ICAG Paper 2.3 - Audit and Assurance
ICAG Level 2 - MSL Business School
ICAG Paper 2.3: Audit and Assurance
ICAG Paper 2.3 Audit and Assurance is the Application Level paper that introduces candidates to the full audit process — from engagement acceptance, through risk assessment and planning, to evidence gathering, review, and reporting. It is the foundation on which Paper 3.2 Advanced Audit and Assurance is built, and the paper that prepares candidates for the realities of audit practice in Ghana's private and public sectors.
This paper is not just about knowing what auditors do. It is about understanding why — the theoretical underpinning of audit as a mechanism for accountability and corporate governance, the professional and ethical standards that govern audit practice, and the practical judgement required to design and execute an audit that gives users of financial statements the confidence they need. The examiner tests all of this: theory, standards, computation, professional ethics, and practical application.
Paper 2.3 is also one of the most ethics-intensive papers in the ICAG qualification. Professional scepticism, independence, and the ethical obligations of the auditor run through every section. Candidates who understand the 'why' behind audit requirements — not just the rules — will consistently outperform those who simply memorise standards.
At MSL Business School — Ghana's most decorated ICAG tuition provider with 40+ national awards and 2,000+ successful students — our Paper 2.3 classes develop genuine audit judgement, not just examination technique. Our lecturers bring real-world audit experience from Ghana's Big Four and mid-tier firms, so the standards come alive in practical context.
Paper 2.3 Audit and Assurance — At a Glance
Level: ICAG Application Level (Level 2)
Exam Format: Written examination — scenario-based questions requiring technical knowledge, professional judgement, and ethical reasoning
Exam Duration: 3 hours
Pass Mark: 50%
Core Standards: International Standards on Auditing (ISAs) — as issued by IAASB; Ghana-specific regulatory framework
Key Skills: Risk assessment, audit planning, evidence evaluation, report drafting, professional scepticism and ethical judgement
Ethics: Examined specifically in Section B and expected throughout all sections
Why Paper 2.3 Audit and Assurance Matters
Audit is the cornerstone of financial accountability. When investors rely on published financial statements, when banks make lending decisions, when the government assesses tax compliance, and when regulators monitor financial institutions — they are relying, directly or indirectly, on the work of auditors. The audit opinion provides independent assurance that financial statements present a true and fair view, reducing information asymmetry between management and the users of financial statements.
In Ghana, the statutory audit framework is embedded in the Companies Act, 2019 (Act 992), which requires all companies above certain thresholds to have their financial statements audited. The Bank of Ghana, the National Insurance Commission, and the Securities and Exchange Commission all impose additional audit requirements on regulated entities. The Auditor-General audits public sector bodies under the Audit Service Act, 2000 (Act 584). Understanding this regulatory landscape is as important as understanding the ISAs themselves.
For candidates planning careers in public accounting, audit is the professional pathway. For those heading into industry or the public sector, audit knowledge makes you a better-informed preparer — because you understand what auditors are looking for and why. Either way, Paper 2.3 builds skills that are immediately valuable.
Paper 2.3 Syllabus Structure and Weightings
Nine sections cover the complete audit process from engagement acceptance to final report, plus internal audit and public sector auditing. Sections B, D, and E each carry 15% — making professional ethics, audit planning, and evidence gathering the most heavily examined areas:
(A) Nature of audit and assurance - 10%
(B) Regulatory, professional and ethical issues - 15%
(C) Accepting and managing engagements - 10%
(D) Planning for engagements - 15%
(E) Engagement evidence - 15%
(F) Audit review - 10%
(G) Concluding and reporting - 10%
(H) Internal Audit - 5%
(I) Auditing in the public sector - 10%
Section A: Nature of Audit and Assurance (10%)
Section A establishes the conceptual foundations of audit — what it is, why it exists, and how it fits into the broader framework of corporate governance and accountability. These foundations are tested both directly and as the backdrop for all other sections.
Assurance Engagements — Definition and Components
An assurance engagement is one in which a practitioner aims to obtain sufficient appropriate evidence to express a conclusion designed to enhance the degree of confidence of the intended users — other than the responsible party — about the subject matter. The five elements of an assurance engagement:
A three-party relationship: The practitioner (auditor/assurance provider), the responsible party (management/entity), and the intended users (shareholders, lenders, regulators)
An appropriate subject matter: Financial statements, internal controls, sustainability reports, compliance with regulations — any subject matter that can be evaluated against criteria
Suitable criteria: The standards against which the subject matter is evaluated — IFRS for financial statements, ISAs for audit procedures, specific regulatory requirements for compliance engagements
Sufficient appropriate evidence: The practitioner must gather enough relevant and reliable evidence to support their conclusion
A written assurance report: The formal communication of the practitioner's conclusion to the intended users
Levels of Assurance
Reasonable assurance (audit): A high but not absolute level of assurance — expressed as a positive opinion ('In our opinion, the financial statements present fairly...'). The statutory financial statement audit provides reasonable assurance.
