Key Takeaways

  • ISA 250 (Revised) addresses the auditor's responsibility to consider laws and regulations in an audit of financial statements — not as a compliance auditor, but as an auditor who must assess whether non-compliance could cause material misstatement.
  • The standard distinguishes between two categories of laws and regulations, with fundamentally different auditor responsibilities for each: (a) laws with a direct effect on financial statement amounts and disclosures (e.g., tax law, pension law), where the auditor actively tests compliance; and (b) other laws and regulations (e.g., health and safety, environmental, licensing), where the auditor's responsibility is limited to specified procedures designed to identify non-compliance that could be material.
  • Management is responsible for ensuring the entity complies with all applicable laws — the auditor is not. Whether an act constitutes non-compliance is ultimately a matter for a court of law to determine.
  • When non-compliance is identified or suspected, the auditor must obtain an understanding of the act, evaluate its effect on the financial statements, discuss it with management and those charged with governance, and consider the implications for the audit.
  • The auditor must consider whether to report non-compliance to regulatory authorities outside the entity — taking into account legal obligations, ethical requirements (including the IESBA NOCLAR provisions), and the public interest.
  • ISA 250 (Revised) incorporates amendments responding to the IESBA's NOCLAR (Non-Compliance with Laws and Regulations) requirements in the Code of Ethics.

What is ISA 250 (Revised)?

ISA 250 (Revised), titled "Consideration of Laws and Regulations in an Audit of Financial Statements," addresses one of the more challenging areas of auditing: the boundary between the auditor's role and that of management when it comes to legal and regulatory compliance.

The fundamental challenge is this: entities operate within a vast web of laws and regulations — tax codes, company law, employment law, environmental regulations, health and safety legislation, data protection rules, industry-specific licensing requirements, anti-money laundering laws, and more. An entity's non-compliance with any of these could have financial consequences — fines, penalties, litigation, remediation costs, loss of licences — that might materially affect the financial statements. But the auditor cannot reasonably be expected to test compliance with every applicable law.

ISA 250 resolves this by creating two tiers of responsibility based on the nature of the law's relationship to the financial statements.

The Two Categories of Laws and Regulations

Category (a): Direct effect on financial statements

These are laws and regulations generally recognised as having a direct and material effect on the determination of amounts and disclosures in the financial statements (ISA 250.6(a)).

Examples:

  • Tax legislation (corporate income tax, VAT, payroll taxes)
  • Pension and social security contribution laws
  • Financial reporting regulations (company law requirements for form and content of financial statements)
  • Government grants and subsidies legislation (recognition criteria, clawback provisions)

Auditor's responsibility: The auditor obtains sufficient appropriate audit evidence regarding compliance with these laws — essentially the same level of assurance as for any other financial statement assertion. These laws are directly integrated into the audit of the related account balances and disclosures.

Category (b): Other laws and regulations

These do not directly determine financial statement amounts or disclosures, but compliance with them may be fundamental to the entity's operations or to its ability to continue in business, or a breach may give rise to material amounts in the financial statements (ISA 250.6(b)).

Examples:

  • Operating licences and permits (banking licences, pharmaceutical approvals, construction permits)
  • Environmental regulations and emission standards
  • Health and safety legislation
  • Data protection and privacy regulations (GDPR)
  • Competition and antitrust law
  • Employment law (working time, minimum wage, discrimination)
  • Anti-bribery and corruption legislation
  • Import/export controls and sanctions

Auditor's responsibility: Limited to performing specified audit procedures to help identify non-compliance that may have a material effect on the financial statements. The auditor does not actively test compliance but remains alert throughout the audit for indications that non-compliance may have occurred.

The practical boundary

The distinction between categories sounds clear in theory but can be difficult in practice. Consider environmental regulations: the requirement to accrue for site remediation costs has a direct effect on the financial statements (category (a)). But the underlying environmental law that creates the remediation obligation is a category (b) matter. Similarly, data protection: a GDPR fine directly affects the financial statements, but compliance with GDPR's operational requirements is category (b). When in doubt, the question to ask is: does this law directly determine an amount or disclosure in the financial statements? If yes, category (a). If it only affects the financial statements indirectly through consequences of non-compliance, category (b).

