
 

 

Auditing and Assurance Standard (AAS) 21 

Consideration of Laws and Regulations in an Audit of Financial Statements

 

The following is the text of the Statement on Standard Auditing Practices (SAP) 21, "Consideration of Laws and Regulations in an Audit of Financial Statements", issued by the Institute of Chartered Accountants of India. This Statement should be read in conjunction with the "Preface to the Statements on Standard Auditing Practices", issued by the Institute¹.

 INTRODUCTION

  1. The purpose of this Statement on Standard Auditing Practices (SAP) is to establish standards on the auditor's responsibility regarding consideration of laws and regulations in an audit of financial statements.

     
  2. When planning and performing audit procedures and in evaluating and reporting the results thereof, the auditor should recognize that non-compliance by the entity with the laws and regulations may materially affect the financial statements. However, an audit cannot be expected to detect non-compliance with all laws and regulations. Detection of non-compliance, regardless of materiality, requires consideration of the implications for the integrity of management or employees and the possible effect on other aspects of the audit.

     
  3. The term "non-compliance" as used in the SAP refers to acts of omission or commission by the entity being audited, either intentional or unintentional, which are contrary to the prevailing laws or regulations. Such acts include transactions entered into by, or in the name of, the entity or on its behalf by its management or employees. For the purpose of this SAP, non-compliance does not include personal misconduct (unrelated to the business activities of the entity) by the entity's management or employees.

     
  4. Whether an act constitutes non-compliance is a legal determination that is ordinarily beyond the auditor's professional competence. The auditor's training, experience and understanding of the entity and its industry may provide a basis for recognition that some acts coming to the auditor's attention may constitute non-compliance. The determination of whether an act constitutes non-compliance is generally based on the advice of an informed expert qualified to practise law but ultimately can only be determined by a court of law.

     
  5. Laws and regulations vary considerably in their relation to the financial statements. Some laws or regulations determine the form or content of an entity's financial statements or the amounts to be recorded or disclosures to be made in financial statements. Other laws or regulations are to be complied with by management or prescribe the provisions under which the entity is allowed to conduct its business. Some entities operate in heavily regulated industries (such as banks, sugar and pharmaceuticals industries). Others are only subject to the many laws and regulations that generally relate to the operating aspects of the business (such as those related to occupational safety and health). Non-compliance with laws and regulations could result in financial consequences for the entity such as fines, litigations, etc. Generally, the further removed non-compliance is from the events and transactions ordinarily reflected in financial statements, the less likely the auditor is to become aware of it or recognize its possible non-compliance.

     
  6. This SAP applies to audits of financial statements and does not apply to other engagements in which the auditor is specifically engaged to test and report separately on compliance with specific laws or regulations.

     
  7. The auditor's responsibility to consider fraud and errors in an audit of financial statements is provided in SAP 4, "Fraud and Error."


    RESPONSIBILITY OF MANAGEMENT FOR THE COMPLIANCE WITH LAWS AND REGULATIONS
     
  8. It is management's responsibility to ensure that the entity's operations are conducted in accordance with laws and regulations. The responsibility for the prevention and detection of non-compliance rests with management.

     
  9. The following policies and procedures, among others, may assist management in discharging its responsibilities for the prevention and detection of non-compliance with laws and regulations:
     
    • Monitoring legal requirements and ensuring that operating procedures are designed to meet these requirements.
       
    • Instituting and operating appropriate systems of internal control.
       
    • Developing, publicising and following a Code of Conduct².
       
    • Ensuring employees are properly trained and understand the Code of Conduct.
       
    • Monitoring compliance with the Code of Conduct and acting appropriately to discipline employees who fail to comply with it.
       
    • Establishing a legal department and/or engaging legal advisors to assist in monitoring legal requirements.
       
    • Maintaining a register of significant laws with which the entity has to comply within its particular industry and a record of complaints in respect of non-compliance.
       
    In larger entities, these policies and procedures may be supplemented by assigning responsibilities to:
       
    • An internal audit function.
       
    • An audit committee.

 

THE AUDITOR'S CONSIDERATION OF COMPLIANCE WITH LAWS AND REGULATIONS

  1. The auditor is not, and cannot be held responsible for preventing non-compliance. The fact that an audit is carried out may, however, act as a deterrent.
     
  2.  An audit is subject to the unavoidable risk that some material misstatements of the financial statements will not be detected, even though the audit is properly planned and performed in accordance with SAPs and other generally accepted audit procedures. This risk is higher with regard to material misstatements resulting from non-compliance with laws and regulations due to factors such as:
     
    • Existence of laws and regulations, relating to the operating aspects of the entity, that do not have a material effect on the financial statements and are not captured by the accounting and internal control systems.
       
    • The inherent limitations of the accounting and internal control systems and the testing procedures.
       
    • Persuasive rather than conclusive nature of audit evidence, in general.
       
    • Deliberate designs, such as collusion, forgery, deliberate failure to record transactions, senior management override of controls or intentional misrepresentations being made to the auditor, to conceal non-compliance.

