ISA 300 Planning an Audit: The Planning Memorandum Structure

You're starting a new engagement. The prior-year file has a planning memo that's three pages of boilerplate copied from the methodology manual, with the client's name inserted. The risk assessment is generic. The materiality calculation references the wrong year's financials. The partner signed it two months after fieldwork started. None of this is unusual, and all of it is a problem.

To plan an audit under ISA 300, the engagement partner establishes an overall audit strategy (ISA 300.7-8) that documents the scope, timing, and direction of the audit, then develops an audit plan (ISA 300.10-11) that translates the strategy into specific procedures. The planning memorandum is the practical document that captures both, and it must be completed before substantive fieldwork begins.

What ISA 300 requires and why the planning memo matters

ISA 300.7 requires the auditor to establish an overall audit strategy that sets the scope, timing, and direction of the audit, and guides the development of the audit plan. ISA 300.8 adds that in establishing the overall strategy, the auditor must identify the characteristics of the engagement that define its scope, ascertain the reporting objectives to plan the timing, and consider the factors that are significant in directing the engagement team's efforts.

This isn't a formality. The planning memo is the document that connects your understanding of the client to the work you're going to do. When a quality reviewer opens your file, the planning memo is typically the first document they read. It tells them whether you understood the engagement before you started testing, or whether you backed into a plan after the fact.

ISA 300.9 requires the overall audit strategy to be documented. ISA 300.10-11 require the audit plan (the detailed procedures) to be documented. In practice, most non-Big 4 firms combine these into a single planning memorandum, and this is acceptable provided both elements are present.

The standard also requires the planning to be completed before substantive fieldwork begins. A planning memo dated after the start of fieldwork, or a memo that references information obtained during fieldwork, indicates that planning was performed retrospectively. Inspection bodies flag this consistently.

Overall audit strategy vs audit plan

ISA 300 distinguishes between the overall audit strategy (the high-level plan) and the audit plan (the specific procedures). ISA 300.9 describes the strategy as setting scope, timing, and direction. ISA 300.10 describes the plan as including the nature, timing, and extent of planned risk assessment procedures, planned further audit procedures at the assertion level, and other planned procedures required by the ISAs.

In practice, the distinction looks like this. The overall audit strategy says: "Revenue is a significant account, revenue recognition fraud risk is presumed under ISA 240, and we will perform detailed testing of a sample of revenue transactions in Q4 with interim procedures in October." The audit plan says: "Select 25 sales invoices from the October-December period, agree to delivery documentation and signed contracts, recalculate revenue recognition timing against IFRS 15 criteria, and test a further 15 credit notes issued in January for cut-off."

The planning memorandum captures the strategy. The detailed audit programme (a separate document or set of working papers) captures the plan. Some firms combine both into the planning memo by appending a procedures schedule. Either approach works provided the ISA 300.10-11 requirements are met.

Section 1: engagement context

This section answers the question: what do we need to know about this client before we plan the audit?

It covers the entity's legal structure, ownership, governance, the applicable financial reporting framework (Dutch GAAP, IFRS, German HGB), the nature of the business, significant changes since the prior year, and any regulatory requirements specific to the engagement.

Keep it factual and current. If the client changed its articles of association, acquired a subsidiary, lost a major customer, or changed its IT system during the year, it goes here. If nothing changed, state that explicitly. A blank section is worse than a section that says "No significant changes from the prior year."

Include the engagement terms. Reference the engagement letter date, the financial year being audited, the applicable standards (ISAs as adopted in the jurisdiction), the reporting deadline, and any special reporting requirements (management letter, compliance report, group reporting package).

ISA 300.A5 notes that the auditor considers the results of preliminary engagement activities (ISA 300.6), including the ISA 220 engagement acceptance and continuance evaluation. Reference the conclusion from that evaluation rather than repeating it.

This section should be one to two pages for a standard mid-market engagement. If it runs longer, you're including detail that belongs in the permanent file.

Section 2: materiality

The planning memo documents the materiality calculation and the rationale. This is the ISA 320 determination, but it's recorded in the planning memo because materiality drives every subsequent decision in the plan.

State the benchmark chosen (revenue, profit before tax, total assets, or another appropriate benchmark), the percentage applied, the resulting overall materiality, the performance materiality (the reduced figure used to set scope, typically 60-75% of overall materiality), and the clearly trivial threshold (the amount below which misstatements won't be accumulated, typically 3-5% of overall materiality).

