It is 10 p.m. on a Thursday. You are clearing review notes on a manufacturing client and you open a scanned PDF of their environmental discharge permit. The permit expired six months ago. The CFO’s response, when you raise it at 8 a.m. the next morning: “Yeah, the renewal is in progress, should be fine.” The FS say nothing about it. No provision, no contingent liability note, no disclosure. You are now staring at a category (b) non-compliance that could mean remediation costs in the hundreds of thousands, and your only documented procedure so far is an inquiry response that amounts to “don’t worry about it.”
This is the ISA 250 problem in miniature. The standard splits laws into two buckets and gives you real procedures for one of them (tax, pensions, the numbers that hit the FS directly). For the other bucket (environmental, licensing, AML, data protection) it gives you inquiry, a letter-reading requirement, and the instruction to “remain alert.” The laws in that second bucket are the ones that actually blow up audits.
ISA 250 (Revised), titled Consideration of Laws and Regulations in an Audit of Financial Statements, is not a compliance standard. It does not make you a regulator. What it does is draw a line between the laws you must actively test for FS accuracy and the laws where your job is to notice trouble, ask questions, and respond when you find it. The rest of this guide is about where that line sits, why it keeps shifting in practice, and what to do when you land on the wrong side of it.
Key takeaways
- ISA 250 (Revised) is not about making the auditor a compliance officer. It addresses whether non-compliance could cause material misstatement in the FS.
- The standard creates two categories with different auditor responsibilities: (a) laws with a direct effect on FS amounts and disclosures (tax, pensions), where you actively test compliance; and (b) other laws (environmental, licensing, AML, data protection), where procedures are limited to inquiry, inspection of regulatory correspondence, and remaining alert.
- Management owns compliance. The auditor does not. Whether something constitutes non-compliance is a legal determination, not an audit conclusion.
- When non-compliance surfaces, the auditor must understand the act, evaluate its FS effect, discuss it with management and those charged with governance (TCWG), and consider the audit implications.
- Reporting outside the entity is jurisdiction-dependent. The IESBA’s NOCLAR (Non-Compliance with Laws and Regulations) provisions create ethical expectations to report even where statute does not require it, if doing so serves the public interest.
- Why the two-category split matters
- The two categories of laws and regulations
- Required procedures (and what actually happens)
- When non-compliance is identified or suspected
- Reporting outside the entity
- The auditor’s limitations
- ISA 250 in your jurisdiction
- Frequently asked questions
Why the two-category split matters
Most audit failures involving ISA 250 do not involve tax. They involve environmental permits, operating licences, AML violations, sanctions breaches. Category (b). The category where the standard gives auditors the weakest tools.
I think this is the single most important thing to understand about ISA 250, because it explains the gap between what the standard asks and what regulators expect after something goes wrong. The standard says “remain alert.” The inspection report says “the auditor failed to identify a significant non-compliance that was evident from documents on the audit file.” The gap between those two sentences is where careers get damaged.
ISA 250 resolves the scope problem (you cannot test every law) by dividing responsibility into two tiers. That division is structurally sound. But it creates an incentive problem: for category (b) laws, the minimum-effort response is to document that you asked management, get the management rep letter signed, and move on. We have all seen files where that is exactly what happened. The file tells a story, all right. Just not the right one.
The two categories of laws and regulations
Category (a): direct effect on financial statements
Where teams most often get this wrong: they classify a law as category (a) just because it can produce a big number. That is not the test. Category (a) laws are those “generally recognised as having a direct effect on the determination of material amounts and disclosures in the financial statements” (ISA 250.6(a)). The key word is determination. These laws directly set the numbers.
What actually happens on most engagements: category (a) takes care of itself. Tax is tested through the tax provision work. Pension obligations run through the actuary. Government grant recognition criteria feed into revenue testing. You are already doing this work under other ISAs; ISA 250 just confirms you need to.