       
  3. The auditor should plan and perform the audit recognizing that the audit may reveal conditions or events that would lead to questioning whether an entity is complying with laws and regulations.

     
  4. In accordance with specific statutory requirements, the auditor may be specifically required to report as part of the audit of the financial statements whether the entity complies with certain provisions of laws or regulations. In these circumstances, the auditor would plan to test for compliance with these provisions of the laws and regulations.

     
  5. In order to plan the audit, the auditor should obtain a general understanding of the legal and regulatory framework applicable to the entity and how the entity is complying with that framework.

     
  6.  In obtaining this general understanding, the auditor would particularly recognize that non-compliance with some laws and regulations may have a fundamental effect on the operations of the entity and may even cause the entity to cease operations, or call into question the entity's continuance as a going concern. For example, a Non-Banking Financial Company might have to cease to carry on the business of a non-banking financial institution if it fails to obtain a certificate of registration issued under Chapter IIIB of the Reserve Bank of India Act, 1934 and if its Net Owned Funds are less than the amount specified by the RBI in this regard.

     
  7.  To obtain the general understanding of laws and regulations, the auditor would ordinarily:
     
    • Use the existing knowledge of the entity's industry and business.
       
    • Inquire of management as to the laws and regulations that may be expected to have a fundamental effect on the operations of the entity.
       
    • Inquire of management concerning the entity's policies and procedures regarding compliance with laws and regulations.
       
    • Discuss with management the policies or procedures adopted for identifying, evaluating and accounting for litigation claims and assessments.

       
  8.  After obtaining the general understanding, the auditor should perform procedures to identify instances of non-compliance with these laws and regulations where non-compliance should be considered when preparing financial statements, specifically:
     
    • Inquiring of management as to whether the entity is in compliance with such laws and regulations.
       
    • Inspecting correspondence with the relevant licensing or regulatory authorities.

       
  9.  Further, the auditor should obtain sufficient appropriate audit evidence about compliance with those laws and regulations generally recognised by the auditor to have an effect on the determination of material amounts and disclosures in financial statements. The auditor should have a sufficient understanding of these laws and regulations in order to consider them when auditing the assertions related to the determination of the amounts to be recorded and the disclosures to be made.

     
  10. Such laws and regulations would be well established and known to the entity and within the industry; they would be considered on a recurring basis each time financial statements are issued. These laws and regulations may relate, for example, to the form and content of financial statements, including industry specific requirements or the accrual or recognition of expenses for retirement benefits etc.

     
  11. Other than as described in paragraphs 17, 18, and 19, the auditor need not test or perform other procedures on the entity's compliance with laws and regulations since this would be outside the scope of an audit of financial statements.

     
  12. The auditor should be conscious that procedures applied for the purpose of forming an opinion on the financial statements may bring instances of possible non-compliance with laws and regulations to the auditor's attention. For example, such procedures include reading minutes; inquiring of the entity's management and legal counsel concerning litigation, claims and assessments; and performing substantive tests of details of transactions or balances.

     
  13. The auditor should obtain written representations that management has disclosed to the auditor all known actual or possible non-compliance with laws and regulations whose effects should be considered when preparing financial statements.

     
  14. In the absence of evidence to the contrary, the auditor is entitled to assume the entity is in compliance with these laws and regulations.

 

PROCEDURES WHEN NON-COMPLIANCE IS DISCOVERED

  1. The Appendix to this SAP sets out examples of the type of information that might come to the auditor's attention that may indicate non-compliance.

     
  2. When the auditor becomes aware of information concerning a possible instance of non-compliance, the auditor should obtain an understanding of the nature of the act and the circumstances in which it has occurred, and sufficient other information to evaluate the possible effect on the financial statements.

     
  3.  When evaluating the possible effect on the financial statements, the auditor considers:

     
    • The potential financial consequences, such as fines, penalties, damages, litigation, threat of expropriation of assets and enforced discontinuation of operations, including vitiation of going concern assumption.
       
    • Whether the potential financial consequences require disclosure.
       
    • Whether the potential financial consequences are so serious as to call into question the true and fair view given by the financial statements.

       
  4. When the auditor believes there may be non-compliance, the auditor should document the findings and discuss them with management. Documentation of findings would include copies of records and documents and making minutes of conversations, if appropriate.

     
  5. If management does not provide satisfactory information that it is in fact in compliance, the auditor would consult with the entity's lawyer about application of the laws and regulations to the circumstances and the possible effects on the financial statements. When it is not considered appropriate to consult with the entity's lawyer or when the auditor is not satisfied with the opinion, the auditor would consider consulting some other lawyer as to whether a violation of laws and regulations is involved, the possible legal consequences and what further action, if any, the auditor would take.

     
  6. When adequate information about the suspected non-compliance cannot be obtained, the auditor should consider the effect of the lack of audit evidence on the auditor's report.

