Feature Compliance Strategy
Internal Audit KRIs: Repeat Findings, Delayed Remediation, and Weak Validation
Seven key risk indicators for internal audit health — repeat finding rates, CAP aging, failed validation, closure evidence quality, issue recurrence, management response delays, and risk acceptance patterns for high and critical findings.
Table of Contents
TL;DR
- Audit found it. Management agreed to fix it. Six months later, audit finds it again. This is the most common and most avoidable internal audit failure pattern — and it’s a KRI problem.
- The seven internal audit KRIs that matter: repeat finding rate, CAP aging, failed validation rate, closure evidence quality, issue recurrence, management response delay, and risk acceptance patterns for High and Critical findings.
- The IIA’s 2025 Global Internal Audit Standards now require CAEs to establish and report performance metrics to the board — which means internal audit KRIs are no longer optional; they’re a standards requirement.
- An internal audit function that can’t answer “what percentage of last year’s findings are still open?” without running a report it has never run before doesn’t have a KRI program. It has a status spreadsheet.
The finding was issued in October. Management agreed to remediation by December. The next audit cycle in April tested the same control — and found the same thing.
This sequence happens at most institutions at rates nobody advertises. It’s almost never caused by management failing to care. It’s caused by a corrective action plan process that treats finding closure as a paperwork event rather than a risk management outcome — and an internal audit function that doesn’t have KRIs tracking whether its findings are actually being fixed.
The IIA’s Global Internal Audit Standards, effective January 9, 2025, now require Chief Audit Executives to establish performance metrics, present them to the board for feedback and approval, and document follow-up on management remediation. That makes internal audit KRIs a standards requirement — not a practice reserved for large, mature programs.
These are the seven that close the most common gaps.
Why Internal Audit Needs Its Own KRIs
Most audit functions track findings by status: open, closed, in progress. That’s not a KRI program. It tells you what state findings are in — not whether the audit function’s work is producing durable risk reduction, whether management is genuinely engaged with remediation, or whether the audit plan is calibrated to where recurrence risk is highest.
ISACA’s 2025 follow-up audit framework frames the follow-up process as the audit function’s “impact litmus tool” — the test of whether findings produce actual change or just audit reports. The seven KRIs below operationalize that test into metrics that track across cycles.
KRI 1: Repeat Finding Rate
What it measures: The percentage of findings in the current audit cycle that appeared — fully or substantially — in the prior cycle covering the same area.
Why it matters: A repeat finding is a direct signal that prior-cycle remediation failed. Either the corrective action didn’t address the root cause, or the root cause diagnosis was wrong. Either way, the finding recurred — and that recurrence is trackable as a KRI before the next audit report is issued.
ISACA notes that repeat findings should be flagged in audit implementation status reports and that finding recurrence — particularly in previously closed findings — indicates that closing recommendations did not strengthen the control environment as intended.
| Threshold | Criteria |
|---|---|
| Green | <10% of current-cycle findings overlap with prior-cycle findings in the same audit area |
| Amber | 10–20% repeat rate; each instance has documented root cause re-analysis |
| Red | >20% repeat rate; or any Critical finding repeating from the prior cycle; or repeat finding in an area with a prior regulatory commitment |
Data source: Audit findings register with prior-cycle cross-reference by control area. Requires that prior-cycle findings are tagged by topic and area and remain searchable after closure — a prerequisite most programs need to build explicitly.
The control testing KRI framework is a complementary set: control testing KRIs surface exception patterns from the testing program, while internal audit KRIs track remediation quality on the findings that testing generates. A control test KRI showing rising repeat exceptions in the same area as a repeat audit finding is a strong signal of structural failure.
KRI 2: CAP Aging Rate
What it measures: The percentage of open corrective action plans past their target completion date; separately, the average age of open CAPs measured in days from finding date.
Why it matters: CAP aging is the most common early signal of remediation failure. When plans slip their target dates consistently, it signals that timelines were set unrealistically, that management commitment to remediation is insufficient, or that resources weren’t actually allocated to the fix.
OCC and FDIC examiners look at CAP aging to assess whether management’s commitment to remediation is substantive. Board and audit committee minutes should show management being asked about overdue CAPs — examiners check the minutes for this, and its absence reads as a governance gap.
| Threshold | Criteria |
|---|---|
| Green | <10% of open CAPs past target date; average CAP age <90 days |
| Amber | 10–25% past target; or average CAP age 90–180 days; documented extension rationale for each overdue item |
| Red | >25% past target; or any Critical or High finding with CAP age >180 days; or board hasn’t reviewed overdue CAP summary in the prior quarter |
Data source: Findings register with target completion dates, actual completion dates, and status notes. The delta between target and actual — tracked across all open CAPs — is the core data point.
For the full issue management KRI set covering aging across audit, self-identified, and regulatory findings, the issue management KRI guide covers reopen rates, missed due dates, and escalation patterns in depth.
