Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Compliance Strategy

Internal Audit KRIs: Repeat Findings, Delayed Remediation, and Weak Validation

Seven key risk indicators for internal audit health — repeat finding rates, CAP aging, failed validation, closure evidence quality, issue recurrence, management response delays, and risk acceptance patterns for high and critical findings.

Table of Contents

TL;DR

  • Audit found it. Management agreed to fix it. Six months later, audit finds it again. This is the most common and most avoidable internal audit failure pattern — and it’s a KRI problem.
  • The seven internal audit KRIs that matter: repeat finding rate, CAP aging, failed validation rate, closure evidence quality, issue recurrence, management response delay, and risk acceptance patterns for High and Critical findings.
  • The IIA’s 2025 Global Internal Audit Standards now require CAEs to establish and report performance metrics to the board — which means internal audit KRIs are no longer optional; they’re a standards requirement.
  • An internal audit function that can’t answer “what percentage of last year’s findings are still open?” without running a report it has never run before doesn’t have a KRI program. It has a status spreadsheet.

The finding was issued in October. Management agreed to remediation by December. The next audit cycle in April tested the same control — and found the same thing.

This sequence happens at most institutions at rates nobody advertises. It’s almost never caused by management failing to care. It’s caused by a corrective action plan process that treats finding closure as a paperwork event rather than a risk management outcome — and an internal audit function that doesn’t have KRIs tracking whether its findings are actually being fixed.

The IIA’s Global Internal Audit Standards, effective January 9, 2025, now require Chief Audit Executives to establish performance metrics, present them to the board for feedback and approval, and document follow-up on management remediation. That makes internal audit KRIs a standards requirement — not a practice reserved for large, mature programs.

These are the seven that close the most common gaps.


Why Internal Audit Needs Its Own KRIs

Most audit functions track findings by status: open, closed, in progress. That’s not a KRI program. It tells you what state findings are in — not whether the audit function’s work is producing durable risk reduction, whether management is genuinely engaged with remediation, or whether the audit plan is calibrated to where recurrence risk is highest.

ISACA’s 2025 follow-up audit framework frames the follow-up process as the audit function’s “impact litmus tool” — the test of whether findings produce actual change or just audit reports. The seven KRIs below operationalize that test into metrics that track across cycles.


KRI 1: Repeat Finding Rate

What it measures: The percentage of findings in the current audit cycle that appeared — fully or substantially — in the prior cycle covering the same area.

Why it matters: A repeat finding is a direct signal that prior-cycle remediation failed. Either the corrective action didn’t address the root cause, or the root cause diagnosis was wrong. Either way, the finding recurred — and that recurrence is trackable as a KRI before the next audit report is issued.

ISACA notes that repeat findings should be flagged in audit implementation status reports and that finding recurrence — particularly in previously closed findings — indicates that closing recommendations did not strengthen the control environment as intended.

ThresholdCriteria
Green<10% of current-cycle findings overlap with prior-cycle findings in the same audit area
Amber10–20% repeat rate; each instance has documented root cause re-analysis
Red>20% repeat rate; or any Critical finding repeating from the prior cycle; or repeat finding in an area with a prior regulatory commitment

Data source: Audit findings register with prior-cycle cross-reference by control area. Requires that prior-cycle findings are tagged by topic and area and remain searchable after closure — a prerequisite most programs need to build explicitly.

The control testing KRI framework is a complementary set: control testing KRIs surface exception patterns from the testing program, while internal audit KRIs track remediation quality on the findings that testing generates. A control test KRI showing rising repeat exceptions in the same area as a repeat audit finding is a strong signal of structural failure.


KRI 2: CAP Aging Rate

What it measures: The percentage of open corrective action plans past their target completion date; separately, the average age of open CAPs measured in days from finding date.

Why it matters: CAP aging is the most common early signal of remediation failure. When plans slip their target dates consistently, it signals that timelines were set unrealistically, that management commitment to remediation is insufficient, or that resources weren’t actually allocated to the fix.

OCC and FDIC examiners look at CAP aging to assess whether management’s commitment to remediation is substantive. Board and audit committee minutes should show management being asked about overdue CAPs — examiners check the minutes for this, and its absence reads as a governance gap.

ThresholdCriteria
Green<10% of open CAPs past target date; average CAP age <90 days
Amber10–25% past target; or average CAP age 90–180 days; documented extension rationale for each overdue item
Red>25% past target; or any Critical or High finding with CAP age >180 days; or board hasn’t reviewed overdue CAP summary in the prior quarter

Data source: Findings register with target completion dates, actual completion dates, and status notes. The delta between target and actual — tracked across all open CAPs — is the core data point.

For the full issue management KRI set covering aging across audit, self-identified, and regulatory findings, the issue management KRI guide covers reopen rates, missed due dates, and escalation patterns in depth.


KRI 3: Failed Validation Rate

What it measures: The percentage of findings marked “closed” that were subsequently validated independently and failed validation — meaning the reported remediation didn’t hold.