Common examples:
- Tax legislation (corporate income tax, VAT, payroll taxes)
- Pension and social security contribution laws
- Financial reporting regulations (company law requirements for FS form and content)
- Government grant and subsidy legislation (recognition criteria, clawback provisions)
The auditor obtains sufficient appropriate audit evidence regarding compliance with these laws (ISA 250.14). In practice, that means the same level of assurance as for any other FS assertion. These laws get woven into substantive testing for the related account balances.
Category (b): other laws and regulations
This is where the real difficulty lives. Category (b) laws do not directly set FS amounts, but non-compliance can produce material consequences: fines, remediation costs, licence revocations, litigation (ISA 250.6(b)).
The common mistake I see: teams treat category (b) as a SALY (same as last year) exercise. Copy last year’s inquiry memo, update the date, get the rep letter signed, done. That works right up until it does not. At my firm we had an engagement where a client’s waste disposal contractor lost its permit mid-year. Nobody told us. The inquiry response said “compliant with all applicable environmental regulations.” We found out from a local newspaper article that a team member happened to read. That is not a system. That is luck.
Examples of category (b) laws:
- Operating licences and permits (banking, pharmaceutical, construction)
- Environmental regulations and emission standards
- Health and safety legislation
- Data protection and privacy (GDPR)
- Competition and antitrust law
- Anti-bribery and corruption legislation
- Import/export controls and sanctions
The auditor’s responsibility for category (b) is limited to specified procedures: inquire of management and TCWG about compliance, inspect correspondence with regulatory authorities, and remain alert throughout the audit (ISA 250.15–16). The auditor does not actively test compliance.
Where the boundary blurs
In our experience, about a third of category disputes on engagement files involve environmental or data protection laws. The remediation accrual is category (a) (it directly determines a provision amount). The underlying environmental law creating the obligation is category (b). A GDPR fine hits the FS directly, but GDPR’s operational compliance requirements are category (b). The test is simple in principle: does this law directly determine an FS amount or disclosure? If yes, category (a). If the law only affects the FS through consequences of non-compliance, category (b). In practice, the same regulation can straddle both categories depending on which aspect you are looking at.
Required procedures (and what actually happens)
The gap between the standard’s requirements and typical practice is wider here than in almost any other ISA. Not because teams are negligent, but because the procedures themselves are weak relative to the risk. ISA 250.13–17 sets out five requirements. Here is each one, followed by what actually happens on most files I have reviewed.
Understanding the legal and regulatory framework
ISA 250.13 requires you to obtain a general understanding of the legal and regulatory framework applicable to the entity and industry, and how the entity complies with it. This feeds the risk assessment under ISA 315.
What actually happens: on a recurring engagement, this is often a paragraph in the planning memo that has not been meaningfully updated since the original acceptance. Honestly, on about half the engagements I have seen, the “legal and regulatory framework” section reads like it was written by someone who Googled the client’s industry for ten minutes. That is a problem, because this is the step where you decide which laws are category (a) and which are category (b). Get it wrong here, and everything downstream is wrong.
Testing category (a) compliance
Obtain sufficient appropriate audit evidence regarding compliance with category (a) laws (ISA 250.14).
What actually happens: this usually works. Tax gets tested. Pensions get tested. Grant recognition gets tested. The procedures are baked into substantive testing already.
Specified procedures for category (b)
Inquire of management and, where appropriate, TCWG about compliance. Inspect any correspondence with relevant licensing or regulatory authorities (ISA 250.15).
What actually happens: the inquiry happens, but it is often a single question in a standard questionnaire. “Are you in compliance with all applicable laws and regulations?” Management ticks “yes.” The regulatory correspondence inspection is frequently skipped when management says there is no correspondence. We have seen this on about half the engagements we review. I think the standard undersells this step. At firms like ours, we now ask for copies of key licences and permits and check expiry dates ourselves, even though the standard does not require it. It takes twenty minutes per engagement. It would have caught the expired environmental permit in the opening example.
