
Planning the Audit: Strategy, Plan, and Team Resources

AccountingBody Editorial Team

This chapter explores the essential elements of audit planning, focusing on the development of an overall audit strategy, detailed audit plans, and the…

Learning objectives

By the end of this chapter you should be able to:

  • Distinguish clearly between the overall audit strategy, the detailed audit plan, and area-specific audit programmes, and explain how they fit together.
  • Identify and assess risks of material misstatement, link them to relevant financial statement assertions, and design proportionate audit responses.
  • Use planning analytical procedures to pinpoint unusual trends or relationships and refine audit focus.
  • Plan team resourcing, supervision, and review so that higher-risk and more complex areas receive appropriate expertise and scrutiny.
  • Document planning judgements and decisions so the audit approach is clear, traceable, and defensible.

Overview & key concepts

Audit planning turns an understanding of the entity into a focused approach for obtaining sufficient, appropriate evidence. Good planning improves audit quality, reduces wasted work, and helps the team respond quickly when issues emerge.

Three planning outputs and how they relate

Audit planning usually produces three usable outputs, each answering a different question:

  • Overall audit strategy: What is our overall route and why? It sets scope decisions, timing, the headline approach, and resourcing. It is written for engagement-level control and review.
  • Audit plan: What will we do in response to the risks we’ve identified? It translates risk assessment into specific audit responses and sets the intended nature, timing and extent at a workable level.
  • Audit programmes: What exact steps will the team perform in each area? These are the procedure lists the team executes and signs off for cycles and balances, tailored to the entity’s systems and risks.

The strategy sets direction, the plan turns direction into responses, and programmes turn responses into executable work.

Planning is not a one-off exercise. It should be refreshed when new information becomes available (for example, unexpected results from analytical procedures, changes in the business, or issues identified during interim work).

Overall audit strategy

The overall audit strategy sets the engagement’s direction. It explains:

  • Scope: what is being audited (entities, components, locations, significant classes of transactions and disclosures).
  • Reporting framework and timetable: the applicable framework and the deadlines for completion, approval, and filing.
  • Audit approach: the planned balance between reliance on controls and substantive work, and whether any areas require a more unpredictable approach.
  • Resourcing: how the work will be staffed (skills, seniority, specialists), and key review points.

The strategy should be proportionate to the entity and should highlight the main drivers of risk, complexity, and judgement.

Audit plan

The audit plan converts the strategy into a practical, risk-led set of actions. It sets out the planned nature, timing, and extent of audit responses to assessed risks.

A strong audit plan will:

  • List the identified risks and show which accounts/disclosures they affect.
  • Link each risk to relevant assertions.
  • Specify the planned responses, including:
    • whether controls will be tested and, if so, which controls and at what timing
    • substantive procedures, including tests of details and substantive analytical procedures
  • Indicate who will perform the work, when it will be performed (interim/year-end), and how much evidence will be obtained (extent, sample sizes, coverage).

Audit programme

An audit programme is the detailed procedure list used to perform work in a particular area. It is the operational tool that the team executes and signs off.

Programmes should be tailored. A generic checklist is rarely sufficient on its own because it may not reflect the entity’s specific risks, systems, or estimates.

Audit programmes are primarily internal working tools that support consistent execution and documentation. They are not the “big picture” planning output (that is the strategy and plan), and they should be adjusted when risks or findings change.

Assertions used in audit planning

When planning and designing procedures, auditors link risks to assertions. For clarity, it helps to keep the list consistent and to match assertions to what is being tested.

Assertions for classes of transactions and events

  • Occurrence: recorded transactions happened and relate to the entity.
  • Completeness: all transactions that should be recorded are recorded.
  • Accuracy: amounts and other data are recorded correctly.
  • Cut-off: transactions are recorded in the correct accounting period.
  • Classification: transactions are recorded in the proper accounts.
  • Presentation and disclosure: transactions are appropriately described and disclosed.

Assertions for account balances

  • Existence: recorded assets, liabilities, and equity interests exist.
  • Rights and obligations: the entity controls the rights to assets and has obligations for liabilities.
  • Completeness: all balances that should be recorded are recorded.
  • Accuracy, valuation and allocation: balances are recorded appropriately and measured on a suitable basis, including any allocations required (for example, provisions, impairments, and accrual estimates).
  • Classification: balances are appropriately classified (e.g. current/non-current).
  • Presentation and disclosure: balances are appropriately described and disclosed.