Limited assurance (review): A lower level than reasonable assurance — expressed as a negative conclusion ('Nothing has come to our attention that causes us to believe that the financial statements are not prepared...'). Review engagements (ISRE 2400) provide limited assurance.
Reasonable assurance cannot be absolute because: management uses estimates and judgements, audit procedures are applied to samples rather than 100% of transactions, and some evidence is persuasive rather than conclusive.
The Audit Expectation Gap
The audit expectation gap is the difference between what users of financial statements believe auditors do and what auditors actually do. Key components:
Reasonableness gap: Users expect more than what is reasonably achievable — e.g., expecting auditors to detect all fraud, or expecting auditors to guarantee the accuracy of financial statements
Performance gap: The difference between what can reasonably be expected and what auditors actually deliver — either because standards are inadequate or because auditors underperform
Reducing the expectation gap requires: better communication in audit reports (the enhanced audit report under ISA 701 is partly designed to address this), public education about audit limitations, and continuous improvement in audit standards and methodology.
Types of Audit and Assurance Engagements
Financial statement audit: Provides reasonable assurance that the financial statements are free from material misstatement — whether due to fraud or error. The primary focus of Paper 2.3.
Compliance audit: Evaluates whether the entity has complied with applicable laws, regulations, contracts, or grant conditions. Common in the public sector.
Performance audit: Evaluates the economy, efficiency, and effectiveness of an entity's operations (the 3Es). Predominantly a public sector concept.
Internal audit: An independent appraisal function within the entity — reviews operations, internal controls, risk management, and governance on behalf of management and the board (see Section H).
Fraud — Responsibility and Detection
ISA 240 (The Auditor's Responsibilities Relating to Fraud) establishes the division of responsibility:
Primary responsibility for the prevention and detection of fraud rests with management and those charged with governance — through the design and operation of internal controls
The auditor's responsibility is to obtain reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error
The auditor maintains professional scepticism throughout — alert to conditions that may indicate fraud, without assuming that management is dishonest
Types of fraud relevant to financial statements: fraudulent financial reporting (intentional misstatement to deceive users) and misappropriation of assets (theft of entity's assets)
Fraud triangle: incentive/pressure, opportunity, and rationalisation — the three conditions that tend to be present when fraud occurs
Auditing as Corporate Governance
The external audit is a key pillar of corporate governance — it provides shareholders with independent verification that management's financial reporting is reliable. In Ghana, the Companies Act 2019 (Act 992) requires the auditor to report to the shareholders (not to management), preserving independence. The audit committee of the board provides a direct link between the external auditor and independent directors, further strengthening the governance function of audit.
Section B: Regulatory, Professional and Ethical Issues (15%)
Section B is the most ethics-intensive section of the paper and one of the most heavily examined. Candidates must understand the regulatory framework governing audit in Ghana, the professional standards that apply, and the specific ethical obligations of auditors — including independence, objectivity, confidentiality, and the resolution of ethical conflicts.
The Regulatory Framework for Audit in Ghana
The Companies Act, 2019 (Act 992)
Act 992 is the primary legislation governing the statutory audit of companies in Ghana. Key provisions candidates must know:
Qualification of an auditor: Must be a member of a body of accountants established in Ghana (i.e., ICAG) or approved by the Registrar-General. Disqualifications: officers/employees of the company, close relatives of directors, debtors/creditors beyond set limits.
Appointing authority: Auditors are appointed by shareholders at the Annual General Meeting (AGM). First auditors may be appointed by directors. The company's audit committee recommends the auditor to the board, which recommends to shareholders.
Remuneration: Fixed by the shareholders at the AGM, or by the directors if they appointed the first auditor. The level of remuneration must not compromise independence.
Duties and rights of the auditor: Duty to audit the financial statements and report to shareholders. Rights: access to all books, accounts, and vouchers; right to obtain information from officers and employees; right to attend and be heard at any general meeting.
Resignation, retirement, and removal: An auditor may resign by giving written notice to the company. Removal requires a special resolution with special notice. A resigning auditor may require the company to circulate a statement of circumstances — ensuring shareholders are aware of any concerns. The auditor may address the AGM when being removed.
Bank of Ghana and National Insurance Commission
The Bank of Ghana (BoG) and National Insurance Commission (NIC) have powers to appoint, approve, and remove auditors of regulated entities (banks, specialised deposit-taking institutions, and insurance companies). Auditors of regulated entities have additional reporting obligations to these regulators — including reporting significant matters that come to light during the audit, even without client consent in certain circumstances. This represents a statutory override of the duty of confidentiality.
Institutional Regulation of Audit Practice
IFAC (International Federation of Accountants): The global organisation for the accountancy profession; sets international standards (ISAs through IAASB, ethics through IESBA, education through IAESB)
ICAG (Institute of Chartered Accountants, Ghana): The national professional body; admits members, sets professional standards, disciplines members, and monitors audit quality through the Audit Monitoring Unit (AMU)
Internal Audit Agency (IAA): Coordinates internal audit in the public sector under Act 658; sets standards for internal auditors in MDAs and MMDAs
IAASB and International Standards on Auditing
The International Auditing and Assurance Standards Board (IAASB) develops ISAs. The standard-setting process involves: consultation paper, exposure draft, public comment period, final standard. ISAs are principles-based, allowing professional judgement in application. Ghana has adopted ISAs as the basis for audit of financial statements. Candidates must understand the authority of ISAs and the due process behind them.