Remaining alert
ISA 250.16 requires the auditor to remain alert throughout the audit for instances or indications of non-compliance. This is an ongoing obligation that applies during every procedure.
What actually happens: “remain alert” is not a procedure you can document. Nobody writes “I remained alert today” in their WPs. The instruction only produces results when team members actually know what the client’s key regulatory risks are, which brings us back to the quality of the planning step. A junior doing ticking and bashing on a receivables confirmation is not going to spot a competition law violation. That is fine. But the EP and PM need to brief the team on what to watch for.
Written representations
Obtain written representations that management has disclosed all known instances of non-compliance or suspected non-compliance whose effects should be considered in preparing the FS (ISA 250.17).
What actually happens: the rep letter gets signed. It always gets signed. I have never seen a client refuse to sign the non-compliance representation. This is simultaneously required and nearly useless as an audit procedure, because a management that is concealing non-compliance will sign a representation saying it is not. The value is not in the comfort it provides. The value is in the legal trail it creates if things go wrong later.
When non-compliance is identified or suspected
So you have found something. Maybe it is the expired permit. Maybe it is a clause in a contract that looks like it violates competition law. Maybe it is a pattern of payments to a government official’s consulting company. Now what?
The most common failure at this stage is not a procedural one. It is a judgment failure: teams downplay what they have found because escalating it is uncomfortable and creates work. A PIOOMA estimate of the financial impact (“probably not material”) replaces proper analysis. That is the wrong instinct. ISA 250.19–25 sets out a four-step response framework, and skipping steps is how firms end up in inspection findings.
Understand the act
ISA 250.19 requires the auditor to understand the nature of the act and the circumstances in which it occurred, and to gather enough information to evaluate the possible FS effect. This is not about determining legal guilt (that is for a court). It is about understanding the financial exposure: what fines could apply, what remediation might cost, whether a licence is at risk, whether disclosure is needed.
What actually happens: on straightforward matters (an expired permit, a late tax filing), this step works. On more ambiguous matters (a possible antitrust violation, a potential sanctions breach), teams often lack the legal knowledge to understand what they are looking at. I have seen files where the team documented “management explained that this is standard industry practice” and moved on, without any independent corroboration or legal consultation. That is a tick box exercise, not professional scepticism.
Discuss with management and TCWG
ISA 250.20–22 requires the auditor to discuss the matter with management and, where appropriate, TCWG. If the non-compliance appears intentional, or management is involved, you must communicate directly with TCWG. You should also evaluate whether management’s response (remedial action, disclosure, or inaction) is appropriate.
What actually happens: the PM raises it with the finance director. The finance director says it is being dealt with. The PM documents the conversation. In many cases, that is as far as it goes. The harder question (is management’s response actually adequate?) often gets a pass because the PM does not want to escalate to the EP over something that “management is handling.” We have all been there. The standard requires you to push through that discomfort.
Evaluate the FS effect
ISA 250.21 requires you to evaluate whether the non-compliance has a material effect on the FS. Consider the potential financial consequences (fines, penalties, damages, remediation costs, revenue loss), the need for disclosure, and whether the consequences are so serious that going concern comes into question.
Evaluate the audit effect
ISA 250.23–25 requires you to evaluate the implications for the rest of the audit. Can you still rely on management’s representations? Does the risk assessment need updating? Have you obtained enough evidence? If the entity does not take appropriate remedial action, consider modifying the audit opinion.
Worked example: the expired permit, complicated
Go back to the manufacturing client with the expired environmental permit. You do the work. You discover that the permit expired because the client failed an emissions inspection six months ago and has been operating without authorisation since. The renewal is not “in progress” in any meaningful sense. The client needs to invest in new filtration equipment before the regulator will reissue the permit. Estimated cost: EUR 400,000. The regulator has also issued a formal warning letter, which management did not mention in the inquiry response or disclose to TCWG.
