AG ISA (NZ) 250

The Auditor-General’s Statement on Consideration of Laws and Regulations

At a glance

The standard expands on the underlying standard ISA (NZ) 250 (Revised) (XRB website) in that you:

need to familiarise yourself with any guidance or direction from the OAG, including in the applicable audit brief;
need to immediately inform the OAG of any significant non-compliance with laws and regulations;
need to report to the OAG all instances of a public entity’s non-compliance with laws and regulations in the document that summarises the audit conclusions.

Introduction

Scope of this Statement

This Auditor-General’s Auditing Statement:
1. establishes the Auditor-General’s requirements in relation to ISA (NZ) 250 (Revised): Consideration of Laws and Regulations in an Audit of Financial Statements (ISA (NZ) 250 (Revised))¹; and
2. establishes additional requirements and provides associated guidance to reflect the public sector perspective.
This Statement and the equivalent auditing standard on which it is based reflect the requirements for considering laws and regulations when carrying out an annual audit. It should be noted that the requirements of this Statement and the equivalent auditing standard are not designed or intended to enable the Appointed Auditor to to carry out a legal compliance audit or to provide assurance on a public entity’s compliance with all applicable laws and regulations.
Instead this Statement and the equivalent auditing standard reflect that it is the responsibility of management and those charged with governance to ensure that a public entity complies with laws and regulations.²

Application

Compliance with this Statement is mandatory for Appointed Auditors who carry out annual audits on behalf of the Auditor-General. This Statement requires compliance with all of the requirements of ISA (NZ) 250 (Revised) and the additional requirements included in this Statement.
This Statement applies to audits of financial statements and/or performance information that have been prepared for reporting periods beginning on or after 1 April 2023, although earlier application is encouraged.
There are specific issues of compliance with laws and regulations for the Appointed Auditor to consider when auditing appropriations in government departments (including planning, carrying out fieldwork, and reporting). For further guidance, the Appointed Auditor is to refer to AG-2: The Appropriation Audit and the Controller Function and/or the applicable audit brief.
In addition, the Auditor-General may require Appointed Auditors to carry out additional work on compliance with laws and regulations in the course of an annual audit. If this is required, Appointed Auditors should refer to Auditing Standard AG-3 and the relevant audit brief for instructions and guidance on this additional work.

Objectives

The objectives of the Appointed Auditor are to:
1. consider compliance with laws and regulations:
  - obtaining sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognised to have a direct effect on the determination of material amounts and disclosures in the financial statements and performance information;
  - performing specified audit procedures to help identify instances of non-compliance with other laws and regulations that may have a material effect on the financial statements and performance information; and³
2. respond appropriately to identified or suspected non-compliance with laws and regulations identified during the audit.

Definitions

For the purpose of this Auditor-General’s Auditing Statement, the defined term listed below has the following meaning:

Appointed Auditor: means the person or persons appointed by the Auditor-General to carry out the annual audit or other engagement on behalf of the Auditor-General, and who are supported by other members of the audit team. Where an Auditor-General’s Statement or Standard expressly intends that a requirement be fulfilled by the Appointed Auditor personally, the requirement will indicate that the Appointed Auditor shall personally satisfy the requirement.

Requirements

The Auditor’s Consideration of Compliance with Laws and Regulations (Ref: Para. A1-A4)

The Appointed Auditor shall, in meeting the requirements of paragraph 13 of ISA (NZ) 250 (Revised):
1. gain an understanding of any laws and regulations that apply to the public entity that are generally recognised to have a direct effect on the determination of material amounts and disclosures in the financial statements and performance information;
2. familiarise themselves with any guidance or direction from the OAG, including in the applicable audit brief;
3. maintain a general awareness of current events by monitoring:
  - the results of any Parliamentary scrutiny of the public entity or the sector in which it operates;
  - the outcome of any reviews by government agencies;
  - the outcome of any court proceedings; and
  - comments in the media; and
4. monitor the development of any new legislative requirements that are likely to affect the public entity.
The Appointed Auditor shall obtain an understanding of the legal and regulatory framework that applies to the public entity in accordance with the requirements of paragraph 13 of ISA (NZ) 250 (Revised) and ensure that their audit file includes adequate documentation that:
1. provides a description of the legal and regulatory framework applicable to the entity and the industry or sector in which it operates;
2. provides a description of how the public entity ensures that it complies with that framework;
3. identifies the laws and regulations that have a direct effect on the determination of material amounts and disclosures in the financial statements and performance information and why the Appointed Auditor has assessed those laws and regulations as material; and
4. identifies the audit procedures that the Appointed Auditor plans to perform to assess compliance with those laws and regulations that have been identified as having a direct effect on the determination of material amounts and disclosures in the financial statements and performance information.
The Appointed Auditor shall perform audit procedures in keeping with paragraph 14 of ISA (NZ) 250 (Revised) in order to meet the objectives of this statement to obtain sufficient appropriate audit evidence that the public entity has complied with those laws and regulations that have been identified as having a direct effect on the determination of material amounts and disclosures in the financial statements and performance information.
In carrying out audit procedures on those laws and regulations that have been identified as having a direct effect on the determination of material amounts and disclosures in the financial statements and performance information, the Appointed Auditor shall comply with any guidance provided by the OAG, including the applicable audit brief.
The Appointed Auditor shall, in meeting the requirements of paragraph 15 of ISA (NZ) 250 (Revised), follow any guidance or direction from the OAG, including in the applicable audit brief.
The Appointed Auditor shall, in meeting the requirements of paragraph 16 of ISA (NZ) 250 (Revised), remain alert during the annual audit for any possible non-compliance with other laws or regulations that could be considered to have a direct effect on the determination of material amounts and disclosures in the financial statements and performance information, although they may not have been originally identified as relevant during audit planning.