Professional Ethics for Auditors — IESBA Code of Ethics
The IESBA Code of Ethics for Professional Accountants (as adopted by ICAG) sets out the five fundamental principles and a threats-and-safeguards framework for managing ethical conflicts. Auditors face unique ethical pressures — independence is both a state of mind (independence in fact) and an appearance (independence in appearance).
The Five Fundamental Principles
Integrity: Honest and straightforward in all professional and business relationships — no false statements, no misleading information, no association with misleading financial statements
Objectivity: Not allowing bias, conflict of interest, or undue influence to override professional judgement — the cornerstone of audit credibility
Professional competence and due care: Maintaining the knowledge and skills required to deliver competent professional service; acting diligently and in accordance with applicable technical and professional standards
Confidentiality: Not disclosing client information to third parties without proper authority or legal/professional right — except where disclosure is required by law (e.g., regulatory reporting, court orders, anti-money laundering obligations) or permitted by the client
Professional behaviour: Complying with relevant laws and regulations; avoiding actions that bring discredit to the profession
Independence Threats and Safeguards
The threats-and-safeguards approach requires auditors to identify threats to independence, evaluate their significance, and apply safeguards to eliminate or reduce them to an acceptable level:
Self-interest threat: Financial interest in the client (shareholding, loan), fee dependency (one client represents a disproportionate share of revenue), contingent fees based on audit outcome. Safeguard: prohibitions on shareholding; fee thresholds (public interest entities — fees from one client should not exceed 15% of total practice income); fixed fee arrangements.
Self-review threat: Reviewing your own work — e.g., if the audit firm also prepared the financial statements or designed internal controls that are now being audited. Safeguard: separate teams for non-audit and audit services; prohibition on providing certain non-audit services to audit clients.
Advocacy threat: Promoting the client's position — e.g., acting as legal advocate or promoting the client's shares. Safeguard: restrictions on legal representation and promotional services.
Familiarity threat: Becoming too close to the client and too willing to accept their assertions — particularly after long tenure. Safeguard: mandatory audit partner rotation (7 years for partners on public interest entity audits in Ghana; cooling-off period before return).
Intimidation threat: Being pressured by the client to change the audit opinion, or threatened with removal if an adverse opinion is given. Safeguard: reporting to those charged with governance (audit committee); escalation within the firm; potential resignation with a statement of circumstances.
Ethical Issues Specific to Auditors
Acceptance of gifts and hospitality: Must not accept gifts of more than trivial value from audit clients — creates a self-interest threat and compromises objectivity
Second opinions: Providing a second opinion on accounting treatment to a company whose current auditor has given an unfavourable view — risks creating a 'forum shopping' situation. The IESBA Code requires the auditor to contact the existing auditor before accepting such an engagement.
Fee arrangements: Contingent fees tied to audit outcomes are prohibited. Referral fees must be disclosed.
Conflicts of interest: Acting for two clients whose interests conflict — must disclose to both and obtain consent, or decline.
Responding to non-compliance with laws and regulations (NOCLAR): ISA 250 and the IESBA NOCLAR provisions require auditors to escalate identified or suspected non-compliance through governance structures; in certain circumstances (particularly for regulated entities), to report directly to regulators, overriding confidentiality.
Section C: Accepting and Managing Engagements (10%)
Before accepting any audit or assurance engagement, the auditor must complete a thorough pre-engagement assessment. Accepting an engagement without proper due diligence creates professional and legal risk — and may result in the auditor being associated with a client whose integrity undermines the credibility of their work.
Pre-Engagement Acceptance Procedures
Ethical and Professional Considerations
Independence assessment — confirm there are no independence threats that cannot be mitigated by safeguards
Integrity of management and owners — background research on the prospective client, predecessor auditor communication, enquiries of third parties
Competence to perform the engagement — does the firm have the technical expertise, industry knowledge, and resources required?
