Artificial intelligence and GRC internal audit: opportunities and risks for Canadian organizations
AI offers considerable productivity gains for internal audit teams. But it also raises complex questions of governance, ethics and compliance with Law 25. A complete guide to navigating this technological shift.
Large language models (LLMs) and generative AI tools have entered offices in 2024-2025. Internal audit teams are directly affected: analysis of large documents, automatic report drafting, anomaly detection in transactions, audit question generation. The productivity gains are real. But so are the risks, and Canadian organizations have specific obligations under Law 25.
Law 25 obligation: automated decision-making
Law 25 specifically governs automated decision-making with a significant impact on a person. Any GRC decision based exclusively on AI (e.g. employee risk classification, automated audit decision) must be explainable and contestable.
Real AI opportunities for GRC auditing
- Continuous audit: analysis of 100% of transactions rather than samples. Detection of anomalies that sampling tests would have missed.
- Automated drafting: LLMs can generate first drafts of audit reports, policies and corrective action plans in seconds.
- Document analysis: automated review of contracts, policies and procedures to verify compliance with regulatory requirements.
- Risk scoring: predictive models to identify high-risk processes before an incident occurs.
- Estimated time savings: organizations that have adopted AI in internal audit report a 30 to 50% reduction in time spent on administrative tasks.
Specific risks to manage
- Data confidentiality: using cloud AI tools (ChatGPT, Claude, Copilot) with customer or employee data may violate Law 25 and OSFI requirements.
- Algorithmic bias: models trained on historical data may perpetuate biases in audit decisions.
- Decision opacity: an auditor cannot justify a conclusion based on a black-box model before an audit committee or regulator.
- Hallucinations: LLMs can generate false information presented with confidence. Human validation remains indispensable.
- Over-reliance: atrophy of human skills in case of AI tool failure.
AI governance framework for internal audit
- Acceptable AI use policy: define which tools are authorized, for which tasks and with which data
- Confidentiality clause: only use AI tools with contractual clauses guaranteeing that data is not used to train models
- Systematic human validation: any conclusion generated by AI must be validated by a qualified auditor before being included in an official report
- PIA for AI tools: conduct a Privacy Impact Assessment before any AI deployment processing personal information
- Auditor training: skills in critically evaluating AI outputs and detecting hallucinations
CapGRC: humans at the heart of GRC auditing
Approval workflows that keep humans at the center of decisions, with AI as an assistant — not a decision-maker.