Special thanks to Terry Owen for contributing this article on internal audit KPI metrics.
Do you manage your audit projects or do they manage you?
I worked in a high-volume audit shop where our team of 12 auditors and 2 support staff issued nearly 100(!) audit reports each year. Additionally, we performed risk analysis of potential audit objectives, followed up on previous audits, attended regular training, and responded to inquiries by anyone that had an axe to grind or a bone to pick.
Our world without solid internal audit KPI metrics
Each audit project was tracked by the auditor on a spreadsheet on our shared drive. The process was prone to error, so management didn’t always trust the statuses found in the spreadsheet.
Too often audit projects would fall through the cracks. It was always THAT audit. You know the one…the kind that triggers unwanted attention for your organization.
We also tended to either overload or underload auditors with audits and work.
The team leaders that scheduled audits estimated, based upon their experience, how long each phase of an audit would take. They set budgets based upon their guess-ti-mates as well.
Auditors in the trenches know that no two audits are alike, at least not if you’re really performing risk-based auditing. You never know what you will find until you start digging into the audit evidence.

We also didn’t have solid data on how much time audit staff were attending training, meetings, and non-audit functions instead of performing actual audit work. More often than not, the goals set for each auditor were unreasonable and unachievable. Consequently, that’s a morale buster for even the most professional among us.
In short, we didn’t have internal audit KPI metrics to help us manage our work and audit risk. (KPI stands for key performance indicators, by the way.)
The pain pushed us to improve
We intuitively knew a large number of other pain points in our processes, too. They prevented us from working more efficiently, assessing risk more accurately, and completing more audits with the same staff levels.
Luckily, our dedicated staff came with a wide-range of experience from 3 months to over 25 years. We heard plenty of new ideas as well as hard-earned wisdom. Our diverse staff had one thing in common: They knew we could do better. They were willing to roll up their sleeves and get to work. But, where to begin?
We stopped and redesigned our processes
Our team spent two entire days combing through our processes, step-by-step, to understand the current state. We also identified all of the tasks, sub-tasks, redundancies, and inefficiencies.
In some cases, the way we thought things worked, was not how they worked at all.
We weren’t capturing information, including the risk areas for a given audit. If we had the information, we knew it would help us understand when or if the same area should be audited again in the future.
In summary, we weren’t capturing high-value information to help us assess future risks and become more effective as an organization.
From that exercise we developed an ideal state.
Our ideal state
As Peter Druker said, “You can’t manage what you can’t measure.” So, we added collecting internal audit KPI metrics to each audit. Our ideal state:
From our quest to find the ideal state, we developed a virtuous cycle addressing most of our pain-points, while eliminating redundancies. We discovered a lot of wasted effort in our processes.
In other words, an effective audit shop needs reliable and relevant internal audit KPI metrics and a system in place to track them.
We needed IT support and leading indicators
With the support of IT professionals, we developed a web-based solution to track each audit near-real-time. At the conclusion of each audit, the auditor calculated a new risk score and populated that information into the tool.
The more we learned, the more we relied on leading indicators of risk rather than lagging indicators.
Internal audit KPI metrics allowed management to reduce waste
Team leaders used all this captured information when they created subsequent annual audit plans. As a result, they cut planning time over 25% in the first year. Management clearly saw why a particular audit was included in the plan based upon hard data, rather than by whim.
We collected hours of data for each phase of each audit. Additionally, hours for training, meetings, and non-audit functions were captured to give us a staff-utilization rate, plus a clearer picture of where we spent our time.
When management and staff reviewed this information, they clearly saw where time and effort were wasted.
Each audit project was given a numerical complexity score. The higher the number, the more complex the audit was likely to be. Then, we developed a range of reasonable hours values for each phase of an audit based upon the complexity of a given audit.
The total hours for each phase were used to assign audits and budget total hours for each staff member. The tool tracked negotiated completion dates for each audit to aid staff and management to schedule and manage the project.
The results were worth the effort
Now, everyone quickly saw how each audit progressed and what phase of the audit it was in! As a result, over-scheduling and under-scheduling of auditors’ assignments was cut in half over a two-year period. Improvement continued as we collected more data.
It required almost an entire operating cycle for audit staff to realize that taking a couple of minutes each day to capture this information saved them both hours of time and the frustration of trying to manage too many projects.
Also, it saved management the embarrassment of over-promising and under-delivering on the annual audit plan.
Obviously, we didn’t solve every problem identified; however, we found solutions for those to give us the most bang for the buck.
It became easier to track each audit project and where it was at in the process. The days of an audit falling through the cracks were in the past because each staff member had a dashboard listing all audits assigned to them.
The fruit of our labor was dramatic. Developing and refining these internal audit KPI metrics made our audit shop rock in just one operating cycle. By the end of year two, we refined our processes even more.
We also provided training to staff members on project management techniques and other skills to make them more effective team members. These critical skills not only helped them be better auditors, it made them better business professionals.
The result was to finally manage our audit projects, instead of the audit projects managing us.
Retention of staff improved and everyone felt a sense of pride and ownership for what they had achieved.
Looking for high-quality and convenient CPE?
We have you covered! Our live webinars are a great choice if you want the learning to come to you. Just log on at the scheduled time and enjoy wherever you are! Here are a few of our upcoming courses:
- Mar 21: Microsoft 365 Deep Dive for Government Auditors (4 CPE hours)
- Mar 24-28: Virtual Audit Bootcamp (20 hours + 7 bonus self-study hours = 27 CPE hours)
- Mar 31: Audits That Matter: The Role of Engagement (2 CPE hours)
- Apr 8: Smarter Risk Assessments for Government Auditors (4 CPE hours)
- Apr 10: Generative AI Case Studies: Lessons Learned in Public Sector Audit Shops (2 CPE hours)
Need to do things at your own speed, but still get all your credits? Plan your CPE around your life, not the other way around! Yellowbook-CPE.com has dozens of self-study courses, including the Jumbo Bundle. This great value provides access to ALL our entertaining self-study courses for one full year at a low price.