Responding to identified or suspected non-compliance with Laws and Regulations

The Appointed Auditor shall not provide opinions (in a legal sense) on a public entity’s compliance with laws and regulations. Nothing in the Auditor-General’s responsibility to consider laws and regulations in the annual audit, including references to certain laws and regulations disclosed in the audit report or the letter to management or those charged with governance, should be misconstrued as the auditor providing a legal opinion on the entity’s compliance with relevant laws and regulations (Ref: Para. A5).
The Appointed Auditor shall not report a public entity’s non-compliance with laws and regulations to any responsible Minister or to Parliament without prior OAG authorisation. The OAG is responsible for making these decisions and shall consider factors such as the frequency or pattern of non-compliance and the effects of non-compliance when making its decision. Communication with any Minister about instances where non-compliance with laws and regulations is considered to be material shall be done directly by the OAG, in consultation with the Appointed Auditor.
If there is uncertainty about the nature of non-compliance with laws and regulations, the Appointed Auditor shall request and obtain the public entity’s view, which may include any legal advice it has obtained, before consulting the OAG. If doubt exists on whether there is non-compliance and the Appointed Auditor needs independent legal advice, the Appointed Auditor shall obtain the legal advice from the Assistant Auditor-General – Legal, Policy, and Inquiries at the OAG. In doing so, the Appointed Auditor shall obtain, if possible, any legal advice that has been obtained by the public entity about the suspected non-compliance and provide this advice to the OAG (Ref: Para. A6).

Immediate reporting of certain types of non-compliance to the OAG

The Appointed Auditor shall immediately inform the OAG about any non-compliance with laws and regulations that:
1. is considered to have a direct effect on the determination of material amounts and disclosures in the financial statements and performance information, and for which the OAG has not provided guidance;
2. calls into question the ethics or behaviour of management and/or those charged with governance or where fraud is suspected; or
3. where management and/or those charged with governance are suspected of being involved in any deliberate non-compliance with a law or regulation

Reporting instances of non-compliance

The Appointed Auditor shall immediately advise the OAG when management and/or those charged with governance are involved in non-compliance with the laws and regulations, so the OAG is involved in developing the response to the requirements contained in paragraphs 25 and 29 of ISA (NZ) 250 (Revised).
The Appointed Auditor shall immediately inform the appropriate level of management of any non-compliance that is of such a nature that it can be remedied or repaired (for example, illegal investments). This provides management with the opportunity to take prompt action to correct any non-compliance.
In addition to the reporting requirements of paragraph 23 of ISA (NZ) 250 (Revised), the Appointed Auditor shall report in the management letter (to the appropriate level of management or those charged with governance) any concerns they have about the integrity of internal control or other deficiencies that affect the ability of the public entity to monitor its compliance with laws and regulations.
All instances of a public entity’s non-compliance with laws and regulations identified during the annual audit shall be reported to the OAG in the document summarising the audit conclusions (Ref: Para. A7).

Reporting non-compliance in the audit report

The Appointed Auditor shall follow any directions issued by the OAG on reporting non-compliance in the audit report including any requirements to have audit reports approved by the Auditor-General’s Opinions Review Committee as outlined in AG ISA (NZ) 700.
Non-compliance that has a pervasive effect on the financial and performance information⁴ shall be referred by the Appointed Auditor to the Audit Quality group at the OAG. The Audit Quality group may request the Appointed Auditor to prepare a submission to the Auditor-General’s Opinions Review Committee.
The Appointed Auditor shall follow any directions issued by the OAG covering how any non-compliance is to be reported in the audit report.
If the OAG has not issued any directions covering how the non-compliance is to be reported in the audit report, the Appointed Auditor shall consult the Audit Quality group about the appropriate audit report to issue when they identify non-compliance.