Communication with predecessor auditor — professional requirement before accepting an engagement from an existing audit client of another firm; the predecessor must respond honestly about the professional reasons for the change
Legal and Regulatory Considerations
Client is a legal entity duly incorporated (Companies Act 2019 compliance)
No legal impediment to the firm acting as auditor (e.g., disqualification provisions under Act 992)
For regulated entities — confirmation that the appointment is subject to regulatory approval (Bank of Ghana, NIC)
Anti-money laundering — client due diligence (CDD) under Ghana's AML Act
Risk Assessment at Acceptance Stage
Inherent business risk: Risks specific to the client's industry, operating environment, and business model that could lead to material misstatement
Engagement risk: Risk that the firm will suffer financial loss, reputational damage, or professional sanctions from accepting the engagement — even if the audit is technically correct
Fraud risk indicators at acceptance: Prior instances of fraud, aggressive accounting policies, high management turnover, unusual related party transactions, prior auditor changes for non-routine reasons
Terms of Engagement — Engagement Letter
ISA 210 requires the auditor to agree the terms of the engagement with management before commencing. The engagement letter confirms:
The objective and scope of the audit
The responsibilities of the auditor and of management (management prepares financial statements; auditor expresses an opinion)
The applicable financial reporting framework (IFRS)
The expected form and content of the audit report
The basis for fee calculation
The engagement letter protects both parties and reduces the risk of misunderstanding — particularly important for first-time engagements. It should be updated when circumstances change significantly.
Section D: Planning for Engagements (15%)
Audit planning is the process by which the auditor determines the nature, timing, and extent of audit procedures. Effective planning ensures the audit is focused on the highest-risk areas, resources are allocated efficiently, and the engagement is completed on time and within budget. ISA 300 requires that planning be treated as a continuous, dynamic process — not a one-time activity.
Understanding the Business and Its Environment
ISA 315 requires the auditor to obtain an understanding of the entity and its environment sufficient to identify and assess the risks of material misstatement. Key areas:
Industry and regulatory factors: In Ghana — mining sector (GNPC, EPA obligations), banking sector (BoG regulations, capital adequacy), cocoa sector (COCOBOD pricing), real estate (Land Title Registry), manufacturing (import duties, energy costs)
Nature of the entity: Business operations, ownership structure, governance arrangements, investment and financing activities, accounting policies
Objectives and strategies: What is management trying to achieve? What are the key risks to those objectives?
Measurement and review of financial performance: What KPIs does management track? Preliminary analytical review of year-on-year changes and industry benchmarks — unexpected movements indicate higher risk
Internal control environment: The overall tone set by management regarding control (control environment) — a weak control environment elevates all risks
Audit Risk Model
Audit risk = Inherent risk × Control risk × Detection risk. The auditor cannot control inherent or control risk — they can only respond to them by adjusting detection risk through the nature, timing, and extent of audit procedures.
Inherent risk (IR): The susceptibility of an assertion to material misstatement, assuming no related controls. High for: complex transactions, management estimates, related party transactions, high-value/liquid assets, revenue near year-end
Control risk (CR): The risk that a material misstatement will not be prevented or detected by the entity's internal controls. Assessed through understanding and testing internal controls.
Detection risk (DR): The risk that the auditor's procedures will not detect a material misstatement that exists. Controlled by the auditor through the design of audit procedures — the lower the acceptable DR, the more extensive the testing required.
If IR and CR are high, the auditor must set DR very low — requiring more extensive and reliable audit procedures. If IR and CR are low, DR can be set higher — allowing more efficient (less extensive) testing.
Materiality
ISA 320 requires the auditor to determine materiality to guide the design of audit procedures and the evaluation of findings. Information is material if its omission or misstatement could influence the economic decisions of users. Materiality is a judgement — no mechanical formula exists. Common benchmarks used in practice:
Profit before tax: 5–10% (most common for profitable companies)
Revenue: 0.5–1% (for low-margin or loss-making companies)
Total assets: 1–2% (for asset-intensive businesses like banks or property companies)
Equity: 1–5% (for non-profit or early-stage entities)
Performance materiality (a lower threshold than overall materiality) is set to reduce the risk that uncorrected and undetected misstatements in aggregate exceed overall materiality — typically 50–75% of overall materiality.
Specific materiality may be set lower for particular items — e.g., directors' remuneration disclosures (always highly sensitive regardless of amount), related party transactions, regulatory capital ratios for banks.
Internal Controls — Understanding and Testing
Components of Internal Control (COSO Framework)
Control environment: The foundation — management's attitude to internal control, ethical values, governance structures, and oversight by those charged with governance. A weak control environment elevates all other risks.
Risk assessment: Management's process for identifying and responding to business risks — including fraud risk
Control activities: The specific policies and procedures that ensure management's directives are carried out — authorisations, reconciliations, segregation of duties, physical safeguards, IT controls
Information and communication: The systems that capture, process, and report financial information accurately and on time
Monitoring: Ongoing assessment of the effectiveness of internal controls — including internal audit
IT General Controls and Application Controls
IT General Controls (ITGCs): Controls over the IT environment that support the reliability of application controls — access controls, change management, operations controls, backup and recovery. If ITGCs are weak, all application controls built on that environment are unreliable.
Application Controls: Controls built into specific applications — input controls (validation checks, completeness checks), processing controls (batch totals, exception reports), output controls (reconciliation of output to input).