Document why you chose that benchmark. For a loss-making entity, profit before tax may not be stable. Revenue or total assets may be more appropriate. For a holding entity with minimal revenue, total assets is often the right benchmark. The rationale matters more than the number.

If the entity is part of a group, state the component materiality allocated by the group engagement team and compare it to the standalone materiality. The lower figure drives the audit.

Cross-reference to the detailed materiality working paper if the full calculation sits outside the memo. The memo should contain the conclusion and key judgements, not necessarily every calculation step.

Section 3: risk assessment approach

This section documents how you'll identify and assess the risks of material misstatement. It's the bridge between understanding the entity (section 1) and identifying the key audit areas (section 4).

ISA 300.8(c) requires the auditor to consider factors that are significant in directing the engagement team's efforts. The risk assessment approach section describes those factors.

Cover four areas. First, the sources of information you'll use for the risk assessment: prior-year working papers, management discussions, analytical procedures on interim or prior-year financials, industry knowledge, and the results of any walkthroughs or controls testing. Second, the significant audit areas you've identified from the preliminary risk assessment (these feed into section 4). Third, the fraud risk assessment approach, referencing ISA 240 requirements for the team discussion and management inquiries. Fourth, the areas where you expect to use a controls-reliance strategy versus a purely substantive approach, and why.

For a continuing engagement, the prior-year file is your starting point. What misstatements were found? What control deficiencies were reported? What changed in the business? A good risk assessment section explains how this year's plan responds to what you already know.

For a first-year engagement, the risk assessment section will be longer because you're building the understanding from scratch. ISA 510 procedures for opening balances intersect with planning here. Reference those procedures in the plan.

Section 4: key audit areas

List the areas that will receive the most audit attention and explain why. This section is not a list of every account balance. It's a list of the areas where the risk of material misstatement is highest or where significant judgement is involved.

For each key area, state the financial statement line item, the relevant assertion(s), why it's a key area (significant balance, complex accounting treatment, history of misstatements, susceptibility to fraud, estimation uncertainty), and the planned audit approach (substantive testing, test of controls, combination).

Be specific. "Revenue" is not a key area description. "Revenue recognition timing for long-term construction contracts under IFRS 15, including the percentage-of-completion estimates and variable consideration constraints" is a key area description. The specificity forces you to think about what you're actually going to test and why.

ISA 300.A7 notes that the auditor's identification of significant risks under ISA 315 affects the audit plan. If you've identified a significant risk (revenue recognition fraud, management override, going concern), it must appear in this section with a specific planned response. Significant risks cannot be addressed through standard procedures alone.

Limit this section to four to eight key areas for a mid-market engagement. If you have more than eight, you're either auditing a complex entity (in which case the planning memo will be longer) or you're not prioritising.

Section 5: team allocation and specialist needs

Document who is doing what. Name the engagement partner, the engagement quality reviewer (if applicable), the audit manager, the senior, and the number of staff assigned. For each team member, state their allocated responsibilities (which sections of the audit they're responsible for).

If the engagement requires a specialist (ISA 620), state the area requiring specialist input, the specialist to be engaged, and the timing of the specialist's work. Common specialist needs on mid-market engagements include valuations for investment property or goodwill impairment, actuarial input for pension obligations, IT audit support for ERP system controls, and tax specialists for deferred tax positions.

ISA 300.A8 notes that the engagement partner considers the nature, timing, and extent of the direction, supervision, and review required for the engagement. The team allocation section documents this consideration. If the engagement includes junior team members working on high-risk areas, the planning memo should specify the supervision arrangements.

This section is also where you note any component auditors for group engagements. Reference the ISA 600 group audit instructions and the component materiality allocation.

Section 6: timing and deadlines

Document the timeline: when planning is completed, when interim procedures occur, when year-end fieldwork starts and ends, when the draft financial statements are expected from the client, when the management letter is due, and when the audit report is signed.

ISA 300.A12 notes that the timing of certain procedures depends on the auditor's assessment of the risks of material misstatement. Procedures for higher-risk areas may need to be performed closer to the period end. The timing section should reflect this: if inventory observation is a key procedure, state the date and location. If bank confirmations need to be sent, state the expected dispatch date.