Application and other explanatory material

The Auditor’s Consideration of Compliance with Laws and Regulations (Ref: Para. 10-15)

A1	The nature and extent of audit procedures is to be determined by the Appointed Auditor, after considering the likelihood and the effect of non-compliance and any advice from the OAG, including the applicable audit brief. In addition, to the guidance in paragraph A11 in ISA (NZ) 250 (Revised), Appointed Auditors may consider using the following audit procedures to meet the requirements of this statement: enquiring of management about any instances of non-compliance or any new or unusual activities/transactions (for example, new ventures and tax-based or investment transactions) carried out during the year, and reviewing those activities/transactions; reviewing minutes of management meetings or the public entity’s internal compliance reports, as applicable; reviewing systems and practices designed to monitor and report on compliance, or with compliance requirements embedded in them, and the adequacy of the public entity’s policies and procedures governing compliance with relevant statutory obligations; performing random or risk-based transaction tests that incorporate the element of checking for compliance with laws and regulations; and performing substantive tests of particular laws and regulations (such as those laws and regulations specifying the determination of material amounts and disclosures in the financial statements and performance information).
A2	Audit procedures may be substantive in nature or place reliance, where appropriate, on the systems and practices designed to control and monitor compliance, or on both. In making a decision about what approach to use, Appointed Auditors must ensure that they meet the evidential requirements of the auditing standards that have been issued by the New Zealand Auditing and Assurance Standards Board.
A3	If a substantive approach is taken, Appointed Auditors should apply audit procedures that provide a reasonable opportunity of detecting instances where non-compliance is considered to be material. Typically, substantive procedures will be directed to testing material year-end balances for the purposes of determining their fair presentation and whether they comply with those laws and regulations identified in accordance with the objectives in this statement where non-compliance may be material. For example, confirming whether an investment is lawful.
A4	If the focus is primarily on the systems and practices, audit procedures should be designed to test the effectiveness of internal control, including the internal control environment, established by management to minimise the occurrence of non-compliance.

Responding to identified or suspected non-compliance with Laws and Regulations (Ref: Para. 16-27)

A5	The OAG, in consultation with the Appointed Auditor, may also write directly to the chief executive or governing body in certain circumstances when non-compliance is identified.

Immediate reporting of certain non-compliance to the OAG

Assessment of non-compliance requires professional judgement and may need to be based on legal advice. If there is uncertainty about the fact of non-compliance with laws and regulations, the public entity should first be asked for its view, which may include reviewing any legal advice the entity has obtained.<sup">5

The Appointed Auditor is to consider that advice against any existing guidance provided by the OAG. If the OAG has not provided any existing guidance, the Appointed Auditor should consult with the OAG. The OAG will then provide the Appointed Auditor with the necessary direction and will determine, as appropriate, the need to report the non-compliance to external parties.

Reporting instances of non-compliance to the OAG

Formal reports made to management or those charged with governance on compliance with laws and regulations may be appended to the document summarising the audit conclusions. However, the essential action is to give the OAG an account of all non-compliance with laws and regulations identified at the same time that the audit report and the annual report are issued.

1: The ISA (NZ) Auditing Standards are scoped so that they apply to audits of “historical financial information”. However, for the purposes of the Auditor-General’s Auditing Standards and Statements, all references to “historical financial information” should be read as the audit of “historical financial statements and historical performance information”.

2: Nothing in this Statement requires or permits Appointed Auditors to provide opinions (in a legal sense) on a public entity’s compliance with relevant laws and regulations or to carry out a legal compliance audit. As a result, Appointed Auditors must take care to ensure that, unless a legal compliance audit has been carried out, any references to laws and regulations in their audit reports or management letters cannot be misconstrued by readers as the auditor providing assurance on the public entity’s compliance with those laws and regulations.

3: The Auditor-General’s auditing standard, AG-3, contains additional objectives in respect of considering laws and regulations that do not meet the criteria outlined in paragraph 8(a).

4: In keeping with the objectives in this Statement and the requirements in AG ISA (NZ) 700 and AG ISA (NZ) 705.

5: Note that the entity cannot be compelled to give Appointed Auditors or the OAG its legal advice. However, if an entity refuses to provide legal advice to the Appointed Auditor or to the OAG, this amounts to a limitation in scope and may result in a modification of the audit report.