Transaction Cycles — Key Controls
The examiner tests controls in the three main transaction cycles:
Revenue/sales cycle: Authorisation of credit limits, customer order review, despatch matched to order, invoice matched to despatch note, statement reconciliations, segregation of cash handling and recording, regular bank reconciliation
Purchases/payables cycle: Authorisation of purchase orders, goods received note (GRN) matched to order and invoice (three-way match), segregation of ordering/receiving/payment functions, regular supplier statement reconciliations
Payroll/employee costs cycle: Authorisation of new employees and payroll changes, segregation of HR and payroll functions, independent review and approval of payroll, reconciliation of gross wages to PAYE/SSNIT returns
Tests of Controls vs. Substantive Procedures
Tests of controls: Designed to evaluate the operating effectiveness of controls in preventing or detecting material misstatements. If controls are effective, the auditor can reduce the extent of substantive testing.
Substantive procedures: Designed to detect material misstatements in account balances, transactions, or disclosures — regardless of the effectiveness of controls. Include: tests of details (directly testing individual transactions or balances) and substantive analytical procedures (using relationships between data to identify unexpected movements).
Sampling and Computer-Assisted Audit Techniques (CAATs)
Audit sampling: Applying audit procedures to less than 100% of a population to draw conclusions about the whole population. Statistical sampling provides a quantifiable measure of sampling risk; non-statistical sampling relies on professional judgement. Sample size depends on: tolerable error, expected error, confidence level, population size.
CAATs: Using the client's computer systems to extract and analyse data — test 100% of a population, identify unusual transactions, perform analytical procedures. Key CAATs: audit software (ACL, IDEA), test data, and integrated test facilities.
Data analytics: Using advanced statistical and visual techniques to analyse large datasets — identifying patterns, anomalies, and trends that manual testing would miss. Increasingly standard in Big Four and large firms.
AI in audit: Machine learning tools can identify high-risk transactions, predict audit findings, and automate routine testing — allowing auditors to focus human judgement on complex, high-risk areas.
Section E: Engagement Evidence (15%)
Audit evidence is any information used by the auditor to draw conclusions on which the audit opinion is based. ISA 500 requires auditors to obtain sufficient (enough) appropriate (relevant and reliable) audit evidence. The quality of evidence is as important as the quantity — more poor-quality evidence does not compensate for a lack of high-quality evidence.
Assertions Framework
The auditor designs tests to address specific management assertions about the financial statements. Understanding assertions is essential for designing effective audit procedures — every test should be mapped to one or more assertions.
Methods of Gathering Audit Evidence
Inspection of records and documents: Examining physical or electronic records — purchase invoices, contracts, board minutes, title deeds. Reliability depends on source (internal vs. external) and whether the document was created under controlled conditions.
Inspection of tangible assets: Physical examination — PPE, inventory. Confirms existence but not ownership, value, or completeness.
Observation: Watching a process being performed — e.g., inventory count, payroll distribution. Evidence is limited to the moment of observation.
Inquiry: Asking questions of management, employees, or third parties. Corroborative only — inquiry alone is not sufficient for any significant assertion.
Confirmation (external): Obtaining representations from third parties — bank confirmations, debtor circularisation, solicitor letters. Among the most reliable forms of evidence for specific assertions.
Recalculation: Re-performing mathematical calculations — depreciation schedules, interest calculations, VAT computations. Confirms accuracy but not the underlying data.
Re-performance: Independently re-executing a procedure — reperforming a bank reconciliation, reprocessing payroll. Highly reliable for the specific procedure tested.
Analytical procedures: Evaluating financial information through plausible relationships — comparing current year to prior year, actual to budget, industry benchmarks, ratio analysis. Effective for identifying anomalies requiring further investigation.
Reliability of Evidence
Key principles from ISA 500:
External evidence is more reliable than internal evidence
Evidence obtained directly by the auditor is more reliable than evidence obtained indirectly or by inference
Original documents are more reliable than photocopies or electronic versions (absent evidence of tampering controls)
Evidence from independent sources is more reliable than evidence from the client
Strong internal controls increase the reliability of internally generated evidence
Audit Procedures for Specific Balance Sheet Areas
Revenue and Receivables
Cut-off testing: Examine invoices and despatch records around year-end — confirm revenue is recognised in the correct period (completeness and occurrence)
Debtors' circularisation (ISA 505): Send confirmation requests directly to customers — positive confirmation requires response regardless; negative confirmation assumes no response means agreement (less reliable). Confirms existence, rights, and valuation.
Aged receivables review: Identify slow-moving and disputed balances — assess adequacy of allowance for doubtful debts (valuation assertion)
Analytical review: Compare receivables days to prior year and industry; compare revenue by product, region, or customer to identify unexpected movements
Inventory
Inventory count attendance (ISA 501): Observe management's inventory count — test count procedures, perform test counts, reconcile count results to accounting records. Confirms existence and completeness.
Net realisable value (NRV) testing: Review post-year-end sales prices; compare to cost; identify slow-moving, obsolete, or damaged inventory. Confirms valuation (IAS 2 — lower of cost and NRV).