Now your problem is not just an expired permit. You have a provision question (the filtration equipment), a contingent liability question (potential fines), a management integrity question (they misrepresented the status), a disclosure question (the FS are silent), and a going concern question (can the plant operate without the permit?). You also need to decide whether the management rep letter, which says “no known instances of non-compliance,” was signed in good faith. One expired permit has just touched five different areas of the audit.
This is why I think ISA 250 is harder than it looks. The procedures are simple. The judgment when you find something is not.
Reporting outside the entity
No part of ISA 250 makes auditors more anxious than paragraph 28. Should you report non-compliance to someone outside the entity? The answer depends on where you are, what you found, and which ethical code applies to you.
Reasonable people disagree on where the line sits. Some practitioners believe that any time there is a clear legal reporting obligation, you follow it, and otherwise you stay quiet because confidentiality is the default. Others argue that the NOCLAR provisions shifted the default: the public interest now comes first, and confidentiality is the exception requiring justification. I lean toward the second view, because the trend in regulation across Europe is clearly toward more auditor reporting, not less. But I understand why the first position exists, and both positions find support in the literature.
Legal requirements
In many jurisdictions, auditors have statutory obligations to report certain types of non-compliance. In the EU, auditors of PIEs must report breaches of EU regulations to competent authorities. In the Netherlands, the Wwft requires reporting of unusual transactions to FIU-Nederland regardless of FS materiality. In the UK, specific reporting obligations exist under the Proceeds of Crime Act and Money Laundering Regulations. In France, commissaires aux comptes must report criminal offences to the Procureur de la République.
The IESBA Code and NOCLAR provisions
The IESBA’s NOCLAR framework (effective since 2017) goes beyond statute. It creates an ethical obligation for auditors to consider reporting non-compliance to appropriate authorities even where no legal requirement exists, where doing so serves the public interest and is not contrary to law. This was a significant shift. Before NOCLAR, the ethical codes in most jurisdictions treated confidentiality as nearly absolute. NOCLAR introduced a duty to weigh confidentiality against public harm.
Professional duty of confidentiality
Confidentiality can be overridden by law, regulation, or ethical requirements. The tension between confidentiality and public interest reporting is real, and it does not have a clean answer. What I can say is that “I was protecting client confidentiality” has not been a successful defence in any European inspection case I am aware of where the auditor knew about significant non-compliance and chose not to report it.
Making the reporting decision
When you identify significant non-compliance, work through these questions with your firm’s ethics partner and legal counsel. (1) Am I legally required to report? Check jurisdiction-specific obligations first. (2) If not legally required, does the IESBA NOCLAR framework or my national ethical code create an expectation to report? (3) What are the consequences of reporting versus not reporting, for the public, the entity, and the firm? (4) Have I documented the analysis and the basis for my conclusion? Do not make this decision alone. At firms like ours, the EP escalates to the firm’s head of ethics on any matter where external reporting is even a possibility.
The auditor’s limitations
Here is the part of ISA 250 that matters most when a regulator is reading your file after something went wrong. ISA 250.5–6 is explicit about what you are and are not responsible for:
- You are not responsible for preventing non-compliance. That is management’s job.
- Whether an act constitutes actual non-compliance is a legal determination, not an audit conclusion. Courts decide this.
- The further removed non-compliance is from the FS, the less likely you are to detect it. This matters most for category (b) laws, where the auditor’s procedures are limited and concealment is possible.
- An ISA-compliant audit provides reasonable assurance, not absolute assurance, that the FS are free from material misstatement caused by non-compliance.
These limitations are real. They are also not a shield. In our experience, every inspection finding we have seen on ISA 250 acknowledged the inherent limitations and then said, in effect: “Yes, but within those limitations, you still did not do enough.” The question is never whether you are omniscient. It is whether you did what a reasonable auditor would have done with the information available.
