Cadres Meridian

Audit and compliance without the screenshot ritual.

Meridian is the Cadres compliance platform for evidence, programs, SOX, risk register, access reviews, auditor workflows, remediation, and leadership reporting. It handles multi-framework GRC — SOC 2, ISO 27001, HIPAA, NIST CSF, GDPR, CCPA, COSO, TISAX — with a deterministic intelligence layer that scores control fit, detects gaps and duplicates, and surfaces cross-framework coverage without calling any external API. Built for teams that need their control posture to exist as a real operating system instead of a spreadsheet that comes out before an audit.

Evidence, Multi-framework, SOX, Risk register, Access reviews, Auditor portal, Trust center, Remediation bridge

Meridian Scope

Built for the real lifecycle of control evidence.

Multi-framework programs with built-in intelligence

SOC 2, ISO 27001, HIPAA, NIST CSF 2.0, GDPR, CCPA, COSO, and TISAX are seeded frameworks with ~100 cross-mappings between them. Add a second framework and the system calculates how much of it your existing controls already cover. The Control Intelligence engine scores every control candidate from five deterministic signals — requirement overlap, framework domain, governance peers, evidence overlap, and text similarity — and surfaces gaps and near-duplicates without calling any external API. Dismissed suggestions re-surface automatically when their score drifts more than 10 points.

Audit workflow with real evidence accountability

An audit cycle runs planning → fieldwork → reporting → complete. Test executions are recorded with samples, results, and evidence attachments and are immutable once saved. Cycle closure is gated: any control test with zero executions in the fieldwork window blocks completion, with an override path that requires a minimum-length reason and produces an audit record of every skipped test. Evidence packages are deterministic SHA-256 manifest ZIPs. HMAC-signed share tokens reveal their URL exactly once, so the auditor gets the file and you know when it was opened.

SOX from ICFR to audit committee

SOX programs run COSO controls across financial accounts with PCAOB assertion linkage. The RCM joins controls, risks, accounts, assertions, open finding counts, and latest test results into one view. Walkthroughs trace transactions step-by-step with enforced separation of duties — the preparer cannot approve their own work, enforced at the backend on every request. §302 sub-certifications dispatch to named respondents who are personally accountable for their response; only the named respondent can complete or decline. The audit committee dashboard aggregates deficiency scoring, test completion, remediation status, attestation progress, control coverage, and a six-period deficiency trend in a single response.

Remediation that actually closes

The remediation bridge opens Jira tickets automatically when a finding is finalized or a control test fails — not just when someone manually clicks "create ticket." Event subscriptions route alerts, findings, and Management Action Plan (MAP) items to the bridge and can override the target Jira project per subscription. Ticket status syncs back on schedule and drives the internal state machine. When Jira marks a ticket done, the linked MAP action item auto-advances. Finding root cause analysis — categorized across eight types including process, technology, policy, and configuration — remains editable through the full finding lifecycle, so what you learned during remediation lands where it belongs.

Why Teams Start Here

Meridian gives leadership a clearer answer to readiness, exposure, and follow-through.

01. What is our actual control posture right now?

The executive summary aggregates readiness percentage, trend sparkline from daily snapshots, open alerts and findings, and per-framework coverage in a single board-ready view. Readiness is calculated from test results, not self-assessment: controls fully passing plus controls with documented exceptions, divided by applicable controls. For SOX programs, the audit committee dashboard runs in parallel — deficiency classification, test completion percentage, attestation status, and a six-period deficiency trend, all from live data.

02. Are auditors actually seeing verified evidence?

External auditors are not Meridian platform users. They accept an invite via OTP, access a read-only portal scoped to a single cycle, and navigate controls, evidence, and findings. If they need more, they submit information requests through the information request list workflow — the compliance team fulfills them inside the platform without sending files over email. Every evidence download is SHA-256 verified: if the file does not match what was stored, the download fails rather than silently delivering a corrupted file. Every portal page view is audit-logged with actor, path, and timestamp.

03. Do findings drive remediation, or just produce a to-do list?

When a finding is finalized or a control test fails, the remediation bridge opens a Jira ticket automatically via event subscription — no one has to remember. The ticket lifecycle syncs back into Meridian and drives the MAP item state machine. When Jira marks a ticket done, the MAP action item auto-advances. A finding cannot move to remediated until its Management Action Plan (MAP) exists, and the auto-verification sweep advances a MAP to implemented when all linked control tests pass, without anyone manually intervening.

Evaluation

Evaluate Meridian when compliance needs to be something you can show an auditor, not just explain to one.

Meridian stands on its own for compliance programs, SOX, evidence, risk management, and access reviews. It pairs naturally with Portal and Keystone when identity posture and financial operations need to be inside the same evidence model.