Required Procedures

For all audits

ISA 250.13–17 requires the following procedures regardless of category:

Obtain a general understanding of the legal and regulatory framework applicable to the entity and the industry, and how the entity is complying with that framework (ISA 250.13). This understanding informs the risk assessment under ISA 315 and helps identify which laws fall into which category.

Obtain sufficient appropriate audit evidence regarding compliance with category (a) laws — those with a direct effect on financial statement amounts (ISA 250.14).

Perform specified procedures to identify non-compliance with category (b) laws: inquire of management and, where appropriate, those charged with governance about whether the entity is in compliance; and inspect correspondence, if any, with relevant licensing or regulatory authorities (ISA 250.15).

Remain alert throughout the audit for instances or indications of non-compliance (ISA 250.16). This is an ongoing obligation — the auditor may discover non-compliance through any audit procedure, not just those specifically designed for this purpose.

Obtain written representations that management has disclosed all known instances of non-compliance or suspected non-compliance whose effects should be considered in preparing the financial statements (ISA 250.17).

When Non-Compliance Is Identified or Suspected

Step 1: Understand the act

ISA 250.19 requires the auditor to obtain an understanding of the nature of the act and the circumstances in which it occurred, and to obtain further information to evaluate the possible effect on the financial statements. This is not about determining legal guilt — it is about understanding the financial implications.

Step 2: Discuss with management and governance

ISA 250.20–22 requires the auditor to discuss the matter with management and, where appropriate, those charged with governance. If the non-compliance appears intentional, or management itself is involved, the auditor must communicate directly with those charged with governance. The auditor should also consider whether management's response — remedial action taken, disclosures made, or inaction — is appropriate.

Step 3: Evaluate the effect on the financial statements

ISA 250.21 requires the auditor to evaluate whether the non-compliance has a material effect on the financial statements. This includes considering: the potential financial consequences (fines, penalties, damages, remediation costs, loss of revenue), the need for disclosure, and whether the consequences are so serious as to call into question the entity's ability to continue as a going concern.

Step 4: Evaluate the effect on the audit

ISA 250.23–25 requires the auditor to evaluate the implications for other aspects of the audit, including the reliability of management's representations, the risk assessment, and the adequacy of audit evidence obtained. If the entity does not take appropriate remedial action, the auditor must consider modifying the audit opinion.

Reporting Outside the Entity

ISA 250.28 addresses one of the most sensitive obligations in auditing: whether to report non-compliance to an authority outside the entity.

The auditor must determine whether they have a responsibility to report identified or suspected non-compliance to parties outside the entity. This assessment considers:

Legal requirements. In many jurisdictions, auditors have statutory obligations to report certain types of non-compliance. In the EU, auditors of PIEs must report breaches of EU regulations to competent authorities. In the Netherlands, the Wwft requires reporting of unusual transactions. In the UK, specific reporting obligations exist under the Proceeds of Crime Act and Money Laundering Regulations. In France, commissaires aux comptes must report criminal offences to the Procureur de la République.

The IESBA Code and NOCLAR provisions. The IESBA's NOCLAR framework (effective since 2017) creates an ethical obligation for auditors to consider reporting non-compliance to appropriate authorities even where no legal requirement exists, where doing so would be in the public interest and not contrary to law.

Professional duty of confidentiality. The obligation to maintain client confidentiality may be overridden by law, regulation, or ethical requirements in certain circumstances. The tension between confidentiality and public interest reporting is one of the most complex areas in professional ethics.

Navigating the reporting decision

When you identify significant non-compliance, the reporting decision requires careful analysis — often in consultation with the firm's ethics partner and legal counsel. The key questions are: (1) Am I legally required to report? (Check jurisdiction-specific obligations.) (2) If not legally required, does the IESBA NOCLAR framework or my national ethical code create an expectation to report? (3) What are the potential consequences of reporting vs. not reporting — for the public, for the entity, and for the auditor? (4) Have I documented my analysis and the basis for my conclusion? This is an area where consultation with the firm is essential — do not make reporting decisions in isolation.

The Auditor's Limitations

ISA 250.5–6 is explicit about the limits of the auditor's responsibilities:

  • The auditor is not responsible for preventing non-compliance with laws and regulations.
  • Whether an act constitutes actual non-compliance is ultimately a matter for legal determination by a court of law.
  • The further removed non-compliance is from the financial statements, the less likely the auditor is to detect it. This inherent limitation is particularly relevant for category (b) laws, where the auditor's procedures are limited and non-compliance may be deliberately concealed.
  • An audit conducted in accordance with ISAs provides reasonable assurance, not absolute assurance, that the financial statements are free from material misstatement caused by non-compliance.