KRI 3: Failed Validation Rate
What it measures: The percentage of findings marked “closed” that were subsequently validated independently and failed validation — meaning the reported remediation didn’t hold.
Why it matters: Failed validation directly measures whether the corrective action worked — not whether it was completed. It’s distinct from a repeat finding in the next full audit cycle, which may be 12–18 months later. Failed validation can surface within 30–90 days of closure if the validation process is built into the closure workflow.
Origami Risk’s audit findings lifecycle framework identifies independent closure validation as a mandatory step — covering design effectiveness (was the right control implemented?) and operating effectiveness (is it working in practice?). Without it, closure evidence tells you the action was taken, not that the risk was reduced.
| Threshold | Criteria |
|---|---|
| Green | <10% failed validation rate; all High/Critical findings validated independently before closure |
| Amber | 10–20% failed validation; patterns show specific control types or business lines with higher failure rates |
| Red | >20% failed validation; or any Critical finding failing validation; or validation performed by the same business line that implemented the fix |
Data source: Closure documentation linked to validation results. Requires a defined validation process: who validates, when, and what constitutes evidence of effective remediation. The validator should be independent of the team that remediated the finding.
KRI 4: Closure Evidence Quality Rate
What it measures: The percentage of “closed” findings with documented, independent evidence of remediation — vs. self-certification by the business line only.
Why it matters: Self-certified closures are the most common internal audit program weakness flagged in external quality assurance reviews. When the business line that generated the finding is also the entity certifying its closure, there’s no independent check that the root cause was addressed.
The FieldGuide KRI framework for risk advisory and internal audit highlights closure evidence quality as a leading indicator of audit program effectiveness — programs with high self-certification rates have lower demonstrated remediation durability, because self-certification can reflect completion of stated actions without confirmation that the underlying risk was actually reduced.
| Threshold | Criteria |
|---|---|
| Green | ≥90% of closed findings have second-line or internal audit validation evidence; 100% of High/Critical closures have independent validation |
| Amber | 75–90% have independent validation; High/Critical self-certs have compensating review documented |
| Red | <75% have independent validation; or any Critical closure via self-certification only; or closure “evidence” is a management memo rather than test results |
Data source: Closure records linked to validation artifacts. Requires a distinction in your findings tracker between “management confirms action complete” and “second-line or internal audit confirms issue resolved.” These should be separate fields, not the same status flag.
KRI 5: Issue Recurrence Rate
What it measures: The percentage of findings closed in the prior 12–18 months that were subsequently reopened — whether by audit, monitoring, or examiner request.
Why it matters: Recurrence is the long-lag signal of structural remediation failure. CAP aging and failed validation catch problems early. Recurrence catches the cases where the fix worked short-term but wasn’t durable — particularly for findings where root cause analysis identified a people or training issue.
Training-based remediations have the highest recurrence rates: the knowledge transfers, the trained staff turns over, the finding resurfaces 14 months later. Recurrence rate tracked by finding type and root cause category tells you which remediations are failing structurally.
| Threshold | Criteria |
|---|---|
| Green | <5% recurrence rate for findings closed in the prior 18 months |
| Amber | 5–15% recurrence rate; patterns analyzed by finding type and business line |
| Red | >15% recurrence rate; or any Critical finding recurring; or recurrence concentrated in a specific business line or process area with prior regulatory commitments |
Data source: Findings register with reopen events tagged to the original finding ID. Requires keeping finding records beyond closure — most programs archive closed findings in ways that make them invisible to current-cycle analysis.
KRI 6: Management Response Delay Rate
What it measures: The percentage of findings where the management response was submitted past the required response deadline — typically 30 days from finding issuance.
Why it matters: A delayed management response is a governance signal, not a scheduling problem. When business lines consistently miss response deadlines, it indicates that audit findings are not being treated as priority items by management. That’s exactly what an examiner or external auditor reads it as when they review audit committee reporting.
AuditBoard’s KRI development framework notes that tracking escalation and follow-up behaviors — not just finding statuses — gives the audit committee visibility into management engagement quality, which is a distinct risk dimension from finding severity. A business line producing no High findings but consistently submitting responses 45 days late has a different risk profile than one with frequent findings and prompt responses.
| Threshold | Criteria |
|---|---|
| Green | <10% of management responses past deadline; no High/Critical responses past deadline |
| Amber | 10–25% past deadline with documented reasons; or repeated delays from the same business unit |
| Red | >25% past deadline; or any Critical finding with management response >45 days past deadline; or audit committee not informed of chronic delay patterns |
Data source: Findings issuance dates and management response submission dates. Track by business unit — chronic non-responders should be identifiable without building a custom report each cycle.
KRI 7: Risk Acceptance Rate for High and Critical Findings
What it measures: The percentage of open High or Critical findings where management has formally elected to accept the associated risk rather than remediate.
