What is an Audit Plan?

ISA 300.7 requires the auditor to develop an audit plan that includes a description of the nature, timing, and extent of planned risk assessment procedures (ISA 315), further audit procedures at the assertion level (ISA 330), and other planned audit procedures required to comply with the ISAs. The plan also covers direction, supervision, and review of the engagement team's work.

The audit plan is not a static document. ISA 300.A12 makes clear that planning is a continuous process throughout the engagement. As the auditor performs risk assessment procedures and gains new information, the nature, timing, and extent of further audit procedures may need to change. ISA 300.10 requires the auditor to update and change the overall audit strategy and audit plan as necessary during the course of the audit.

The distinction between the audit strategy and the audit plan matters. The strategy sets the scope, timing, and direction of the engagement at a high level. The plan converts that direction into specific procedures at the assertion level, with sample sizes, timing of procedures, and team member assignments. The strategy tells you what to focus on. The plan tells you exactly what each team member will do about it.

Key Points

  • ISA 300.7 requires assertion-level specificity — generic procedures like "perform substantive testing on revenue" are not sufficient.
  • Planning is continuous, not a phase that ends when fieldwork begins. ISA 300.A12 requires ongoing reassessment.
  • ISA 300.10 mandates updates whenever new information changes the risk picture during the engagement.
  • The plan must link procedures to assessed risks, not just list procedures in isolation from the risk assessment.

Why it matters in practice

The FRC's 2023 annual inspection report flagged audit plans that did not reflect changes identified during fieldwork. Teams produced planning documents at the start of the engagement and never revisited them, even when interim testing revealed new risks or when the risk assessment changed materially during the audit.

The most common weakness is generic procedures. Teams produce plans with broad descriptions — "perform substantive testing on revenue" or "test a sample of trade receivables" — without linking each procedure to a specific assertion or assessed risk. ISA 300.7(b) requires the plan to describe further audit procedures at the assertion level for each material class of transactions, account balance, and disclosure. A plan that does not connect procedures to assertions does not meet this requirement.

ISA 330.6 reinforces this by requiring the auditor to design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement at the assertion level. If the plan does not specify which assertions each procedure addresses, there is no way to demonstrate that the response is appropriate to the risk.

Key standard references

  • ISA 300.7–9: Requirements for the audit plan, including assertion-level procedures.
  • ISA 300.10: Requirement to update the strategy and plan when new information emerges.
  • ISA 300.A12: Application guidance confirming that planning is continuous throughout the engagement.
  • ISA 330.6: Assertion-level responses to assessed risks of material misstatement.

Frequently asked questions

What is the difference between the audit plan and the audit strategy?

The strategy (ISA 300.7) sets scope, timing, direction, and resourcing at the engagement level. The plan translates that into specific procedures at the assertion level with sample sizes, timing, and team member assignments. The strategy rarely changes mid-engagement; the plan almost always does.

Must the audit plan be updated during fieldwork?

Yes. ISA 300.10 requires revision whenever new information changes the risk assessment. Copy-forward plans that ignore interim findings are the most common documentation gap flagged in inspections.