AU 317: Illegal Acts by Clients

AU-C 250: Consideration of Laws and Regulations in an Audit of Financial Statements

AU EFFECTIVE DATE AND APPLICABILITY

AU-C EFFECTIVE DATE AND SUMMARY OF CHANGES

SAS No. 122, Codification of Auditing Standards and Procedures, is effective for audits of financial statements with periods ending on or after December 15, 2012.

AU-C Section 250 supersedes AU Section 317 and contains some substantive changes to requirements. It requires the performance of procedures to identify instances of noncompliance with those laws and regulations that may have a material effect on the financial statements. The auditor is specifically required to inspect correspondence with the relevant licensing or regulatory authorities. This is a new requirement and is expected to affect current practice.

There are also several changes that make explicit requirements that are implicit in AU Section 317. These are not expected to change practice:

• Obtain an understanding of the legal and regulatory framework.
• Obtain an understanding of how the entity is complying with that framework.
• Determine whether the auditor has a responsibility to report suspected noncompliance to parties outside the entity
• Document identified or suspected noncompliance, including the results of any discussions about such items.

In addition, there is a difference in the AU Section 317 concept of “no assurance” and AU-C Section 250 concept of “inherent limitations of an audit.” AU-C Section 250 states that because of the inherent limitations of an audit, some material misstatements in the financial statements may not be detected even when the audit is properly planned and performed in accordance with GAAS. The extant standard states, in relation to illegal acts, that an audit performed in accordance with GAAS provides no assurance that noncompliance with laws and regulations will be detected or that any contingent liabilities that may result will be disclosed. These differing descriptions are not expected to affect current practice.

The requirement in AU Section 317 to obtain a written representation from management concerning the absence of noncompliance with laws or regulations is included in AU-C 580, Written Representations.

AU DEFINITIONS OF TERMS

Illegal acts. Violations of laws or governmental regulations. For purposes of this section, a distinction is made between the following types of illegal acts:

• Illegal acts with a direct and material effect on determination of financial statement amounts.
• Other illegal acts.

AU-C 250 DEFINITIONS OF TERMS

Source: AU-C 250.11

Noncompliance. Acts of omission or commission by the entity, either intentional or unintentional, which are contrary to the prevailing laws or regulations. Such acts include transactions entered into by, or in the name of, the entity or on its behalf by those charged with governance, management, or employees. Noncompliance does not include personal misconduct (unrelated to the business activities of the entity) by those charged with governance, management, or employees of the entity.

OBJECTIVES OF AU SECTION 317

Illegal acts are so diverse that articulating the auditor’s responsibility for their detection and reporting has proven to be very complex. Some laws and regulations, such as the Internal Revenue Code regulations concerning income tax expense, clearly fall within the auditor’s expertise, and the audit of financial statements normally includes testing compliance with such laws and regulations. Other laws and regulations, such as those on occupational safety and health or food and drug administration, are clearly outside the auditor’s expertise and are not susceptible to testing by customary auditing procedures. Some laws and regulations fall in between these extremes.

Simple criteria for distinguishing those laws and regulations that should be of greater concern to the auditor have not been found. The materiality of the consequences of violation is not suitable. Many laws and regulations outside the auditor’s expertise and not susceptible to audit testing could have consequences very material to the financial statements if violated. Even the relation to financial matters is not conclusive. For example, laws concerning securities trading are financially related, but involve complex legal concepts.

This section takes the approach of dividing illegal acts into two broad categories or types. The auditor’s responsibility for detection of illegal acts differs depending on the type of illegal act. The auditor’s responsibility to detect misstatements resulting from illegal acts having a direct and material effect on the determination of financial statement amounts (except disclosure of contingencies) is the same as that for errors (see Section 312) and fraud (see Section 316). For other illegal acts, the auditor should be aware of the possibility that such illegal acts may have occurred. If specific information comes to the auditor’s attention that such acts may have occurred, the auditor should apply audit procedures specifically directed toward ascertaining whether an illegal act has occurred. However, an audit in accordance with generally accepted auditing standards (GAAS) provides no assurance that illegal acts will be detected or that any contingent liabilities that may result will be disclosed.

In this section, the requirements are directed primarily toward what the auditor should do when a possible illegal act comes to his or her attention and there is no general obligation to apply any audit procedures specifically designed to detect illegal acts.

OBJECTIVES OF AU-C SECTION 250

AU-C 250 states that:

. . . the objectives of the auditor are to

FUNDAMENTAL REQUIREMENTS1

Audit Procedures Absent Evidence of Possible Illegal Acts

An audit does not normally include audit procedures specifically designed to detect illegal acts. However, audit procedures may bring possible illegal acts to the auditor’s attention. The auditor should be aware of the possibility that illegal acts may have occurred. If information indicates that illegal acts may have occurred, the auditor should apply audit procedures to address the matter.

