This Auditing Standard deals with the auditor’s responsibility to consider laws and regulations in an audit of a financial report.  This Auditing Standard does not apply to other assurance engagements in which the auditor is specifically engaged to test and report separately on compliance with specific laws or regulations.

The effect on a financial report of laws and regulations varies considerably.  Those laws and regulations to which an entity is subject constitute the legal and regulatory framework.  The provisions of some laws or regulations have a direct effect on the financial report in that they determine the reported amounts and disclosures in an entity’s financial report.  Other laws or regulations are to be complied with by management or set the provisions under which the entity is allowed to conduct its business but do not have a direct effect on an entity’s financial report.  Some entities operate in heavily regulated industries (such as banks and chemical companies).  Others are subject only to the many laws and regulations that relate generally to the operating aspects of the business (such as those related to occupational safety and health, and equal employment opportunity).  Non‑compliance with laws and regulations may result in fines, litigation or other consequences for the entity that may have a material effect on the financial report.

(Ref: Para. A1–A8)

It is the responsibility of management, with the oversight of those charged with governance, to ensure that the entity’s operations are conducted in accordance with the provisions of laws and regulations, including compliance with the provisions of laws and regulations that determine the reported amounts and disclosures in an entity’s financial report. 

Responsibility of the Auditor

The requirements in this Auditing Standard are designed to assist the auditor in identifying material misstatement of the financial report due to non‑compliance with laws and regulations.  However, the auditor is not responsible for preventing non‑compliance and cannot be expected to detect non‑compliance with all laws and regulations. 

The auditor is responsible for obtaining reasonable assurance that the financial report, taken as a whole, is free from material misstatement, whether due to fraud or error.^[1] In conducting an audit of the financial report, the auditor takes into account the applicable legal and regulatory framework.  Owing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements in the financial report may not be detected, even though the audit is properly planned and performed in accordance with the Australian Auditing Standards.^[2] In the context of laws and regulations, the potential effects of inherent limitations on the auditor’s ability to detect material misstatements are greater for such reasons as the following:

• There are many laws and regulations, relating principally to the operating aspects of an entity, that typically do not affect the financial report and are not captured by the entity’s information systems relevant to financial reporting.
• Non‑compliance may involve conduct designed to conceal it, such as collusion, forgery, deliberate failure to record transactions, management override of controls or intentional misrepresentations being made to the auditor.
• Whether an act constitutes non‑compliance is ultimately a matter to be determined by a court or other appropriate adjudicative body.

Ordinarily, the further removed non‑compliance is from the events and transactions reflected in the financial report, the less likely the auditor is to become aware of it or to recognise the non‑compliance.

This Auditing Standard distinguishes the auditor’s responsibilities in relation to compliance with two different categories of laws and regulations as follows: (Ref: Para. A6, A12–A13)

1. The provisions of those laws and regulations generally recognised to have a direct effect on the determination of material amounts and disclosures in the financial report such as tax and superannuation laws and regulations (see paragraph 14) (Ref: Para. A12); and
2. Other laws and regulations that do not have a direct effect on the determination of the amounts and disclosures in the financial report, but compliance with which may be fundamental to the operating aspects of the business, to an entity’s ability to continue its business, or to avoid material penalties (e.g., compliance with the terms of an operating license, compliance with regulatory solvency requirements, or compliance with environmental regulations); non‑compliance with such laws and regulations may therefore have a material effect on the financial report (see paragraph 15) (Ref: Para. A13).

In this Auditing Standard, differing requirements are specified for each of the above categories of laws and regulations.  For the category referred to in paragraph 6(a), the auditor’s responsibility is to obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations.  For the category referred to in paragraph 6(b), the auditor’s responsibility is limited to undertaking specified audit procedures to help identify non‑compliance with those laws and regulations that may have a material effect on the financial report.

The auditor is required by this Auditing Standard to remain alert to the possibility that other audit procedures applied for the purpose of forming an opinion on the financial report may bring instances of non‑compliance to the auditor’s attention.  Maintaining professional scepticism throughout the audit, as required by ASA 200,^[3] is important in this context, given the extent of laws and regulations that affect the entity. 

The auditor may have additional responsibilities under law, regulation or relevant ethical requirements regarding an entity’s non‑compliance with laws and regulations, which may differ from or go beyond this Auditing Standard, such as: (Ref: Para. A8)

1. Responding to identified or suspected non‑compliance with laws and regulations, including requirements in relation to specific communications with management and those charged with governance, assessing the appropriateness of their response to non‑compliance and determining whether further action is needed;
2. Communicating identified or suspected non‑compliance with laws and regulations to other auditors (e.g., in an audit of a group financial report); and
3. Documentation requirements regarding identified or suspected non‑compliance with laws and regulations.

Complying with any additional responsibilities may provide further information that is relevant to the auditor’s work in accordance with this and other Australian Auditing Standards (e.g., regarding the integrity of management or, where appropriate, those charged with governance). 

[Deleted by the AUASB.  Refer Aus 0.3]