Valuation of WIP: Review cost accumulation methods; test cut-off of material issues and labour allocation
Property, Plant and Equipment
Physical inspection: Confirm existence of major assets — useful for high-value or easily movable assets
Valuation evidence: For revalued assets — assess competence of valuer, review valuation report, evaluate reasonableness of assumptions
Title documents: Confirm rights and obligations — land certificates, vehicle registration documents
Depreciation review: Recalculate depreciation; review useful life estimates for reasonableness; confirm consistency of policy
Liabilities and Provisions
Creditor circularisation: Confirm balances with major suppliers — particularly useful for detecting unrecorded liabilities (completeness)
Post-balance sheet payment testing: Review payments made after year-end — confirm that all liabilities existing at year-end have been recorded (completeness)
Provisions review (IAS 37): Assess whether recognition criteria are met; evaluate management's estimate; consider legal correspondence, expert opinions
Section F: Audit Review (10%)
The audit review stage covers the completion procedures performed near the end of the engagement — before the auditor forms their final opinion. These procedures confirm that the financial statements remain appropriate in light of events occurring after the year-end, that going concern assumptions are sound, and that management's written representations have been obtained.
Subsequent Events (ISA 560)
Adjusting events: Events after the reporting date that provide evidence of conditions existing at the reporting date — e.g., a major customer going into administration after year-end (provides evidence of recoverability of the year-end receivable), discovery of fraud after year-end relating to the audit period. The financial statements must be adjusted.
Non-adjusting events: Events after the reporting date that relate to conditions arising after the reporting date — e.g., a fire destroying assets after year-end, a major acquisition after year-end. Disclose in notes if material, but do not adjust.
The auditor performs active subsequent events review up to the date of the audit report. After signing, the auditor has no active obligation — but if a material subsequent event comes to the auditor's attention before the financial statements are issued, ISA 560 requires the auditor to discuss with management and take appropriate action.
Going Concern (ISA 570)
ISA 570 requires the auditor to evaluate whether management's use of the going concern assumption is appropriate. The going concern assumption is fundamental — financial statements prepared on a going concern basis assume the entity will continue to operate for at least 12 months from the date of the audit report.
Going concern indicators (red flags):
Financial: Net current liability position, loan covenant breaches, inability to refinance debt, loss of major customer or contract, negative operating cash flows, significant deterioration in key ratios
Operational: Labour difficulties, loss of key management, dependence on a single supplier or customer, significant legal proceedings
Other: Regulatory non-compliance, changes in government policy, natural disasters
If material uncertainty about going concern exists: the financial statements must include adequate disclosure (IAS 1), and the auditor must include a material uncertainty related to going concern paragraph in the audit report. If management refuses to disclose adequately, the opinion is modified.
Written Representations (ISA 580)
Written representations are management's written confirmation of matters that the auditor cannot independently verify. They are a required form of audit evidence — but their reliability is limited (management is confirming their own assertions). Key representations: management acknowledges its responsibility for the financial statements, all transactions have been recorded, there are no undisclosed related party transactions, all subsequent events have been disclosed. A refusal to provide written representations is a scope limitation — the auditor would disclaim an opinion.
Analytical Procedures at the Conclusion Stage
ISA 520 requires the auditor to perform analytical procedures at or near the completion of the engagement as an overall review. The objective is to confirm that the financial statements are consistent with the auditor's overall understanding of the entity — not to identify specific misstatements (that is done during fieldwork). Unexpected relationships at this stage require further investigation.
Section G: Concluding and Reporting (10%)
Section G covers the auditor's final responsibilities — forming and communicating the opinion, modifying the report when necessary, and communicating other matters to those charged with governance.
Structure of the Audit Report (ISA 700)
A standard (unmodified) audit report includes:
Title (Independent Auditor's Report) and addressee (shareholders)
Opinion paragraph — stating whether the financial statements present fairly / give a true and fair view
Basis for Opinion paragraph — confirming the audit was conducted under ISAs and that the auditor is independent
Material uncertainty related to going concern (if applicable)
Key Audit Matters (KAMs) — for listed entities under ISA 701 (see below)
Other information — responsibilities regarding other information in the annual report
Responsibilities of management paragraph — management prepares the financial statements
Auditor's responsibilities paragraph — the auditor's objective is to obtain reasonable assurance
Signature, date, and address of the auditor
Emphasis of Matter vs. Other Matter Paragraphs (ISA 706)
Emphasis of Matter paragraph: Used to draw users' attention to a matter properly presented or disclosed in the financial statements that is fundamental to their understanding. Does not modify the opinion — the financial statements are not misstated. Example: a significant uncertainty about a pending litigation outcome that is already adequately disclosed.
Other Matter paragraph: Used to communicate a matter not presented or disclosed in the financial statements but relevant to users' understanding of the audit. Example: prior year financial statements were audited by a different firm.
Communicating with Those Charged with Governance (ISA 260 and ISA 265)
ISA 260: Requires the auditor to communicate significant audit findings to those charged with governance (usually the audit committee) — including: significant difficulties encountered during the audit, significant audit adjustments, matters relating to independence, other matters relevant to financial reporting oversight.