Include the client's deadlines. If the entity has a statutory filing deadline, a group reporting package deadline, or a regulatory submission date, record those. The audit timeline works backward from the earliest binding deadline.

Also document the planned communications. ISA 260 requires communication with those charged with governance on planning matters, significant audit findings, and the auditor's opinion. State when the planning communication will occur and when the completion communication is expected.

For recurring engagements, note any changes from the prior-year timeline and the reason (earlier deadline, late financial statements last year, new group requirement).

Planning for smaller entities

ISA 300.A2-A4 acknowledge that the planning process for smaller entity audits can be simpler. A sole-practitioner audit of a small BV with €2 million in revenue does not require the same planning infrastructure as a group audit of a €200 million holding company.

For smaller entities, the overall audit strategy and audit plan can be combined into a brief memorandum. The key sections still exist, but they can be shorter. Engagement context might be half a page. Materiality is a single paragraph with the calculation. Risk assessment can reference the prior year with updates. Key areas might be two or three items. Team allocation might be "Partner and one assistant, two weeks fieldwork."

What ISA 300.A3 does not permit is skipping the planning entirely. Even for the smallest engagement, the auditor must document the scope, timing, and direction of the audit before starting substantive work. A one-page planning memo that covers all six sections is acceptable. No planning memo at all is not.

The AFM's inspection findings on smaller engagements consistently flag planning deficiencies: no documented overall strategy, materiality not set before fieldwork, risk assessment performed after testing was complete. These are the same findings that appear on larger engagements, but they're more common on smaller ones because the perceived time pressure is higher and the planning "payoff" feels lower.

The payoff is real. A 30-minute planning exercise that identifies two key risk areas and sets a focused scope saves hours of unfocused testing later. Planning for small engagements isn't about documentation volume. It's about thinking before testing.

Worked example: planning memo for Larsson Teknik AB

Scenario: Larsson Teknik AB manufactures industrial sensors in Gothenburg, Sweden. Revenue for the year ended 31 December 2025 was €18 million. Larsson is a private company with 65 employees, audited under ISAs as adopted in Sweden. The engagement is a continuing engagement (third year). The engagement partner is also the sole practitioner. One audit assistant will perform fieldwork.

1. Engagement context.

Larsson Teknik AB is a wholly owned subsidiary of Larsson Group AB. The entity reports under K3 (Swedish GAAP for larger entities). Significant change in 2025: Larsson signed a five-year supply contract with a German automotive manufacturer, representing approximately 30% of 2025 revenue. No changes to legal structure, governance, or IT systems. The group engagement team has not issued group audit instructions (Larsson's group parent is not audited under ISA 600 due to its size).

Documentation note: Reference the engagement letter dated 15 September 2025. Note the statutory filing deadline of 30 June 2026. Record the new supply contract as a significant business change requiring consideration in the risk assessment.

2. Materiality.

Benchmark: revenue (€18 million). Percentage: 1.0% (appropriate for a manufacturing entity with stable revenue). Overall materiality: €180,000. Performance materiality: €117,000 (65% of overall materiality, reflecting the continuing engagement with some identified risks). Clearly trivial threshold: €9,000.

Documentation note: State why revenue was chosen over profit (profit before tax fluctuated between €400,000 and €1.2 million over the past three years, making it an unstable benchmark). Cross-reference to the materiality working paper for the full calculation.

3. Risk assessment approach.

Sources: prior-year working papers (no material misstatements, two immaterial adjustments in revenue cut-off totalling €14,000), management discussion on 8 January 2026, preliminary analytical review of 2025 trial balance against prior year, industry knowledge of the industrial sensor market.

Fraud risk assessment: team discussion held on 8 January 2026 (documented separately per ISA 240.15). Revenue recognition fraud risk is presumed. Management override procedures will include journal entry testing and retrospective estimate review.

Audit approach: purely substantive for all areas. Larsson has limited segregation of duties (small finance team of three), and the prior-year controls evaluation concluded that a controls-reliance strategy is not efficient.

Documentation note: Reference the ISA 240 team discussion working paper. Note that the new automotive supply contract introduces revenue recognition timing risk (long-term contract with milestone payments). This drives the planned revenue cut-off testing in section 4.

