Workflows to transform your GRC and audit program

Your organization runs hundreds, maybe thousands, of workflows to support GRC and audit efforts. But which ones need automation? Which require human expertise? And where does AI fit in?

The answer isn’t choosing one over another. It’s understanding how automation, AI, and human review work together to close the audit gap—that persistent disconnect between compliance teams preparing for audits and what auditors actually need.

As GRC programs outgrow spreadsheets and manual processes, the path forward requires strategic implementation of technology that enhances, rather than replaces, human expertise.

The three pillars of modern GRC and audit programs

Closing the audit gap requires three interconnected capabilities, each serving distinct but complementary roles in your compliance ecosystem.

1. Automated workflows

Automation excels at repetitive, rule-based tasks that drain your team’s time and energy. System integrations will pull evidence directly from AWS, HR tools, or Jira, and eliminate the traditional scramble of screenshot requests and email chains. Configuration checks will run continuously, ensuring encryption remains enabled and security controls stay in place.

Beyond evidence gathering, automation can handle the administrative backbone of your program:

  • Project management workflows set audit milestones, send reminder emails, and track deadlines without human intervention.
  • Third-party risk reviews follow predetermined schedules.
  • Tasks get assigned to control owners automatically.

This foundation of automated workflows maintains your baseline security posture year-round, not just during audit season.

2. AI-powered task completion

While automation follows the same steps every time, AI adapts and analyzes. As Elise Spitzer, Senior Customer Success Manager at Thoropass, explains, “Automation is, ‘Do this the same way every time.’ AI is more, ‘Look at this in a smarter way every time.’”

AI transforms raw data into actionable insights. It can compare user access across systems to flag terminated employees who still have permissions. It can map control requirements across SOC 2, PCI, and HITRUST to eliminate redundant work. It can even screen evidence collections before submission, predicting what auditors will accept.
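The access comparison described above is, at its core, a reconciliation: join the HR roster against the access listings each integration pulls down and flag anyone marked terminated who still holds an enabled account. The script below is an added illustration of that check, not Thoropass code or any product feature; the system names (`aws_iam`, `jira`), the record shapes and every sample row are constructed for the example. It also separates out accounts that HR does not know about at all, because those need a person to decide what they are rather than an automatic disable.

```python
"""Reconcile HR termination records against per-system access listings.

Added illustration for the access-review check described on this page; not
Thoropass code. System names, record layouts and all rows are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    email: str
    system: str
    terminated_on: date
    days_since_termination: int


# Constructed review date used by the sample run below.
AS_OF = date(2024, 6, 1)

# Constructed HR export: one row per person, ISO dates as strings.
HR_ROSTER = [
    {"email": "alice@example.com", "status": "active", "terminated_on": None},
    {"email": "bob@example.com", "status": "terminated", "terminated_on": "2024-03-01"},
    {"email": "carol@example.com", "status": "terminated", "terminated_on": "2024-05-28"},
]

# Constructed access listings as an integration might return them; keys are
# hypothetical system names, not real connector identifiers.
ACCESS_LISTINGS = {
    "aws_iam": [
        {"email": "alice@example.com", "enabled": True},
        {"email": "bob@example.com", "enabled": True},
        {"email": "carol@example.com", "enabled": False},  # already disabled
    ],
    "jira": [
        {"email": "bob@example.com", "enabled": True},
        {"email": "carol@example.com", "enabled": True},
        {"email": "dave@example.com", "enabled": True},  # unknown to HR
    ],
}


def find_orphaned_access(hr_roster, access_listings, as_of, grace_days=0):
    """Terminated people who still hold an enabled account in any system.

    grace_days lets a review tolerate the normal deprovisioning lag; anything
    older than that is returned, most overdue first.
    """
    terminated = {
        row["email"].lower(): date.fromisoformat(row["terminated_on"])
        for row in hr_roster
        if row["status"] == "terminated" and row["terminated_on"]
    }
    findings = []
    for system, accounts in access_listings.items():
        for acct in accounts:
            if not acct.get("enabled", False):
                continue  # disabled accounts are not a live access risk
            term_date = terminated.get(acct["email"].lower())
            if term_date is None:
                continue  # active employee, or not an HR-managed identity
            age = (as_of - term_date).days
            if age >= grace_days:
                findings.append(Finding(acct["email"].lower(), system, term_date, age))
    return sorted(findings, key=lambda f: (-f.days_since_termination, f.system))


def find_unknown_accounts(hr_roster, access_listings):
    """Enabled accounts whose email is absent from HR entirely.

    These need human context (contractor, shared mailbox, service account)
    and should be queued for review rather than disabled automatically.
    """
    known = {row["email"].lower() for row in hr_roster}
    unknown = []
    for system, accounts in access_listings.items():
        for acct in accounts:
            if acct.get("enabled", False) and acct["email"].lower() not in known:
                unknown.append((acct["email"].lower(), system))
    return sorted(unknown)


if __name__ == "__main__":
    for f in find_orphaned_access(HR_ROSTER, ACCESS_LISTINGS, AS_OF, grace_days=1):
        print(f"REVIEW  {f.system:8} {f.email:20} terminated {f.terminated_on} ({f.days_since_termination}d)")
    for email, system in find_unknown_accounts(HR_ROSTER, ACCESS_LISTINGS):
        print(f"UNKNOWN {system:8} {email}")
```

Run as-is, the sample data yields three overdue accounts (bob in both systems, carol in jira) and one unknown account (dave in jira). The output is deliberately a review queue rather than a deprovisioning action: the automated part is the join, the sign-off stays with a person, which is the division of labour the rest of this article argues for.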

For overwhelmed GRC teams asked to do more with less, AI provides the intelligence layer that helps prioritize based on risk rather than emotion.

3. Human review

Technology accelerates and enhances, but human judgment remains irreplaceable. While AI is rapidly evolving, it still makes mistakes. That’s why complex business contexts, ethical considerations, and accountability requirements demand human oversight.

The push for efficiency through technology creates a fundamental tension. While there’s a strong precedent for organizations to implement AI and automation as a way to augment work for velocity and greater efficiency, “If something goes wrong, it’s the humans that are going to be responsible,” says Spitzer.

Chris Beiro, Senior Director of InfoSec Solutions at Thoropass, emphasizes this balance, saying, “You need to have a method to spot-check and to validate your workflows. If you take some of the responses for granted, you may be making misinformed decisions.”

The human element isn’t just about catching errors. It’s about understanding business context, meeting the spirit (not just the letter) of your requirements, and maintaining the trust that underpins every successful audit.

How to close the audit gap with automation, AI, and human review

Understanding these three pillars is one thing. Implementing them effectively requires careful planning, clear priorities, and best practices.

The top-to-bottom role of automation in GRC

Organizations that successfully close the audit gap implement a dual automation approach: customer-facing automation streamlines evidence collection and submission, while behind-the-scenes automation drives operational efficiency.

Start with high-impact, low-risk processes. “Automation is great for anything that’s really repeatable, really rule-based,” explains Spitzer. “Things like automating evidence through integrations, pulling logs, pulling things that would historically require screenshots or system configs.”

Beiro describes the practical impact, saying, “There are system integrations into the GRC tool, like AWS, their HR system, maybe JIRA for change management. Automation can pull down information needed for various evidence requests.”

Beyond evidence collection, automation should handle:

  • Assigning tasks to control owners
  • Sending reminders and tracking deadlines
  • Managing milestone notifications
  • Coordinating third-party risk reviews

The goal extends beyond immediate audit preparation. Your automation layer should maintain baseline security posture with continuous monitoring. “A lot of audits are point-in-time, but these integrations give you insight throughout the year,” says Spitzer.

Using AI to surface the right information

The promise of AI in GRC is significant. According to The Audit Gap Report, 62% of those surveyed say that budget increases are driven primarily by the implementation of AI/automation tooling.

Since AI excels at helping busy GRC teams prioritize based on risk and importance, it can remove emotional decision-making from the equation. Two key implementations demonstrate this value:

  • Thoropass’ First Pass AI provides an initial review of client evidence before audit submission. Beiro explains that, “This prevents a lot of auditor loops—where the auditor gets information, but it’s not sufficient, so they go back to the client.”
  • Copilot AI by Thoropass assists auditors with control testing documentation by analyzing client controls, test procedures, and evidence to generate initial write-ups that auditors then review and validate.

Critical implementation considerations

Success with AI requires a foundation of strong governance—without it, your data and compliance efforts are at risk. “If your employees are using whatever tools that are publicly available and you’re not controlling that, then your data is going to be out there, being used for training these language models,” Beiro warns.

Establishing authorized enterprise tools solves the immediate data exposure problem, but creates a new challenge: tech sprawl. Organizations often accumulate AI solutions that operate in silos, duplicating efforts and increasing complexity.

Without measurement, organizations can’t determine if their AI investments deliver promised efficiencies or simply add complexity. Elise Spitzer frames the essential question every organization must answer: “Is it actually providing that degree of velocity that we are thinking it is going to introduce?” Measurable KPIs transform AI implementation from hopeful experimentation into proven value delivery.

Maintaining human oversight

The Audit Gap Report reveals that almost half of organizations spend 251 to 1000 hours per year on audit activities. By reducing manual tasks through automation, teams can redirect human expertise to areas requiring judgment and context.

But this redistribution of effort requires careful planning—knowing not just what to automate, but understanding precisely where human review adds irreplaceable value.

Spitzer addresses a fundamental truth: “AI will never be fully trusted in the compliance space. There needs to be a level of human scrutiny to ensure compliance posture.”

This manifests across four key areas:

  1. Audit evidence validation: AI screens documents, but auditors verify assessments. An auditor needs to follow behind and validate whether the evidence is sufficient or not.
  2. Compliance control testing: For quarterly access reviews, AI can analyze user listings, but humans must spot-check, sign off, and accept responsibility.
  3. Layered review processes: AI handles the initial administrative work, then experienced staff review for business context and nuance before submission.
  4. Ethical and accountability decisions: When real stakes exist, human oversight is non-negotiable. Organizations can’t say that AI is ultimately responsible for decisions.

Transform your GRC program

The audit gap won’t close through technology alone. Success requires balancing automation’s efficiency, AI’s intelligence, and the irreplaceable judgment of human oversight.

The organizations that thrive won’t be those with the most advanced AI or the most extensive automations. It’ll be the ones that thoughtfully craft workflows that enhance human capabilities, rather than attempting to replace them.

Ready to dive deeper into closing the audit gap? Download The Audit Gap Report for comprehensive insights into how leading organizations are transforming their GRC and audit programs through strategic technology implementation.

Thoropass Team