ISA 265: Requires the auditor to communicate significant deficiencies in internal control identified during the audit to management and those charged with governance. Significant deficiencies are communicated in writing; other (lesser) deficiencies may be communicated orally. The management letter (also called the letter of recommendations or the letter of weakness) is the formal communication of control deficiencies.
Key Audit Matters (ISA 701)
ISA 701 applies to audits of listed entities (and those that choose to comply voluntarily). Key Audit Matters are those matters that required significant auditor attention — the highest-risk or most judgement-intensive areas of the audit. Examples: goodwill impairment, revenue recognition in complex arrangements, valuation of financial instruments, going concern assessment. KAMs are not a substitute for a modified opinion — they are a transparency tool within an unmodified report.
Section H: Internal Audit (5%)
Internal audit is an independent appraisal function established within an organisation to examine and evaluate its activities as a service to the organisation. Unlike external audit (which serves shareholders), internal audit serves management and the board.
Internal vs. External Audit — Key Differences
Appointment: Internal auditors are employees (or contracted service providers) appointed by management/board; external auditors are appointed by shareholders
Objective: Internal audit — improve operations and add value to the organisation; external audit — provide an independent opinion on financial statements
Reporting: Internal audit reports to management and the audit committee; external audit reports to shareholders
Scope: Internal audit — whatever management/board directs (operational, financial, compliance, governance, risk); external audit — the financial statements
Independence: Internal audit — functionally independent of management, but employed by the entity; external audit — completely independent of management and the entity
Standards: Internal audit — IIA Standards (Institute of Internal Auditors); external audit — ISAs
The Internal Audit Agency (IAA) — Ghana
The Internal Audit Agency Act, 2003 (Act 658) established the IAA to coordinate, facilitate, and provide quality assurance for internal audit activities in Ministries, Departments and Agencies (MDAs) and Metropolitan, Municipal and District Assemblies (MMDAs). The IAA:
Sets standards and procedures for internal audit in the public sector
Provides training and capacity building for internal auditors
Monitors the quality of internal audit work across government
Reports to the Minister for Finance on the state of internal audit in the public sector
Outsourcing Internal Audit
The internal audit function may be outsourced to an external firm. Benefits: access to specialist expertise, cost efficiency, independence from internal politics, flexibility in scope. Risks: loss of institutional knowledge, potential conflict if the same firm provides external audit (self-review threat), reduced integration with operations. The audit committee should oversee the performance of the outsourced internal audit function.
Risk-Based Internal Audit
Modern internal audit is risk-based — the internal audit plan is driven by the organisation's risk register. High-risk areas receive more internal audit attention; lower-risk areas less. Risk-based internal audit aligns internal audit resources with where they add the most value and provides assurance to the board on the management of key risks.
Section I: Auditing in the Public Sector (10%)
Public sector auditing in Ghana has a distinct regulatory framework and set of objectives that differ significantly from private sector audit. Section I tests candidates' understanding of Ghana's specific public sector audit architecture and the techniques used in public sector assurance work.
Public Sector Audit vs. Private Sector Audit — Key Differences
Accountability: Public sector auditors are accountable to the public through Parliament — not to shareholders
Objectives: Public sector audit includes financial audit, compliance audit, and performance audit (3Es) — private sector audit focuses primarily on financial statements
Standards: ISSAI (International Standards of Supreme Audit Institutions) issued by INTOSAI; Ghana's Auditor-General applies these alongside ISAs
Materiality: Non-compliance matters may be material regardless of their financial value — a public official taking a GHS 100 bribe is a material compliance failure even if the amount is financially trivial
Reporting: Reports to Parliament; made public; subject to parliamentary scrutiny through the Public Accounts Committee (PAC)
Ghana's Public Sector Audit Architecture
The Auditor-General: Established by Article 187 of the 1992 Constitution; independent of the executive; audits all public accounts of Ghana and reports to Parliament; has power to disallow and surcharge public officers for improper expenditure
The Audit Service Act 2000 (Act 584): Gives operational independence to the Auditor-General; sets out the mandate and powers of the Ghana Audit Service
The Public Financial Management Act 2016 (Act 921): Governs the management of public finances — the Auditor-General audits compliance with this Act
The Public Procurement Act 2003 (Act 663) as amended (Act 914): Public procurement is a key area of compliance audit — the Auditor-General reviews procurement processes for adherence to the Act
The Internal Audit Agency Act 2003 (Act 658): Coordinates public sector internal audit (see Section H)
The Public Accounts Committee (PAC): Parliamentary committee that reviews the Auditor-General's reports and holds public officials accountable for audit findings
Compliance Audit in the Public Sector
Compliance audit assesses whether an entity has complied with applicable laws, regulations, contracts, and grant conditions. In the Ghanaian public sector, key compliance areas include:
Public Financial Management Act 2016 — budget preparation, approval, execution, and reporting procedures
Public Procurement Act 2003 (as amended) — procurement methods, approvals, and documentation
Local Governance Act 2016 (Act 936) — for MMDAs, compliance with local government financial regulations
Conditions of grants and donor funds — many Ghanaian public sector entities receive funds from international donors (World Bank, IMF, bilateral donors) subject to specific spending and reporting conditions
Performance Audit in the Public Sector
Performance audit (also called value for money audit) evaluates the economy, efficiency, and effectiveness of public sector programmes and entities:
Economy: Were resources acquired at minimum cost? Avoid waste and overpaying for inputs.
