Solving the Spreadsheet Dependency for Managing Delegation of Authority
Definition: Delegation of authority (DOA) is the formal framework by which an organization assigns decision-making rights, approval limits, and signatory authority from the board of directors through successive levels of management. A functioning DOA framework connects policy, authority matrix, individual delegations, and system enforcement into a single governed system. For a comprehensive introduction, see Delegation of Authority 101.
Most enterprises still manage their delegation of authority in spreadsheets. The EY and Society for Corporate Governance 2025 study found that 78 percent of organizations host their DOA on an intranet or shared drive, and only 14 percent use a dedicated IT system. That means the vast majority of authority frameworks live in files that cannot enforce rules, cannot track changes with effective dates, and cannot produce point-in-time audit evidence on demand.
The consequences are not theoretical. Research by Raymond Panko at the University of Hawaii, spanning multiple studies of operational spreadsheets, found that 88 percent of audited spreadsheets contained errors. For delegation of authority, every error is a governance gap: a stale approval limit, a departed employee still listed as an approver, a temporary delegation that was never revoked. APQC's 2024 research across 311 finance professionals found that 29 percent of organizations rate their delegation of authority as less than effective. The spreadsheet dependency is the common thread.
Why spreadsheets fail for delegation of authority
Spreadsheet-based authority management breaks down in three predictable ways, each creating measurable governance exposure for public and regulated companies.
Authority records drift from organizational reality. The EY/SCG study found that 28 percent of organizations cite time-consuming updates as a key DOA challenge, and 27 percent cite maintaining current versions. In a spreadsheet, every promotion, departure, reorganization, or entity change requires someone to remember to update the file, distribute the new version, and confirm that downstream systems reflect the change. When that manual chain breaks, and it always does, the documented authority framework diverges from the actual decision rights people are exercising. For a structured approach to preventing this drift, see the Authority Change Management Playbook.
Audit evidence cannot be reconstructed. Auditors routinely ask: "Who had authority to approve this transaction on this date?" A spreadsheet that was overwritten six months ago cannot answer that question. There is no version history with effective dates, no point-in-time recall, and no audit trail showing who changed what and when. The ACFE's 2024 Report to the Nations found that 51 percent of occupational fraud losses stem from absent or overridden authorization controls, with a median loss of $145,000 per case. The inability to prove authority state at a past date is not just an inconvenience; it is a control gap that auditors will flag. For the compliance implications, see DOA and SOX/Internal Controls.
Enforcement is disconnected from documentation. The EY/SCG study found that 35 percent of organizations cite difficulty tracking delegations across entities and geographies. A spreadsheet can document authority rules, but it cannot enforce them. The approval routing in your ERP, procurement system, contract management platform, and banking portals operates independently from the spreadsheet. When those systems and the spreadsheet disagree, the system wins, and the spreadsheet becomes a compliance artifact rather than an operating tool.
The regulatory pressure is global and increasing
The shift away from spreadsheet-based authority management is not discretionary. Regulatory frameworks across major jurisdictions require structured, auditable, and current delegation of authority controls that static documents cannot reliably provide.
The table below maps the key regulatory frameworks that drive formal DOA requirements across six jurisdictions. Each framework creates specific obligations around authorization controls, audit trails, and governance documentation that spreadsheet-based approaches struggle to meet consistently.
Five signs your authority framework has outgrown spreadsheets
If you recognize three or more of these patterns, your organization has likely outgrown what spreadsheets can deliver for authority management.
You cannot answer "who had authority on this date?" for any past date. If reconstructing historical authority state requires searching email archives, SharePoint version histories, or asking colleagues what they remember, your authority records lack the point-in-time recall that auditors and regulators expect.
Authority updates take more than 48 hours to propagate. When someone is promoted, transfers to a new role, or leaves the organization, how long does it take for their authority to be updated across all systems? West Monroe's 2026 research found that 73 percent of C-suite executives link decision speed to revenue impact of 5 percent or more. Slow authority updates contribute directly to the approval delays that erode that revenue.
You have discovered approvals made by people who no longer hold the relevant authority. This is the clearest signal that your authority records and your enforcement systems have diverged. It means transactions are being approved based on stale authority mappings, which is precisely the control gap that SOX Section 404 and UK Corporate Governance Code Provision 29 are designed to prevent.