Assertions for presentation and disclosure (notes)

  • Occurrence and rights and obligations: disclosed events occurred and relate to the entity, and disclosed rights/commitments reflect the entity’s position.
  • Completeness: all required disclosures are included.
  • Classification and presentation: disclosures are appropriately organised and clearly described (clarity and understandability are part of effective presentation).
  • Accuracy and valuation: amounts and other information are stated correctly and consistently with underlying records.

Professional scepticism

Professional scepticism (planning perspective)

In planning, scepticism is about how readily the team is prepared to believe what it is told, and how quickly it looks for independent support. Explanations are treated as starting points, not conclusions—especially where incentives, judgement, or complexity are present.

Practically, a sceptical plan will:

  • identify where management could be unintentionally wrong (error) and where they might be motivated to present results favourably (bias or fraud);
  • require corroboration for unusual movements (for example, linking a margin change to pricing files, production data, or supplier invoices—not just verbal explanations);
  • build in extra challenge around estimates (methods, key inputs, and whether alternative outcomes are plausible); and
  • include some unpredictability in testing so the work is not entirely easy to anticipate or “manage”.

Risk assessment procedures

Risk assessment procedures help the team understand the entity and identify where misstatements could arise. Common procedures include:

  • discussions with management and relevant staff
  • observation and inspection (process walk-throughs, site visits, review of documents)
  • preliminary analytical procedures
  • understanding key processes and relevant controls
  • considering external factors (market conditions, regulation, supply chain, technology)

The output should be a clear set of assessed risks that drive audit responses.

Planning analytical procedures

Planning analytical procedures are performed early to identify unexpected relationships, unusual movements, or inconsistencies. They typically involve:

  • trend analysis (current vs prior period)
  • ratio analysis (e.g. gross margin, inventory days)
  • comparisons to budgets, forecasts, or non-financial information (units produced, headcount, capacity)

These procedures are used to direct attention and refine the audit plan; they are not performed to “prove” balances are correct at the planning stage.

Expectations should be built on reliable data (for example, reconciled management information, consistent non-financial metrics, or stable historical relationships). Planning analytics may be performed at overall financial statement level and then drilled down to assertion level (or vice versa) depending on the data available and the risks identified.

Investigation thresholds should reflect materiality and the volatility of the line item: stable balances justify tighter thresholds than highly variable lines. Follow-up should be proportionate—a small variance in a volatile area may need limited work, while a modest variance in a stable area may require deeper corroboration.

Nature, timing, extent

These three terms describe how audit procedures are designed:

  • Nature: what type of procedure is performed (inspection, observation, recalculation, confirmation, enquiry, analytical procedures).
  • Timing: when the work is done (interim, year-end, or after year-end) and the period covered.
  • Extent: how much work is done (sample sizes, number of locations tested, level of coverage, thresholds for investigation).

Higher-risk areas generally require more persuasive evidence, later timing, and greater extent.

Significant risk

A significant risk is a risk identified as requiring special audit consideration. In practice, these risks often arise where misstatement is more likely or could be more serious because the underlying area is particularly complex, judgemental, unusual, or susceptible to manipulation.

Significant risks commonly involve:

  • fraud risk factors (including incentives and opportunities to manipulate results)
  • complex accounting or estimation uncertainty
  • unusual or non-routine transactions
  • significant management judgement and potential bias
  • major business change (new systems, rapid expansion, acquisitions, restructures)

When a significant risk is identified, the audit plan typically changes in visible ways: more senior involvement, more robust and targeted tests, and reduced reliance on analytical procedures alone as the primary response.

Materiality in planning

Materiality in planning (how auditors use it)

Materiality helps the team decide what deserves attention and how much evidence is enough. Typically, the audit file will document:

  • Planning materiality: the headline benchmark used to plan work for the financial statements overall.
  • Performance materiality: a working “safety buffer” set below planning materiality to address the risk that smaller misstatements add up across many areas.
  • Materiality for particular items or disclosures (where needed): a lower threshold for classes of transactions, account balances, or disclosures where users may be especially sensitive, or where small errors could matter in context.

In addition, teams often set a clearly trivial threshold for accumulating misstatements identified, to support consistent documentation and evaluation. Materiality should be revisited if the numbers or circumstances change materially during the audit.

Engagement team, supervision, and review

Planning includes ensuring that the engagement team has the competence and time needed for the risks identified. This includes:

  • assigning experienced staff to high-risk areas (estimates, revenue, inventory valuation)
  • involving specialists where necessary (IT, valuations, tax)
  • setting clear supervision and review points (including increased focus on significant risks)
  • ensuring the team understands documentation expectations and how judgements will be evidenced in the audit file

Strong review is not a final-stage activity; it should be built into the timetable.

Core theory and frameworks

Building the overall audit strategy

The overall strategy is developed by moving from understanding to direction-setting:

  1. Confirm scope and reporting requirements
    • components, locations, significant classes of transactions, and key disclosures
    • reporting framework and reporting timetable
  2. Identify what drives risk and complexity
    • business model, significant changes, systems reliance, estimates and judgements
  3. Set the broad audit approach
    • planned balance between controls work and substantive work
    • areas requiring unpredictability
  4. Set materiality levels
    • planning materiality, performance materiality, and any materiality for particular items/disclosures
  5. Plan resourcing and review
    • allocate senior time and specialists to higher-risk areas
    • agree review points and escalation triggers
  6. Plan communications
    • client deliverables, timing, access to people and systems
    • communications to those charged with governance on key planning matters (including significant risks)

The strategy should be documented clearly so it can be traced to assessed risks and the detailed plan.

Converting strategy into a detailed audit plan

A detailed audit plan is built by linking risks to assertions and responses:

  • Risk statements in entity-specific terms (what could go wrong and why).
  • Affected areas: accounts, transactions, and disclosures impacted.
  • Assertions: which assertions are most exposed (e.g. occurrence and cut-off for revenue; valuation for inventory; rights and obligations for goods held by third parties).
  • Planned responses:
    • controls testing (if relevant): which controls, how to test, and when
    • substantive procedures: tests of details and targeted analytical work
  • Nature, timing, extent: set clearly and proportionately.
  • Responsibilities: assign staff, reviewers, and specialists.
  • Contingencies: plan for delays in client schedules, inventory counts, system access, or overseas locations.

Performing planning analytical procedures

A robust approach to planning analytics typically includes:

  • selecting meaningful benchmarks (prior year, budgets, rolling forecasts, non-financial data)
  • building expectations using a simple, explainable basis (e.g. volume × price; margin trends; production output)
  • setting thresholds for investigation (linked to materiality, volatility, and risk)
  • documenting the follow-up required (including corroboration for explanations)
  • updating assessed risks and planned procedures where analytics reveal unexpected patterns

Planning team resources, supervision, and review

Resourcing should follow risk:

  • allocate senior input to significant risks and complex judgements
  • plan specialist involvement early (especially IT and valuation issues)
  • schedule reviews soon after work is performed, not just at the end
  • define escalation triggers (e.g. unexpected margin movements, count discrepancies, control failures)

Risk assessment and response

Audit responses should be proportionate and targeted:

  • higher risk → more persuasive evidence (more reliable sources and more direct testing)
  • greater estimation uncertainty → deeper challenge of assumptions and alternative outcomes
  • reliance on controls → confirm the controls are relevant to the risk and assertion, test design and implementation first, and then test operating effectiveness to decide how far substantive work can be reduced
  • fraud risks → increased unpredictability and procedures that address the possibility of override

Documentation and communication

Planning documentation should enable a reviewer to understand:

  • what risks were identified and how they were assessed
  • why the chosen approach is appropriate
  • how materiality was set and how it influences planned work
  • how procedures respond to significant risks and other assessed risks
  • how resourcing and review align with risk

Communication planning should ensure the entity understands key deliverables, timing expectations, and the importance of timely access to records and personnel.

Worked example

Narrative scenario

ABC Ltd is a manufacturing company that launched a new product line during the year and began selling into several overseas markets. The supply chain now includes multiple freight providers and overseas warehouses. Inventory is tracked through an integrated system that links purchasing, production, dispatch, and invoicing.

The audit team is planning the year-end audit. Early discussions and preliminary information suggest increased risk in inventory valuation, revenue cut-off, and disclosures about the new product line and international expansion. The team also expects reliance on system-generated reports, making the design and operation of IT-related controls particularly important.

