ISA 300 — Planning an Audit of Financial Statements: Complete Guide

Key Takeaways

ISA 300 requires the auditor to plan the audit so that the engagement will be performed in an effective manner. Planning is not optional — it is a requirement for every audit engagement.
Planning involves two distinct but interrelated outputs: the overall audit strategy (which sets the scope, timing, and direction of the audit) and the audit plan (which contains the detailed nature, timing, and extent of procedures to be performed).
Planning is not a discrete phase — it is a continual and iterative process that begins before fieldwork starts and continues until the audit is complete. The strategy and plan must be updated as circumstances change and new information emerges.
Preliminary engagement activities must be performed at the beginning of each audit engagement: evaluating compliance with ethical requirements (including independence), evaluating acceptance/continuance of the client relationship, and establishing an understanding of the engagement terms (ISA 210).
The engagement partner and other key team members must be involved in planning to bring their experience and insight to the process.
The auditor must plan the direction, supervision, and review of engagement team members — scaling this based on the assessed risks, entity complexity, and team capabilities.
ISA 300 requires documentation of the overall audit strategy, the audit plan, and any significant changes made during the engagement.

What is ISA 300?

ISA 300, titled "Planning an Audit of Financial Statements," establishes the foundation for every audit engagement. An audit that is not properly planned cannot be performed effectively — the wrong risks will be assessed, the wrong procedures will be designed, the wrong people will be assigned, and the wrong areas will receive attention.

The standard is written in the context of recurring audits but identifies additional considerations for initial engagements. It connects directly to virtually every other ISA: the risk assessment under ISA 315 feeds into the plan, the materiality determination under ISA 320 shapes the scope, the responses under ISA 330 constitute the detailed procedures, and the quality management under ISA 220 governs how the plan is executed and supervised.

The Objective of the Auditor

ISA 300.4 states the objective simply:

The objective of the auditor is to plan the audit so that it will be performed in an effective manner.

"Effective" means the audit achieves its overall objective (ISA 200) — obtaining reasonable assurance about whether the financial statements are free from material misstatement. An effective audit is one that identifies the right risks, deploys resources efficiently, obtains sufficient appropriate evidence, and reaches well-supported conclusions. Planning is the mechanism that makes all of this possible.

Preliminary Engagement Activities

ISA 300.6 requires the auditor to perform certain activities at the beginning of each audit engagement, before detailed planning begins:

Evaluating compliance with ethical requirements, including independence — under ISA 220, the engagement partner must form a conclusion on compliance with independence requirements. This must happen before resources are committed to the engagement.

Evaluating acceptance and continuance of the client relationship — considering whether new information has emerged (integrity concerns, significant changes in the entity, scope limitations) that would affect the firm's willingness to continue. For initial engagements, this includes communication with the predecessor auditor.

Establishing an understanding of the terms of engagement — under ISA 210, agreeing with management on the terms and confirming that the preconditions for an audit exist.

These preliminary activities ensure the auditor does not invest significant planning effort in an engagement that should not be accepted or continued.

Overall Audit Strategy vs. Audit Plan

ISA 300 distinguishes between two planning outputs that serve different purposes:

The overall audit strategy

The strategy is the high-level framework (ISA 300.7–8). It sets:

Element	What It Determines
Scope	The reporting framework, industry-specific reporting requirements, locations/components, the need for group audit considerations
Timing	Key dates (interim work, year-end fieldwork, report deadline), coordination with the entity's timetable
Direction	The nature of resources to deploy — team composition, use of specialists, involvement of component auditors, allocation of resources to high-risk areas
Materiality	The preliminary determination of materiality that shapes the scope and nature of procedures
Key risks	Initial identification of areas requiring significant auditor attention based on prior experience and preliminary understanding

The strategy is typically documented as a memorandum or summary document — concise enough to communicate the key decisions to the engagement team.

