Frequently asked questions
We’ve asked Liz Sandwith to review the most frequently asked questions and provide her informed responses for additional consideration and clarity.
Q: How do you sell performance measures to a docile Board, Audit Committee, CEO, and Senior Management?
- Start with the “Why” — Link to Organizational Value
- Speak Their Language — Use Business Outcomes
- Highlight External Expectations and Standards
- Show the Benefits — What’s In It for Them?
- Make It Easy and Actionable
- Use Stories and Case Studies
- Address Concerns Upfront
- Invite Their Input
- Create an Elevator Pitch - “Performance measurement isn’t just an internal audit requirement—it’s a strategic tool that helps to show how internal audit delivers value, manages risk, and supports your goals. With a few focused, meaningful metrics, we can give you confidence, drive improvement, and ensure we’re always aligned with what matters most to you and the organization.”
Q: Should internal quality assurance reviews include metrics?
Yes, there should be performance measures for quality assurance (QA) processes in internal audit. This is not only best practice but is also explicitly required by the Global Internal Audit Standards (see Standard 8.3 and Standard 12.1).
Examples of measures could include:
- Conformance: % of audits reviewed that conform to internal audit methodology/standards
- Timeliness: % of QA reviews completed within the planned timeframe
- Improvement actions: % of QAIP recommendations implemented within the agreed timescale
- External assessment: rating/outcome of external quality assessment (e.g., “generally conforms”)
- Internal assessment: number of process improvements initiated from QAIP findings
- Training: % of staff trained on QAIP findings or new quality procedures
- Stakeholder feedback: satisfaction with the quality of audit reports/process (from board, management, auditees)
- Documentation: % of audits with complete and accurate workpapers as per QA review
Q: Would you choose to leave out metrics that are somewhat dependent on others for their success (e.g., where management action plan response times are often delayed as there are other prioritized items needing response)?
No, internal audit should not leave out these metrics—but they should be clearly identified as “indicators” rather than direct “measures” of internal audit performance and interpreted with care.
The IIA Performance Measurement Tool document recommends tracking the percentage of recommendations implemented as a key indicator, but notes that this is not solely within internal audit’s control.
Don’t leave out these metrics. Instead, use them thoughtfully, label them clearly, and provide context. They are valuable for showing internal audit’s influence and for driving improvement across the organization.
Q: Should key performance indicators (KPIs) be reported to the audit committee quarterly? Is it best practice for each quarter's results to be cumulative, or should results be restricted to each quarter's individual performance, with a YTD cumulative measure?
Best practice is to report both the quarter’s individual performance and the year-to-date (YTD) cumulative results when presenting internal audit KPIs to the audit committee.
Use both because:
- Quarterly (Individual) Results:
  - Show how the function performed in the most recent period. This helps identify short-term trends, issues, or improvements (e.g., a spike in overdue actions, a drop in stakeholder satisfaction, or a surge in completed audits).
- Year-to-Date (Cumulative) Results:
  - Provide a holistic view of progress against annual targets and allow the audit committee to see whether the function is on track for the year as a whole.
Q: What is the difference between OKRs (objective key results) and KPIs (key performance indicators)?
OKRs are designed to set ambitious goals and track progress toward achieving them. They’re forward-looking and often stretch beyond current capabilities.
KPIs are ongoing metrics that measure performance against predefined benchmarks. They’re more static and focused on business-as-usual activities.
However, they both matter in Internal Audit:
- OKRs help auditors understand whether the organization is moving in the right strategic direction.
- KPIs help auditors verify that day-to-day operations are under control and risks are being managed.
Together, they offer a holistic view—OKRs show where the organization wants to go, and KPIs show how well it's functioning on the way there.
Q: When considering using qualitative performance measures, customer feedback is sometimes misleading. How should we overcome this?
Feedback can be misleading due to:
- Emotional reactions to critical findings or recommendations
- Misunderstanding of audit’s role or scope
- Bias based on personal relationships or expectations
- Fear or defensiveness if the audit exposed weaknesses
- Lack of context (e.g., rating the audit team poorly due to dissatisfaction with the findings)
Combine quantitative ratings with qualitative comments. Use discussions or debriefs to explore feedback in more depth. This helps clarify whether negative feedback is about the process or the message.