The auditor should ask management about the client’s compliance with laws and regulations. Where applicable, the auditor should also ask management about:

The auditor also ordinarily obtains written management representations about the absence of violations or possible violations of laws or regulations whose effects should be considered for disclosure in the financial statements or as a basis for recording a loss contingency (see Section 333). The auditor does not need to perform any further procedures in this area absent specific information concerning possible illegal acts.

Evidence of Possible Illegal Acts

According to AU 317.09, the auditor should be aware that specific information such as the following may raise a question concerning possible illegal acts:

Response to Possible Illegal Acts

When the auditor becomes aware of information about a possible illegal act, the auditor should obtain an understanding of (1) the nature of the possible illegal act, (2) the circumstances in which the act occurred, and (3) sufficient other information to allow the auditor to consider the effect on the financial statements.

The auditor should inquire of management at a level above those involved, if possible. If management does not provide satisfactory information that there has been no illegal act, the auditor should respond by:

Evaluation of Detected or Expected Illegal Acts

The auditor should consider the quantitative and qualitative aspects of the illegal act. Loss contingencies resulting from illegal acts that may be required to be disclosed should be evaluated similar to other loss contingencies.

The auditor should consider the implications of an illegal act for the rest of the audit, particularly whether the auditor can rely on client representations. Factors to consider include the relationship of the perpetration and concealment, if any, of the illegal act to specific control procedures and the level of management or employees involved.

Effect on the Audit Report

If the auditor concludes that an illegal act that has a material effect on the financial statements has not been properly accounted for or disclosed, the auditor should issue a qualified or an adverse opinion.

If the client prevents the auditor from obtaining sufficient competent evidential matter to evaluate whether an illegal act that could be material to the financial statements has occurred, or is likely to have occurred, the auditor generally should disclaim an opinion.

Consideration of Withdrawal

If the client refuses to accept the auditor’s report as modified because of an illegal act, the auditor should withdraw from the engagement and communicate, in writing, the reasons for withdrawal to the audit committee or to the board of directors.

Even when the illegal act is not material to the financial statements, the auditor may decide to withdraw from the engagement when the client does not take the remedial action the auditor considers necessary in the circumstances.

Internal Communications

The auditor should be sure that the audit committee or others with equivalent authority and responsibility are adequately informed about illegal acts that come to the auditor’s attention. (The auditor should communicate directly with the audit committee or equivalent body if senior management is involved in the illegal act.) Since clearly inconsequential matters need not be communicated to the audit committee, the auditor may agree in advance with the audit committee on the nature of matters to be communicated.

Any communication should:

External Communications

The auditor is not ordinarily responsible for disclosing an illegal act outside the client’s organization and such disclosure would be precluded by the auditor’s ethical or legal obligation of confidentiality, unless the matter affects his opinion on the financial statements. The auditor should recognize, however, that in the following circumstances, a duty to notify parties outside the client may exist:

INTERPRETATIONS

There are no interpretations for this section.

TECHNIQUES FOR APPLICATION

Distinction Between Responsibility for Detection of Illegal Acts and Fraud

The auditor should plan and perform the audit to provide reasonable assurance that material fraud will be detected. The same responsibility applies to material, direct-effect illegal acts. An intentional material misstatement or omission in financial information filed with the SEC is a violation of federal securities laws and should be regarded as a material illegal act. However, the appropriate guidance for the audit approach to these matters is Section 316. For indirect-effect illegal acts, the auditor should be aware of the possibility that such illegal acts may have occurred. If a possible indirect-effect illegal act having a material effect on the financial statements is detected, the auditor should apply specific procedures to determine if an illegal act has occurred. Examples of customary audit procedures that might bring possible illegal acts to the auditor’s attention include:

Required Procedures

In spite of the fact that this section states that the auditor does not apply procedures specifically directed to the detection of illegal acts, there are some required procedures. The required procedures are:

In addition, written representations concerning the absence of illegal acts are usually included in the management representation letter.

A question that often arises in practice is whether obtaining a management representation letter meets the separately stated requirement to inquire of management concerning the client’s compliance with laws and regulations. Practice differs on this point. Some auditors obtain the typical written representations from management and make no separate oral inquiries on illegal acts.

Other auditors believe it is prudent to make separate inquiries near the conclusion of the audit. As part of the closing conference with the client, they obtain additional oral assurances from the client on the absence of violations of laws and regulations. This oral communication is intended to evoke candor and stress the importance the auditor attaches to being fully informed on such matters. Because Section 316 does require the auditor to inquire about fraud, in practice the inquiries about fraud and illegal acts are typically combined. These inquiries are a separate audit step and are normally documented in the audit program or other working papers.

The inquiries concerning policies on illegal acts and use of directives and obtaining written representations from management personnel are required only when applicable. For example, if management personnel are required to complete a questionnaire on compliance with a code of conduct, it would be prudent for the auditor to become familiar with the process and review returned questionnaires. However, if an entity does not have a code of conduct or does not require management personnel to make representations on compliance, the entity’s policies and procedures are not necessarily deficient.

1 The requirements apply to those illegal acts with an indirect and contingent effect. Those illegal acts with a direct and material effect are treated the same as errors (see Section 312) or fraud (see Section 316).