Why it matters: Failed validation directly measures whether the corrective action worked — not whether it was completed. It’s distinct from a repeat finding in the next full audit cycle, which may be 12–18 months later. Failed validation can surface within 30–90 days of closure if the validation process is built into the closure workflow.

Origami Risk’s audit findings lifecycle framework identifies independent closure validation as a mandatory step — covering design effectiveness (was the right control implemented?) and operating effectiveness (is it working in practice?). Without it, closure evidence tells you the action was taken, not that the risk was reduced.

ThresholdCriteria
Green<10% failed validation rate; all High/Critical findings validated independently before closure
Amber10–20% failed validation; patterns show specific control types or business lines with higher failure rates
Red>20% failed validation; or any Critical finding failing validation; or validation performed by the same business line that implemented the fix

Data source: Closure documentation linked to validation results. Requires a defined validation process: who validates, when, and what constitutes evidence of effective remediation. The validator should be independent of the team that remediated the finding.


KRI 4: Closure Evidence Quality Rate

What it measures: The percentage of “closed” findings with documented, independent evidence of remediation — vs. self-certification by the business line only.

Why it matters: Self-certified closures are the most common internal audit program weakness flagged in external quality assurance reviews. When the business line that generated the finding is also the entity certifying its closure, there’s no independent check that the root cause was addressed.

The FieldGuide KRI framework for risk advisory and internal audit highlights closure evidence quality as a leading indicator of audit program effectiveness — programs with high self-certification rates have lower demonstrated remediation durability, because self-certification can reflect completion of stated actions without confirmation that the underlying risk was actually reduced.

ThresholdCriteria
Green≥90% of closed findings have second-line or internal audit validation evidence; 100% of High/Critical closures have independent validation
Amber75–90% have independent validation; High/Critical self-certs have compensating review documented
Red<75% have independent validation; or any Critical closure via self-certification only; or closure “evidence” is a management memo rather than test results

Data source: Closure records linked to validation artifacts. Requires a distinction in your findings tracker between “management confirms action complete” and “second-line or internal audit confirms issue resolved.” These should be separate fields, not the same status flag.


KRI 5: Issue Recurrence Rate

What it measures: The percentage of findings closed in the prior 12–18 months that were subsequently reopened — whether by audit, monitoring, or examiner request.

Why it matters: Recurrence is the long-lag signal of structural remediation failure. CAP aging and failed validation catch problems early. Recurrence catches the cases where the fix worked short-term but wasn’t durable — particularly for findings where root cause analysis identified a people or training issue.

Training-based remediations have the highest recurrence rates: the knowledge transfers, the trained staff turns over, the finding resurfaces 14 months later. Recurrence rate tracked by finding type and root cause category tells you which remediations are failing structurally.

ThresholdCriteria
Green<5% recurrence rate for findings closed in the prior 18 months
Amber5–15% recurrence rate; patterns analyzed by finding type and business line
Red>15% recurrence rate; or any Critical finding recurring; or recurrence concentrated in a specific business line or process area with prior regulatory commitments

Data source: Findings register with reopen events tagged to the original finding ID. Requires keeping finding records beyond closure — most programs archive closed findings in ways that make them invisible to current-cycle analysis.


KRI 6: Management Response Delay Rate

What it measures: The percentage of findings where the management response was submitted past the required response deadline — typically 30 days from finding issuance.

Why it matters: A delayed management response is a governance signal, not a scheduling problem. When business lines consistently miss response deadlines, it indicates that audit findings are not being treated as priority items by management. That’s exactly what an examiner or external auditor reads it as when they review audit committee reporting.

AuditBoard’s KRI development framework notes that tracking escalation and follow-up behaviors — not just finding statuses — gives the audit committee visibility into management engagement quality, which is a distinct risk dimension from finding severity. A business line producing no High findings but consistently submitting responses 45 days late has a different risk profile than one with frequent findings and prompt responses.

ThresholdCriteria
Green<10% of management responses past deadline; no High/Critical responses past deadline
Amber10–25% past deadline with documented reasons; or repeated delays from the same business unit
Red>25% past deadline; or any Critical finding with management response >45 days past deadline; or audit committee not informed of chronic delay patterns

Data source: Findings issuance dates and management response submission dates. Track by business unit — chronic non-responders should be identifiable without building a custom report each cycle.


KRI 7: Risk Acceptance Rate for High and Critical Findings

What it measures: The percentage of open High or Critical findings where management has formally elected to accept the associated risk rather than remediate.

Why it matters: Risk acceptance is a legitimate governance mechanism — not every finding requires a corrective action plan. But the rate of risk acceptance for material findings is a KRI. A rising acceptance rate may signal that severity ratings are being negotiated down before acceptance decisions, that stated risk appetite and actual risk-taking are diverging, or that audit findings aren’t calibrated to business line realities.

The IIA’s 2025 Global Internal Audit Standards require that findings be rated and prioritized and that the audit function track their disposition. Risk acceptance at the High/Critical tier without board-level notification is a governance failure regardless of whether the underlying business decision was reasonable.

