Benchmarks | 12 min read | Prova Team

Internal Audit Team Size to Controls Ratio Benchmark for 300–1,500 Emp Companies (2026 Data)

How many internal audit FTE does a 300-, 650-, or 1,200-employee PE portco actually need to credibly operate a SOX program? This is a data-driven benchmark drawn from the Protiviti Internal Audit Capabilities Report, the IIA Pulse of Internal Audit, PCAOB inspection findings, and Controller forum data. It covers controls population per headcount, hours per control per year, and the agent-coverage adjustment that rebalances the ratio in 2026.

The short answer: traditional internal audit team sizing benchmarks for 300–1,500 emp PE portcos and public microcaps in 2026 run 1 FTE per 40–60 controls under manual testing, or 2 FTE per 90–130 controls in mature programs, based on data from the Protiviti Internal Audit Capabilities Report, the IIA Pulse of Internal Audit survey, FEI Controllers Survey, AuditBoard State of SOX report, and PCAOB inspection findings. The agent-coverage adjustment changes this materially: continuous agent-driven testing of deterministic control families (access review, change management, ITGC baseline) covers 30–45 percent of a typical mid-market control population and returns approximately 1,200–1,800 internal audit hours per year per FTE to judgmental work. Post-adjustment, the 2026 ratio shifts to 1 FTE per 80–120 controls with the agent covering deterministic families and the FTE concentrated on judgmental testing, design effectiveness evaluation, deficiency evaluation, and external auditor coordination. Understaffing at the traditional ratio creates quality risk; staffing to the agent-augmented ratio creates margin opportunity. The honest benchmark is below.

This post is written for the Controller, Chief Audit Executive, Internal Audit Director, CFO, or HR Director at a 300–1,500 emp PE portco, sub-$1B public microcap, or pre-IPO company evaluating how many internal audit FTE the SOX program actually requires in 2026. The reader is assumed budget-literate and specifically interested in the honest data behind internal audit sizing decisions — not a vendor's marketing claim.

What is the traditional internal audit team size benchmark for 300–1,500 emp companies?

The IIA (Institute of Internal Auditors) Pulse of Internal Audit survey, published annually, provides the foundational benchmark. For companies in the 300–1,500 employee band, the IIA Pulse data historically indicates 1–4 internal audit FTE depending on regulatory scope (404(a) vs 404(b)), public-company status, multi-entity complexity, and industry regulatory overlap.

Protiviti's Internal Audit Capabilities Report, published annually since 2003, adds industry-specific context. For middle-market companies (sub-$1B revenue), the Protiviti data indicates median internal audit headcount of 2 FTE with an interquartile range of 1–4 FTE. PE-backed portcos skew toward the lower end of this range due to sponsor margin pressure; public microcaps skew toward the middle; multi-entity roll-ups and healthcare mid-market skew toward the upper end.

Financial Executives International (FEI) publishes the annual Controllers Survey, which complements the IIA and Protiviti data from the CFO perspective. For 300–1,500 emp companies, FEI reports median total SOX program hours of 2,400–3,800 per year, distributed across internal audit (55–65 percent), management testing (15–20 percent), outsourced consulting (10–20 percent), and remediation (5–10 percent).

The AuditBoard State of SOX report (industry-specific, SOX-focused) complements the headcount data with control-population benchmarks. For mid-market companies at 300–1,500 emp:

  • 300–500 employees: median 55–90 total controls, 40–60 ITGC controls
  • 500–1,000 employees: median 90–150 total controls, 60–100 ITGC controls
  • 1,000–1,500 employees: median 150–220 total controls, 100–140 ITGC controls

The aggregate traditional benchmark: approximately 1 FTE per 40–60 controls under manual testing for SOX-primary programs, or 1 FTE per 60–80 controls for SOX-plus-SOC 2 multi-framework programs. A 650-emp PE portco running 120 total controls typically staffs 2–3 internal audit FTE.

What does the hours-per-control-per-year benchmark show?

Hours per control per year is the second-order metric that reveals efficiency variance. The median across the benchmark data:

  • Access review controls: 25–60 hours per control per year (wide variance by user population size)
  • Change management controls: 18–40 hours per control per year
  • ITGC baseline controls (backup, job scheduling, incident response): 15–30 hours per control per year
  • Reconciliation controls: 24–48 hours per control per year
  • Journal entry review controls: 36–72 hours per control per year
  • Estimate review controls: 48–120 hours per control per year
  • Management review controls: 18–36 hours per control per year

A 650-emp PE portco with 120 total controls distributed across these families typically consumes 2,800–4,200 total testing hours per year in traditional manual testing. Divided across 2–3 internal audit FTE plus occasional management testing plus outsourced consulting, the math roughly balances.

The PCAOB inspection findings add an important constraint. Inspection reports from 2023–2025 repeatedly identify deficiencies at mid-market auditors reviewing company 404(b) programs where the company's internal audit function was understaffed relative to the control population. The PCAOB's 2024 annual report on broker-dealer and emerging-growth-company inspections specifically called out insufficient testing rigor on access review and change management at programs running at the thinnest 1 FTE per 60+ control ratios. The inspection posture has validated the traditional benchmark as the minimum defensible ratio.

