What is an Audit Planning Memorandum?
No ISA uses the phrase "audit planning memorandum" by name. But ISA 230.8 requires the auditor to prepare documentation sufficient to enable an experienced auditor, having no previous connection with the audit, to understand the nature, timing, and extent of audit procedures performed, the results, and the significant matters arising during the audit and their conclusions. ISA 300.12 requires documentation of the overall audit strategy, the audit plan, and any significant changes made during the engagement.
Most firms satisfy these combined requirements through a planning memorandum — a narrative document that records the team's understanding of the client, the key risks identified, the materiality judgments made, and the rationale for the audit approach chosen. The defensibility of a planning memo comes from the quality of the link between what the team knows about the client and what the team decided to do about it. Length is not a proxy for quality.
ISA 230.A2 sets the standard: documentation should enable an experienced auditor with no previous connection to the engagement to understand the work performed. A planning memo filled with boilerplate descriptions copied from prior years does not meet this standard. A shorter memo that clearly explains why the team chose a particular approach for this specific client does.
Key Points
- ISA 230.8 requires rationale, not just decisions. The memo must explain why the team chose a particular approach.
- ISA 300.12 requires documenting significant changes to the strategy and plan during the engagement.
- The "experienced auditor" test (ISA 230.A2) is the benchmark — would someone unfamiliar with the engagement understand the logic?
- Boilerplate fails inspection review. Client-specific reasoning is what separates a defensible memo from a template.
Why it matters in practice
The AFM's 2022 inspection findings identified planning memoranda that described the audit approach without explaining why that approach was chosen for the specific client. The memo stated what the team planned to do but not what about the client's circumstances led to that decision. ISA 230.8 requires documentation of significant matters and the auditor's professional judgments related to them. A description without rationale does not satisfy this.
A second common weakness: teams update the risk assessment and audit plan during fieldwork but forget to update the planning memorandum. ISA 300.12 requires the auditor to document significant changes made to the overall audit strategy or the audit plan during the audit, and the reasons for those changes. If the risk assessment changed because interim testing revealed a new fraud risk, but the planning memo still reflects the original assessment, the file is internally inconsistent.
The strongest planning memos follow a simple structure: what we know about the client this year, what changed from last year, what risks arise from those facts, and how our audit approach responds to each risk. Every judgment connects back to a specific piece of client knowledge. That is what ISA 230.A2 requires.
Key standard references
- ISA 230.8: Requirement to document significant matters, professional judgments, and their rationale.
- ISA 300.12: Requirement to document the audit strategy, plan, and any significant changes with reasons.
- ISA 230.A2: The "experienced auditor" standard for documentation sufficiency.
- ISA 315.19–20: Requirements for understanding the entity and its environment.
Related terms
Related tools
Related reading
Frequently asked questions
Is a planning memorandum required by the ISAs?
No ISA uses the phrase 'audit planning memorandum' by name, but ISA 230.8 requires documenting significant matters and their rationale, and ISA 300.12 requires documenting the strategy, plan, and any significant changes. Most firms satisfy these requirements through a planning memorandum.
What makes a planning memo defensible?
The quality of the link between what you know about the client and what you decided to do about it. ISA 230.A2 states documentation should enable an experienced auditor with no previous connection to understand the work performed. Boilerplate fails this test.