"You have to do due diligence and assess vendors, but the scope is beyond corporate resources," says John Ambra, director of technical services at Modulo. "We have clients with 10,000 vendors and a huge vendor-management team--20 people just doing calls."

IT GRC tools provide coordination and standardization of policies and controls.

They offer a common interface for users and create a common repository for information covering internal and regulatory requirements, and for data gathered from documents, questionnaires, and other security and IT systems.

They map policies and controls to regulations and standards.