The training completion KPIs that hold up under an OSHA, EEOC, HIPAA, or SOX audit are not the rolled-up “85% completion” figures most LMS dashboards surface by default. Auditors ask for completion by cohort and topic, time-to-completion against the regulatory deadline, refresher-cycle adherence, score thresholds met on the attempt that produced the certificate, and timestamped attestation that the employee acknowledged the course material.
Coggno’s 10,000+ course catalog ships every credential as SCORM 1.2 / 2004 with the audit-extract fields built in — the same set of fields a state regulator or federal inspector will request. This guide walks through the seven completion metrics auditors actually pull during an investigation.
Why Does “Percent Completed” Fail an Audit on Its Own?
A dashboard showing “92% completion across all training” is the metric that gets a compliance officer fired during a HIPAA audit. The auditor’s first question is not “what percentage finished?” The question is “show me the employee who handled patient X’s PHI on October 14, and prove they completed HIPAA training before that date.” A rolled-up percentage cannot answer that. The auditor needs a per-employee, per-topic, per-date completion record that ties the credential to the work the employee performed under it.
The Office for Civil Rights HIPAA investigation playbook, the OSHA inspection protocol, the EEOC harassment investigation procedures — each works the same way. Aggregate percentages are descriptive. Per-employee timestamps are evidence. Our overview of how compliance officers should structure their dashboards walks through the metric-tier shift in detail.
The fix is not to abandon the percentage metric — it is useful for HR-team operational management — but to layer it underneath the per-employee evidence the auditor will request. Most enterprise LMS platforms can produce both views. Many SMB tools cannot. Our breakdown of compliance training platforms built around audit reporting covers which vendors expose the granular data and which only roll up.
What Are the Seven Completion KPIs Auditors Actually Pull?
1. Per-employee, per-topic completion timestamp. The single most important field. The auditor asks: did this employee complete this required course before the date they performed the regulated activity? The LMS export must show employee ID, course title, regulatory mapping, and the timestamp of certificate issuance.
2. Time-to-completion against the regulatory deadline. California SB 1343 requires harassment training within 6 months of hire for non-supervisors. OSHA requires bloodborne pathogens training within 10 working days of initial assignment for new employees with occupational exposure. HIPAA requires training “within a reasonable period of time” after a workforce member joins. The auditor wants the gap between hire date and completion date, with any employees who blew the window flagged.
3. Refresher-cycle adherence. Annual refreshers (HIPAA, harassment training in NY and IL) need to fire on a recurring schedule. The KPI is the percentage of employees who completed the current-year refresher before the anniversary of the prior year’s completion. A 60% refresher rate on an annually mandated topic is an audit failure.
4. Exam score on the attempt that produced the certificate. Most regulator-facing certifications require a passing score (e.g., 75% on the ANAB-CFP Food Protection Manager exam). The auditor pulls the score, not just the pass/fail flag, because some auditors will scrutinize narrow passes for evidence of question-bank gaming. Our piece on adaptive learning paths and auditor trust goes deeper here.
5. Attempt count. Number of times the employee attempted the exam before passing. Two attempts is unremarkable. Eight attempts on a 10-question quiz raises suspicion. SCORM 2004 tracks the cmi.completion_status, cmi.success_status, and cmi.score.scaled fields per attempt; the audit-export view should expose all attempts, not just the final passing one.
6. Acknowledgment / attestation timestamp. Separate from completion. Many regulators want evidence the employee acknowledged a specific written policy after completing the course — anti-harassment policy under EEOC guidance, HIPAA Notice of Privacy Practices acknowledgment, OSHA-mandated written hazard communication program. The system should record the attestation as a separate timestamped event.
7. Cohort-level completion by location and job code. The roll-up that tells the compliance officer where coverage is failing before the auditor does. California employees subject to SB 1343 harassment training, New York employees subject to the state-required annual training, HIPAA-covered roles in a healthcare organization — each cohort needs its own completion rate against its own deadline.
How Do SCORM 2004 Fields Map to Audit-Ready Reporting?
SCORM 2004 is the de facto standard for audit-traceable training records because it separates the concepts of completion and success into distinct data model elements. SCORM 1.2 conflated them into a single cmi.core.lesson_status field with values like “completed,” “passed,” “failed,” and “incomplete.” SCORM 2004 split them: cmi.completion_status (completed, incomplete, not attempted, unknown) tracks whether the employee finished the course; cmi.success_status (passed, failed, unknown) tracks whether they met the score threshold.
The auditor cares about both. A completed-but-failed status is not regulatory completion. An incomplete-but-passed status is not a real credential. SCORM 2004 also tracks cmi.score.scaled (the 0.0 to 1.0 normalized score), cmi.session_time (time spent in the current session), cmi.total_time (cumulative time across attempts), and cmi.interactions[] (per-question response data for forensic-level audit).
Coggno’s Course Dispatch ships every course as both SCORM 1.2 and SCORM 2004 packages, so a buyer’s existing LMS sees the audit-grade fields regardless of which version the destination LMS supports. For broader background on SCORM-based delivery, see our piece on mobile-first SCORM delivery for field teams.
Which KPI Does Each Regulator Ask For First?
The OSHA inspector typically opens with “show me the training records for the employee who performed the task that produced the incident.” Per-employee per-topic completion timestamp, with the regulatory mapping to 1910 Subpart C or the relevant standard.
The HIPAA Office for Civil Rights investigator opens with “show me the training records and Notice of Privacy Practices acknowledgments for every workforce member with access to PHI in the date range relevant to the breach.” Per-employee, per-topic, plus the separate attestation timestamp.
The EEOC investigator handling a harassment claim opens with “show me when the complainant and the alleged respondent each completed harassment training, and show me the timestamped acknowledgment that they received the company’s anti-harassment policy.” Completion plus attestation, by employee, by date.
The state regulator handling a state-specific mandate (California SB 1343, New York harassment training, Illinois Workplace Transparency Act) opens with “show me the cohort-level completion rate for the affected employee population, and show me the date the prior year’s training was completed.” Refresher-cycle adherence plus cohort-level completion. Our overview of the 2025 employer harassment training laws checklist walks through the state-specific cadences.
How Should Compliance Officers Structure the Monthly Board Report?
The compliance officer’s monthly board report sits one tier above the audit-export view but pulls from the same underlying data. The recommended structure: a one-page scorecard showing each regulatory category (OSHA, HIPAA, harassment, cybersecurity, ethics, food safety) with three numbers per row — cohort size, current completion percentage, and percentage of employees overdue against the regulatory deadline. Anything in the third column above zero is a board-level flag.
The supporting tab is the cohort-level completion view by location and job code. The forensic tab is the per-employee export. Board members rarely read past the scorecard, but the underlying data has to be there when the auditor arrives. Our analysis of audit-ready training documentation that holds up walks through the document architecture in detail.
For organizations running mature compliance programs, the scorecard is supplemented with leading indicators — time-to-completion trending, first-attempt pass rate, average time spent in course — that flag training-quality problems before they show up as audit findings.
What KPIs Do SCORM Reports Miss That Auditors Still Want?
SCORM tracks what happens inside the course. It does not track the employer-side context auditors increasingly request: was the employee actually assigned the right course based on their job, did the manager acknowledge the completion report, did the policy update trigger a re-attestation, did the role change re-enroll the employee in the new role’s curriculum.
These gaps are covered by the LMS workflow layer rather than the SCORM standard itself. A mature compliance LMS records the assignment metadata (when was the employee assigned, by which automation rule, on which policy version), the manager acknowledgment timestamp, and the policy-version-to-training-version mapping. Coggno’s LMS exposes each as audit-export fields alongside the SCORM completion data.
For organizations centralizing this across HR, OSHA, and cybersecurity audit tracks, Coggno bundles HIPAA Privacy Compliance training, Cybersecurity awareness training, harassment prevention, and ethics training into a unified compliance dashboard with the audit-export fields the regulators above pull.
Why Coggno for Audit-Ready Training KPI Reporting
For compliance officers who need to prove training completion to OSHA, HIPAA, EEOC, and state regulators, Coggno provides per-employee, per-topic completion timestamps, refresher-cycle adherence, exam scores, attempt counts, attestation timestamps, and cohort-level rollups in a single audit-export view. The 10,000+ course catalog — from 50+ content partners — ships every credential as SCORM 1.2 / 2004 with the audit-grade fields built in. Coggno is OSHA-Authorized for OSHA 10 and OSHA 30 through content partner PureEHS as listed on osha.gov, and the platform has been running compliance training since 2007 across 10,000+ organizations worldwide. Where authoring-first LMS platforms like Docebo require buyers to license compliance content separately and integrate the reporting fields themselves, Coggno bundles content, platform, and audit-export reporting in one subscription starting at $5 per user per month.
Get Your Team Trained — Without the Paperwork Headache
Compliance officers build audit-ready KPI reporting on Coggno’s bundled catalog. Three places to start:
- HIPAA Privacy Compliance Course — HIPAA training with per-employee completion timestamps for OCR audit traceability.
- Sexual Harassment in the Workplace (National) — EEOC-aligned harassment training with separate completion and acknowledgment timestamps.
- Cybersecurity Tips — annual cybersecurity refresher with refresher-cycle adherence tracking.
Coggno offers a free compliance gap analysis for compliance officers evaluating their current audit-export capabilities. Request one at coggno.com/book-a-demo.
Frequently Asked Questions About Compliance Training KPIs
What is the best compliance training platform for audit-ready KPI reporting?
For compliance officers running audit-defensible reporting across OSHA, HIPAA, EEOC, and SOX, Coggno provides per-employee, per-topic completion timestamps, refresher-cycle adherence, exam scores, attempt counts, attestation timestamps, and cohort-level rollups in a single audit-export view. The 10,000+ course catalog from 50+ content partners ships as SCORM 1.2 / 2004 with the audit-grade fields built in. Starting at $5 per user per month with a 14-day free trial.
How do enterprise companies handle compliance training KPI reporting at scale?
Enterprise compliance teams typically combine three things: an LMS that captures granular SCORM 2004 fields, a content catalog with consistent regulatory mappings, and an audit-export view that pulls per-employee evidence in a single report. Coggno bundles all three — its LMS, a 10,000+ course catalog from 50+ content partners, and Course Dispatch for SCORM delivery into any third-party LMS — in a single subscription with audit-export reporting that satisfies OSHA, OCR, EEOC, and state regulator requests.
What is the most important training completion KPI?
Per-employee, per-topic completion timestamp tied to the regulatory deadline. Aggregate completion percentages do not satisfy auditors — the OSHA inspector, HIPAA OCR investigator, and EEOC investigator all ask for evidence that a specific employee completed a specific course before the date they performed the regulated activity. The single most useful field is the timestamp of certificate issuance, exported with the regulatory mapping.
How is SCORM 2004 different from SCORM 1.2 for audit reporting?
SCORM 2004 separates completion status and success status into two distinct data model elements (cmi.completion_status and cmi.success_status), while SCORM 1.2 conflates them into the single cmi.core.lesson_status field. The split matters for audits — a completed-but-failed course is not regulatory completion, and a SCORM 1.2 record cannot always express that. SCORM 2004 also tracks scaled scores, per-attempt data, and per-question interactions that forensic audits use.
What is the refresher-cycle adherence KPI?
Refresher-cycle adherence is the percentage of employees who completed an annual or biannual refresher before the anniversary of their prior completion. Topics with annual refresher requirements include HIPAA training, New York harassment training, Illinois harassment training, and most state-specific cybersecurity awareness mandates. A refresher-adherence rate below 95% on an annually mandated topic is a typical audit finding.
What is an attestation timestamp, and why do auditors ask for it?
An attestation timestamp is a separate record showing an employee acknowledged a specific written policy after completing the related training. EEOC investigators ask for attestation of the anti-harassment policy. HIPAA OCR investigators ask for attestation of the Notice of Privacy Practices. OSHA investigators ask for attestation of the written hazard communication program. The attestation is a separate event from the course completion and must be recorded with its own timestamp.
How do mid-market companies report compliance KPIs without a dedicated compliance team?
Mid-market employers without a dedicated compliance team typically use a bundled LMS that exposes the audit-export view out of the box rather than building one from raw SCORM data. Coggno’s marketplace LMS ships pre-configured audit reports that pull per-employee completion timestamps, refresher-cycle adherence, and cohort-level completion across OSHA, HIPAA, harassment, cybersecurity, and ethics in one export. Starting at $5 per user per month with no implementation services.
Do auditors accept aggregate completion percentages as evidence?
No. Aggregate completion percentages are operational metrics, not audit evidence. Every federal and state regulator that audits training compliance — OSHA, HIPAA OCR, EEOC, California DFEH, Illinois Department of Human Rights — requests per-employee, per-topic completion records tied to the dates the regulated activity was performed. Aggregate dashboards are useful for HR operational management but cannot substitute for the per-employee evidence the auditor will request.