The audit plan

The plan is the detailed programme (ISA 300.9). It describes:

The nature, timing, and extent of planned risk assessment procedures (ISA 315).
The nature, timing, and extent of planned further audit procedures at the assertion level — tests of controls and substantive procedures (ISA 330).
Other planned procedures required to comply with ISAs — such as communications with governance (ISA 260), obtaining written representations (ISA 580), and performing overall analytical procedures (ISA 520).

The audit plan is more granular and evolves as the audit progresses. Once risk assessment procedures are performed and results are obtained, the planned further audit procedures may need to change.

Strategy vs. plan in practice

Think of the strategy as the general's battle plan — it identifies the terrain, the objectives, and the deployment of forces. The audit plan is the detailed operational orders — which specific squad goes where, when, and does what. In practice, the two are developed together rather than sequentially, and they influence each other. A change in risk assessment (plan level) may require a change in resource allocation or timing (strategy level). For smaller engagements, the strategy may be a brief memorandum based on the prior year's experience, while the plan may be a tailored audit programme. For complex engagements, both documents will be substantial.

Planning Is Iterative

ISA 300.2 and A13 make a critical point: planning is not a one-off event at the start of the engagement. It is a continual and iterative process that runs from acceptance through to completion.

The auditor may begin with a preliminary strategy based on prior-year experience and initial discussions with management. As risk assessment procedures are performed (ISA 315), the strategy and plan are refined. As fieldwork proceeds and audit evidence is obtained, the auditor may discover information that contradicts the initial risk assessment — requiring further revision of the plan.

Common triggers for plan revisions include:

Unexpected findings during substantive testing that suggest the risk assessment was inadequate.
New information about the entity — a significant transaction, a change in key personnel, a litigation claim, or a going concern indicator.
Scope changes — discovery that a service organisation processes more transactions than initially understood, or that a component previously considered immaterial has become significant.
Resource constraints — a key team member becomes unavailable, requiring reallocation of work.

ISA 300.10 requires the auditor to update and change the overall audit strategy and audit plan as necessary during the audit.

Involvement of Key Engagement Team Members

ISA 300.5 requires the engagement partner and other key members of the engagement team to be involved in planning. This ensures that the audit benefits from their experience and insight — particularly their knowledge of the entity, the industry, and the applicable reporting framework.

"Other key members" typically includes the audit manager and any senior team members responsible for significant risk areas. For group audits, this may include representatives from component audit teams. The engagement partner's involvement in planning is also a quality management requirement under ISA 220 — the partner cannot delegate the planning of the audit strategy and the assessment of significant risks.

For smaller engagements, where the engagement partner may be working with one team member or none, ISA 300.A11 acknowledges that planning can be more straightforward — a brief memorandum from the prior year, updated for current-year changes, may suffice as the audit strategy.

Direction, Supervision, and Review

ISA 300.11 requires the auditor to plan the nature, timing, and extent of direction and supervision of engagement team members and the review of their work.

The level of direction and supervision depends on (ISA 300.A14):

The size and complexity of the entity — a complex multinational requires more structured direction than a straightforward SME.
The area of the audit — high-risk areas (estimates, revenue recognition, related parties) require closer supervision than routine areas.
The assessed risk of material misstatement — higher-risk areas demand more detailed direction on what to do and more thorough review of results.
The capabilities and competence of the team members — less experienced staff need more detailed instructions and more frequent review.

This connects directly to ISA 220's quality management requirements — the engagement partner must take responsibility for ensuring that the team is properly directed, that their work is supervised, and that the results are reviewed at appropriate levels.

Additional Considerations for Initial Audit Engagements

ISA 300.13 identifies matters the auditor should consider when planning an initial audit:

Communication with the predecessor auditor — under ISA 210 and professional ethics requirements, the incoming auditor should contact the predecessor (with the entity's permission) to understand whether there are reasons the appointment should not be accepted.
Opening balances — ISA 510 requires the auditor to obtain sufficient appropriate evidence about opening balances. For an initial engagement, this may require reviewing the predecessor's working papers (subject to professional protocols) or performing additional procedures.
Firm's quality management procedures — ISA 220 requires the firm's acceptance procedures to be completed before the engagement begins.

Documentation

ISA 300.12 requires documentation of:

The overall audit strategy — the key decisions regarding the scope, timing, and direction of the audit.
The audit plan — the nature, timing, and extent of risk assessment procedures and further audit procedures.
Any significant changes made to the strategy or plan during the audit, and the reasons for those changes.

The documentation does not need to be elaborate — the extent depends on the size and complexity of the entity and engagement. For a smaller engagement, a brief memorandum covering the key planning decisions may be sufficient.

Documenting significant changes

This is one of the most commonly missed documentation requirements. When the auditor discovers information during fieldwork that changes the planned approach — increasing sample sizes, adding procedures for a newly identified risk, extending year-end testing — the change and its rationale must be documented. Regulatory inspectors specifically look for evidence that the auditor responded to emerging information and did not simply follow the original plan regardless of what was found. A plan that never changes is a red flag that the audit was executed mechanically rather than responsively.

ISA 300 in Your Jurisdiction

Netherlands. COS 300 follows ISA 300 closely. AFM inspections have consistently focused on planning quality — particularly whether the audit strategy reflects a genuine understanding of the entity's risks rather than a mechanical rollforward of the prior year. The AFM expects to see evidence that the engagement partner was substantively involved in planning and that the strategy was tailored to the entity's specific circumstances.

Germany. IDW PS 300 adapts ISA 300 for the German context. German practice integrates planning with the Prüfungsplanung (audit planning) requirements of the WPO, which require detailed documentation of the planned audit approach. The WPK's inspections examine whether planning is responsive to entity-specific risks and whether the Prüfungsbericht reflects the planned approach.

United Kingdom. ISA (UK) 300 is substantively aligned with ISA 300. The FRC's inspection findings regularly cite planning as a root cause of audit quality issues — particularly insufficient consideration of fraud risks during planning, inadequate tailoring of the plan to the entity's specific circumstances, and failure to update the plan in response to findings during fieldwork.

France. NEP 300 implements ISA 300 within the French statutory framework. French practice integrates planning with the legal timetable of the mandat (audit appointment), which typically runs for six financial years. This multi-year context allows French commissaires aux comptes to develop a longer-term audit strategy — the plan de mission — that considers the entity's evolution across the mandate period.

Frequently Asked Questions

What is the difference between the overall audit strategy and the audit plan?

The strategy sets the high-level scope, timing, and direction — it determines what the audit will cover, when, and with what resources. The plan contains the detailed procedures — the specific nature, timing, and extent of risk assessment and further audit procedures at the assertion level. The strategy guides the development of the plan.

Is planning done once at the beginning of the audit?

No. Planning is iterative and continuous. The initial strategy and plan are developed before fieldwork begins, but both must be updated as the audit progresses, new information emerges, and circumstances change. ISA 300 explicitly requires updates when necessary.

Who is responsible for planning?

The engagement partner has overall responsibility for planning and must be involved in establishing the strategy and identifying significant risks. Other key team members should also participate to contribute their experience. However, planning responsibilities can be delegated to experienced team members for specific aspects — provided the partner retains oversight.

Does the auditor need to communicate the plan to those charged with governance?

Yes. ISA 260 requires the auditor to communicate an overview of the planned scope and timing of the audit to those charged with governance. However, the auditor must be careful not to make procedures too predictable — particularly regarding fraud risk responses.

How detailed should planning documentation be?

This depends on the size and complexity of the engagement. For a large listed entity, the documentation will be extensive — separate strategy and plan documents, detailed resource allocations, risk matrices. For a smaller entity, a brief memorandum covering the key decisions may be sufficient. The test is whether the documentation enables understanding of the key planning decisions and their rationale.