ISA 250 in your jurisdiction
Netherlands. COS 250 follows ISA 250 (Revised) closely. Dutch auditors face significant additional obligations under the Wwft (anti-money laundering), which requires reporting of unusual transactions to FIU-Nederland regardless of FS materiality. The NBA’s practice notes address the interaction between COS 250 and Wwft obligations. For OOB (PIE) engagements, auditors must also report certain matters to the AFM under the Wta.
Germany. IDW PS 250 adapts ISA 250 for the German environment. German Wirtschaftsprüfer have specific reporting obligations under the GwG (anti-money laundering) and, for financial institutions, under the KWG (banking supervision law). The interaction between ISA 250’s framework and German company law (AktG, GmbHG, HGB) creates additional complexity, particularly regarding the duty to report to the supervisory board.
United Kingdom. ISA (UK) 250 splits into two sections: Section A (consideration of laws and regulations, aligned with ISA 250) and Section B (the auditor’s statutory right and duty to report to regulators). Section B is UK-specific, addressing obligations to report to regulators of financial services entities (FCA, PRA) and PIEs. The FRC has proposed revisions to both sections, moving towards a more risk-based approach.
France. NEP 250 implements ISA 250 within the French statutory audit framework. The French commissaire aux comptes has the distinctive révélation des faits délictueux obligation: the auditor must report criminal offences discovered during the audit to the Procureur de la République. This is mandatory, carries no materiality threshold, and is one of the strongest auditor reporting duties in Europe.
Frequently asked questions
Is the auditor responsible for ensuring the entity complies with all laws?
No. Compliance is management’s and TCWG’s responsibility. The auditor’s job is to consider laws and regulations in the context of the FS audit: specifically, to obtain reasonable assurance that the FS are free from material misstatement caused by non-compliance.
What is the difference between ISA 240 (fraud) and ISA 250 (laws and regulations)?
ISA 240 deals with fraud (intentional acts involving deception for unjust advantage). ISA 250 deals with non-compliance with laws and regulations, which may be intentional or unintentional. There is overlap: fraud often involves breaking laws, and non-compliance can constitute fraud. Where both standards apply, both must be followed.
What is NOCLAR?
NOCLAR stands for Non-Compliance with Laws and Regulations, a framework introduced by the IESBA in 2016 within the Code of Ethics for Professional Accountants. It establishes ethical obligations for professional accountants (including auditors) regarding how they respond to identified or suspected non-compliance, including when to report to external authorities.
Must the auditor report all non-compliance to regulators?
No. The reporting obligation depends on the jurisdiction, the nature of the non-compliance, and applicable legal and ethical requirements. Some jurisdictions impose mandatory reporting for specific types (money laundering, criminal offences). In other cases, the auditor exercises professional judgment, weighing the public interest, legal requirements, and the IESBA NOCLAR provisions.
What if management refuses to take action on identified non-compliance?
The auditor must consider the implications for the audit: whether to modify the audit opinion, whether to report to authorities outside the entity, and whether to withdraw from the engagement. The auditor should also communicate the matter to TCWG if management’s inaction is itself a governance concern.
Further reading and source references
- IAASB Handbook 2024: ISA 250 (Revised) full text, the authoritative source including all application material.
- IESBA Code of Ethics: The NOCLAR provisions (Sections 260 and 360), the ethical framework for responding to non-compliance.
- ISA 240 : The Auditor’s Responsibilities Relating to Fraud, the companion standard for intentional misstatement.
- ISA 315 (Revised 2019): Identifying and Assessing Risks of Material Misstatement, the risk assessment framework that ISA 250’s procedures feed into.
- EU Audit Directive (2014/56/EU): European legislative requirements for auditor reporting of non-compliance.
- EU Anti-Money Laundering Directives: The regulatory framework for suspicious transaction reporting.
This guide reflects the ISA 250 (Revised) text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.