What is the Audit Strategy?
ISA 300.7 requires the auditor to establish an overall audit strategy before developing the detailed audit plan. The strategy addresses four areas: scope, timing, direction, and resourcing. It is the first formal output of the planning process and sets the framework within which the detailed plan operates.
ISA 300.8 requires the auditor to consider the results of preliminary engagement activities — continuance assessments, ethical requirements, and engagement acceptance — when setting the strategy. These feed directly into how the strategy is shaped.
ISA 300.A8 lists matters the auditor considers when establishing the strategy: materiality determinations, areas of higher assessed risk, whether specialists are needed, preliminary analytical procedures results, and the planned nature and timing of communications with those charged with governance. The strategy is where the engagement partner records the rationale behind the plan — the "why" that drives the "how."
Key Points
- Four areas: scope, timing, direction, and resourcing (ISA 300.7).
- Must precede the detailed plan — the strategy informs the plan, not the other way around.
- Strategy is the "why"; the plan is the "how." Both are required but serve different purposes.
- Engagement-specific content is essential — generic template-filling is a common deficiency.
Why it matters in practice
The most common deficiency is generic template-filling rather than engagement-specific strategy. A strategy that could apply to any client in any industry does not meet the requirement. The document must reflect this client, this year, with specific consideration of the factors that drive this engagement's scope, timing, and resourcing.
Firms frequently complete the strategy and the detailed plan simultaneously, treating them as a single step. Inspection teams distinguish the two. When both documents are dated the same day with identical sign-off times, reviewers question whether the strategy genuinely informed the plan or was completed retroactively to satisfy the file structure.
A strategy without a plan is rationale without execution — it explains why but not how. A plan without a strategy is procedures without rationale — it shows what was done but not why those procedures were chosen over alternatives. Both gaps are flagged, but the absence of a distinct strategy is more commonly found because firms default to jumping straight to the detailed plan.
Key standard references
- ISA 300.7: Requirements for establishing the overall audit strategy.
- ISA 300.8: Consideration of preliminary engagement activities.
- ISA 300.A8: Matters to consider when establishing the strategy.
- ISA 300.5: Engagement partner involvement in planning, including the strategy.
Related terms
Related tools
Related reading
Frequently asked questions
What four areas must the audit strategy address?
ISA 300.7 requires the strategy to: (1) identify engagement characteristics that define scope, (2) ascertain reporting objectives to plan timing, (3) consider factors significant in directing effort, and (4) determine required resources including specialists.
Can the strategy be completed at the same time as the detailed plan?
Technically ISA 300.7 requires the strategy first, with the plan developing from it. When both documents are dated the same day with identical sign-off times, inspection teams question whether the strategy genuinely informed the plan or was completed retroactively.