On November 25, 2024, Macy’s delayed its Q3 earnings release after discovering a single accountant had concealed $151 million in small-parcel delivery expenses across 11 consecutive quarters from Q4 2021 through November 2024. The control gap that allowed the concealment to persist was a textbook internal-audit miss.
The board-level Key Risk Indicators for Internal Audit that would have flagged the trajectory (continuous-auditing rule coverage on accrual journals, audit plan coverage of high-risk delivery-cost accounts, manual-journal-entry sample testing, and reconciliation aging analytics) ran below threshold or were absent entirely.
Macy’s recognized $4.36 billion in delivery expenses across the same 11-quarter window. The concealment ran at 3.5% of the bucket and stayed under the materiality threshold the audit team scoped.
| Key Takeaways |
| --- |
| A 2026 program of Key Risk Indicators for Internal Audit covers six categories: audit plan coverage and risk assessment, audit execution and performance, findings and issue closure, independence / conformance / quality assurance, resources / staffing / skills, and continuous auditing and data analytics. |
| The IIA Global Internal Audit Standards became effective January 9, 2025. The single 120-page document holds five domains, 15 principles, and 52 standards, replacing the prior IPPF mandatory elements. Domains III and IV (Governing and Managing the Internal Audit Function) tighten board and CAE accountability for performance measurement. |
| Macy’s disclosed on November 25, 2024 that a single accountant concealed $151 million in delivery expenses across 11 quarters from Q4 2021 to Q3 2024 by manipulating accrual entries. Continuous-auditing analytics and journal-entry KRIs would have flagged the volume and pattern years before the press release. |
| The IIA’s 2025 North American Pulse of Internal Audit reported CAE GenAI use jumped from 15% to 40% in a single year. Approximately one-third of CAEs now hold ERM oversight responsibility (up from 24% nine years earlier). Funding insufficiency was reported by 47% of CAEs. |
| Big 4 PCAOB Part I.A deficiency rate landed at 20% in 2024, with revenue recognition, ICFR testing, and accounting estimates as the most-cited concerns. Internal audit functions track external-audit deficiency themes as a leading indicator for management-action work. |
| Standards: IIA Global Internal Audit Standards (2024, effective January 9, 2025), IIA International Professional Practices Framework, IIA Three Lines Model (2020), COSO Internal Control – Integrated Framework, COSO ERM 2017, ISO 31000:2018, and ISO 19011:2018 management-systems auditing. |
| Most US Fortune-500 internal audit functions run 35 to 50 Key Risk Indicators for Internal Audit, with 8 to 12 elevated to the audit committee each quarter. Tracking fewer than 25 leaves blind spots; tracking more than 60 dilutes audit-committee attention. |
Macy’s lands inside a wider profession-level reset. The IIA’s Global Internal Audit Standards became effective January 9, 2025, the first major rewrite in years. The new framework holds five domains, 15 principles, and 52 standards.
The IIA’s 2025 North American Pulse reported CAE GenAI use rising from 15% in 2024 to 40% in 2025, with data analytics named as the top skill CAEs want to enhance among staff.
Six categories anchor the dashboard below: audit plan coverage and risk assessment, audit execution and performance, findings and issue closure, independence / conformance / quality assurance, resources / staffing / skills, and continuous auditing and data analytics.
Each set of Key Risk Indicators for Internal Audit ties to the IIA Global Internal Audit Standards, ISO 31000:2018, or COSO Internal Control – Integrated Framework. A US chief audit executive can pull the thresholds straight into the next quarterly audit-committee paper.

Figure 1. Key Risk Indicators for Internal Audit distributed across six categories used in US chief audit executive organizations.
What Are Key Risk Indicators for Internal Audit?
An internal-audit Key Risk Indicator is a leading metric that flags an audit-function failure (plan coverage gaps, execution slippage, findings-aging blow-out, conformance issue, or analytics blind spot) before the audit committee, the external auditor, or the regulator finds out first.
Internal-audit risk covers the loss exposure tied to the function’s ability to deliver assurance on the organization’s risk and control environment.
KPIs measure progress against the audit plan. Key Risk Indicators for Internal Audit measure exposure against a documented tolerance.
The same metric (engagement cycle time, finding closure rate, audit-plan completion) can play either role depending on whether it is reported against an audit-team target or an audit-committee-approved risk threshold.
Useful Key Risk Indicators examples on an internal-audit dashboard share four traits. They are measurable, owned by one named role (CAE, audit director, head of QAR, head of analytics), calibrated to a green / amber / red threshold, and they move ahead of the audit-committee question rather than after it.
How Key Risk Indicators for Internal Audit Differ from KPIs
| Attribute | Key Performance Indicator (KPI) | Internal-Audit Key Risk Indicator (KRI) |
| --- | --- | --- |
| Direction | Measures progress against the audit plan (engagements completed, hours utilization, training hours, stakeholder survey score) | Measures exposure against tolerance (high-risk universe coverage gap, findings open > 180 days, QAR aging, independence findings, continuous-auditing rule coverage gap) |
| Time view | Lagging or current performance against the audit scorecard | Leading early-warning signal of audit-committee escalation, conformance issue, control-failure miss, or external-auditor reliance reduction |
| Trigger | Audit team review, weekly stand-up, monthly engagement review | Audit-committee paper, board reporting, external QAR, conformance certification |
| Owner | CAE, audit director, engagement manager | Chief audit executive; reported to the audit committee |
| Reference | Annual audit plan, OKRs, engagement scorecards | IIA Global Internal Audit Standards (2024), IIA Three Lines Model, COSO Internal Control, COSO ERM 2017, ISO 31000:2018, ISO 19011:2018 |
Audit Plan Coverage and Risk Assessment Key Risk Indicators for Internal Audit
Macy’s accrual-account testing fell outside the 2022-2024 audit plan coverage even though delivery-cost accounting was a top-five expense bucket.
Plan-coverage-and-risk-assessment KRIs read whether the audit universe is current, whether high-risk areas get covered on cycle, and whether the risk assessment refresh actually drives next year’s plan.
Top 9 Audit Plan Coverage and Risk Assessment Key Risk Indicators for Internal Audit
| Plan Coverage / Risk Assessment KRI | Green threshold | Amber threshold | Red threshold |
| --- | --- | --- | --- |
| Annual audit-plan completion (%) | >=95% | 85-94% | <85% |
| High-risk audit-universe coverage (%) | >=95% | 85-94% | <85% |
| Risk-assessment refresh aging (months) | <12 | 12-18 | >18 |
| Audit universe completeness | >=98% | 90-97% | <90% |
| Coverage gap on top-10 enterprise risks | 0 | 1-2 | >2 |
| Plan deviations approved without record | 0 | 1-3 | >3 |
| New entity / acquisition coverage delay | <6 mo | 6-12 mo | >12 mo |
| Combined assurance map gaps | <5 | 5-15 | >15 |
| Stakeholder-input cycles per year | >=2 | 1 | 0 |
High-risk audit-universe coverage is the plan-coverage KRI most US CAEs underwrite carefully.
A function operating below 85% coverage on the top-10 enterprise risks faces an audit-committee question that no number of completed engagements will answer.
Audit Execution and Performance Key Risk Indicators for Internal Audit
The IIA’s 2025 Pulse reported funding insufficiency at 47% of CAEs and a 13-point gap in funding for functions fully aligned to strategy.
Audit-execution-and-performance KRIs read whether the team delivers planned engagements on time, on budget, and at the documented quality bar.
Top 10 Audit Execution and Performance Key Risk Indicators for Internal Audit
| Audit Execution / Performance KRI | Green threshold | Amber threshold | Red threshold |
| --- | --- | --- | --- |
| Average engagement cycle time (days) | <60 | 60-90 | >90 |
| Engagement budget overruns (%) | <10% | 10-25% | >25% |
| Audit-budget variance vs. plan (%) | +/-5% | 5-15% | >15% |
| Hours utilization rate | 75-85% | 60-75% | <60% / >90% |
| Engagements with scope changes >25% | <10% | 10-25% | >25% |
| Engagement workpaper-review aging (d) | <14 | 14-30 | >30 |
| Reports issued > 60 days post-fieldwork | <10% | 10-25% | >25% |
| Stakeholder-survey average score | >=4.0 | 3.0-3.9 | <3.0 |
| Engagement-quality findings open | <3 | 3-7 | >7 |
| Repeat findings on prior-audit areas | <3 | 3-7 | >7 |

Figure 2. US internal audit profession data points 2024-2025 driving the Key Risk Indicators for Internal Audit that belong on a 2026 audit-committee paper.
Findings and Issue Closure Key Risk Indicators for Internal Audit
Findings without remediation are findings that did not happen. Findings-and-issue-closure KRIs read open management actions, severity-1 finding aging, repeat finding rate, and the closure pattern that decides whether the audit function actually moves the dial on control health.
Top 10 Findings and Issue Closure Key Risk Indicators for Internal Audit
| Findings / Closure KRI | Green threshold | Amber threshold | Red threshold |
| --- | --- | --- | --- |
| Open audit findings > 180 days | <10 | 10-25 | >25 |
| High-severity findings open > 60 days | 0 | 1-3 | >3 |
| High-severity findings open (total) | <5 | 5-10 | >10 |
| Repeat-finding rate (% of new findings) | <10% | 10-25% | >25% |
| Open management actions overdue | <10 | 10-30 | >30 |
| Action-closure validation completed (%) | >=95% | 85-94% | <85% |
| Findings reopened after closure (qtr) | 0 | 1-3 | >3 |
| Material weakness count (SOX) | 0 | 1 | >1 |
| Significant deficiencies open (SOX) | 0-1 | 2-3 | >3 |
| Audit-committee-escalated findings (qtr) | <3 | 3-7 | >7 |
Repeat-finding rate above 25% almost always lands on the next QAR external assessment. Above 35%, expect a no-better-than-partially-conforms finding from the QAR team.
The fix is rarely about the audit team; it is almost always about management-action quality and audit-committee follow-through.
Independence, Conformance and QAR Key Risk Indicators for Internal Audit
The IIA Global Internal Audit Standards Domain II (Ethics and Professionalism) and Domain III (Governing the Internal Audit Function) tightened independence and quality-assurance expectations.
Independence-conformance-and-QAR KRIs read whether the function operates within professional bounds and whether the external assessment cycle stays current.
Top 8 Independence, Conformance and QAR Key Risk Indicators for Internal Audit
| Independence / Conformance / QAR KRI | Green threshold | Amber threshold | Red threshold |
| --- | --- | --- | --- |
| External QAR aging (years since last) | <5 | 5 | >5 |
| Internal QAR completed annually | Yes | Partial | No |
| Conformance rating (last QAR) | Generally | Partially | Does not |
| Independence findings (annual) | 0 | 1 | >1 |
| CAE reporting line to audit committee | Direct | Dotted | None |
| Non-audit / consulting hours (%) | <20% | 20-30% | >30% |
| Code of ethics attestations on file | 100% | 95-99% | <95% |
| External-auditor reliance reductions | 0 | 1 | >1 |

Figure 3. Illustrative threshold dashboard showing Key Risk Indicators for Internal Audit across categories with green / amber / red bands.
Resources, Staffing and Skills Key Risk Indicators for Internal Audit
The IIA’s 2024 Pulse reported 26% of CAEs increased staff against 9% who decreased. The 2025 Pulse made data analytics the top skill CAEs want to enhance.
Resources-staffing-and-skills KRIs read whether the function has the people, hours, and capabilities to deliver the plan and run the analytics that keep up with management’s risk environment.
Top 8 Resources, Staffing and Skills Key Risk Indicators for Internal Audit
| Resources / Staffing / Skills KRI | Green threshold | Amber threshold | Red threshold |
| --- | --- | --- | --- |
| Vacancy rate | <5% | 5-10% | >10% |
| Voluntary attrition (rolling 12 mo) | <10% | 10-20% | >20% |
| Staff with CIA / CISA / CFE certification | >=60% | 40-59% | <40% |
| Average training hours / auditor / yr | >=40 | 20-39 | <20 |
| Co-source / outsource ratio (% hours) | 10-30% | <10% / 30-50% | >50% |
| Hot-skill coverage (analytics, cyber, AI) | >=80% | 60-79% | <60% |
| CAE tenure (years) | 3-7 | 1-2 / 7-10 | <1 / >10 |
| Funding-sufficiency self-rating | Sufficient | Somewhat | Insufficient |
Continuous Auditing and Data Analytics Key Risk Indicators for Internal Audit
The IIA Pulse reported CAE GenAI use jumped from 15% in 2024 to 40% in 2025, the fastest year-over-year shift in recent profession history.
Continuous-auditing-and-data-analytics KRIs read whether the function actually uses data analytics, AI, and continuous monitoring rules at the cadence that catches a Macy’s-shaped event before it runs to 11 quarters.
Top 9 Continuous Auditing and Data Analytics Key Risk Indicators for Internal Audit
| Continuous Auditing / Analytics KRI | Green threshold | Amber threshold | Red threshold |
| --- | --- | --- | --- |
| Continuous-auditing rule coverage (%) | >=80% | 60-79% | <60% |
| Engagements using data analytics (%) | >=85% | 65-84% | <65% |
| High-risk processes under continuous monitoring | >=80% | 60-79% | <60% |
| GenAI / automation tools deployed (count) | >=3 | 1-2 | 0 |
| Continuous-auditing exception SLA (days) | <7 | 7-30 | >30 |
| Data-quality findings on audit data | <5 | 5-15 | >15 |
| Anomaly-detection rule false-positive rate | <20% | 20-40% | >40% |
| Manual-journal-entry analytics coverage | 100% | 85-99% | <85% |
| Vendor-master-change analytics coverage | 100% | 85-99% | <85% |
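A continuous-auditing rule of the kind this section describes, as an added example (not from the original article, and not data from the Macy’s case). The constructed journal entries keep one preparer's manual accrual adjustments at 3.5% of quarterly expense, under an assumed 5% per-quarter scope, and the rule flags the cumulative same-direction drift instead. Account names, preparer ids, MATERIALITY_PCT and MIN_STREAK are assumptions.

```python
from collections import defaultdict

MATERIALITY_PCT = 0.05  # assumption: per-quarter scoping threshold (share of expense)
MIN_STREAK = 3          # assumption: same-direction quarters required before alerting

# Constructed sample data, USD millions. Negative = entry that lowers expense.
QUARTERS = ["2021Q4", "2022Q1", "2022Q2", "2022Q3", "2022Q4", "2023Q1"]
EXPENSE = {q: 400.0 for q in QUARTERS}   # recognized expense per quarter
ENTRIES = []                              # (quarter, account, preparer, source, amount)
for q, true_up in zip(QUARTERS, [6.0, -5.0, 4.0, -6.0, 5.0, -4.0]):
    ENTRIES.append((q, "delivery_accrual", "system", "auto", 400.0))
    ENTRIES.append((q, "delivery_accrual", "prep_a", "manual", -14.0))  # 3.5% each quarter
    ENTRIES.append((q, "delivery_accrual", "prep_b", "manual", true_up))  # normal true-ups


def per_quarter_test(entries, expense):
    """Scoped test: one quarter's manual adjustments vs that quarter's threshold."""
    totals = defaultdict(float)
    for quarter, account, preparer, source, amount in entries:
        if source == "manual":
            totals[(quarter, account, preparer)] += amount
    return sorted(k for k, t in totals.items()
                  if abs(t) > MATERIALITY_PCT * expense[k[0]])


def cumulative_test(entries, expense):
    """Flag a preparer/account pair whose manual adjustments run in the same
    direction for MIN_STREAK quarters and whose running total exceeds the
    current quarter's threshold. Quarters with no manual entry from that
    preparer are skipped rather than breaking the streak (a simplification)."""
    net = defaultdict(float)  # (account, preparer, quarter) -> net manual amount
    for quarter, account, preparer, source, amount in entries:
        if source == "manual":
            net[(account, preparer, quarter)] += amount

    running = defaultdict(float)
    streak = defaultdict(int)
    last_sign = {}
    alerts = []
    # "YYYYQn" labels sort chronologically as plain strings.
    for account, preparer, quarter in sorted(net):
        key = (account, preparer)
        amount = net[(account, preparer, quarter)]
        sign = (amount > 0) - (amount < 0)
        if sign != 0 and sign == last_sign.get(key):
            streak[key] += 1
        else:
            streak[key] = 1 if sign else 0
        last_sign[key] = sign
        running[key] += amount
        limit = MATERIALITY_PCT * expense[quarter]
        if streak[key] >= MIN_STREAK and abs(running[key]) > limit:
            alerts.append((quarter, account, preparer, round(running[key], 2)))
    return alerts


if __name__ == "__main__":
    print("per-quarter exceptions:", per_quarter_test(ENTRIES, EXPENSE))
    for alert in cumulative_test(ENTRIES, EXPENSE):
        print("cumulative alert:", alert)
```

The per-quarter test returns no exceptions on this data, while the cumulative rule alerts from the third quarter onward and leaves the preparer with offsetting true-ups alone.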
How to Implement Key Risk Indicators for Internal Audit
Standing up an internal-audit KRI program is a six-step exercise inside the wider enterprise risk management framework. The reference texts are the IIA Global Internal Audit Standards, COSO Internal Control – Integrated Framework, ISO 31000:2018, and ISO 19011:2018 management-systems auditing.
Six Steps to Deploy Key Risk Indicators for Internal Audit
- Step 1. Anchor in the audit-function taxonomy: Tie each KRI to one of the six categories so dashboard movement maps to a treatable exposure rather than a status-meeting talking point.
- Step 2. Calibrate thresholds: Set green / amber / red bands using internal trend, peer benchmarks, the IIA Pulse data, and the audit-committee-approved risk appetite statement.
- Step 3. Assign owners: Every KRI gets one named role. Plan-coverage KRIs go to the head of audit planning; execution KRIs to audit directors; findings KRIs to the head of issue management; QAR KRIs to the QAR program lead; resource KRIs to the CAE chief of staff; analytics KRIs to the head of audit data and AI.
- Step 4. Define escalation: Document what happens at each band: who is notified, the response window, the audit-committee-chair pre-brief, and the full audit-committee paper threshold. Align with the audit-committee charter and IIA Standards Domain III governance expectations.
- Step 5. Automate collection: Pull data from the audit-management system, GRC tool, issue-tracking platform, time-tracking tool, training system, continuous-auditing rule engine, and HRIS into a single internal-audit KRI workbench updated weekly.
- Step 6. Review monthly and quarterly: Audit leadership reviews KRIs weekly during fieldwork-heavy periods and monthly otherwise. The audit committee reviews the elevated 8 to 12 KRIs each quarter alongside the audit-plan progress report and the management-action remediation update. Recalibrate thresholds after each external QAR.
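Steps 2, 4 and 5 in code, as an added example that is not part of the original article: it parses the green / amber / red cell notation used in the tables on this page, classifies constructed readings, and lists what needs escalation. Only numeric cells are supported (cells such as "+/-5%" or "<6 mo" raise an error), and treating a reading that matches no band as escalation-worthy is an assumption.

```python
import re

BANDS = ("green", "amber", "red")  # best to worst, same order as the table columns
_NUM = r"(\d+(?:\.\d+)?)"


def parse_band(cell):
    """Turn one cell such as '>=95%', '85-94%' or '<60% / >90%' into predicates."""
    preds = []
    for part in cell.replace("%", "").split("/"):
        part = part.strip()
        m = re.fullmatch(r"(>=|<=|>|<)\s*" + _NUM, part)
        if m:
            op, n = m.group(1), float(m.group(2))
            preds.append({
                ">=": lambda v, n=n: v >= n,
                "<=": lambda v, n=n: v <= n,
                ">": lambda v, n=n: v > n,
                "<": lambda v, n=n: v < n,
            }[op])
            continue
        m = re.fullmatch(_NUM + r"\s*-\s*" + _NUM, part)
        if m:
            lo, hi = float(m.group(1)), float(m.group(2))
            preds.append(lambda v, lo=lo, hi=hi: lo <= v <= hi)
            continue
        m = re.fullmatch(_NUM, part)
        if m:
            n = float(m.group(1))
            preds.append(lambda v, n=n: v == n)
            continue
        raise ValueError(f"unsupported band notation: {cell!r}")
    return preds


def classify(value, green, amber, red):
    """Worst matching band wins on overlap; 'undefined' marks a gap between bands."""
    matched = [name for name, cell in zip(BANDS, (green, amber, red))
               if any(p(value) for p in parse_band(cell))]
    return matched[-1] if matched else "undefined"


# Readings are constructed; the threshold cells are copied from the tables above.
READINGS = [
    ("High-risk audit-universe coverage (%)", 94.5, ">=95%", "85-94%", "<85%"),
    ("Hours utilization rate, team A", 87, "75-85%", "60-75%", "<60% / >90%"),
    ("Hours utilization rate, team B", 75, "75-85%", "60-75%", "<60% / >90%"),
    ("Open audit findings > 180 days", 31, "<10", "10-25", ">25"),
    ("Continuous-auditing rule coverage (%)", 58, ">=80%", "60-79%", "<60%"),
    ("High-severity findings open > 60 days", 0, "0", "1-3", ">3"),
]


def evaluate(readings):
    return [(name, value, classify(value, g, a, r)) for name, value, g, a, r in readings]


def needs_escalation(results):
    # Assumption: a reading no band covers is escalated like a red one,
    # because the threshold definition itself needs recalibrating.
    return [(name, band) for name, _, band in results if band in ("red", "undefined")]


if __name__ == "__main__":
    for row in evaluate(READINGS):
        print(row)
```

Readings of 94.5% coverage and 87% utilization match none of the published bands, which is the calibration gap to close before the thresholds go into an automated workbench.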
Common Pitfalls in Key Risk Indicators for Internal Audit
Implementation failures around Key Risk Indicators for Internal Audit repeat at every audit-function size.
In Fortune 500 CAE organizations and 5-person internal-audit shops alike, the traps below show up in QAR external assessments, IIA conformance findings, and audit-committee post-mortems.
| Pitfall | Root cause | Remedy |
| --- | --- | --- |
| Hours utilization reported as the only metric | Audit-function performance reduced to billable-hours-equivalent thinking | Track hours utilization as one KPI; pair with risk-coverage and finding-closure KRIs that measure outcome rather than activity |
| Findings-aging blind spot | Open findings counted at year-end; aging tracked once a year for the audit committee | Track open findings > 180 days, high-severity > 60 days, and overdue management actions monthly with escalation thresholds |
| Continuous-auditing aspiration without delivery | Roadmap signed; rule coverage stuck below 30% | Track continuous-auditing rule coverage as a standing KRI; tie audit-team performance reviews to deployed rules |
| QAR aging quietly past five years | External QAR planned and slipped year over year | Track external QAR aging as a single KRI with red at >5 years; align with IIA Standards conformance requirement |
| Independence findings buried | Non-audit consulting work tracked separately from audit hours | Track non-audit consulting as a percentage of total hours; surface independence findings as a standing KRI |
| Stakeholder survey gamed | Survey scope limited to engaged business owners | Add audit-committee chair score, external auditor reliance score, and regulator-feedback score as separate KRIs |
| Vanity dashboards | Beautiful charts the audit committee never references | Tie each amber / red band to a triggered action; track action closure as a meta-KRI |
Frequently Asked Questions About Key Risk Indicators for Internal Audit
What are the most important Key Risk Indicators for Internal Audit?
The seven most important Key Risk Indicators for Internal Audit are annual audit-plan completion, high-risk audit-universe coverage, open findings > 180 days, high-severity findings open, external QAR aging, continuous-auditing rule coverage, and open management actions overdue.
Together they cover the dominant 2026 internal-audit risk drivers across plan, execution, findings, conformance, and analytics. Add 25 to 40 more across the six categories for a complete CAE program aligned to the IIA Global Internal Audit Standards.
How many Key Risk Indicators for Internal Audit should a function track?
Most US Fortune-500 internal-audit functions run 35 to 50 Key Risk Indicators for Internal Audit in total, with 8 to 12 elevated to the audit committee each quarter. Tracking fewer than 25 leaves blind spots that surface in the next external QAR or audit-committee chair pre-brief.
Tracking more than 60 invites monitoring fatigue and dilutes audit-committee attention. The right number scales with audit-function size, audit-universe scope, and IIA Standards conformance posture, not with the size of the audit-management platform catalog.
How do Key Risk Indicators for Internal Audit differ from KPIs?
Key Risk Indicators for Internal Audit measure exposure against a tolerance, while KPIs measure progress against a plan target. A KPI tells the audit director whether the engagement closed on time.
A KRI tells the audit committee whether the function’s coverage gap on top-10 enterprise risks is heading toward an external-auditor reliance reduction.
The same metric (engagement cycle time, finding closure rate, plan completion) can serve both purposes if its threshold (KRI) and target (KPI) are documented separately and reported side by side in the audit-committee paper.
Which standards govern Key Risk Indicators for Internal Audit?
The dominant references are the IIA Global Internal Audit Standards (2024, effective January 9, 2025), the IIA International Professional Practices Framework, the IIA Three Lines Model (2020), COSO Internal Control – Integrated Framework, COSO ERM 2017, ISO 31000:2018, and ISO 19011:2018.
US public companies add SOX Section 404 and the PCAOB Auditing Standards. Banks add OCC Heightened Standards and the FFIEC IT examination handbook.
Healthcare adds the HHS-OIG audit framework. Defense contractors add CMMC 2.0 and DCAA audit guidance. SaaS providers add SOC 2 Type II as a customer-contractual driver.
How often should Key Risk Indicators for Internal Audit be reviewed?
Internal-audit KRIs should be measured continuously where the audit-management system, GRC tool, and continuous-auditing rule engine permit.
Audit leadership reviews them weekly during fieldwork-heavy periods, monthly at the audit-leadership team meeting, and quarterly at the audit committee.
Plan-coverage and findings-aging KRIs warrant real-time alerts. QAR aging and conformance KRIs run on annual cycles.
Continuous-auditing and analytics KRIs anchor on monthly review of rule performance and exception aging. Recalibrate thresholds after each external QAR and at each plan-refresh cycle.
How do the new IIA Global Internal Audit Standards change Key Risk Indicators for Internal Audit?
The IIA Global Internal Audit Standards effective January 9, 2025 sharpened performance-measurement and accountability expectations across Domains III and IV. CAEs now report explicitly to the board on internal-audit performance, conformance, and the function’s ability to fulfill its mandate.
The change moved external QAR aging, conformance rating, plan-coverage gaps, and stakeholder-survey scores from internal scorecards to audit-committee-paper KRIs. Most US Fortune-500 functions completed a KRI catalog refresh through 2024 and 2025 to align.
How do Key Risk Indicators for Internal Audit support the audit committee?
Internal-audit KRIs feed the quarterly audit-committee paper through a tiered rollup. Function-level dashboards aggregate to the enterprise heat map, with the top 8 to 12 indicators reaching the audit committee on the same agenda as the audit-plan progress report and the management-action remediation update.
The committee paper should show trend, threshold breach history, owner, and remediation status, anchored to the audit-committee-approved risk appetite. Without that structure, the committee sees activity color rather than decision support, and the next 10-K internal-control disclosure inherits the same blind spots.
Can small internal-audit functions use the same Key Risk Indicators for Internal Audit as Fortune 500?
Yes, with calibration. A 3-to-10-person internal-audit shop can use the same Key Risk Indicators for Internal Audit catalog but should narrow scope to 15 to 20 indicators that match the actual audit-universe size, audit-committee cadence, and conformance posture.
Thresholds change with revenue scale, regulatory tier, and audit-committee maturity, but the metric definitions do not. Small functions typically adopt the catalog ahead of an external QAR, an IPO, or a major control-environment change such as a material acquisition or new SOX-issuer status.
Looking Ahead: Key Risk Indicators for Internal Audit in 2026 and 2027
IIA Global Internal Audit Standards conformance pressure intensifies through 2026. External QAR teams test against the new five-domain, 15-principle structure rather than the 2017 IPPF mandatory elements.
Plan-coverage gaps, findings aging, and conformance ratings move higher on quarterly audit-committee papers.
GenAI and analytics adoption accelerates further. CAE GenAI use rose from 15% to 40% in one year per the IIA Pulse. New KRIs emerge: AI tools deployed in audit, AI model assurance coverage, and prompt-engineering-quality findings.
Continuous-auditing rule coverage on critical processes (manual journals, vendor master, privileged-access exceptions) becomes table stakes.
ERM, fraud, and SOX remain the dominant CAE additional responsibilities. Approximately one-third of CAEs hold ERM oversight, 47% hold fraud, and 36% hold SOX per the IIA’s 2025 Pulse. The Macy’s case continues to drive findings-aging and continuous-monitoring KRI tightening across CFO and audit-committee papers.
A live KRI dashboard with quarterly recalibration and a clear integrated risk management approach is what holds up under external QAR, audit-committee, regulator, and external-auditor reliance review. Without it, the audit function rotates through the same concerns until the next Macy’s-scale event or conformance finding forces one of them to the top of the agenda.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