Don’t overreact to a single negative response. Trend feedback over time and across engagements to identify consistent issues or strengths.
Help stakeholders understand the purpose of feedback:
- It’s about improving the audit process, not agreeing with findings
- Their input helps internal audit deliver more relevant and effective assurance
Triangulate with other measures, i.e., compare feedback with:
- Implementation rates of recommendations
- Timeliness of audit delivery
- Quality assurance reviews
This helps validate whether feedback aligns with actual performance.
Q: How do we include the client feedback within the qualitative feedback?
Including client (stakeholder) feedback within qualitative performance measures is not only valuable—it’s essential for demonstrating the impact, relevance, and quality of internal audit services.
Use structured methods to gather feedback:
- Post-engagement surveys with open-ended questions
- Debriefing meetings with notes on stakeholder comments
- Interviews or informal conversations documented in audit files
- Annual stakeholder satisfaction surveys
Group feedback into themes (e.g., communication, professionalism, value added). Classify feedback as positive, neutral, or negative.
Q: Stakeholder feedback requests from internal audit can cause customer feedback fatigue as they are often wary of surveys. How might we deal with this?
Customer feedback fatigue is a real and growing challenge—especially in public sector or regulated environments where stakeholders are frequently surveyed. Internal audit can handle this sensitively and strategically by focusing on quality over quantity, timing, and purposeful engagement.
Only ask when it matters. Don’t send a survey after every minor engagement.
Prioritize feedback for:
- High-risk or high-impact audits
- First-time engagements with a stakeholder group
- Strategic or cross-functional audits
Keep it short and focused.
Send the survey after the final report or closing meeting, when the experience is fresh but not overwhelming.
Avoid sending surveys during peak business periods or immediately after a critical finding. Use short debrief conversations or informal feedback sessions rather than formal surveys.
Let stakeholders know why you’re asking for feedback and how it will be used.
Q: Do you have an example of a customer satisfaction survey or questionnaire?
There needs to be some general administrative information initially, and then you could focus on the following:
- Audit Process Evaluation
- Value delivered e.g., How satisfied are you with the overall value provided by the audit? Did the audit help improve your understanding of risks and controls?
- Open Feedback
This format balances quantitative ratings with qualitative insights, helping internal audit teams refine their approach.
Q: When you have qualitative measures like a debriefing meeting after a project or conversation with stakeholders, do you think (or when would you think) it is worth trying to quantify these?
Absolutely, it can be worth quantifying qualitative measures like debriefing meetings or stakeholder conversations—but only if done thoughtfully and ethically.
Quantifying feedback (e.g., rating satisfaction or perceived value on a scale) allows you to monitor changes and improvements across engagements.
Internal audit functions often need to report performance to the audit committee or senior leadership. Quantified qualitative data adds credibility and structure.
When quantifying, don’t oversimplify:
- Numbers can mask nuance: Use them to support—not replace—narrative insights.
- Avoid bias: Ensure feedback is collected consistently and anonymously where possible.
- Respect context: A single critical comment may be more valuable than a dozen generic ratings.
Q: How do you measure qualitative measures?
Measuring qualitative performance measures involves converting subjective, descriptive, or narrative data into structured insights that can be tracked, compared, and used for decision-making.
Group narrative feedback into themes or categories and count frequency.
Assess the tone of qualitative feedback (positive, neutral, negative). You can manually tag sentiment or use tools for automated analysis.
Use trend analysis to show how qualitative performance is evolving, e.g., stakeholder satisfaction with audit communication improved from 3.8 to 4.4 over the past three quarters.
Q: With the Standards' emphasis on competency, do you see this as a stronger reason to include staff education as a performance measure?
Yes, including staff education and training as a performance measure is strongly supported by the Standards’ emphasis on competency—and it is considered best practice.