ThresholdCriteria
Green<15% of High/Critical findings accepted as residual risk; each acceptance formally approved at senior management level or above
Amber15–25% acceptance rate; audit committee informed of pattern; acceptance rationale documented for each instance
Red>25% acceptance rate for High/Critical findings; or risk acceptance decisions made below the required approval level; or board not informed of material risk acceptance decisions within 30 days

Data source: Findings register with disposition codes: remediate, accept, transfer, partially remediate. Track by severity, business unit, and approver level.


Presenting Internal Audit KRIs to the Audit Committee

The IIA’s 2025 Global Internal Audit Standards require the CAE to establish performance metrics and present them for board feedback and approval. These seven KRIs are the right content — not findings summaries by severity, but metrics indicating whether the audit function’s work is producing durable risk outcomes.

KRICurrent QuarterTargetPrior QuarterYoY
Repeat finding rate<10%
CAP aging (% past target)<10%
Failed validation rate<10%
Closure evidence quality≥90%
Issue recurrence rate<5%
Mgmt response delay rate<10%
Risk acceptance rate (High+)<15%

The “Prior Quarter” column shows trend direction. An audit committee that sees a declining repeat finding rate for three consecutive quarters knows the remediation program is improving. One that sees a rising rate has documented grounds to ask management why.


So What?

The audit finding is not the deliverable. The durable risk reduction that follows is. A KRI program that measures whether that reduction happened — and tracks when it didn’t — is how an internal audit function demonstrates its own effectiveness.

Most audit functions are measured by findings count, coverage, and report timeliness. Those are operational metrics. The seven KRIs above are outcome metrics — measuring whether audit’s work changed the risk environment, whether management’s commitments held, and whether the board has visibility to ask the right questions.

The compliance KRIs and program health monitoring framework tracks the four CMS pillars, with the independent audit/review pillar feeding directly into audit closure quality metrics. Cross-reference internal audit KRIs against compliance KRIs quarterly — a monitoring exception rate rising alongside audit repeat findings in the same business line is a signal neither data source communicates alone.

If your audit committee is getting finding summaries but not KRI trends, the Compliance Essentials bundle includes the documentation frameworks and tracking structures that support this level of reporting — including the evidence management and commitment tracking templates that feed directly into closure evidence quality and validation completeness. Get the Compliance Essentials bundle.

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What are the most important KRIs for internal audit health?
The seven KRIs that best indicate internal audit program health are: repeat finding rate (same issue in consecutive audit cycles), CAP aging (days from finding to target vs. actual completion), failed validation rate (findings closed then re-failed on independent test), closure evidence quality rate (% with documented independent evidence vs. self-cert), issue recurrence rate (findings reopened within 12–18 months of closure), management response delay rate, and risk acceptance rate for high and critical findings.
What does a 'repeat finding' mean in internal audit?
A repeat finding occurs when internal audit identifies an issue in one cycle, management commits to remediation, and the same finding appears — fully or substantially — in the next audit cycle covering the same area. Repeat findings signal that either the remediation was ineffective or the root cause diagnosis was wrong. The IIA's 2025 Global Internal Audit Standards require audit functions to rate and prioritize findings and track follow-up; repeat rates above 15–20% of total findings are treated as a program-level issue.
How do regulators view a high CAP aging rate?
OCC and FDIC examiners treat CAP aging as a management commitment quality signal. When corrective action plans consistently run past their target dates — particularly for High or Critical findings — examiners interpret this as evidence that management commitment to remediation is weak. Board meeting minutes should reflect that management has been asked about overdue items; if they don't, examiners read the absence as a governance gap, not just an oversight.
What's the difference between closure evidence quality and validation completeness?
Closure evidence quality asks whether there is any documentation supporting the closure. Validation completeness asks whether that documentation was produced by an independent reviewer — second-line or internal audit — rather than the business line that generated the finding. A finding with self-certification has evidence but lacks independent validation. Examiners and external auditors distinguish between these, particularly for High and Critical findings.
What is 'risk acceptance' as a KRI for internal audit?
Risk acceptance occurs when management formally elects to accept a finding's associated risk rather than remediate the underlying control. It's a legitimate governance mechanism — but risk acceptance rates for High and Critical findings are a KRI. A rising acceptance rate for material findings signals that management may be accepting risk inconsistent with stated risk appetite, or that audit severity ratings are not calibrated to management's actual risk tolerance.
How do the IIA's 2025 Global Internal Audit Standards change how CAPs should be tracked?
The IIA's Global Internal Audit Standards, effective January 9, 2025, require the Chief Audit Executive to establish performance metrics for the internal audit function and present them to the board for feedback and approval. The standards also require that findings be rated and prioritized, and that follow-up on management remediation be documented. This means the board should now receive internal audit KRIs — including CAP aging and repeat finding rates — as part of standard audit committee reporting, not just findings summaries.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Compliance Essentials

Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.