ISA 250 in Your Jurisdiction

Netherlands. COS 250 follows ISA 250 (Revised) closely. Dutch auditors face significant additional obligations under the Wwft (anti-money laundering), which requires reporting of unusual transactions to FIU-Nederland regardless of materiality to the financial statements. The NBA's practice notes address the interaction between COS 250 and Wwft obligations. For OOB (PIE) engagements, auditors must also report certain matters to the AFM under the Wta.

Germany. IDW PS 250 adapts ISA 250 for the German environment. German Wirtschaftsprüfer have specific reporting obligations under the GwG (anti-money laundering) and, for financial institutions, under the KWG (banking supervision law). The interaction between ISA 250's framework and German company law (AktG, GmbHG, HGB) creates additional complexity — particularly regarding the Wirtschaftsprüfer's duty to report to the supervisory board.

United Kingdom. ISA (UK) 250 is split into two sections: Section A (consideration of laws and regulations — aligned with ISA 250) and Section B (the auditor's statutory right and duty to report to regulators). Section B is a UK-specific addition addressing the auditor's obligations to report to regulators of financial services entities (FCA, PRA) and public interest entities. The FRC has proposed significant revisions to both sections, moving towards a more risk-based approach.

France. NEP 250 implements ISA 250 within the French statutory audit framework. The French commissaire aux comptes has a distinctive legal obligation — the révélation des faits délictueux — requiring the auditor to report criminal offences discovered during the audit to the Procureur de la République. This is a mandatory reporting obligation with no materiality threshold, making it one of the strongest auditor reporting duties in Europe.

Frequently Asked Questions

Is the auditor responsible for ensuring the entity complies with all laws?

No. Responsibility for compliance rests with management and those charged with governance. The auditor's responsibility is to consider laws and regulations in the context of the financial statement audit — specifically, to obtain reasonable assurance that the financial statements are free from material misstatement caused by non-compliance.

What is the difference between ISA 240 (fraud) and ISA 250 (laws and regulations)?

ISA 240 deals specifically with fraud — intentional acts involving deception for unjust advantage. ISA 250 deals with the broader category of non-compliance with laws and regulations, which may be intentional or unintentional. There is overlap: fraud often involves breaking laws, and non-compliance can constitute fraud. Where both standards apply, both must be followed.

What is NOCLAR?

NOCLAR stands for Non-Compliance with Laws and Regulations, a framework introduced by the IESBA in 2016 within the Code of Ethics for Professional Accountants. It establishes ethical obligations for professional accountants (including auditors) regarding how they respond to identified or suspected non-compliance with laws and regulations, including when to report to external authorities.

Must the auditor report all non-compliance to regulators?

Not necessarily. The reporting obligation depends on the jurisdiction, the nature of the non-compliance, and the applicable legal and ethical requirements. Some jurisdictions impose mandatory reporting for specific types of non-compliance (e.g., money laundering, criminal offences). In other cases, the auditor must exercise professional judgment, considering the public interest, legal requirements, and the IESBA NOCLAR provisions.

What if management refuses to take action on identified non-compliance?

The auditor must consider the implications for the audit, including: whether to modify the audit opinion, whether to report to authorities outside the entity, and whether to withdraw from the engagement. The auditor should also communicate the matter to those charged with governance if management's inaction is itself a governance concern.

Further Reading and Source References

  • IAASB Handbook 2024 — The authoritative source for the complete ISA 250 (Revised) text, including all application material.
  • IESBA Code of Ethics — The NOCLAR provisions (Sections 260 and 360) — the ethical framework for responding to non-compliance.
  • ISA 240 — The Auditor's Responsibilities Relating to Fraud — the companion standard for intentional misstatement.
  • ISA 315 (Revised 2019) — Identifying and Assessing Risks of Material Misstatement — the risk assessment framework that ISA 250's procedures feed into.
  • EU Audit Directive (2014/56/EU) — European legislative requirements for auditor reporting of non-compliance.
  • EU Anti-Money Laundering Directives — The regulatory framework for suspicious transaction reporting.