IT GRC tools: Control your environment

07.03.2011

"With a relational data model that has a unifying control set, you can collect data and look at it without having to collect it again," says Melanie Achard, senior product manager at Symantec. "You can de-dupe and rationalize controls to reduce the amount of effort [required] to comply with multiple regulations."

Enterprises can customize these mappings for internal policies and controls as well as for external requirements. Mappings greatly reduce redundant efforts, enabling an "assess once, comply many" approach, so that the same information can be applied to multiple assessments and audits. For example, the same and responses regarding can be re-applied for multiple regulations.

"We have some 800 general control requirements from the IT side," says Advance Auto's Johnson. "The GRC tool helps us map requirements automatically and dig that information out when we need it. It's a much clearer way to map and manage it all."

They automate information gathering.

Questionnaires can be distributed through the IT GRC tool interface or a Web portal, then collated and correlated automatically, without swapping e-mails and spreadsheets.