     
  7. The auditor should consider the implications of non-compliance in relation to other aspects of the audit, particularly the reliability of management representations. In this regard, the auditor reconsiders the risk assessment and the validity of management representations, in case of non-compliance not detected by internal controls or not included in management representations. The implications of particular instances of non-compliance discovered by the auditor will depend on the relationship of the perpetration and concealment, if any, of the act to specific control procedures and the level of management or employees involved.

 

COMMUNICATION / REPORTING OF NON-COMPLIANCE

To Management

  1. The auditor should, as soon as possible, either communicate with the audit committee, the board of directors and senior management, or obtain evidence that they are appropriately informed, regarding non-compliance that comes to the auditor's attention. However, the auditor need not do so for matters that are clearly inconsequential or trivial and may reach agreement in advance on the nature of such matters to be communicated.

     
  2. If in the auditor's judgement the non-compliance is believed to be intentional and / or material, the auditor should communicate the finding without delay.

     
  3. If the auditor suspects that members of senior management, including members of the board of directors, are involved in non-compliance, the auditor should communicate the matter to the next higher level of authority at the entity, such as an audit committee or board of directors. Where no higher authority exists, or if the auditor believes that the communication may not be acted upon or is unsure as to the person to whom to report, the auditor may consider seeking legal advice.

 

To the Users of the Auditor's Report on the Financial Statements

  1. If the auditor concludes that the non-compliance has a material effect on the financial statements, the auditor should express a qualified or an adverse opinion.

     
  2. If the auditor is precluded by the entity from obtaining sufficient appropriate audit evidence to evaluate whether non-compliance that may be material to the financial statements, has, or is likely to have, occurred, the auditor should express a qualified opinion or a disclaimer of opinion on the financial statements on the basis of a limitation on the scope of the audit.

     
  3. If the auditor is unable to determine whether non-compliance has occurred because of limitations imposed by the circumstances rather than by the entity, the auditor should consider the effect on the auditor's report.

 

To Regulatory and Enforcement Authorities

  1. The auditor's duty of confidentiality would ordinarily preclude reporting non-compliance to a third party. However, in certain circumstances, that duty of confidentiality is overridden by statute, law or by courts of law (for example, the auditor is required to report certain matters of non-compliance to the Reserve Bank of India as per the requirements of Non-Banking Financial Companies Auditor's Report (Reserve Bank) Directions, 1988, issued by the Reserve Bank of India).

 

WITHDRAWAL FROM THE ENGAGEMENT

  1. The auditor may conclude that withdrawal from the engagement is necessary when the entity does not take the remedial action that the auditor considers necessary in the circumstances, even when the non-compliance is not material to the financial statements. Factors that would affect the auditor's conclusion include the implications of the involvement of the highest authority within the entity, which may affect the reliability of management representations, and the effects on the auditor of continuing association with the entity. In appropriate circumstances, the auditor may consider seeking legal advice.

     
  2. An outgoing auditor, on receiving communication from the incoming auditor, should send a reply to him as soon as possible, setting out in detail the reasons, which according to him had given rise to the attendant circumstances but without disclosing any information as regards the affairs of the client which he is not competent to do. However, with the permission of the client he may disclose information regarding affairs of the client to the incoming auditor.

 

EFFECTIVE DATE

  1. This Statement on Standard Auditing Practices becomes operative for all audits commencing on or after 1st July, 2001.

 

APPENDIX

Indications That Non-compliance May Have Occurred

Examples of the type of information that may come to the auditor's attention that may indicate that non-compliance with laws and regulations has occurred are listed below:

  • Investigation by government departments or payment of fines, additional taxes or penalties.
     
  • Payment for unspecified services or loans to consultants, related parties, employees or government employees.
     
  • Sales commission or agent's fees that appear excessive in relation to those ordinarily paid by the entity or in its industry or to the services actually received.
     
  • Purchases at prices significantly above or below market price.
     
  • Unusual payments in cash and other unusual transactions.
     
  • Unusual transactions with companies registered in tax havens.
     
  • Payments for goods or services made other than to the country from which the goods or services originated.
     
  • Payments without proper exchange control documentation.
     
  • Existence of an accounting system which fails, whether by design or by accident, to provide an adequate audit trail or sufficient evidence.
     
  • Unauthorized transactions or improperly recorded transactions.
     
  • Media comment.

 

1. With the formation of the Auditing Practices Committee in 1982, the Council of the Institute has been issuing a series of Statements on Standard Auditing Practices (SAPs). Statements on Standard Auditing Practices lay down the principles governing an audit. These principles apply whenever an independent audit is carried out. Statements on Standard Auditing Practices become mandatory on the dates specified in the respective SAPs. The mandatory status implies that, while discharging their attest function, it will be the duty of the members of the Institute to ensure that SAPs are followed in the audit of financial information covered by their audit reports. If, for any reason, a member has not been able to perform an audit in accordance with the SAPs, his report should draw attention to the material departures therefrom.

 2. Code of Conduct in this context means a document containing standard instructions to be followed by employees for ensuring compliance with laws and regulations.

  