- Competency is foundational to delivering high-quality, value-adding audit work
- Education and development ensure the team stays current with emerging risks, technologies, and best practices
- Demonstrates commitment to continuous improvement and professional standards
Including staff education as a performance measure is not only justified by the Standards’ focus on competency—it is essential for demonstrating compliance, supporting quality, and driving continuous improvement in your internal audit function.
Q: What are some examples of IT qualitative measures and quantitative measures?
In terms of quantitative measures, here are some examples:
- % of critical vulnerabilities remediated within SLA (service level agreement)
- Number of security incidents detected and resolved per month
- System uptime/availability (%)
- Average time to resolve IT helpdesk tickets
- % of IT projects delivered on time and within budget
- Number of failed backup jobs per month
- % of users completing mandatory security awareness training
- Patch compliance rate (%)
- Number of unauthorized access attempts detected
- Mean time to detect (MTTD) and mean time to respond (MTTR) to incidents
In terms of qualitative measures, here are some examples:
- Stakeholder satisfaction with IT services
- Perceived effectiveness of IT risk management
- Quality of IT governance processes
- User feedback on new system implementations
- Assessment of IT culture and awareness
- Narrative on lessons learned from major incidents
- Alignment of IT strategy with business objectives
Quantitative measures are great for dashboards, trend analysis, and benchmarking.
Qualitative measures provide context, explain the “why” behind the numbers, and capture value that’s hard to quantify.
Q: Do you have any tips for developing achievable performance indicators in a highly bureaucratic public sector?
Here are some suggestions:
- Focus on outcomes that matter to the public and the organization’s mission (e.g., transparency, compliance, service delivery)
- Ensure measures reflect statutory or regulatory requirements
- Use clear, jargon-free language so all staff and stakeholders understand what is being measured and why
- Use surveys, interviews, and narrative feedback to capture value and impact that numbers alone may miss (e.g., stakeholder satisfaction, perceived value)
It is important that you measure the right things to help you achieve your purpose. As the saying goes, ‘what gets measured gets managed,’ but equally, more measures do not mean better performance.
Q: Based on your experience, in what work environments is intrinsic motivation more effective than extrinsic motivation?
Intrinsic motivation tends to be more effective than extrinsic motivation in work environments that foster autonomy, purpose, and mastery. Examples include internal audit, research, consulting, design, and software development.
Why it works: These roles often require problem-solving, critical thinking, and innovation—areas where personal interest and intellectual curiosity drive performance more than external rewards.
Intrinsic motivation is especially powerful when:
- Auditors are trusted to make judgment calls
- They are involved in strategic discussions
- Their work is aligned with organizational improvement and risk reduction
- They are given opportunities to innovate (e.g., using AI (artificial intelligence) or data analytics in audits)
Q: What are some examples of metrics that move the focus away from % delivery achieved towards measurement of the impact of a specific audit?
Shifting from delivery-focused metrics (like "% of audits completed") to impact-focused metrics is a powerful way to demonstrate the strategic value of internal audit.
Impact-Focused Audit Metrics include:
- Implementation Rate of Recommendations
  - What it shows: How many audit recommendations were accepted and implemented within a defined timeframe.
  - Why it matters: Indicates the relevance and practicality of audit findings.
- Risk Reduction Achieved
  - What it shows: The degree to which identified risks were mitigated post-audit.
  - How to measure: Use pre- and post-audit risk scores or heat maps.
  - Example: Reduction in likelihood or impact of a cybersecurity breach after control enhancements.
- Control Maturity Improvement
  - What it shows: Improvement in control design or operating effectiveness.
  - How to measure: Use a control maturity model (e.g., COBIT or a custom scale from 1–5).
  - Example: A process moving from “Defined” to “Managed” after audit intervention.
- Stakeholder Confidence
  - What it shows: Perceived value and trust in the audit function.
  - How to measure: Through targeted interviews or short pulse surveys (avoiding fatigue).
  - Example: “How confident are you that the audit added value to your area?” rated on a scale.
- Strategic Alignment
  - What it shows: How well the audit supports organizational goals.
  - How to measure: Map audit engagements to strategic risks or objectives.
  - Example: % of audits directly linked to the top 5 enterprise risks.
