical mindset where such issues are concerned.

Tipping off

The term ‘tipping off’ means that the MLRO discloses something that will prejudice an investigation. It is an offence to make the perpetrators of money laundering aware that the auditor has suspicions or knowledge regarding their money laundering activities or that these suspicions or knowledge have been reported. It is unnecessary for the auditor to gain all the facts, or to ascertain without a doubt, that an offence has occurred. The auditor only needs to satisfy themselves that their suspicions are reasonable, and obtain sufficient evidence to show the allegations are made in good faith.

Candidates attempting AA and AAA are advised to gain a sound understanding of laws and regulations, not only in the context of the Syllabus and Study Guide but also in the context of real-life situations to allow for greater application of knowledge. 

Keep in mind the fact that questions in AAA will not always flag up that candidates need to consider laws and regulations; the challenging nature of AAA will mean that candidates will have to conclude for themselves that questions are testing a specific subject area of the syllabus.