
How to Prove IT Is Under Control — Without More Spreadsheets

Prove IT is under control with dated, owned, repeatable evidence — automated checks, maintained registers, and generated reports, not more spreadsheets.

Updated 12 June 2026


You prove IT is under control with dated, owned, repeatable evidence artifacts — not with more spreadsheets. Three kinds of artifact do the work: automated checks that verify public facts like certificates and DNS on a schedule, maintained registers that record what only your team knows with an owner and a date on every entry, and generated evidence reports that package both into something a non-technical reader can consume. The spreadsheets you already have are not the enemy — they become the starting data. The instinct to answer governance pressure by creating another spreadsheet is what fails.

This article covers why "it's in a spreadsheet somewhere" fails as proof, what management is actually asking for, the five questions leadership tends to ask and the artifact that answers each, and a realistic 30-day path from spreadsheet sprawl to a first evidence report. (For tracking renewals within a spreadsheet, see the hands-on guides to Google Sheets renewal tracking and renewal-risk spreadsheet formulas — this article is about the step after those.)

Why "It's in a Spreadsheet Somewhere" Fails as Proof

A spreadsheet can hold perfectly good data and still fail completely as proof, because proof is a property of the artifact, not the data:

  • No dates. Nothing distinguishes a row verified yesterday from one entered two years ago by someone who has since left. A reader cannot tell fresh knowledge from fossil.
  • No owners. Rows accumulate without names. When leadership asks "who owns this renewal?", the honest answer is the file's last-modified metadata.
  • Drift and forks. The copy on the shared drive, the one attached to an email, and tracker_FINAL_v3.xlsx quietly diverge. There is no authoritative version, so there is no authoritative answer.
  • Indistinguishable from neglect. This is the killer: a meticulously maintained spreadsheet looks identical to an abandoned one. The artifact carries no signal of its own reliability, so it earns no trust outside the team — and trust outside the team is the entire job of proof.

The deeper failure is structural: a spreadsheet is a working file, and working files answer "what do we know?" Proof has to answer "what was true, as of when, on whose authority?" — questions a working file is not built to hold. (The full artifact comparison, including dashboards, is in Evidence Reports vs Dashboards vs Spreadsheets.)

What Management Actually Wants to See

When a COO, CFO, or board asks for proof that IT is under control, they are asking for IT governance evidence: records that are dated (true as of a stated moment), owned (a named person stands behind each item), and repeatable (the same artifact arrives next month, so a routine is visible). They also want it readable — consumable without a walkthrough, a login, or a translation layer.

Notice what is not on that list: completeness of raw data, technical depth, or live access. Management does not want your working files; it wants the rendered conclusion of them, fixed in time. That is what the Checks + Registers → Evidence Reports model produces by design.

The Five Questions Leadership Asks — and the Artifact That Answers Each

"Are our domains and certificates okay?"

A check answers this. SSL/TLS status and expiry, DNS records, and domain registration are public facts a machine verifies daily — no spreadsheet should ever hold a certificate expiry date a check can read for free. The dated check result is stronger evidence than any manually typed row, because no human memory is involved.

"Do we know what we're paying for, and when it renews?"

A register answers this. Renewal dates, costs, and contract owners exist only in your organization's knowledge — a renewals and vendor register holds them with an owner and a review date on every entry. "CRM — renews 2027-03-01 — owner: Dana — reviewed 2026-06" is evidence; an unowned line in a budgeting sheet is a rumor.

"Do we know who has access to what?"

Two registers answer this. A people-and-accounts register records who works here and which systems each person has accounts on; periodic access reviews record that a named person confirmed the picture on a date, with revocations noted. The dated completion record is the part questionnaires and insurers ask for by name.

"Do we know what hardware and software we have?"

A register answers this. An assets register records what the company actually possesses, assigned to whom — maintained knowledge, not a scan. The honest version at this company size is a deliberately maintained list, not an automated inventory pretending to be one.

"Can you show me this is being managed over time — not just today?"

Reports answer this. A monthly generated evidence report fixes the state of checks and registers at a moment; six of them in a folder demonstrate a routine, which is the thing leadership is really asking about. The sample reports gallery shows what these look like rendered.

Keeping Spreadsheets Where They're Good: CSV In, Evidence Out

The point is not to abandon spreadsheets — it is to stop asking them to be the proof. Spreadsheets remain excellent at flexible data entry, bulk cleanup, and ad-hoc analysis. The working division of labor:

| | Spreadsheet | Register |
|---|---|---|
| Entry date | Optional, usually absent | On every record |
| Owner | The file's last editor | A named person per entry |
| Drift control | None — copies fork | One authoritative record, review status visible |
| Bulk work | Excellent | Via CSV import/export |
| Path to proof | None — it is the working file | Renders into dated evidence reports |

The bridge is literal: your existing tracker exports to CSV, the register imports it, and the knowledge survives while the chaos does not. Going the other way, registers export back to CSV whenever a spreadsheet is the right tool for a one-off job. Messy data is normal at import time — a register that flags incomplete records (a renewal missing its owner or date) turns the mess into a visible to-do list instead of a hidden liability.
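The import-time flagging described above, as an added example rather than CertPilot's own code or import format: it reads a renewals tracker exported to CSV and turns missing owners, missing dates and old reviews into a dated to-do list. The column names, the sample rows and the 180-day review interval are assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export; column names are assumptions, not a product format.
SAMPLE_CSV = """item,renews,owner,reviewed
CRM,2027-03-01,Dana,2026-06-01
Email hosting,2026-07-10,,2026-05-15
Backup service,,Lee,2025-01-20
VPN licence,01/09/2026,Sam,
"""

REVIEW_MAX_AGE_DAYS = 180  # assumed review interval, adjust to your policy


def parse_iso(value):
    """Return a date for YYYY-MM-DD text, or None if blank or ambiguous."""
    try:
        return datetime.strptime((value or "").strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def audit_register(csv_text, as_of):
    """Split rows into complete items and a to-do map of item -> gaps."""
    complete, todo = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        gaps = []
        if not (row.get("owner") or "").strip():
            gaps.append("missing owner")
        if parse_iso(row.get("renews")) is None:
            gaps.append("missing or unparseable renewal date")
        reviewed = parse_iso(row.get("reviewed"))
        if reviewed is None:
            gaps.append("no review date")
        elif (as_of - reviewed).days > REVIEW_MAX_AGE_DAYS:
            gaps.append("review older than %d days" % REVIEW_MAX_AGE_DAYS)
        if gaps:
            todo[row["item"]] = gaps
        else:
            complete.append(row["item"])
    return complete, todo


if __name__ == "__main__":
    as_of = date(2026, 6, 12)
    complete, todo = audit_register(SAMPLE_CSV, as_of)
    print("Register audit as of %s: %d complete, %d incomplete"
          % (as_of.isoformat(), len(complete), len(todo)))
    for item, gaps in todo.items():
        print("  TODO %s: %s" % (item, "; ".join(gaps)))
```

Dates that are not in YYYY-MM-DD form are flagged rather than guessed, since a value like 01/09/2026 reads as January or September depending on who typed it.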

A 30-Day Plan From Spreadsheet Sprawl to First Evidence Report

  • Week 1 — turn on the checks. Add your domains and let automated checks start reading certificates, DNS, registration, and email-authentication records. Zero data entry; the dated trail starts accumulating immediately.
  • Week 2 — import the renewals. Find the renewal/vendor tracker (or several), consolidate to one CSV, import it, and fill in owners where the spreadsheet had blanks. This is usually the highest-value register and the messiest import — do it first while motivation is fresh.
  • Week 3 — add people, accounts, and assets. Import or enter who works here, which systems they have accounts on, and what hardware and software exists. Perfect completeness is not the bar; owned and dated is.
  • Week 4 — generate the first report and send it. Render a first evidence report, skim it, and deliver it to whoever asked — dated, scoped, self-contained. Then put a monthly recurrence in your calendar, because the second report is what turns an artifact into a routine.

Total effort: a few focused hours a week, front-loaded. After day 30 the ongoing cost drops to roughly monthly register upkeep plus fifteen minutes to generate and skim each report.

What CertPilot Does — and Does Not Do — Here

CertPilot's registers are manual-first and CSV-friendly: you bring the knowledge, it brings structure, dating, ownership, and report output. Its checks read public signals only — SSL, DNS, RDAP/domain data, and email-authentication records, as documented on the methodology page. It does not auto-discover assets, sync directories, scan systems or content, monitor endpoints, or watch employees — the register contains exactly what your team chooses to enter or import. And it will not eliminate spreadsheets from your life entirely; it removes them from the one job they fail at, which is proof.

In Short

  • Proof of IT control is made of dated, owned, repeatable artifacts: automated checks, maintained registers, and generated evidence reports.
  • "It's in a spreadsheet somewhere" fails because a well-kept spreadsheet is indistinguishable from a neglected one — the artifact carries no trust signal.
  • Leadership's five questions (domains? renewals? access? assets? over time?) each map to a check, a register, or a report — never to another spreadsheet.
  • Spreadsheets keep their real jobs; CSV import is the bridge that carries their knowledge into owned, dated registers.
  • Thirty days gets you from sprawl to a first delivered evidence report; the monthly repeat is what makes it proof of a routine.

Frequently Asked Questions

Are spreadsheets bad for IT governance?

No — unowned, undated, forked spreadsheets are. Spreadsheets are good working files and fine data-entry tools, which is exactly why CSV import and export matter: the knowledge in them is usually sound. They fail specifically as evidence, because nothing in a spreadsheet enforces dates, owners, or a single authoritative version, and nothing in one renders a management-ready artifact.

What should my first evidence report contain?

Whatever the asker's question was. For a general "is IT under control?", a monthly summary works: domain and certificate status, renewal risk with owners, and access-review counts, with a scope statement and generation date. For a specific trigger — an insurance questionnaire, say — a focused report like an access-review register fits better. Section-by-section guidance is in Management-Ready IT Evidence Reports: What to Include.

How long does setup take?

Checks: minutes — add domains and the public-signal verification starts. Registers: an afternoon per register if your spreadsheets export to CSV cleanly, longer if consolidation is needed. The 30-day plan above front-loads the work into about four focused sessions; the steady state afterward is one to two hours of register upkeep a month plus minutes per report.

What if my data is messy?

Import it anyway. Messy is the normal starting condition — that is what years of spreadsheet drift produce. A register makes the gaps visible (entries missing owners or dates get flagged as incomplete) and turns cleanup into a finite, trackable list rather than an invisible problem. An honestly incomplete register with dated entries is already better evidence than a polished spreadsheet nobody can vouch for.

Do I need management buy-in first?

No — this is one of the few governance efforts an IT manager can start unilaterally, because the first artifact is also the pitch. Checks and a first register cost a few hours and no approvals. The first dated report, delivered unasked, answers the question leadership was going to ask anyway — which is a far stronger position than requesting budget for a governance project in the abstract.
