ISA 300 : Planning an Audit of Financial Statements

Where planning fails

Before we get into the standard itself, I want to be direct about what actually goes wrong with audit planning, because ISA 300 reads differently once you understand the failure patterns it was designed to address.

The most common failure is not skipping planning. Almost nobody skips it entirely. The failure is static planning: a strategy document that gets locked down in October and never responds to what the team finds during the audit. The junior discovers an unexpected related-party transaction in December. The plan does not change. A control test fails in January. The plan does not change. The numbers come in 15% above forecast. The plan does not change. At the review stage, the working papers show a straight line from the original plan to the final opinion, as if nothing unexpected happened along the way.

Regulators have caught onto this. The FRC, AFM, and WPK all look for the same thing: evidence that the auditor updated the plan in response to emerging information. A plan that never changes is a plan that was never responsive to what the audit actually found.

The second failure is conflating strategy with plan. I think this matters more than most guidance suggests, because when teams treat the strategy and the plan as a single document, they lose the ability to step back and ask whether the overall approach still makes sense. They get trapped in procedure-level detail without questioning whether the direction is right.

The objective of the auditor

ISA 300.4 states the objective:

What actually happens: teams read “effective” and think “efficient.” They are not the same thing. Efficient means getting through the work quickly. Effective means the audit achieves its overall objective under ISA 200 , which is obtaining reasonable assurance about whether the financial statements (FS) are free from material misstatement. An audit can be efficient and still miss risks, because efficiency optimises for speed while effectiveness optimises for coverage and quality of evidence.

I think the single-word objective (“effective”) is doing more work than it appears to do. It means identifying the right risks, deploying resources to the areas that matter, obtaining sufficient appropriate evidence, and reaching defensible conclusions. Planning is what connects those outcomes to the people doing the work.

Preliminary engagement activities

I have seen firms start planning in detail before confirming that they should still be on the engagement at all. ISA 300.6 requires preliminary activities before detailed planning begins, and the sequence matters.

What actually happens in practice: the team rolls into planning assuming continuance is automatic. Then, halfway through fieldwork, someone surfaces a conflict or an integrity concern that should have been caught at acceptance. By that point, the firm has committed resources, set timelines, and made commitments to the audit committee. Unwinding is painful and expensive.

The three preliminary activities are:

Independence and ethics evaluation. Under ISA 220 , the EP must form a conclusion on compliance with independence requirements before committing resources. This is not a form to file. It is a genuine assessment of whether the firm, the partner, and the team members have threats to independence that need to be addressed or that preclude acceptance.

Acceptance and continuance. Has new information emerged since last year? Integrity concerns about management, significant changes in the entity, potential scope limitations, fee pressure that would compromise quality. For initial engagements, this includes communication with the predecessor auditor.

Terms of engagement. Under ISA 210 , the auditor agrees the terms with management and confirms that the preconditions for an audit exist. This includes confirming that management accepts responsibility for the FS, for internal control, and for providing unrestricted access to information.

These gates exist to stop planning effort from being wasted on an engagement the firm should walk away from. They belong at the front of the process, not alongside it.

Overall audit strategy vs. audit plan

ISA 300 distinguishes between two planning outputs, and the distinction is not academic. Getting this wrong creates a planning document that is either too vague to direct fieldwork or too granular to reveal whether the overall approach makes sense.

The overall audit strategy

The strategy is the high-level framework ( ISA 300.7 –8). It answers the question: given what we know about this entity, where should this audit focus, and what resources does it need?

The strategy is typically documented as a memorandum or summary document. It should be concise enough to communicate the key decisions to the team, not a 30-page document that nobody reads.

The audit plan

The plan is the detailed programme ( ISA 300.9 ). It describes:

• The nature, timing, and extent of planned risk assessment procedures ( ISA 315 ).
• The nature, timing, and extent of planned further audit procedures at the assertion level, covering tests of controls and substantive procedures ( ISA 330 ).
• Other planned procedures required to comply with ISAs, such as communications with governance ( ISA 260 ), obtaining written representations ( ISA 580 ), and performing overall analytical procedures ( ISA 520 ).

The plan is more granular and evolves as the audit progresses. Once risk assessment procedures are performed and results are in, the planned further audit procedures will almost certainly need to change.

Planning is iterative (not a phase)

ISA 300.2 and A13 are direct about this: planning is not something that happens at the start and ends when fieldwork begins. It is a continual and iterative process running from acceptance through to completion.

What actually happens: a senior or manager finalises the plan in October or November, the team begins fieldwork, and the plan sits in the file untouched until the completion meeting. I think this is the single most common ISA 300 compliance gap, because the standard explicitly requires the strategy and plan to be updated as circumstances change ( ISA 300.10 ).

Here is a worked example of how this should play out. You are auditing a mid-size manufacturing client. Your October strategy identifies revenue recognition and inventory valuation as the two significant risk areas. In December, during interim testing, the team discovers that the client’s CFO resigned and was replaced by someone with no public-company experience. In January, the new CFO adopts a different capitalisation policy for tooling costs, reversing three years of consistent treatment. Your original plan has no procedures for tooling capitalisation because it was immaterial under the old approach. Now it is not.

If the plan does not change, the audit misses a material risk that emerged after planning. If the plan changes but you do not document why, the working papers (WP) show a gap between the original strategy and the work performed. Either outcome creates a quality finding.

Common triggers for plan revisions include:

• Unexpected results during substantive testing that suggest the initial risk assessment was wrong.
• New information about the entity (a significant transaction, a personnel change, a litigation claim, or a going concern indicator).
• Scope changes. You discover that a service organisation processes more transactions than initially understood, or a component previously considered immaterial has become significant.
• Resource shifts. A key team member leaves the engagement, forcing reallocation of work and possibly a change in the supervision approach.

ISA 300.10 requires the auditor to update and change the overall audit strategy and audit plan as necessary during the audit. This is not optional. It is a requirement.

Involvement of key engagement team members

ISA 300.5 requires the EP and other key members of the engagement team to be involved in planning. The standard says “involved,” not “informed.” There is a difference.

What actually happens: the manager writes the strategy, the partner reviews it and signs off, and nobody pretends the partner was “involved” in any meaningful sense. I think firms underestimate the risk here, because ISA 220 makes EP involvement in planning a quality management requirement. When an inspector asks the partner to walk through the rationale for the strategy, a partner who rubber-stamped someone else’s work cannot do it convincingly.

“Other key members” typically means the audit manager and senior team members responsible for significant risk areas. For group audits, this may include representatives from component audit teams. The point is that people with relevant experience should contribute to planning decisions, not just execute procedures someone else designed.

For smaller engagements, where the EP may be working with one team member or none, ISA 300 .A11 acknowledges that planning can be more straightforward. A brief memorandum from the prior year, updated for current-year changes, may suffice as the audit strategy. But even here, the EP must actively set the direction rather than default to last year’s approach.

Direction, supervision, and review

ISA 300.11 requires the auditor to plan the nature, timing, and extent of direction and supervision of engagement team members and the review of their work. This is not a separate activity bolted onto planning. It is part of planning.

What actually happens: direction means handing a junior the audit programme and saying “start with cash.” Supervision means checking in once a week. Review means looking at the WP the night before the file goes to the partner. None of that meets the standard’s intent, which is that the level of direction and supervision should be planned based on the assessed risks and the capabilities of the team.

The factors that drive the intensity of direction and supervision ( ISA 300 .A14):

• Entity size and complexity. A multinational with operations in twelve countries requires more structured direction than a single-entity SME.
• The area of the audit. High-risk areas (estimates, revenue recognition, related parties) require closer supervision than routine cash or prepayments testing.
• The assessed risk of material misstatement (RoMM). Higher-risk areas demand more detailed instructions about what to do and more thorough review of what was done.
• Team capability. A first-year associate testing a complex estimate needs different direction from a five-year senior testing trade receivables.

This connects directly to ISA 220 ’s quality management requirements. I think the planning-supervision link is underappreciated, because when supervision fails, the root cause is almost always a planning failure: nobody planned who would supervise what, or at what level of detail.

Additional considerations for initial engagements

Initial engagements carry planning risks that recurring audits do not. ISA 300.13 identifies these, but I want to flag what trips teams up in practice.

The predecessor auditor conversation is legally required in many jurisdictions and ethically required everywhere. What actually happens: the incoming team sends a perfunctory letter, gets a perfunctory response, and files both without extracting any useful information. The conversation should surface whether there were disagreements with management, unresolved accounting issues, concerns about integrity, or reasons the predecessor chose not to stand for reappointment. If the predecessor is evasive, that itself is information.

• Opening balances. ISA 510 requires sufficient appropriate evidence about opening balances. For an initial engagement, this may mean reviewing the predecessor’s WP (subject to professional protocols) or performing additional procedures. I have seen teams underestimate the effort here, particularly for entities with complex provisions or long-tail liabilities where the opening position drives the current-year balance.
• Acceptance procedures. ISA 220 requires the firm’s acceptance procedures to be completed before the engagement begins. For a new client, this is not a formality. It is a genuine risk assessment about whether the firm has the competence, capacity, and independence to take on the work.

