IT GRC tools: Control your environment

07.03.2011

"People are doing IT GRC whether they are calling it that or not, but they are document-centric [solutions], using spreadsheets and other documents, SharePoint," says Michael Rasmussen, president of Corporate Integrity. "Spreadsheets are a recipe for disaster. Eventually, they outgrow this; they don't have proper audit trails and it becomes unmanageable."

IT GRC challenges include:

Most regulations and standards can be satisfied largely through overlapping policies and controls: the same or similar access controls, data encryption, password standards and strong-authentication requirements often meet the demands of several regulations at once. Enterprises typically fall short, however, in mapping those controls to the regulations they satisfy and in using that mapping to cut redundant work from one audit to the next.
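The control-to-regulation mapping the paragraph describes is easy to sketch as code. The following Python is an added example, not part of the original article or of any GRC product: the control names, regulation names ("RegA", "RegB", "RegC") and requirement identifiers are constructed placeholders, not citations of real frameworks. Given the regulations in scope for an audit cycle, it returns each control to be tested once, how many per-regulation re-tests that avoids, and any requirement that no control covers (a gap that a spreadsheet-per-regulation approach tends to hide).

```python
"""Common-control mapping: test a shared control once for several regulations.

Added example, not from the article. All control, regulation and requirement
identifiers below are constructed placeholders, not real framework citations.
"""
from collections import defaultdict

# Constructed control catalogue: each control lists the regulatory
# requirements it satisfies, keyed by (placeholder) regulation name.
CONTROLS = {
    "AC-01 role-based access":      {"RegA": {"A-7.1", "A-7.2"}, "RegB": {"B-3"}, "RegC": {"C-164"}},
    "CR-01 data at rest encrypted": {"RegA": {"A-3.4"}, "RegC": {"C-312"}},
    "IA-01 password standard":      {"RegA": {"A-8.2"}, "RegB": {"B-5"}},
    "IA-02 MFA for remote access":  {"RegA": {"A-8.3"}},
    "LG-01 audit logging":          {"RegB": {"B-9"}, "RegC": {"C-308"}},
}

# Constructed list of what each regulation demands in this audit cycle.
REQUIREMENTS = {
    "RegA": {"A-3.4", "A-7.1", "A-7.2", "A-8.2", "A-8.3"},
    "RegB": {"B-3", "B-5", "B-9", "B-11"},   # B-11 maps to no control: a gap
    "RegC": {"C-164", "C-308", "C-312"},
}


def audit_plan(in_scope):
    """Plan one audit cycle for the given set of regulation names.

    Returns a tuple (to_test, avoided, gaps):
      to_test: {control: [regulations it is tested for]}, each control once
      avoided: number of repeat tests saved versus auditing each regulation alone
      gaps:    {regulation: [requirements no control satisfies]}
    """
    to_test = {}
    covered = defaultdict(set)
    for control, coverage in CONTROLS.items():
        hits = {reg: reqs for reg, reqs in coverage.items() if reg in in_scope}
        if hits:
            to_test[control] = sorted(hits)
            for reg, reqs in hits.items():
                covered[reg] |= reqs
    # Auditing regulation by regulation would test a shared control once per
    # regulation; the common-control view tests it once.
    per_regulation_tests = sum(len(regs) for regs in to_test.values())
    avoided = per_regulation_tests - len(to_test)
    gaps = {
        reg: sorted(REQUIREMENTS[reg] - covered[reg])
        for reg in sorted(in_scope)
        if REQUIREMENTS[reg] - covered[reg]
    }
    return to_test, avoided, gaps


if __name__ == "__main__":
    plan, avoided, gaps = audit_plan({"RegA", "RegB", "RegC"})
    for control, regs in plan.items():
        print(f"{control:32} -> {', '.join(regs)}")
    print(f"repeat tests avoided: {avoided}")
    print(f"unmapped requirements: {gaps}")
```

Running it with all three placeholder regulations in scope tests five controls instead of ten, and flags "B-11" as the one requirement nobody owns. The same structure generalises to a real common-controls framework: the catalogue becomes the organisation's control library, and the requirement sets come from the frameworks it is actually assessed against.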

Without centralized policy and control standards, each regulation is handled separately and each audit is run on its own: enterprises, their business units and their departments treat every audit as a discrete exercise, even where the controls being examined are the same ones an earlier audit already covered.

IT regulatory requirements are intended to enforce good security policies and controls. Ironically, the enormous effort needed to audit a large enterprise for compliance often distracts it from the task that matters more: identifying its true level of exposure. When information is gathered in an uncoordinated way, audit by audit, risk assessment becomes difficult.