Generally accepted auditing standards (GAAS) regarding an auditor's responsibility to consider laws and regulations in an audit of financial statements has been codified in AU-C Section 250, Consideration of Laws and Regulations in an Audit of the Financial Statements, published by the American Institute of Certified Public Accountants (AICPA).
AU-C 250 states that the auditor is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error. The provisions of some laws and regulations have a direct effect on the financial statements in that they determine the reported amounts and disclosures in an entity's financial statements. In conducting an audit of the financial statements, the auditor takes into account the applicable legal and regulatory framework, defined as those laws and regulations to which an entity is subject.
Most audits of local government agencies and quasi-public organizations (local auditees) that report to the Louisiana Legislative Auditor (LLA) are performed in accordance with Government Auditing Standards (also called generally accepted government auditing standards (GAGAS) or the Yellow Book). In a GAGAS audit, the CPA is required to extend the requirements of AU-C Section 250 to consideration of compliance with provisions of contracts and grant agreements.
GAAS and GAGAS require the auditor to communicate to the entity's management any matters of noncompliance with provisions of laws, regulations, contracts, and grant agreements that has a material effect on the financial statements or other financial data significant to the audit objectives. In a GAGAS audit, this communication takes the form of the Independent Auditor’s Report on Internal Control Over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards (the Yellow Book Report).
In a GAAS audit, the communication is made to management alone; in a GAGAS audit, the communication (the Yellow Book report) is included with the audited financial statements.
If the CPA concludes that the local auditee’s noncompliance has a material effect on the financial statements, and it has not been adequately reflected in the financial statements, or if the CPA cannot obtain sufficient appropriate audit evidence to evaluate whether the noncompliance causes the financial statements to be materially misstated, the CPA should follow the requirements of AU-C 250.24 - .26.
AU-C 250 also addresses the auditor’s responsibility if fraud or suspected fraud has been detected. Louisiana Revised Statute 24:523 prescribes additional reporting responsibilities for agencies that have knowledge that fraud or misappropriations have occurred. LLA policy also requires specific elements to be included in a finding reporting fraud or misappropriations in a local auditee’s audit report.
AU-C 250 acknowledges that because of the inherent limitations of an audit, an unavoidable risk exists that some material misstatements in the financial statements may not be detected, even though the audit is properly planned and performed in accordance with GAAS; but defines the requirements of the auditor to obtain sufficient appropriate audit evidence for different categories of laws and regulations.
AU-C 250 requires the auditor to obtain an understanding of the legal and regulatory framework applicable to the entity and the environment in which the entity operates, and how the entity is complying with that framework. What are the sources a CPA firm can use to determine the legal and regulatory framework under which a local auditee is required to operate?
1. The CPA should start with inquiry of the local auditee he is auditing. The local auditee has the primary responsibility for identifying and complying with the laws and regulations that may have a direct and material effect on their financial statements.
For instance, a local government auditee should be knowledgeable about the local government budget act, public bid law, records retention law, and other laws that affect them. A local government auditee should also be knowledgeable about the laws that specifically apply to their type of local auditee (parish governing authority, municipality, school board, assessor, clerk of court, coroner, district or municipal court, sheriff, district attorney, housing authority, special service district, etc.).
The CPA should read the minutes of the governing board for discussion of legal matters, and should examine any grant documents and bond indentures to determine specific requirements under those documents. The CPA should also ask the local auditee for any correspondence from taxing, licensing, grantor or other oversight bodies.
The CPA should obtain management’s written representation as to whether they are complying with these laws; and should also consider requesting a legal representation letter from the local auditee’s attorney.
2. The Louisiana Compliance Questionnaire provide a basic list of the laws and regulations with which local auditees must comply. There are different questionnaires for local governments, quasi-public organizations, and charter schools.
3. Many local governments have advocacy organizations that provide information about legal matters on their websites.
4. The Legislative Auditor’s website has a Legal Assistance page that has a wealth of information regarding local auditee law. This information is updated annually for any changes in the law, after the close of each Louisiana legislative session.
5. Other sources of legal information that are available to the general public include:
- The Louisiana Legislature’s website has a search engine for Louisiana Revised Statutes and the Louisiana Constitution of 1974
- The Louisiana Attorney General’s website has a search engine for Louisiana Attorney General opinions
- The Internal Revenue Service’s website has a search engine for payroll and other tax-related issues6. The Legislative Auditor periodically sends information regarding laws and regulations by email to CPAs on its approved list. These notifications (Audit Risk Alerts) are sent on an as-needed basis.
The sources named above are good starting points, but the list cannot be considered an all-inclusive list or a safe harbor by a CPA firm performing a GAGAS audit. The CPA should remain alert to the possibility that there are other laws and regulations with which the local auditee is required to comply.
If performing an initial engagement, the CPA should use his or her existing understanding of the legal and regulatory framework applicable to like agencies.
If performing a repeat engagement, the CPA should ensure that all of the permanent file information regarding laws and regulations pertinent to the local auditee has been updated. The CPA should also consider the local auditee’s history of noncompliance with laws and regulations.
A CPA performing an audit of a local auditee that is required to provide for a Single Audit should also consider the compliance requirements of Title 2, U.S. Code of Federal Regulations, Part 200, Uniform Requirements, Cost Principles, and Audit Requirements of Federal Awards (Uniform Guidance), published by the Office of Management and Budget; and AU-C 935, Compliance Audits.
- Am I expected to give a legal opinion on whether a local auditee has complied with laws and regulations that have a material and direct effect on the financial statements? I’m a CPA, not an attorney.
- Does a CPA firm need to be concerned about which laws to test in a review/attestation engagement?