Documentation

Here is a legitimate disagreement in the profession: how much planning documentation is enough? ISA 300.12 requires documentation of the overall audit strategy, the audit plan, and any significant changes made during the engagement along with the reasons for those changes. But the standard does not prescribe a format or a length.

Some firms produce 40-page planning documents for every engagement because they are afraid of inspection findings. Other firms produce bare-minimum memos because they believe the work speaks for itself. I think both extremes miss the point. The documentation needs to do one thing well: enable someone who was not on the engagement to understand the key planning decisions and why they were made. If a 3-page memo does that, it is sufficient. If a 40-page document does not explain the rationale behind the decisions, it fails despite its length.

What regulators actually look for is not volume. It is evidence that the plan responded to emerging information.

ISA 300 in your jurisdiction

Netherlands. COS 300 follows ISA 300 closely. AFM inspections have consistently focused on planning quality. The AFM’s specific concern is whether the audit strategy reflects a genuine understanding of the entity’s risks or whether it is a SALY rollforward of the prior year with updated dates. They expect to see evidence that the EP was substantively involved in planning and that the strategy was tailored to the entity’s specific circumstances.

Germany. IDW PS 300 adapts ISA 300 for the German context. German practice integrates planning with the Prüfungsplanung (audit planning) requirements of the WPO, which require detailed documentation of the planned audit approach. The WPK’s inspections examine whether planning is responsive to entity-specific risks and whether the Prüfungsbericht reflects the planned approach.

United Kingdom. ISA (UK) 300 is substantively aligned with ISA 300 . The FRC’s inspection findings regularly cite planning as a root cause of audit quality issues. Their three recurring themes: insufficient consideration of fraud risks during planning, inadequate tailoring of the plan to entity-specific circumstances, and failure to update the plan in response to findings during fieldwork.

France. NEP 300 implements ISA 300 within the French statutory framework. French practice integrates planning with the legal timetable of the mandat (audit appointment), which typically runs for six financial years. This multi-year context allows French commissaires aux comptes to develop a longer-term audit strategy (the plan de mission) that considers the entity’s evolution across the mandate period. This is unusual internationally and creates a different planning rhythm from the annual cycle used elsewhere.

Frequently asked questions

What is the difference between the overall audit strategy and the audit plan?

The strategy sets the high-level scope, timing, and direction. It determines what the audit will cover, when, and with what resources. The plan contains the detailed procedures (the specific nature, timing, and extent of risk assessment and further audit procedures at the assertion level). The strategy guides the development of the plan. In practice, the strategy answers “what are we trying to do?” and the plan answers “how exactly will we do it?”

Is planning done once at the beginning of the audit?

No. Planning is iterative and continuous. The initial strategy and plan are developed before fieldwork begins, but both must be updated as the audit progresses and circumstances change. ISA 300 explicitly requires updates when necessary. A plan that does not change during the engagement is almost certainly a plan that was not responding to what the audit found.

Who is responsible for planning?

The EP has overall responsibility and must be involved in establishing the strategy and identifying significant risks. Other key team members should participate to contribute their experience. Planning responsibilities can be delegated to experienced team members for specific aspects, but the partner retains oversight and cannot delegate the strategy itself.

Does the auditor need to communicate the plan to those charged with governance?

Yes. ISA 260 requires the auditor to communicate an overview of the planned scope and timing to those charged with governance. The auditor should be careful not to make procedures too predictable, particularly regarding fraud risk responses.

How detailed should planning documentation be?

This depends on the engagement. For a large listed entity, the documentation will be extensive (separate strategy and plan documents, detailed resource allocations, risk matrices). For a smaller entity, a brief memorandum covering the key decisions may be sufficient. The test is whether someone reviewing the file can understand what decisions were made and why.

Further reading and source references

• IAASB Handbook 2024: ISA 300 full text. The authoritative source including all application material and the appendix of matters the auditor may consider in establishing the strategy.
• ISA 315 (Revised 2019): Identifying and Assessing the Risks of Material Misstatement. The standard that drives the risk assessment component of planning.
• ISA 320 : Materiality in Planning and Performing an Audit. The materiality determination that shapes the scope of the plan.
• ISA 220 (Revised): Quality Management for an Audit. The EP’s responsibilities for planning and supervision.
• ISA 210 : Agreeing the Terms of Audit Engagements. The preliminary engagement activities referenced in ISA 300 .

This guide reflects the ISA 300 text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.

Related ciferi content

Related guides:

Put audit concepts into practice with these free tools: