Modernizing Internal Audit for Better Risk Visibility

"We were providing assurance based on sampling 5% of transactions — and hoping the other 95% was fine. In today's world, that's not assurance. That's gambling." Robert Chen, Chief Audit Executive at Meridian Financial Group, a Fortune 500 diversified financial services company with $380 billion in assets under management, was frustrated. His team of 65 internal auditors was working harder than ever, yet the board and audit committee were asking questions they couldn't confidently answer.

Meridian's internal audit function was stuck in the past. Audit procedures were primarily manual, relying on spreadsheets, email, and sample-based testing. Auditors would request data extracts from IT, wait days or weeks for delivery, then spend countless hours cleaning and formatting the data before any analysis could begin. By the time an audit report was issued — often nine months after fieldwork began — the business had already changed, and the findings were stale.

The limitations of traditional audit methods were becoming painfully apparent. A typical audit of the accounts payable process might review 100 transactions out of 500,000 — a coverage rate of 0.02%. Auditors relied on judgmental sampling that could easily miss fraud, errors, or control failures hiding in the untested population. When a significant control weakness was eventually discovered by regulators, it had existed for 18 months and impacted millions of dollars in payments — all while internal audit had given a "satisfactory" rating.

Audit planning was equally problematic. The annual risk assessment process was subjective and document-heavy, relying on interviews and surveys rather than data-driven insights. The audit plan was fixed for the year, with no mechanism to pivot when new risks emerged. When a major acquisition closed in Q2, internal audit had no capacity to provide assurance on integration risks because the plan was already locked. Business leaders grew frustrated with an audit function they saw as slow, bureaucratic, and disconnected from real business challenges.

Data access was a constant struggle. Meridian operated over 200 core systems across banking, wealth management, insurance, and capital markets. Each audit required navigating complex data landscapes with inconsistent formats, poor documentation, and strict access controls. Auditors spent 60% of their time on data acquisition and preparation — leaving only 40% for actual analysis and insight generation. The most talented auditors were leaving for roles in data analytics and consulting where they could use modern tools.

The audit function's challenges were systemic:

• 9-month audit cycle from planning to report issuance — insights were stale on arrival.
• Sample-based testing covering less than 5% of transactions on average.
• 60% of auditor time spent on data acquisition and manual preparation.
• Fixed annual audit plan unable to respond to emerging risks.
• 200+ disparate systems with no unified data access strategy.
• Manual control testing requiring onsite visits and spreadsheet documentation.
• No continuous monitoring — risks identified only during periodic audits.
• Talent attrition as auditors sought more modern, data-driven roles.
• Regulatory findings related to inadequate audit coverage and timeliness.
• Board and audit committee demanding more forward-looking risk insights.

The regulatory environment was intensifying. Banking regulators were issuing guidance on "effective audit practices" that emphasized data analytics, continuous monitoring, and real-time risk assessment. Peer institutions were investing heavily in audit transformation. Meridian's audit committee, composed of former regulators and seasoned executives, was pressing for modernization. The message was clear: transform internal audit into a data-driven, continuous assurance function, or risk regulatory sanctions and loss of credibility.

Meridian needed to completely reimagine internal audit — from periodic, sample-based testing to continuous, full-population monitoring. They needed to arm auditors with modern tools and skills. And they needed to deliver real-time risk visibility to the board. Tatras Data was engaged to lead this audit transformation.

"We needed to move from 'what happened last year' to 'what's happening right now.' Tatras Data showed us how to make that leap — and gave us the technology and skills to sustain it."

Tatras Data led a comprehensive internal audit modernization — deploying continuous auditing technology, AI-powered anomaly detection, and dynamic risk dashboards that transformed audit from periodic to perpetual.

We built a centralized audit data warehouse in Snowflake, ingesting data from 200+ source systems via automated pipelines. ACL (Diligent) and Alteryx workflows automated 80+ standard audit tests — from journal entry analysis to vendor duplicate payment detection — running continuously rather than annually. Python-based anomaly detection models flag unusual patterns in real-time, alerting auditors to emerging risks. Tableau dashboards provide the board and management with live risk visibility.

Key components:
• Continuous Auditing Platform — 80+ automated tests running daily on 100% of transactions.
• Audit Data Warehouse (Snowflake) — unified data from 200+ systems, refreshed in real-time.
• AI Anomaly Detection — Python models identify outliers and unusual patterns automatically.
• Process Mining (Celonis) — end-to-end visibility into process compliance and bottlenecks.
• Dynamic Risk Dashboards (Tableau) — real-time risk heatmaps for board and management.
• Automated Workpapers — Alteryx workflows eliminate manual documentation and tick-marking.
• Audit Analytics Academy — upskilling program to build data fluency across the audit team.
The transformation delivered immediate impact: audit cycle time reduced by 73%, transaction coverage increased from 5% to 100%, and $12M was identified in duplicate payments, unclaimed credits, and process inefficiencies. The audit function is now viewed as a strategic partner delivering real-time assurance.

The result: internal audit transformed from a backward-looking compliance function to a forward-looking strategic advisor.