Required

  1. Identify key risks arising from the expansion and new product line.
  2. Develop an audit plan addressing these risks, including the nature, timing, and extent of procedures.
  3. Allocate team resources appropriate to risk and complexity.
  4. Document planning decisions clearly.
  5. Perform planning analytical procedures to refine audit focus.

Solution

1) Key risks

Inventory valuation, existence, and rights/obligations

  • A new product line may have limited sales history, increasing judgement in net realisable value and obsolescence provisions (valuation).
  • Overseas warehousing and longer transit times increase the risk of goods in transit being misstated and of inventory being held by third parties under arrangements that affect rights and obligations (existence; rights and obligations; cut-off).
  • System reliance and complex flows increase risk of incomplete or inaccurate inventory records (completeness; accuracy; valuation).

Revenue occurrence and cut-off

  • Overseas delivery terms may vary by customer, increasing risk of revenue recorded in the wrong period (cut-off) or without the underlying dispatch/delivery event (occurrence).
  • System interfaces between dispatch, shipping documentation, and invoicing may fail or be overridden (occurrence; accuracy; cut-off).

Disclosures

  • Expansion and a new product line may require additional disclosures (for example, accounting judgements and estimates, key uncertainties, significant events during the year, and risk exposures). Certain disclosures apply only where the entity falls within the scope of the relevant reporting requirements (completeness; presentation and disclosure).

IT controls and system-generated information

  • Heavy reliance on integrated reporting increases the risk that unreliable system outputs are used as audit evidence.
  • Rapid change increases the risk of weak access controls, poor change management, or interface failures affecting financial reporting (accuracy; completeness).

2) Detailed audit plan (nature, timing, extent)

Inventory

Controls testing (interim, with roll-forward where appropriate)

  • Test key controls over:
    • inventory movements (receipts, issues to production, finished goods transfers)
    • access controls and segregation of duties for inventory adjustments
    • authorisation and review of write-downs/obsolescence provisions
  • Evaluate controls over system changes and key automated interfaces that feed inventory records where system reports will be used for audit evidence.

Substantive procedures (primarily year-end)

  • Attendance at inventory counts at significant locations, with coverage based on value and risk:
    • observe count procedures
    • perform test counts and reconcile to final inventory listings
    • assess controls over count adjustments
  • Cut-off testing around year-end:
    • sample goods received notes and dispatch documents before and after year-end
    • match to purchase invoices/sales invoices and verify correct period recognition
  • Rights and obligations focus:
    • obtain confirmations or third-party statements for inventory held at overseas warehouses (where material)
    • inspect key logistics/storage contracts for terms affecting ownership and responsibility
  • Valuation testing:
    • test cost build-ups or cost calculations (materials, labour, and overhead allocation bases where relevant)
    • test net realisable value using post year-end selling prices, returns, and slow-moving analyses
    • challenge write-down assumptions for the new product line (ageing, demand evidence, pricing actions)

Extent

  • Increase sample sizes and widen location coverage where:
    • the new product line is material
    • goods in transit/third-party locations are significant
    • count differences, pricing pressure, or system weaknesses are identified

Revenue

Controls testing (interim)

  • Test controls over:
    • order acceptance, dispatch confirmation, and automated invoicing
    • credit notes and returns processing
    • authorisation and monitoring of manual journal entries affecting revenue

Substantive procedures (year-end focus)

  • Occurrence and cut-off testing:
    • select dispatches around year-end and trace to invoices and shipping documents
    • verify delivery terms for overseas sales and confirm the point at which performance is achieved for revenue purposes (for example, when control transfers to the customer, where relevant)
  • Substantive analytical procedures:
    • develop expectations by product line and region (volume × price; margin trends)
    • investigate unexpected fluctuations beyond defined thresholds, corroborating explanations
  • Tests of details:
    • agree samples to supporting documents (customer order, dispatch evidence, invoice)
    • consider external confirmations for material receivables where risk indicates

Extent

  • Increase testing for:
    • manual journal entries and adjustments near period end
    • unusual sales spikes or margin shifts
    • new overseas customers/channels with limited history

Disclosures

Substantive procedures (year-end)

  • Use a disclosure review tailored to the year’s changes (new product line, overseas markets, key estimates).
  • Perform a completeness review of:
    • disclosures of significant judgements and estimation uncertainty
    • narrative consistency with audit evidence (inventory valuation basis; revenue delivery terms; key risks)
  • Review board minutes, major contracts, and post year-end events for disclosure implications.

