What is an audit plan?

Most audit plans we see at mid-tier firms read like a shopping list. "Test a sample of trade receivables." "Perform substantive testing on revenue." No assertion, no link to an assessed risk, no team member named. Copy-forward plans that haven't been touched since the last engagement are where planning becomes a tick-box exercise, and they are the first thing a reviewer flags.

ISA 300.7 requires the auditor to develop an audit plan describing the nature, timing, and extent of (a) planned risk assessment procedures under ISA 315, (b) further audit procedures at the assertion level under ISA 330, (c) other procedures required to comply with the ISAs, and (d) direction, supervision, and review of the engagement team's work. Planning is not a phase that ends when fieldwork begins. ISA 300.A12 treats it as continuous, and ISA 300.10 requires the auditor to update the overall audit strategy and the plan whenever new information shifts the risk picture during the audit.

When risk assessment procedures turn up something the team didn't anticipate (a new covenant, a restated comparative, a change in key personnel), the plan has to move with it. At most firms this is where things slip: the risk assessment gets updated, but nobody re-opens the plan to change the assertion-level procedures. That disconnect is what we usually find when we read a file cold.

Strategy and plan are not the same document. Strategy sets scope, timing, and direction at the engagement level. The plan converts that direction into specific procedures at the assertion level, with sample sizes, procedure timing, team member assignments, and review responsibilities. Strategy tells you what to focus on. The plan tells each team member exactly what to do about it.

Key Points

  • ISA 300.7 requires assertion-level specificity. Generic procedures like "perform substantive testing on revenue" are not sufficient.
  • Planning is continuous, not a phase that ends when fieldwork begins. ISA 300.A12 requires ongoing reassessment.
  • ISA 300.10 mandates updates whenever new information changes the risk picture during the engagement.
  • The plan must link procedures to assessed risks, not just list procedures in isolation from the risk assessment.
  • Strategy drives plan. If procedures appear in the plan without a corresponding risk identified upstream, the file has a gap a reviewer will find.

Why it matters in practice

The FRC's 2023 annual inspection report flagged audit plans that did not reflect changes identified during fieldwork. Teams produced planning documents at the start of the engagement and never revisited them, even when interim testing revealed new risks or the risk assessment changed materially mid-audit. In regulatory language, the plans were "not updated in response to changes in the assessed risks." In our experience, what that actually means is that someone rolled forward last year's plan, nobody re-opened it in November, and the file closed with a plan that pre-dated half of what the team found.

The most common weakness is generic procedures. Teams produce plans with broad descriptions (most frequently some variant of "perform substantive testing on revenue" or "test a sample of trade receivables") without linking each procedure to a specific assertion or assessed risk. ISA 300.7(b) requires the plan to describe further audit procedures at the assertion level for each material class of transactions, account balance, and disclosure. A plan that does not connect procedures to assertions does not meet this requirement. This is the weakness that generates the most review notes during EQCR, because it's visible within thirty seconds of opening the plan.

ISA 330.6 reinforces the link by requiring the auditor to design further audit procedures whose nature, timing, and extent respond to the assessed risks of material misstatement at the assertion level. If the plan does not say which assertions each procedure addresses, there is no way for a reviewer to demonstrate the response is appropriate to the risk. We usually write the assertion in the procedure description itself (for example, "test cut-off assertion for revenue by examining 15 invoices either side of year-end") because it survives copy-forward better than a separate column.

Key standard references

  • ISA 300.7–9. Requirements for the audit plan, including assertion-level procedures.
  • ISA 300.10. Requirement to update the strategy and plan when new information emerges.
  • ISA 300.A12. Application guidance confirming that planning is continuous throughout the engagement.
  • ISA 330.6. Assertion-level responses to assessed risks of material misstatement.

Frequently asked questions

What is the difference between the audit plan and the audit strategy?

The strategy (ISA 300.7) sets scope, timing, direction, and resourcing at the engagement level. The plan translates that into specific procedures at the assertion level with sample sizes, timing, and team member assignments. The strategy rarely changes mid-engagement; the plan almost always does.

Must the audit plan be updated during fieldwork?

Yes. ISA 300.10 requires revision whenever new information changes the risk assessment. Copy-forward plans that ignore interim findings are the most common documentation gap flagged in inspections.
