
SA 250: Auditor’s Responsibilities in Responding to Laws and Regulatory Breaches
This guide explains the key requirements of SA 250 — how auditors should identify, assess and respond to non-compliance with laws and regulations when auditing financial statements. What impact do you think regulatory breaches have on investor trust?
Auditing is not just about numbers — it’s about ensuring businesses stay true to the laws that govern them.
Auditing goes beyond checking figures: it includes assessing whether an entity is operating within the legal and regulatory framework applicable to its business. SA 250 — Consideration of Laws and Regulations in an Audit of Financial Statements — sets out the auditor's responsibilities in this area.
Scope of SA 250
SA 250 applies when the auditor conducts an audit of financial statements in accordance with Standards on Auditing. The standard requires the auditor to:
- Obtain an understanding of the legal and regulatory framework relevant to the entity.
- Consider how non-compliance (actual or suspected) may affect the financial statements.
- Respond appropriately when instances of non-compliance are identified or suspected.
Direct vs Indirect impact
SA 250 distinguishes between:
- Laws and regulations with direct impact — e.g., tax law, corporate reporting requirements, accounting regulation.
- Laws and regulations with indirect impact — e.g., environmental, health & safety, labor laws — which may not change amounts in the financial statements immediately but can have material consequences.
Auditor’s Responsibilities (Key Steps)
1. Obtain understanding
The auditor should gain knowledge about the legal and regulatory framework applicable to the entity and how management monitors compliance. This includes:
- Industry-specific laws and regulations.
- Internal compliance controls, policies and procedures.
- Sources of legal/regulatory advice used by the entity.
2. Assess risk of non-compliance
Risk assessment involves considering whether non-compliance could materially affect the financial statements or give rise to contingent liabilities (fines, penalties, remediation costs).
3. Perform audit procedures
Auditors are not legal investigators, but SA 250 requires them to perform procedures and to remain alert to possible non-compliance. Typical procedures include:
- Inspection of regulatory correspondence and licenses.
- Enquiries of management and those charged with governance about compliance.
- Review of legal expenses, minutes of meetings, and contracts.
- Testing controls related to compliance where relevant.
4. Responding to identified or suspected non-compliance
When non-compliance is identified or suspected, the auditor should:
- Obtain an understanding of the facts and circumstances.
- Evaluate the effect on the financial statements and on the audit approach.
- Discuss the matter with management and, where appropriate, those charged with governance.
- Consider seeking legal advice if the matter is complex.
- Determine whether disclosure in the financial statements or modification of the audit opinion is required.
5. Documentation
All enquiries, evidence obtained, professional judgments and communications relating to non-compliance should be documented in the audit file. This includes:
- Details of identified or suspected breaches.
- Audit procedures performed and results.
- Communications with management, governance and (if applicable) regulators.

Impact on the Audit Report
The auditor’s conclusion on non-compliance influences the audit report as follows:
- No material effect: If non-compliance does not materially affect the financial statements and is appropriately disclosed, the auditor may not need to modify the opinion.
- Material misstatement: If non-compliance causes a material misstatement, the auditor should modify the opinion (qualified or adverse) depending on materiality and pervasiveness.
- Scope limitation: If the auditor cannot obtain sufficient appropriate evidence regarding suspected non-compliance, a disclaimer of opinion or qualified opinion may be necessary.
Practical Considerations & Best Practices
- Maintain professional skepticism: Be alert to indicators of non-compliance such as unusual transactions, unexplained payments or weak internal controls.
- Engage legal specialists promptly for complex regulatory matters.
- Communicate clearly: Timely communication with those charged with governance helps ensure the matter is handled appropriately.
- Update risk assessments: If new information emerges, adjust audit procedures and documentation accordingly.
Conclusion
SA 250 bridges audit work and legal/regulatory compliance. While auditors are not enforcers of law, they have a duty to evaluate and respond to non-compliance that could materially affect financial statements. Proper application of SA 250 helps protect stakeholders, improves transparency, and reinforces the credibility of financial reporting.