Why it matters: Risk acceptance is a legitimate governance mechanism — not every finding requires a corrective action plan. But the rate of risk acceptance for material findings is a KRI. A rising acceptance rate may signal that severity ratings are being negotiated down before acceptance decisions, that stated risk appetite and actual risk-taking are diverging, or that audit findings aren’t calibrated to business line realities.
The IIA’s 2025 Global Internal Audit Standards require that findings be rated and prioritized and that the audit function track their disposition. Risk acceptance at the High/Critical tier without board-level notification is a governance failure regardless of whether the underlying business decision was reasonable.
| Threshold | Criteria |
|---|---|
| Green | <15% of High/Critical findings accepted as residual risk; each acceptance formally approved at senior management level or above |
| Amber | 15–25% acceptance rate; audit committee informed of pattern; acceptance rationale documented for each instance |
| Red | >25% acceptance rate for High/Critical findings; or risk acceptance decisions made below the required approval level; or board not informed of material risk acceptance decisions within 30 days |
Data source: Findings register with disposition codes: remediate, accept, transfer, partially remediate. Track by severity, business unit, and approver level.
Presenting Internal Audit KRIs to the Audit Committee
The IIA’s 2025 Global Internal Audit Standards require the CAE to establish performance metrics and present them for board feedback and approval. These seven KRIs are the right content — not findings summaries by severity, but metrics indicating whether the audit function’s work is producing durable risk outcomes.
| KRI | Current Quarter | Target | Prior Quarter | YoY |
|---|---|---|---|---|
| Repeat finding rate | — | <10% | — | — |
| CAP aging (% past target) | — | <10% | — | — |
| Failed validation rate | — | <10% | — | — |
| Closure evidence quality | — | ≥90% | — | — |
| Issue recurrence rate | — | <5% | — | — |
| Mgmt response delay rate | — | <10% | — | — |
| Risk acceptance rate (High+) | — | <15% | — | — |
The “Prior Quarter” column shows trend direction. An audit committee that sees a declining repeat finding rate for three consecutive quarters knows the remediation program is improving. One that sees a rising rate has documented grounds to ask management why.
So What?
The audit finding is not the deliverable. The durable risk reduction that follows is. A KRI program that measures whether that reduction happened — and tracks when it didn’t — is how an internal audit function demonstrates its own effectiveness.
Most audit functions are measured by findings count, coverage, and report timeliness. Those are operational metrics. The seven KRIs above are outcome metrics — measuring whether audit’s work changed the risk environment, whether management’s commitments held, and whether the board has visibility to ask the right questions.
The compliance KRIs and program health monitoring framework tracks the four CMS pillars, with the independent audit/review pillar feeding directly into audit closure quality metrics. Cross-reference internal audit KRIs against compliance KRIs quarterly — a monitoring exception rate rising alongside audit repeat findings in the same business line is a signal neither data source communicates alone.
If your audit committee is getting finding summaries but not KRI trends, the Compliance Essentials bundle includes the documentation frameworks and tracking structures that support this level of reporting — including the evidence management and commitment tracking templates that feed directly into closure evidence quality and validation completeness. Get the Compliance Essentials bundle.
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Compliance Essentials
Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What are the most important KRIs for internal audit health?
What does a 'repeat finding' mean in internal audit?
How do regulators view a high CAP aging rate?
What's the difference between closure evidence quality and validation completeness?
What is 'risk acceptance' as a KRI for internal audit?
How do the IIA's 2025 Global Internal Audit Standards change how CAPs should be tracked?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Compliance Essentials
Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.
◆ Keep reading
Related posts.
Compliance Strategy
FinCEN's June 2026 Update Turns Section 314(b) Into a Real-Time Fraud-Fighting Tool
FinCEN's June 12, 2026 guidance expanded the Section 314(b) safe harbor to explicitly cover fraud—wire fraud, bank fraud, mail fraud, computer fraud—without requiring an institution to connect the activity to money laundering first. Here's what changed, why it matters for BSA programs, and what enrollment and real-time sharing actually look like in practice.
Jul 8, 2026
Compliance Strategy
Risk Register Template: Free Download vs. Paid vs. Building Your Own
Free risk register template, paid toolkit, or build from scratch? An honest three-way comparison — time to deploy, coverage, maintenance, and when each wins.
Jul 8, 2026
Compliance Strategy
OCC's 2026 Exam Rightsizing: What Community Banks Should Stop Doing—and What Still Gets You Written Up
Effective January 1, 2026, OCC Bulletin 2025-24 eliminated mandatory examination activities that aren't required by law for community banks. That means fair lending risk assessments and flood insurance transaction testing are no longer mandatory every exam cycle. Here's what actually changed, what didn't, and where compliance teams are misreading this shift.
Jul 7, 2026