What is the audit strategy?
Most mid-tier files we see have a strategy document, a plan document, and identical timestamps on both. The inspection question that follows is always the same: did the strategy actually shape the plan, or did someone build both at the same time to satisfy the file structure? On about half the engagements we review, the honest answer is the second one. That is the finding. That is what makes this a tick box exercise instead of a planning tool.
ISA 300.7 requires the auditor to establish the strategy before developing the detailed plan. Scope, timing, direction, and resourcing are the four areas it must cover. The strategy is the first formal output of planning and sets the framework inside which the plan operates.
ISA 300.8 requires the auditor to consider the results of preliminary engagement activities (continuance assessments, ethical requirements, and engagement acceptance) when setting the strategy. Those feed directly into how it gets shaped. ISA 300 .A8 lists the matters the engagement partner weighs at this stage: materiality determinations, areas of higher assessed RoMM, whether specialists are needed, the preliminary analytical procedures, and planned communications with those charged with governance. The strategy is where the EP records the rationale behind the plan. The "why" that drives the "how."
Key Points
- Four areas: scope, timing, direction, and resourcing ( ISA 300.7 ).
- Must precede the detailed plan — the strategy informs the plan, not the other way around.
- Strategy is the "why"; the plan is the "how." Both are required but serve different purposes.
- Engagement-specific content is essential — generic template-filling is a common deficiency.
Why it matters in practice
In our experience the single most common deficiency is generic template-filling rather than engagement-specific content. A strategy that could apply to any client in any industry does not meet ISA 300.7 . The document has to reflect this client, this year, with specific consideration of the factors that drive this engagement's scope, timing, and resourcing.
Firms regularly complete the strategy and the detailed plan in the same sitting, treating them as one step. Inspection teams separate the two. When both documents carry the same date and identical sign-off times, reviewers question whether the strategy genuinely informed the plan or was completed retroactively to satisfy the file structure.
A strategy without a plan is rationale without execution. It explains why but not how. A plan without a strategy is procedures without rationale. It shows what was done but not why those procedures were chosen over alternatives. Both gaps get flagged, but the absence of a distinct strategy is the one we see more often, because firms default to jumping straight into the detailed plan.
Key standard references
- ISA 300.7 : Requirements for establishing the overall audit strategy.
- ISA 300.8 : Consideration of preliminary engagement activities.
- ISA 300 .A8: Matters to consider when establishing the strategy.
- ISA 300.5 : Engagement partner involvement in planning, including the strategy.
Related terms
Related tools
Related reading
Frequently asked questions
What four areas must the audit strategy address?
ISA 300.7 requires the strategy to: (1) identify engagement characteristics that define scope, (2) ascertain reporting objectives to plan timing, (3) consider factors significant in directing effort, and (4) determine required resources including specialists.
Can the strategy be completed at the same time as the detailed plan?
Technically ISA 300.7 requires the strategy first, with the plan developing from it. When both documents are dated the same day with identical sign-off times, inspection teams question whether the strategy genuinely informed the plan or was completed retroactively.