Wed, Jan 2, 2019
ByProtiviti KnowledgeLeader

An effective business process is built on a set of well-defined and clearly stated business objectives. These key objectives articulate the ideal performance results that the company expects from that process. To monitor a business process so that it stays focused on reaching the key objectives, the company chooses appropriate performance measures. Careful selection of the performance measures takes a company a long way toward improving a business process. Thus, to build and continually improve an effective business process, a company establishes:

  • Key objectives to articulate the performance results the company expects from the business process
  • Outcome measures to determine whether the company has reached the key objectives
  • Activity measures to monitor the performance of those activities that are instrumental in reaching the key objectives.

The following table shows key objectives for conducting internal audits, the outcome measures associated with each objective and the activity measures that drive each outcome measure. A link connects each outcome measure with its corresponding formula and analysis of the formula. The list provides a starting point from which companies may select a set of five to nine measures to track. A company chooses one or two key objectives and begins measuring the corresponding outcome and activity measures to start tracking performance. As these objectives are attained, the company may change its focus to other objectives and related measures.

Key Objective Outcome Measures Activity Measures
Minimize financial loss due to inside fraud. Revenue lost to fraud.
  • Amount lost to fraud detected from financial compliance audits.
  • Amount lost to fraud detected by internal audit (IA) through data mining and data extraction.
  • Amount unaccounted for through revenue reconciliation and operating expenses.
  Total annual number of fraudulent occurrences.
  • Percentage of employees who receive ethics compliance training.
  • Number of calls to fraud hotline.
  • Number of fraudulent activities discovered.
Build the IA department as an internal knowledge resource. Percentage of audit customers who say they are "highly satisfied" with IA.
  • Number of audit requests.
  • Percentage of audit recommendations implemented.
  • Percentage of audit customers audited by the same auditor within the past three years.
  • Percentage of new business initiatives in which IA is invited to participate during planning sessions.
  Percentage of audits performed by third-party providers.
  • Percentage of auditors with certification.
  • Percentage of auditors with non-audit business experience.
  • Percentage of staff auditors who "own" specific business unit audit duties.
  • Percentage of audit customers who request outside expertise to conduct audits.
  Percentage of IA budget resources devoted to orientation, work paper reviews and training.
  • Internal audit turnover rate.
  • Average years of experience of new hires.
  • Average tenure of each staff auditor.
  • Average number of hours to complete an audit.
  • Number of audits performed per year per auditor.
Minimize exposure to unexpected risk. Percentage of business units undergoing annual risk assessments.
  • Percentage of business units for which the company has a risk management strategy.
  • Percentage of business units with ongoing risk assessments.
  • Percentage of managers trained to assess their own risk.
  • Percentage of business units with a pre-determined risk threshold to trigger audits.
Create a highly flexible IA department. Percentage of total audits not scheduled in the annual audit plan.
  • Lead time to fulfill audit requests.
  • Percentage of risk-based audits.
  • Percentage of audits requested by business managers.
  • Percentage of unfulfilled audit requests.
Minimize third-party risk. Percentage of business partners and suppliers that IA assesses for risk.
  • Percentage of potential mergers or acquisitions in which IA contributes to due diligence review.
  • Percentage of service providers that undergo IA risk assessments.
  • Percentage of suppliers and business partners that undergo IA risk assessments.
  • Percentage of joint ventures in which the IA function is pre-determined.


The following resources on KnowledgeLeader provide additional information on how to make an internal audit department a strategic partner to the entire organization: