On November 25, 2024, Macy’s took the unusual step of delaying its Q3 2024 earnings release after discovering that a single employee had concealed $151 million in small-parcel delivery expenses. The concealment ran for 11 consecutive quarters from Q4 2021 through November 2024.
The Macy’s case is a master class in why Key Risk Indicators for Finance Departments matter at the line-item level. The employee falsified accrual journal entries and supporting documentation, a category of fraud that segregation-of-duties exceptions, manual-journal-entry-volume KRIs, and reconciliation-aging KRIs would have caught at quarter close.
Macy’s still recognized $4.36 billion in delivery expenses across the same period; the concealment was about 3.5% of the full bucket and never touched cash.
| Key Takeaways |
| A 2026 program of Key Risk Indicators for Finance Departments covers six categories: financial reporting and SOX / ICFR, treasury and liquidity, AP / AR and working capital, tax and regulatory compliance, FP&A and forecasting, and internal controls and fraud detection. |
| On November 25, 2024, Macy’s disclosed that a single employee had concealed $151 million in delivery expenses across 11 quarters (Q4 2021 to Q3 2024) by manipulating accrual entries. The retailer delayed Q3 2024 earnings, replaced the employee, and triggered an internal investigation. |
| The 2024 SOX adverse-reporting rate sat at about 15% across the Audit Analytics filer set, down from over 26% in 2021. About 20-25% of US companies report at least one material weakness each year per Protiviti, with manual journal entries, account reconciliation aging, and segregation-of-duties failures the dominant root causes. |
| The Big 4 aggregate PCAOB Part I.A deficiency rate dropped to 20% in 2024 from 26% in 2022 and 2023. Deloitte ran 14%, KPMG ran 20%, BDO topped the list at 60%. PCAOB cited revenue recognition, ICFR testing, and estimates as the most-flagged areas. |
| Standards: COSO Internal Control – Integrated Framework (2013), COSO ERM 2017, SOX Section 404, the PCAOB Auditing Standards, ISO 31000:2018, the AICPA’s Statements on Auditing Standards, and the IIA’s International Professional Practices Framework anchor the program. |
| Most US CFO programs run 40 to 55 Key Risk Indicators for Finance Departments, with 8 to 12 elevated to the audit-and-risk committee or full board each quarter. Tracking fewer than 25 leaves blind spots; tracking more than 70 dilutes attention. |
| The CFO owns the dashboard. Controllers, treasurers, FP&A leads, tax directors, and chief audit executives own individual KRIs. Internal audit reports back to the audit committee on KRI integrity and remediation aging. |
Macy’s is not a one-off. The 2024 SOX adverse-reporting rate sat near 15% across more than 5,000 management assessments tracked by Audit Analytics.
The Big 4 aggregate PCAOB Part I.A deficiency rate hit 20% in 2024, with BDO at 60% and Deloitte at 14%. Material weaknesses, manual journals, and reconciliation aging keep showing up as the leading indicators in retrospect.
Six categories anchor the dashboard below: financial reporting and SOX / ICFR, treasury and liquidity, AP / AR and working capital, tax and regulatory compliance, FP&A and forecasting, and internal controls and fraud detection.
Each set of Key Risk Indicators for Finance Departments ties to COSO Internal Control – Integrated Framework, ISO 31000:2018, or SOX Section 404. A US CFO can pull the thresholds straight into the next quarterly audit-committee paper.

Figure 1. Key Risk Indicators for Finance Departments distributed across six categories used in US CFO organizations.
What Are Key Risk Indicators for Finance Departments?
A finance Key Risk Indicator is a leading metric that flags a control failure, a forecasting miss, a cash-flow squeeze, or a fraud event before the audit committee, the auditor, or the regulator finds it. Finance risk covers the loss exposure tied to financial reporting accuracy, treasury solvency, working-capital management, tax compliance, and fraud control.
KPIs measure progress against the close-the-books target. Key Risk Indicators for Finance Departments measure exposure against a documented tolerance.
The same metric (DSO, days cash on hand, account-reconciliation aging) can play either role depending on whether it is reported against a finance-team target or a board-approved risk threshold.
Useful Key Risk Indicators examples on a finance dashboard share four traits. They are measurable, owned by one named officer (controller, treasurer, FP&A lead, tax director, or chief audit executive), calibrated to a green / amber / red threshold, and they move ahead of the close issue or fraud event rather than after it.
How Key Risk Indicators for Finance Departments Differ from KPIs
| Attribute | Key Performance Indicator (KPI) | Finance Key Risk Indicator (KRI) |
| Direction | Measures progress against the finance plan (close days, days payable, forecast accuracy, audit fee variance) | Measures exposure against tolerance (material weakness count, manual-journal-entry volume, reconciliation aging, segregation-of-duties exceptions, days cash on hand) |
| Time view | Lagging or current performance against the finance scorecard | Leading early-warning signal of restatement, going-concern flag, fraud event, or material weakness |
| Trigger | Finance committee review, departmental scorecard, OKRs | Disclosure-committee paper, audit-committee paper, board reporting, 10-K risk-factor disclosure |
| Owner | Controller, treasurer, FP&A lead, tax director, AP / AR lead | CFO and chief audit executive; reported to the audit committee or risk committee |
| Reference | Annual finance plan, OKRs, close-and-consolidation calendar | COSO Internal Control – Integrated Framework (2013), COSO ERM 2017, SOX Section 404, PCAOB Auditing Standards, AICPA SAS, ISO 31000:2018 |
Financial Reporting and SOX Key Risk Indicators for Finance Departments
The Macy’s $151 million concealment ran through accrual journal entries that traditional account-reconciliation review missed for 11 quarters.
The forensic conclusion pointed at journal-entry-volume KRIs, override-rate KRIs, and reconciliation-aging KRIs as the missing controls. SOX KRIs read whether the close-the-books process can support the next 10-K signature without a restatement.
Top 10 Financial Reporting and SOX Key Risk Indicators for Finance Departments
| Financial Reporting / SOX KRI | Green threshold | Amber threshold | Red threshold |
| Material weaknesses open | 0 | 1 | >1 |
| Significant deficiencies open | 0-1 | 2-3 | >3 |
| Account reconciliations >30 days aging | <5 | 5-15 | >15 |
| Manual journal entries / month (% of total) | <10% | 10-25% | >25% |
| Top-side / late-period journal volume | <5 | 5-15 | >15 |
| Restatements (Big-R or little-r) | 0 | 1 | >1 |
| Audit adjustments above materiality (qtr) | 0 | 1-2 | >2 |
| Close cycle-time vs. plan (days) | <=plan | 1-3 over | >3 over |
| SOX control-testing failure rate | <5% | 5-10% | >10% |
| Segregation-of-duties exceptions open | 0 | 1-3 | >3 |
Manual-journal-entry volume above 25% of total entries is the SOX KRI most US controllers under-watch. It is the same control gap LogicManager flagged in its post-mortem on Macy’s. Track top-side and late-period journals separately; both deserve their own threshold.
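The sketch below is an added example, not code from the article or from any vendor tool. It computes four of the KRIs in the table from a journal-entry extract and bands them with the table's thresholds. The record fields, the three-day definition of "late-period", the preparer-equals-approver test for a segregation-of-duties exception, and the sample data are all assumptions made for illustration; top-side entries are not modelled separately.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# (amber_floor, red_floor) per KRI, copied from the table above:
# green below amber_floor, amber up to red_floor inclusive, red above it.
BANDS = {
    "manual_je_pct": (10.0, 25.0),   # <10% / 10-25% / >25%
    "late_period_je": (5, 15),       # <5 / 5-15 / >15
    "recs_over_30d": (5, 15),        # <5 / 5-15 / >15
    "sod_exceptions": (1, 3),        # 0 / 1-3 / >3
}

@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    source: str      # "manual" or "system" (assumed ERP source flag)
    preparer: str
    approver: str
    posted: date

@dataclass(frozen=True)
class Reconciliation:
    account: str
    due: date
    completed: Optional[date]   # None means still open

def band(kri, value):
    """Map a KRI value to green / amber / red using the table's bands."""
    amber_floor, red_floor = BANDS[kri]
    if value > red_floor:
        return "red"
    return "amber" if value >= amber_floor else "green"

def compute_kris(entries, recs, period_end, late_window_days=3):
    manual = [e for e in entries if e.source == "manual"]
    values = {
        "manual_je_pct": round(100 * len(manual) / len(entries), 1) if entries else 0.0,
        # Assumption: late-period = manual entry posted in the last
        # late_window_days of the period, or after period end.
        "late_period_je": sum((period_end - e.posted).days <= late_window_days for e in manual),
        # Open reconciliations more than 30 days past their due date.
        "recs_over_30d": sum(r.completed is None and (period_end - r.due).days > 30 for r in recs),
        # Assumption: SOD exception = manual entry approved by its own
        # preparer, or posted with no approver at all.
        "sod_exceptions": sum((not e.approver) or e.approver == e.preparer for e in manual),
    }
    return {kri: (value, band(kri, value)) for kri, value in values.items()}

def breaches(kris):
    """KRIs in amber or red: the ones that need an owner and an escalation."""
    return sorted(k for k, (_, b) in kris.items() if b != "green")

def sample_ledger():
    """Constructed sample data for one month-end close; not real records."""
    period_end = date(2024, 9, 30)
    entries = [JournalEntry(f"S{i}", "system", "erp", "erp-auto", date(2024, 9, 1 + i % 25))
               for i in range(28)]
    entries += [JournalEntry(f"M{i}", "manual", "clerk_a", "ctrl_b", date(2024, 9, 10))
                for i in range(6)]
    entries += [JournalEntry(f"L{i}", "manual", "clerk_a", "ctrl_b", date(2024, 9, 29))
                for i in range(4)]
    entries += [JournalEntry(f"X{i}", "manual", "acct_c", "acct_c", date(2024, 10, 2))
                for i in range(2)]
    recs = [Reconciliation("2100-accrued-freight", date(2024, 6, 30), None),
            Reconciliation("1200-accounts-receivable", date(2024, 8, 31), None),
            Reconciliation("1000-cash", date(2024, 8, 31), date(2024, 9, 5))]
    return entries, recs, period_end

if __name__ == "__main__":
    for kri, (value, colour) in compute_kris(*sample_ledger()).items():
        print(f"{kri:16} {value:>6} {colour}")
```

On the constructed ledger, manual entries are 12 of 40 postings, so the manual-journal share lands in red while the late-period count and the self-approved entries land in amber.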
Treasury and Liquidity Key Risk Indicators for Finance Departments
Days cash on hand and the 90-day cash-forecast accuracy are the treasury KRIs every CFO watches first.
The 2023 regional-bank failures and the higher-rate environment through 2024 made cash-buffer thresholds tighter at most US public companies and private firms. Treasury KRIs read solvency, FX exposure, and counterparty concentration as a single dashboard.
Top 9 Treasury and Liquidity Key Risk Indicators for Finance Departments
| Treasury / Liquidity KRI | Green threshold | Amber threshold | Red threshold |
| Days Cash on Hand | >=120 | 60-119 | <60 |
| 90-day cash forecast accuracy | >=95% | 85-94% | <85% |
| Covenant headroom (lowest covenant) | >15% | 5-15% | <5% |
| Bank counterparty concentration (top 1) | <35% | 35-50% | >50% |
| Uninsured deposit balance ($M) | <$10M | $10-50M | >$50M |
| Open FX exposure unhedged (% of plan) | <10% | 10-25% | >25% |
| Idle cash balance vs. plan | +/-5% | 5-15% | >15% |
| Working-capital line drawn (% of facility) | <50% | 50-80% | >80% |
| Wire / ACH override events (per qtr) | 0 | 1-2 | >2 |

Figure 2. US finance reporting and audit data points 2024 driving the Key Risk Indicators for Finance Departments that belong on a 2026 audit-committee paper.
AP, AR and Working Capital Key Risk Indicators for Finance Departments
The Macy’s concealment touched delivery accruals and never moved cash. Most finance fraud cases are quieter and show up first as reconciliation failures or AR-aging changes. AP and AR KRIs read working-capital health and the operating discipline that keeps quarter-end accruals honest.
Top 9 AP, AR and Working Capital Key Risk Indicators for Finance Departments
| AP / AR / WC KRI | Green threshold | Amber threshold | Red threshold |
| DSO vs. plan (days) | <=plan | 1-5 over | >5 over |
| DPO vs. plan (days) | +/-2 | +/-5 | >+/-5 |
| AR aging > 90 days (% of total) | <5% | 5-10% | >10% |
| Bad-debt write-off rate (rolling 12 mo) | <0.5% | 0.5-1.5% | >1.5% |
| AR / AP duplicate or override events | <5 | 5-15 | >15 |
| Vendor master changes >+/- 5% / month | <3 | 3-7 | >7 |
| Customer credit-limit overrides (qtr) | <5 | 5-15 | >15 |
| 3-way match exception rate | <3% | 3-7% | >7% |
| Inventory days vs. plan | +/-5 | 5-15 | >15 |
3-way match exception rate above 7% almost always lands on the next internal audit plan. Above 10%, expect an external-audit comment. The fix is rarely about the AP team; it is almost always about purchase-order, receiving, and master-data hygiene upstream.
Tax and Regulatory Compliance Key Risk Indicators for Finance Departments
Tax KRIs hold the line between an effective tax rate that holds and a Q4 surprise that hits EPS. State-level economic-nexus expansion, OECD Pillar Two implementation in EU subsidiaries, and the IRS Inflation Reduction Act enforcement push moved tax-provision adjustments and uncertain-tax-position reserves to the front of the audit-committee paper through 2025.
Top 8 Tax and Regulatory Compliance Key Risk Indicators for Finance Departments
| Tax / Regulatory KRI | Green threshold | Amber threshold | Red threshold |
| Tax provision adjustments (Q4 true-up $) | <$1M | $1-10M | >$10M |
| Uncertain tax positions reserve change | <5% | 5-15% | >15% |
| Open tax audits / inquiries (count) | <3 | 3-7 | >7 |
| State-nexus coverage gap (count) | 0 | 1-3 | >3 |
| Transfer-pricing documentation aging (mo) | <12 | 12-24 | >24 |
| Sales-and-use-tax filings late (qtr) | 0 | 1-2 | >2 |
| Pillar Two / GILTI exposure variance | <5% | 5-15% | >15% |
| Tax-payment SOX control exceptions | 0 | 1-2 | >2 |

Figure 3. Illustrative threshold dashboard showing Key Risk Indicators for Finance Departments across categories with green / amber / red bands.
FP&A and Forecasting Key Risk Indicators for Finance Departments
Forecast variance against actuals is the FP&A KRI investors and analysts watch most closely. A 6%+ deviation between guidance and actual EPS lands on every sell-side note within hours of release.
FP&A KRIs read the data quality, scenario discipline, and modeling integrity that produce the guidance line in the first place.
Top 9 FP&A and Forecasting Key Risk Indicators for Finance Departments
| FP&A / Forecasting KRI | Green threshold | Amber threshold | Red threshold |
| Forecast variance (revenue, qtr) | <2% | 2-5% | >5% |
| Forecast variance (EBIT / EPS, qtr) | <3% | 3-8% | >8% |
| Guidance revisions per year | 0-1 | 2-3 | >3 |
| Budget-to-actual variance (opex) | <5% | 5-15% | >15% |
| Capex variance vs. plan (qtr) | <10% | 10-25% | >25% |
| Scenario / sensitivity coverage | >=3 cases | 1-2 cases | 0 cases |
| Driver-tree coverage on guidance KPIs | >=90% | 75-89% | <75% |
| FP&A model integrity findings | 0 | 1-2 | >2 |
| Earnings-call surprise vs. consensus | +/-2% | 2-5% | >5% |
Internal Controls and Fraud Detection Key Risk Indicators for Finance Departments
The PCAOB’s 2024 Spotlight reported a 20% Big 4 aggregate Part I.A deficiency rate, with revenue recognition, ICFR testing, and accounting estimates as the most-cited concerns.
Internal-controls and fraud-detection KRIs read whether the company’s first-line and second-line controls catch the issue before the external auditor or a Wall Street Journal headline does.
Top 9 Internal Controls and Fraud Detection Key Risk Indicators for Finance Departments
| Internal Controls / Fraud KRI | Green threshold | Amber threshold | Red threshold |
| Whistleblower hotline tips (qtr) | >=3 | 1-2 | 0 |
| Internal audit findings open >180d | <5 | 5-15 | >15 |
| Internal audit coverage of high-risk areas | 100% | 85-99% | <85% |
| Continuous-monitoring rule exceptions | <10 | 10-50 | >50 |
| Privileged-access SOD violations open | 0 | 1-3 | >3 |
| Fraud cases opened (per year) | <2 | 2-5 | >5 |
| Fraud loss recovery rate | >=50% | 20-49% | <20% |
| Code-of-conduct attestations (annual) | 100% | 95-99% | <95% |
| Forensic / IV&V findings open | <3 | 3-7 | >7 |
Whistleblower hotline volume reads inversely. Zero tips in a quarter is a red flag, not a green one.
ACFE research consistently shows tips drive over 40% of fraud detection. A hotline that records nothing usually has an awareness problem, not a perfect-control problem.
How to Implement Key Risk Indicators for Finance Departments
Standing up a finance KRI program is a six-step exercise inside the wider enterprise risk management framework. The reference texts are COSO Internal Control – Integrated Framework, COSO ERM 2017, ISO 31000:2018, and the PCAOB Auditing Standards.
Six Steps to Deploy Key Risk Indicators for Finance Departments
- Step 1. Anchor in the finance taxonomy: Tie each KRI to one of the six categories so dashboard movement maps to a treatable exposure rather than a status-meeting talking point.
- Step 2. Calibrate thresholds: Set green / amber / red bands using internal trend, peer benchmarks, the close-the-books calendar, and the audit-committee-approved risk appetite statement.
- Step 3. Assign owners: Every KRI gets one named officer. SOX KRIs go to the controller; treasury KRIs to the treasurer; AP / AR KRIs to the shared-services lead; FP&A KRIs to the head of FP&A; tax KRIs to the tax director; fraud KRIs to the chief audit executive.
- Step 4. Define escalation: Document what happens at each band: who is notified, the response window, the disclosure-committee trigger, the audit-committee trigger, and the full-board paper threshold.
- Step 5. Automate collection: Pull data from the ERP, treasury workstation, GRC tool, FP&A platform, tax-provision system, hotline, and continuous-monitoring rules into a single finance KRI workbench updated weekly.
- Step 6. Review monthly and quarterly: Finance team reviews KRIs weekly, the disclosure committee monthly, and the audit-and-risk committee quarterly. Recalibrate thresholds at each major reporting milestone (10-Q, 10-K, year-end audit).
Common Pitfalls in Key Risk Indicators for Finance Departments
Implementation failures around Key Risk Indicators for Finance Departments repeat at every company size.
At Fortune 500 retailers like Macy’s and 50-person growth-stage SaaS firms alike, the traps below show up in PCAOB inspection reports, restatement filings, and post-mortem audit-committee papers.
| Pitfall | Root cause | Remedy |
| Status-color reports treated as risk reports | Project status (green / yellow / red) substituted for KRI thresholds | Track KRIs separately with their own thresholds; close colors describe the period, KRIs describe specific exposure |
| Manual-journal volume unmonitored | JE volume tracked at year-end audit, not monthly | Add manual JE volume, top-side JEs, and late-period JEs as separate monthly KRIs |
| Reconciliation aging only at year-end | Aging reviewed at the SOX 404 walkthrough rather than quarter close | Track reconciliations >30 days aging weekly; escalate any open at quarter-end |
| Tax surprises every Q4 | Provision computed at year-end without leading indicators | Add tax provision adjustment trends, UTP reserve changes, and state-nexus coverage gaps as quarterly KRIs |
| Treasury counterparty blind spot | Bank concentration tracked only when a covenant breach lands | Add bank counterparty top-1 share and uninsured deposit balance as standing KRIs |
| Hotline silence read as good news | Quarter with zero tips celebrated rather than investigated | Set the green threshold for tips per quarter at >=3; investigate any quarter with zero |
| Vanity dashboards | Beautiful charts no committee acts on | Tie each amber / red band to a triggered action; track action closure as a meta-KRI |
Frequently Asked Questions About Key Risk Indicators for Finance Departments
What are the most important Key Risk Indicators for Finance Departments?
The seven most important Key Risk Indicators for Finance Departments are material weaknesses open, manual journal entries as a percentage of total, account reconciliations aging >30 days, days cash on hand, 90-day cash forecast accuracy, DSO vs. plan, and whistleblower hotline tips per quarter.
Together they cover the dominant 2026 finance-risk drivers across reporting, treasury, working capital, and fraud detection. Add 30 to 45 more across the six categories for a complete CFO program.
How many Key Risk Indicators for Finance Departments should a company track?
Most US public companies and large private firms run 40 to 55 Key Risk Indicators for Finance Departments in total, with 8 to 12 elevated to the audit-and-risk committee or full board each quarter. Tracking fewer than 25 leaves blind spots that show up in the next PCAOB inspection or short-seller report.
Tracking more than 70 invites monitoring fatigue and dilutes board attention. The right number scales with revenue scale, segment count, and regulatory tier (SOX issuer vs. private-company), not with the size of the GRC platform catalog.
How do Key Risk Indicators for Finance Departments differ from KPIs?
Key Risk Indicators for Finance Departments measure exposure against a tolerance, while KPIs measure progress against a plan target. A KPI tells the controller whether the close was on time. A KRI tells the audit committee whether the quality of the close created a restatement risk for the next 10-Q signature.
The same metric (close days, manual JE volume, DSO) can serve both purposes if its threshold (KRI) and target (KPI) are documented separately and reported side by side in the disclosure-committee pack.
Which standards govern Key Risk Indicators for Finance Departments?
The dominant references are COSO Internal Control – Integrated Framework (2013), COSO ERM 2017, SOX Section 404, the PCAOB Auditing Standards (especially AS 2201), AICPA Statements on Auditing Standards, ISO 31000:2018, the IIA’s International Professional Practices Framework, and the FASB Accounting Standards Codification.
US public companies add SEC Regulation S-X and S-K disclosure rules. Banks add FDIC and Federal Reserve guidance. Healthcare adds HITRUST and HHS-OCR controls. SaaS and tech companies add AICPA SOC 2 and ASC 606 revenue-recognition KRIs.
How often should Key Risk Indicators for Finance Departments be reviewed?
Finance KRIs should be measured continuously where the ERP and treasury workstation permit. Review weekly at the controllership and treasury operating level, monthly at the disclosure committee, and quarterly at the audit-and-risk committee or full board.
SOX, treasury, and fraud KRIs warrant real-time alerts. Tax and FP&A KRIs typically run on a monthly cadence. Internal-audit-coverage KRIs anchor on the annual audit plan with quarterly progress updates. Recalibrate thresholds at each 10-K signature, not at calendar year-end alone.
How does Macy’s 2024 fraud change Key Risk Indicators for Finance Departments?
Macy’s $151 million 11-quarter concealment moved manual-journal-entry volume, top-side journal volume, segregation-of-duties exceptions, and reconciliation aging from generic SOX checks to monthly board-paper KRIs across most US public-company CFO organizations. Continuous-monitoring rules expanded coverage to vendor-master changes and accrual-account aging.
Audit committees added a single-account-owner SOD KRI specifically to track high-risk concentration similar to the Macy’s setup. The lesson stuck: a control gap that runs three years quietly is not a one-quarter close issue, it is a board-level KRI.
How do Key Risk Indicators for Finance Departments support the audit committee?
Finance KRIs feed the quarterly audit-committee paper through a tiered rollup. Function dashboards (controllership, treasury, FP&A, tax, AP / AR, internal audit) aggregate to the enterprise heat map, with the top 8 to 12 indicators reaching the audit committee on the same agenda as the external-auditor letter and the management representations.
The committee paper should show trend, threshold breach history, owner, and remediation status, anchored to the audit committee’s documented risk appetite. Without that structure, the committee sees colors rather than decision support, and the next 10-Q signature inherits the same blind spots.
Can private companies use the same Key Risk Indicators for Finance Departments as public companies?
Yes, with calibration. A private company can use the same Key Risk Indicators for Finance Departments catalog but should narrow scope to 20 to 30 indicators that match the actual reporting obligation, debt covenants, and audit cadence.
Thresholds change with revenue scale, segment count, and lender requirements, but the metric definitions do not. Most private-company CFOs adopt the catalog ahead of an IPO, sale, refinancing, or first external audit. Discipline and ownership are the binding constraints, not headcount or GRC-tool spend.
Looking Ahead: Key Risk Indicators for Finance Departments in 2026 and 2027
PCAOB and SEC oversight stays elevated through 2026. The 2024 Spotlight made revenue recognition, ICFR testing, and estimates the most-cited deficiency areas across the Big 4. Audit committees will want SOX control-testing failure rate, manual JE volume, and reconciliation aging on every quarterly paper through the 2026 audit cycle.
AI and automation reshape the close-the-books process. Continuous-monitoring rules now scan journal entries, vendor changes, and reconciliations in real time. New finance KRIs emerge: continuous-monitoring rule-exception volume, AI-generated journal review coverage, and finance-team AI tool adoption against the program plan.
Treasury KRIs hold attention after the 2023 regional-bank events. Days cash on hand, uninsured deposit balance, and bank counterparty concentration belong on every quarterly paper through the 2026-2027 rate cycle. Tax KRIs broaden as Pillar Two implementation reaches more US multinationals through 2026.
A live KRI dashboard with monthly recalibration and a clear integrated risk management approach is what holds up under PCAOB inspection, SEC review, audit-committee scrutiny, and short-seller research. Without it, the finance organization rotates through the same concerns until the next Macy’s-scale incident or restatement forces one of them to the top of the agenda.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