IT controls and system-generated reports

IT-focused work (early planning and interim)

  • Identify key reports used in financial reporting (inventory listings, margin reports, dispatch-to-invoice reports).
  • Test relevant IT controls (access, change management) and key application controls or automated interfaces underpinning those reports.
  • Where a report will be used as audit evidence, evaluate how it is generated: confirm the report parameters, confirm completeness of the population included, and test the accuracy of key fields back to underlying data.
  • If controls are weak, plan alternative substantive procedures (independent recalculations, expanded testing, and greater use of external evidence).

3) Team resources, supervision, and review

  • Assign an experienced senior to lead inventory work, including count attendance planning and valuation challenge.
  • Allocate a team member with IT controls capability (or an IT specialist) to evaluate system reliance, key reports, and interfaces.
  • Schedule manager-level review of:
    • significant risks and planned responses
    • inventory valuation conclusions (including any write-downs)
    • revenue occurrence and cut-off results and any indicators of management bias
  • Plan partner involvement for:
    • significant risks
    • sensitive judgements
    • final review of conclusions and communications

4) Documentation of planning decisions

Document in the planning file:

  • entity understanding and key changes in the year
  • assessed risks and linked assertions (including rights and obligations and occurrence where relevant)
  • materiality decisions (planning, performance, and any particular items/disclosures) and rationale
  • planned responses with nature, timing, extent
  • planned use of controls testing and justification
  • resourcing plan, supervision, and review timetable
  • key client deliverables and agreed deadlines
  • planned communications and escalation triggers

Documentation should allow a reviewer to see the logic from risk identification through to planned work.

5) Planning analytical procedures and how they refine the plan

Perform early analytics such as:

  • Revenue by month, product line, and region:
    • investigate late-year spikes, unusual credit notes, and margin anomalies
  • Gross margin by product line:
    • identify margin compression that may indicate pricing pressure, incorrect costing, or obsolete stock
  • Inventory ageing and inventory days:
    • focus valuation work where ageing is worsening or turnover has slowed
  • Freight and duty costs as a percentage of sales:
    • identify changes that could affect inventory cost and margin consistency

Using results

  • If analytics show unexpected margin decline in the new product line, increase valuation testing and challenge costing and pricing assumptions.
  • If revenue spikes occur in the final weeks of the year, extend occurrence and cut-off testing and expand journal entry testing.
  • If inventory days increase materially, expand procedures around slow-moving and obsolete inventory and increase the use of post year-end sales evidence.

Common pitfalls and misunderstandings

  • Blurring strategy and plan: The strategy sets direction; the plan specifies detailed responses. Keep them distinct and linked.
  • Listing risks without designing responses: Risks must be tied to assertions and specific procedures, not left as standalone statements.
  • Superficial planning analytics: Comparisons without expectations, thresholds, and follow-up rarely identify the real risk areas.
  • Overreliance on enquiry: Explanations for anomalies should be corroborated, especially in higher-risk areas.
  • Resourcing not aligned to risk: Complex judgements and system reliance require experience and timely review.
  • Ignoring system-generated evidence risks: If key reports cannot be relied upon, the plan must shift to more independent evidence.
  • Not revisiting the plan: Planning should be updated when new risks emerge or interim work identifies weaknesses.

Summary and further reading

Audit planning converts business understanding into a structured, risk-led audit approach. The overall audit strategy sets direction and resourcing, the audit plan translates assessed risks into specific responses (defined by nature, timing, and extent), and audit programmes turn those responses into executable work. Planning analytical procedures highlight where misstatement risk may be higher, helping the team focus effort efficiently. Clear documentation and appropriate supervision ensure that the approach is coherent, proportionate, and defensible.

FAQ

Overall audit strategy vs audit plan — what’s the difference?

Think of the strategy as the engagement’s route-map: it records the big decisions (scope, timing, headline approach, and resourcing). The audit plan is the risk response blueprint: for each assessed risk it sets out what work will be done, by whom, and with what nature, timing and extent. In practice, the strategy helps you control the engagement; the plan helps you execute it.

How do planning analytical procedures improve audit planning?

They highlight unusual movements or relationships that may indicate higher misstatement risk. This allows the team to refine risk assessment, adjust procedures, and concentrate effort where it is most likely to matter. Expectations should be based on reliable data and followed up with corroboration where anomalies are identified.

Why does professional scepticism matter during planning?

Planning involves judgement about what could go wrong and how evidence will be obtained. A sceptical mindset encourages independent corroboration, stronger challenge of estimates, and procedures designed to test the risks rather than simply confirm management’s narrative.

What should an effective audit plan contain?

It should document assessed risks, link them to assertions (including occurrence and rights and obligations where relevant), and set out tailored responses with clear nature, timing, and extent. It should also capture materiality decisions, team responsibilities, review points, and how system reliance (where relevant) will be addressed.

How should work be allocated across the audit team?

Higher-risk and more judgemental areas should be led and reviewed by more experienced staff, and specialists should be used where needed (for example, IT controls or complex valuations). Review should be scheduled early enough to resolve issues without last-minute pressure.

What is the role of materiality in planning?

Materiality helps focus audit work on matters likely to influence user decisions. Performance materiality provides headroom so that several smaller issues across different areas do not unexpectedly add up to a material total. Where relevant, a lower threshold may also be set for particular transactions or disclosures that are sensitive in context, and a clearly trivial threshold may be used for accumulating misstatements identified.

Summary (Recap)

This chapter explained how audit planning is structured and documented. It distinguished between the overall audit strategy (direction and resourcing), the audit plan (risk-led responses defined by nature, timing, and extent), and audit programmes (detailed area procedures used to execute and document work). It emphasised consistent use of assertions, linking risks to procedures, using planning analytical procedures to refine focus, and allocating resources and review in line with risk and complexity. It also highlighted common pitfalls that weaken planning quality and audit defensibility.

Glossary

Glossary (exam-focused, “what it answers”)

Overall audit strategy
Purpose: sets the engagement’s route-map.
Answers: “Where are the big risks, what’s our broad approach, and who/when is needed?”
Typically covers: scope decisions, timing (interim vs year-end), headline approach (controls vs substantive), resourcing and review points.

Audit plan
Purpose: turns risks into planned responses.
Answers: “What procedures will we do for each risk, and how much work is enough?”
Typically covers: risks, linked assertions, responses (controls testing and/or substantive), and the planned nature/timing/extent.

Audit programme
Purpose: the team’s step-by-step worklist for a specific area.
Answers: “What do I actually do on revenue/inventory/payroll—and how do I evidence it?”
Note: an internal execution tool; update it when risks or findings change.

Assertions
Meaning: the implied claims made when financial statements are prepared (about transactions, balances, and disclosures).
Use in planning: match each risk to the assertion(s) most exposed, then design procedures that directly test those assertions.

Professional scepticism
Meaning: a questioning approach that looks for independent support, especially where judgement, incentives, or complexity exist.
Planning impact: pushes the team to corroborate explanations, challenge estimates, and build in some unpredictability.

Risk assessment procedures
Meaning: the work done to understand the entity and pinpoint where misstatements could arise.
Output: assessed risks that drive the audit plan.

Planning analytical procedures
Meaning: early comparisons and relationships used to spot where results don’t “make sense” and where audit effort should concentrate.

Nature, timing, extent
Nature: what kind of test (inspection, confirmation, recalculation, etc.).
Timing: when it’s performed (interim/year-end).
Extent: how much work (coverage, sample sizes, thresholds).

Significant risk
Meaning: a risk needing special attention due to complexity, judgement, unusual features, or susceptibility to manipulation.
Planning effect: more senior focus and more robust, targeted responses.

Planning materiality / Performance materiality / Materiality for particular items
Planning: overall benchmark for planning work.
Performance: a lower working level so many small issues do not unexpectedly add up.
Particular items: lower threshold where context makes smaller misstatements important.

Clearly trivial threshold
Meaning: a practical cut-off below which items aren’t accumulated because they are clearly inconsequential.

Engagement team / Supervision and review
Meaning: who does the work and how it’s directed and checked so the file supports the conclusions.