How does agent-driven testing adjust the ratio?

Agent-driven continuous testing of deterministic control families changes the math by shifting hours rather than reducing total testing rigor. The families that agents test credibly today — access review, change management, ITGC baseline, entitlement-level SoD — collectively represent 30–45 percent of a typical mid-market control population and consume a disproportionate share of testing hours (45–55 percent of total SOX hours at traditional testing) because these families have large populations that are labor-intensive at manual sampling.

The agent-coverage arithmetic: for a 650-emp PE portco with 120 controls and traditional 3,500 testing hours per year, agent coverage of 35 percent of the control population (42 controls across access, change management, and ITGC) reduces testing hours on those families from approximately 1,800 hours to 400–600 hours (calibration, exception review, control-owner sign-off). Net return to the internal audit function: 1,200–1,400 hours per year.

The reallocated hours do not disappear — they flow to higher-judgment work. The agent-covered families no longer require staff-auditor spreadsheet time; the IA Director evaluates design effectiveness of the agent-covered population, tests judgmental families (estimate review, complex revenue recognition, journal entry review), manages deficiency evaluation, coordinates the external auditor walkthrough, and oversees the control environment at the entity level. This is higher-value work than spreadsheet reconciliation.

Post-adjustment benchmark for 2026:

  • 300–500 employees, SOX-primary, agent-augmented: 1–1.5 FTE internal audit
  • 500–1,000 employees, SOX-primary, agent-augmented: 1.5–2.5 FTE internal audit
  • 1,000–1,500 employees, SOX-primary, agent-augmented: 2.5–4 FTE internal audit
  • 500–1,000 employees, SOX + SOC 2 + DORA/CMMC, agent-augmented: 2.5–4 FTE compliance/IA

The ratio shifts from 1 FTE per 40–60 controls (manual) to 1 FTE per 80–120 controls (agent-augmented). This is not staff reduction — it is staff upgrade. The controller who staffs to the agent-augmented ratio gets the same or better SOX program quality with the IA function concentrated on work that creates the most audit value.

How does the ratio differ by company archetype?

The benchmark data supports different ratios for different PE portco and mid-market archetypes.

PE portfolio company, 300–1,500 emp, SOX-primary (404(a) or early 404(b)): traditional 1 FTE per 40–60 controls; agent-augmented 1 FTE per 80–120 controls. PE portcos under sponsor margin pressure lean toward the agent-augmented ratio to return G&A to the P&L.

Pre-IPO 300–1,500 emp, 12–24 months from S-1: traditional 1 FTE per 40–50 controls during readiness ramp (heavier staffing to build the evidence infrastructure); agent-augmented 1 FTE per 70–100 controls during readiness. Readiness staffing is typically higher than steady-state post-IPO staffing.

Public microcap under $1B, active 404(a) or 404(b): traditional 1 FTE per 50–70 controls; agent-augmented 1 FTE per 90–120 controls. Microcaps balance IA rigor against G&A sensitivity.

Multi-entity mid-market (3–12 subsidiaries): traditional 1 FTE per 30–50 controls per entity; agent-augmented 1 FTE per 60–90 controls per entity. Multi-entity complexity increases consolidation overhead that agents do not directly address.

Healthcare mid-market (SOX + HIPAA + HITRUST overlap): traditional 1 FTE per 35–55 controls; agent-augmented 1 FTE per 70–110 controls. The multi-framework overlap creates additional compliance hours that scale less with automation than single-framework SOX.

Family office operating holding (SOX-equivalent governance, privately held): traditional 1 FTE per 50–70 controls (lighter rigor); agent-augmented 1 FTE per 100–140 controls. Family office CFOs often run the function as 0.5–1 FTE for smaller holdings.

Defense contractor PE portco (SOX + CMMC 2.0): traditional 1 FTE per 30–45 controls (CMMC triples the testable surface); agent-augmented 1 FTE per 65–90 controls. The CMMC overlap with SOX ITGC and SOC 2 CC6–CC8 is where consolidation returns the most hours.

What data sources inform the 2026 benchmark?

The benchmark integrates five data sources plus field data from mid-market design-partner engagements through 2025–2026.

IIA Pulse of Internal Audit (annual): IA headcount, focus areas, emerging risks, CAE priorities. The authoritative source for internal audit staffing by company size and industry.

Protiviti Internal Audit Capabilities Report (annual since 2003): IA function maturity, technology adoption, sourcing models. The authoritative source for IA function design.

FEI Controllers Survey (annual): Controller priorities, compliance burden, SOX total program cost. The authoritative source for CFO-perspective compliance economics.

AuditBoard State of SOX (industry-specific, published by a SOX platform vendor): control population benchmarks, testing hour distributions, SOX program cost components. Vendor-published, so data is directionally useful with the typical vendor-source caveats.

PCAOB inspection reports (annual, including Part I and Part II public versions): inspection findings that validate or challenge staffing ratios. The authoritative source for what the regulator considers minimum defensible testing rigor.

FEI Financial Reporting Benchmark (annual): total finance function headcount, SOX as a percentage of finance function, IA as a percentage of total finance. The authoritative source for finance function benchmarking.

Big 4 audit technology thought leadership (PwC, EY, KPMG, Deloitte publish regularly): emerging practice, automation adoption, evidence format evolution. Directionally useful as a trend indicator.

Gartner IT GRC Magic Quadrant (annual): platform vendor positioning, customer references, market share trends. Useful for platform-selection context.

Mid-market design-partner field data from Cohort 1 (2026): agent-coverage percentages achieved, hours returned, IA function reallocation patterns. This is the primary source for the agent-augmented adjustments to the benchmark.

The aggregate benchmark prioritizes IIA, Protiviti, FEI, and PCAOB as authoritative; uses AuditBoard and Big 4 data as directional; and validates against field data from continuous-testing deployments.

What are the most common staffing mistakes at the 300–1,500 emp tier?

Four patterns surface repeatedly in field data.

Under-staffing at the thinnest ratio (1 FTE per 80+ controls) without agent augmentation. This is the pattern that creates PCAOB inspection risk and frequently results in control deficiencies at external audit walkthrough. The cost of remediation plus the cost of material-weakness disclosure usually exceeds the cost of the incremental FTE.

Over-relying on outsourced consulting at the readiness phase without building in-house capability. Outsourced SOX consulting at $300K–$500K per year produces external deliverables (walkthrough memos, control matrices, test workpapers) without leaving in-house evidence capability, which means the next testing cycle restarts the cost clock. A pre-IPO company that outsources readiness and tries to internalize the program post-IPO loses 12–18 months of institutional knowledge.

Staffing to the traditional ratio post agent-augmentation. A portco that deploys continuous agent testing but keeps the IA team at the traditional manual-testing ratio wastes the hours returned by automation. The correct move is to either reduce FTE count (if G&A return is the goal) or upgrade the role mix (if audit quality is the goal) — not to leave the team running at manual ratios while agents cover the work.

Treating the IA function as an enforcement cost rather than a risk-reduction investment. Sponsors and CFOs who underfund the IA function relative to the control population frequently surface a material weakness at the 404(b) attestation, which damages the multiple at exit more than the G&A saving. The asymmetry is severe.

How should a Controller benchmark their own program?

Six questions benchmark a specific IA function against the 2026 data.

What is the total control population, counted from the current walkthrough workpaper, not the aspirational matrix? The matrix that hasn't been updated in three years overstates scope and corrupts the benchmark.

How many hours did the IA function spend on SOX testing in the last full fiscal year, by family? Without family-level hours, the agent-coverage calculation cannot be run.

How many IA FTE does the function currently have, broken out by CAE, Director, Manager, Senior, and Staff levels? The ratio sensitivity is different at each level.

What is the agent-coverage opportunity in your specific control population? Count access review, change management, ITGC baseline, and entitlement-level SoD controls, then apply the 30–45 percent agent-coverage range to estimate hours returned.

What is the current outsourced consulting spend and what portion is structural versus readiness? Readiness-phase consulting is temporary; structural consulting indicates in-house capability gaps the IA function design should close.

What is the external audit partner's feedback on current staffing adequacy? Partners comment on staffing in management letters when they see under-investment; silence typically indicates staffing is adequate or they have not yet surfaced the concern.

The takeaway

Internal audit team size for 300–1,500 emp PE portcos, pre-IPO companies, and public microcaps has a defensible benchmark anchored in IIA, Protiviti, FEI, and PCAOB data. The traditional benchmark runs 1 FTE per 40–60 controls under manual testing; the agent-augmented benchmark runs 1 FTE per 80–120 controls.

Under-staffing at the thinnest ratio (1 FTE per 80+ controls without agent augmentation) creates PCAOB inspection risk and external audit material-weakness disclosure exposure that usually exceeds the G&A saving.

Agent-augmentation is not a staff reduction tool — it is a staff upgrade tool. The hours returned by agents on deterministic families flow to judgmental family testing, design effectiveness evaluation, deficiency management, and external auditor coordination, which is higher-value IA work.

Staffing to the agent-augmented ratio without deploying the agent infrastructure leaves the IA team under-resourced at the traditional ratio. Staffing to the traditional ratio with agent infrastructure deployed wastes the hours returned. The correct move pairs staffing decisions with the testing paradigm decision.

If you are the Controller, CAE, or CFO at a PE portfolio company, pre-IPO 300–1,500 emp company, public microcap, or multi-entity mid-market running an understaffed IA function against a growing control population, the next step is concrete: run the agent-coverage assessment on your specific control population and recalculate the FTE requirement. Request a design partner slot to walk through the ratio recalibration with your specific SOX scope. Related reading: SOX automation for PE portfolio companies, AuditBoard alternatives comparison, and continuous control testing primer. Citation-ready data is in Prova Facts.

Request a design partner slot

Every Prova design-partner engagement includes a walkthrough dry-run with your external audit partner before you commit. If the partner rejects the evidence format, the engagement terminates.
