In 2023, the Financial Reporting Council (FRC) opened a consultation on the proposed International Standard on Auditing (UK) 250 (ISA 250), which covers how auditors should consider laws and regulations in relation to a financial audit, and at the end of March it launched a re-consultation on its proposals.

During the previous consultation, respondents expressed serious concerns about the proposals, and what this would mean for the day-to-day reality of conducting an audit.

The original proposals removed the important distinction between ‘direct’ laws and regulations, such as companies legislation, and ‘indirect’ ones, which have the potential to impact financial statements if there’s evidence of an issue that had a material effect on the accounts, such as health and safety legislation. There are concerns that “bright lines” in auditing standards encourage auditors to put too much into the less onerous category.

Currently, an auditor would need to actively look for problems when it comes to direct laws and regulations, while with indirect laws and regulations, the auditor would only need to act if something came to their attention.

The original proposals for ISA 250 would have required auditors treat all laws and regulations in the same way. This, respondents said, was untenable, because it would effectively require auditors to understand all of the legislation that could possibly affect an entity, globally, which would involve the need to use expensive specialist expertise.

The new proposals

FRC is re-consulting of ISA 250 in the light of the introduction of the Economic Crime and Corporate Transparency Act, and some recent non-compliance with laws and regulations (NOCLAR) cases.

“We are concerned that the existing distinction between different categories of laws and regulations hinders auditors from identifying risks of material misstatements in the financial statements, when those risks relate to noncompliance with laws and regulations, particularly those that relate to indirect laws and regulations,” said FRC in its new consultation document. “We remain committed to removing this distinction in order to improve the robustness of the identification of risks of material misstatement associated with non-compliance with laws and regulations.”

In the original consultation, respondents expressed concern at the broad scope of the revisions. There were questions about the amount of work this would entail for auditors. In this new consultation, FRC acknowledges that “the auditor’s responsibilities cannot be open-ended to the effect of identifying and determining compliance with all laws and regulations pertaining to the entity”.

In response to concerns, it has removed the original objective within the standard and introduced a new objective: “To identify and assess the risks of material misstatement of the financial statements due to fraud or error relating to non-compliance with laws and regulations.”

Responding to concerns about the amount of legal advice required to meet obligations. FRC specified that an auditor would not be expected to have more of an understanding of the laws and regulations than required to undertake the audit. “Their understanding and expected work is bounded by what is needed to be able to express an opinion – nothing more.”

In the new version of ISA 250, FRC has changed the wording with regards to indirect laws and regulations to: “…compliance with which may be fundamental to the operating aspects of the business, to an entity’s ability to continue its business, or to avoid material penalties”.

Is it different enough?

The devil is always in the detail and the FRC’s impact assessment sets out the increased hours it estimates will result from the proposed revisions. Familiarisation and training is estimated to take 45 hours per firm. FRC believes that the revisions will add 15 additional hours per audit, with an additional hour for public interest entity audits. It does not differentiate between different sizes of audit teams, and it’s not clear how this was calculated.

Dr Paul Winrow, Partner, Public Policy & Regulation at Forvis Mazars, says that the firm encouraged FRC to consider the proportionality of the original proposals. “It is, therefore, pleasing to see that the FRC has responded to those concerns with this re-consultation, including providing clarity over the objective of the standard and ‘fundamental’ laws and regulations,” says Winrow.

The revised approach is more practical and better aligned with the principle of risk-based auditing under ISA 315, says Ian Graham, Partner and Head of Practice at Moore Kingston Smith. “It also helps to reinforce the importance of auditors building a solid understanding of the business they are auditing.”

The revised proposals will still lead to increased work effort for auditors and audited entities, says Winrow, despite some concerns about scalability and proportionality being addressed. “While we would expect management at public interest and larger entities to have systems and processes which capture relevant laws and regulations, it is likely that this will not be the case for many SMEs. The revised standard does not sufficiently address how auditors should address such situations.”

Winrow wants to see the proposals go further by explicitly stating that legal expertise will not normally be required. “We question whether the proposals are sufficiently scalable. For example, for large, complex, international group engagements, more consideration needs to be given to the impact on group audits under ISA (UK) 600 (in particular, the impact on components outside of the UK).

“At the other end of the spectrum, the impact on audits of SMEs could be more challenging, particularly given that the auditor’s starting point is intended to be management’s assessment, which may vary in its level of formality and maturity across such entities, despite the revised proposals.”

Steve Gale, Head of Audit at Crowe, says that the issues with ISA 250 have not been sufficiently addressed in the re-consultation.

“The new proposal to replace [the original] framework with the concept of ‘fundamental’ laws and regulations does not improve clarity,” he says. “It introduces a more subjective judgement that is harder to apply consistently and easier to second‑guess with hindsight. The likely outcome is more audit work on lower‑risk compliance matters, driven by fear of challenge rather than by investor need.”

Introducing a wholly UK‑specific standard in ISA (UK) 250 makes group audits harder, as overseas auditors will be required to apply a standard that does not exist in their jurisdiction, he added. “This will likely lead to the UK group auditor needing to specify additional work for the component auditor to undertake.”

The consultation timeline

The consultation will run until Thursday 21 May. ICAEW members who wish to have their say can contact Helen Pierpoint, Technical Manager, Audit and Assurance.

“This proposal originated with a proposal by the US auditing standard setter that was not well-received in the US,” says Katharine Bagshaw, ICAEW’s Senior Manager, Auditing Standards, Audit and Assurance. “That proposal has now been withdrawn and for a while, we thought that the UK proposal, which is different, might be shelved too.

“Re-consultation is always good and we need to hear from members about whether they think the changes have gone far enough to operationalise the proposals effectively, and whether they think that the FRC’s estimates in terms of increased work effort are right.”