Efficiency: Were resources used productively? Maximum output from a given input, or minimum input for a given output.
Effectiveness: Were the intended outcomes achieved? Did the programme actually deliver its policy objectives?
Performance audit requires the auditor to define relevant output and outcome measures, gather evidence on actual performance, and compare against standards or targets. It is more judgement-intensive than financial or compliance audit — there are rarely definitive 'right answers'.
Public Expenditure and Financial Accountability (PEFA) Framework
The PEFA framework provides a methodology for assessing the strength of a country's public financial management (PFM) system. It uses a set of high-level performance indicators covering: budget credibility, comprehensiveness and transparency, policy-based budgeting, predictability and control in budget execution, accounting and reporting, and external scrutiny and audit. Ghana participates in PEFA assessments, which are used by donors, Parliament, and government to track PFM improvements over time.
How to Pass ICAG Paper 2.3 Audit and Assurance
Learn Audit as a Process, Not a List of Rules: The most effective exam strategy for Paper 2.3 is to internalise the audit process as a logical sequence: accept (assess risk and independence) → plan (understand the business, assess risk, determine materiality) → execute (gather evidence addressing assertions) → complete (subsequent events, going concern, representations) → report (form and communicate opinion). When you understand the 'why', the specific requirements of each ISA make intuitive sense.
Master Professional Ethics — It's Everywhere: Ethics is not a standalone topic in Paper 2.3 — it permeates every section. In acceptance questions, ethics drives the decision. In planning questions, independence threats affect the audit approach. In reporting questions, pressure to modify the opinion is an ethical issue. Know the five fundamental principles and the five independence threats instinctively, and practise applying them to specific scenarios in clear, concise prose.
Know Your ISAs: The examiner tests specific ISA requirements — not just general audit concepts. Know the key requirements of: ISA 200, 210, 240, 250, 260, 265, 300, 315, 320, 330, 402, 500, 501, 505, 520, 540, 560, 570, 580, 700, 701, 705, 706, 720. MSL provides an ISA summary reference for each class session, so you always know which standard applies to the scenario.
Practise Writing Procedures: A common exam question asks candidates to describe the audit procedures they would perform for a specific balance or transaction class. Generic answers score few marks. Effective answers specify: the source of the evidence (document, confirmation, observation), the assertion being tested, and the expected finding. Practise writing procedures in 'VOCA' format: Verb (inspect, confirm, recalculate) + Object (the document or item) + Criterion (what makes it correct) + Assertion (which audit objective it addresses).
Study the Ghanaian Context Thoroughly: Paper 2.3 tests Ghana-specific regulatory knowledge — Companies Act 992, Bank of Ghana audit requirements, the Auditor-General's mandate under Article 187 of the Constitution, the Internal Audit Agency Act, and the public procurement framework. MSL's teaching is fully contextualised to the Ghanaian regulatory environment — not a generic international approach.
Why Study Paper 2.3 at MSL Business School?
What Makes MSL Different for Paper 2.3
Experienced audit lecturers with Big Four Ghana practice backgrounds
Ghana-specific regulatory content — Companies Act 992, BoG directives, IAA Act, Auditor-General's mandate
Live online classes with real-time Q&A — work through audit risk scenarios and ethics cases with your lecturer
ISA-by-ISA teaching approach — linking each standard to practical application in Ghanaian audit contexts
Same-day class recordings — review complex audit planning and reporting content at your own pace
The MSL App — ethics scenarios, ISA summaries, procedure-writing practice, and progress tracking
Mock examinations with detailed written feedback on audit procedures, report drafting, and ethical reasoning
2,000+ successful ICAG students — Ghana's most proven tuition track record
40+ national awards including Overall Best Graduating Student across all three ICAG sittings in 2024
ICAG-Approved Partner in Learning
Register for ICAG Level 2 Tuition at MSL Business School Today
Contact us via WhatsApp, email, or through the MSL App to enrol in our next Paper 2.3 Audit and Assurance class. Our team will match you with the right study plan to pass first time.
📞 Call or WhatsApp us: 053 050 4026
🌐 Apply online: mslbusinessschool.com/icag
Our team will confirm which papers you need to sit, advise on any exemptions, and get you enrolled in the right programme for your next sitting.
Related Pages:
ICAG Tuition — Enrol at MSL Business School
ICAG Level 2 Tuition — Overview of all six Application Level papers
ICAG Level 3 Tuition — Professional Level preparation
ICAG Level 1 Tuition — Knowledge Level preparation
How to Become a Chartered Accountant in Ghana — Complete ICAG Guide
MSL Business School Awards — Ghana's most successful ICAG students