- Time to Resolution
  - What it shows: How quickly issues identified in audits are resolved.
  - Why it matters: Reflects responsiveness and effectiveness of follow-up.
- Innovation or Process Improvement Triggered
  - What it shows: Whether the audit led to new ideas, automation, or redesign.
  - How to measure: Count or describe tangible improvements initiated post-audit.
Q: Is it mandatory to submit or present performance indicators to the board or audit committee for review? This requirement isn’t explicitly mentioned in the Standards.
While the Standards do not use the phrase “mandatory presentation,” they clearly establish that the Chief Audit Executive (CAE) must:
- Develop an internal audit strategy aligned with stakeholder expectations
- Establish performance measures to assess the function’s effectiveness
- Engage the board, audit committee, and senior management in reviewing and agreeing on these measures
This is outlined in:
- Standard 9.2 – Internal Audit Strategy
- Standard 12.2 – Performance Measurement
- Standard 8.1 – Board Interaction
The CAE is expected to collaborate with the board, audit committee, and senior management on strategy and performance measures. This includes discussing, gaining feedback, and securing agreement on what success looks like for internal audit.
Performance indicators should be aligned with the strategy and reviewed periodically. The board/audit committee should be informed of progress, challenges, and improvements.
Even though the Standards don’t mandate a formal “submission,” they expect active engagement with the board/audit committee.
This means:
- Presenting performance indicators is not just best practice — it’s part of conformance
- The board / audit committee should be involved in setting, reviewing, and challenging these metrics
Q: Is it the function of the chief audit executive / internal auditors to develop performance measures? In some organizations it is a co-function of management to develop the performance measurement. Is this appropriate?
Under Standard 12.2 – Performance Measurement, the Chief Audit Executive (CAE) is responsible for:
- Developing and assessing performance objectives for the internal audit function
- Ensuring these objectives reflect stakeholder expectations
- Promoting continual improvement
So yes, the CAE leads the development of performance measures. While the CAE owns the process, the Standards explicitly encourage collaboration with:
- Senior management
- The board or audit committee
This ensures that:
- Performance measures are aligned with organizational priorities
- Internal audit is seen as a strategic partner, not just a compliance function
Q: Outside of using a timesheet, how else can we measure the efficiency of the internal audit team, if we don’t have any software?
While timesheets are a common tool for tracking effort, they don’t fully capture the efficiency or effectiveness of an internal audit team.
Audit Cycle Time
- Definition: Time taken from audit planning to final report issuance
- Why it matters: Shorter cycle times (without compromising quality) indicate streamlined processes and effective execution
Planned vs. Actual Delivery
- Definition: Comparison of planned audit activities vs. those completed within the timeframe
- Efficiency indicator: Helps assess resource utilization and scheduling accuracy
Stakeholder Responsiveness
- Definition: Time taken to respond to stakeholder queries or provide requested information
- Efficiency indicator: Reflects agility and service orientation
Continuous Improvement Contributions
- Definition: Number of process improvements or innovations suggested by internal auditors
- Efficiency indicator: Shows proactive thinking and value beyond assurance
Peer and QA Reviews
- Definition: Internal reviews of audit files for completeness, clarity, and adherence to methodology
- Efficiency indicator: Helps identify bottlenecks or inconsistencies in execution
Q: What are the significant "unseen" issues and the impact on internal audit?
The emergence of “unseen” issues — those not previously captured or anticipated in audit planning or performance measures — is highly significant for internal audit, especially when they come to light as a result of performance measures having been established.
Unseen issues often indicate that existing risk assessments or audit scopes may have missed emerging or systemic risks. This challenges the completeness of the audit plan and the relevance of current performance indicators. As internal audit, we need to document how the audit uncovered unseen issues and what actions or improvements followed.
These stories can be shared with the board to demonstrate value beyond delivery metrics.
Unseen issues are not a failure of planning — they are a signal of evolving risk. Recognizing and integrating them into performance measurement helps internal audit:
- Stay relevant
- Demonstrate strategic foresight
- Build a culture of learning and adaptability