4. Key audit areas.

Revenue recognition (€18M, cut-off assertion, driven by the new long-term supply contract with milestone payments. Planned response: test a sample of December and January invoices for cut-off, review the contract terms for performance obligation identification under K3 chapter 23, test milestone completion documentation for Q4 billings).

Inventory valuation (€3.1M, valuation assertion. Raw material prices for electronic components fluctuated 8-12% during 2025. Planned response: attend physical count on 3 January 2026, test cost build-up for a sample of finished goods, assess net realisable value for slow-moving items identified by the inventory ageing report).

Trade receivables (€2.8M, valuation and existence assertions. Concentration risk from the new automotive customer representing €1.4M of the year-end balance. Planned response: send external confirmations to the five largest debtors including the automotive customer, test the provision matrix per IFRS 9 / K3 equivalent, review post-balance-sheet receipts).

Documentation note: For each key area, cross-reference to the detailed audit programme where the specific procedures, sample sizes, and timing are documented.

5. Team allocation and specialist needs.

Engagement partner (sole practitioner): overall supervision, revenue recognition testing, review of all working papers, signing the audit report. Audit assistant: inventory attendance, trade receivable confirmations, cash and bank testing, payroll analytical review, fixed asset roll-forward. No specialist required. The prior-year file identified no areas requiring specialist input. The new automotive contract is standard for the entity's industry and does not involve complex financial instruments or unusual accounting treatments.

Documentation note: Record that the audit assistant has three years' experience and has worked on the Larsson engagement for the prior two years. Note that the partner will review all high-risk area working papers before the completion meeting.

6. Timing.

Planning meeting with management: 8 January 2026 (completed). Inventory observation: 3 January 2026 (completed). Interim procedures: none planned (substantive approach, all procedures at year-end). Year-end fieldwork: 2-13 February 2026. Draft financial statements expected from client: 20 January 2026. Management letter: 28 February 2026. Communication with those charged with governance (ISA 260): planning matters communicated 8 January 2026; findings communication and draft audit report by 15 March 2026. Statutory filing deadline: 30 June 2026.

Documentation note: Record the dates and confirm that the planning memo was signed before fieldwork commenced on 2 February 2026. Note any dependencies (fieldwork start depends on receiving draft financial statements by 20 January).

Planning memorandum checklist

1. Complete and sign the planning memorandum before the start of substantive fieldwork, with the date on the memo matching (or predating) the first day of fieldwork (ISA 300.7-8).
2. Document the engagement context, including the financial reporting framework, significant business changes, regulatory requirements, and a reference to the engagement acceptance evaluation under ISA 220.
3. State overall materiality, performance materiality, and the clearly trivial threshold, with the benchmark rationale documented (ISA 320, cross-referenced in the planning memo).
4. Describe the risk assessment approach, including the sources of information used, the fraud risk assessment per ISA 240, and the decision between a controls-reliance and purely substantive strategy.
5. List the key audit areas with specific assertions, risk factors, and planned responses. Cross-reference each key area to the detailed audit programme.
6. Record the team allocation (names, responsibilities, supervision arrangements) and the audit timeline from planning through to the expected signing date.

Common mistakes

• Signing the planning memo after fieldwork has started. Inspection bodies across European jurisdictions flag this consistently. The AFM's guidance is explicit: the overall audit strategy must be established before substantive procedures commence. A planning memo dated during or after fieldwork suggests the plan was reverse-engineered from the work performed.
• Using the prior-year planning memo as a template without updating it for current-year changes. This produces a memo that references last year's financials, last year's team, and last year's deadlines. The risk assessment section is particularly vulnerable to this problem because it requires active engagement with new information.
• Failing to connect the risk assessment to the key audit areas. The memo identifies risks in one section and lists audit procedures in another, but there's no documented link between the two. ISA 300.10(b) requires the audit plan to include further audit procedures at the assertion level that are responsive to the assessed risks. If the connection isn't visible, the file looks like planning and testing occurred independently.

Related content

• Audit planning. Glossary entry covering the ISA 300 requirements for the overall audit strategy and audit plan, including the distinction between the two.
• Materiality calculator. Calculator for determining overall and performance materiality across multiple benchmarks. The materiality section of the planning memorandum cross-references the output from this calculation.
• How to set materiality for different industries: ISA 320 benchmarks. Application guide covering benchmark selection, percentage ranges by industry, and the qualitative factors that affect materiality determination.