Your audit preparation requires manual assembly from multiple spreadsheets. If producing an authority evidence package for internal or external auditors requires consolidating data from multiple files across multiple owners, the process is not sustainable at scale and will produce inconsistent results each time.
Temporary delegations are still active months after they should have expired. Without automatic expiry, every "just for two weeks" delegation becomes a permanent authority grant. This is the single largest source of authority drift in most organizations and a problem that spreadsheets structurally cannot solve.
What purpose-built authority management looks like
Purpose-built authority management platforms address the structural limitations that make spreadsheets unsuitable for delegation of authority at enterprise scale.
APQC's research found that 75 percent of organizations using technology for DOA management report it as effective, compared to 64 percent of those without technology. The gap is driven by capabilities that spreadsheets fundamentally cannot provide: version-controlled authority records with effective dates and point-in-time recall, automated delegation lifecycle management that issues, tracks, and expires authority grants without manual intervention, enforcement synchronization with ERP, procurement, contract management, treasury, and identity systems, complete audit trails with attribution, timestamps, and exportable evidence packages, and role-based access so the right people can find, understand, and act on their authority without navigating complex spreadsheets.
Aptly is purpose-built for this category. It replaces static spreadsheets and policy documents with a dynamic authority registry that connects delegation of authority, signatory management, and approval governance in a single platform. For the structural framework that a platform should support, see How to Build a Delegation of Authority Matrix.
Why the shift is accelerating now
Three forces are converging to make the move from spreadsheets to purpose-built platforms urgent rather than aspirational.
Regulatory pressure is tightening globally. SOX modernization efforts, the UK Corporate Governance Code 2024 revisions, the EU Corporate Sustainability Reporting Directive, and emerging AI governance frameworks (including the EU AI Act's high-risk provisions effective August 2026) all increase the documentation, auditability, and enforcement requirements for authorization controls. Static documents are increasingly insufficient to meet these standards.
Organizations are investing. According to Grand View Research, the enterprise governance, risk, and compliance market reached $62.92 billion in 2024 and is projected to reach $134.86 billion by 2030, a 13.2 percent compound annual growth rate. APQC's research found that 67 percent of organizations with effective DOA policies report better decision-making, and 49 percent report a reduction in bottlenecks. The business case for moving beyond spreadsheets is supported by data from multiple independent sources.
Decision speed is becoming a competitive differentiator. West Monroe's 2026 research found that 73 percent of C-suite executives link decision speed to revenue impact of 5 percent or more, and 44 percent of managers have accepted slow decision-making as normal. Clear, accessible, system-enforced authority rules are a prerequisite for the decision velocity that enterprise leadership increasingly demands.
Frequently asked questions
Can we keep our existing DOA matrix structure when moving to a platform?
Yes. Purpose-built platforms are designed to digitize your existing authority structure, not replace it. Your current decision types, approval thresholds, role levels, and conditions translate directly into the platform. The change is in how the framework is maintained, enforced, and audited, not in its fundamental design. Most implementations begin by importing the existing matrix as the baseline.
How long does it take to implement a DOA management platform?
Implementation timelines vary by organizational complexity, but most organizations can have their core authority matrix digitized and operational within 30 to 60 days. The first phase typically focuses on migrating the existing framework and establishing the system of record. Subsequent phases add integrations, automated lifecycle management, and reporting. The key factor is not the technology deployment but the organizational readiness of the authority data itself.
What happens to our audit trail during the transition from spreadsheets?
The platform establishes a new, complete audit trail from the point of implementation forward. Historical spreadsheet records should be archived as the pre-platform baseline. From the implementation date onward, every change is automatically versioned, attributed, and timestamped, eliminating the gap that spreadsheets create.
Do we need to change our DOA policy to use authority management software?
Typically not. The policy defines the governance principles; the platform operationalizes them. However, many organizations find that the process of digitizing their framework reveals policy gaps or inconsistencies that were hidden in the spreadsheet format. This is a benefit, not a risk: addressing those gaps strengthens the overall governance posture. For guidance on policy design, see Writing a DOA Policy People Will Actually Follow.
Sources
- EY and Society for Corporate Governance. "The Delegation Edge: Corporate Governance in Focus." 2025.
- Panko, Raymond R. "What We Know About Spreadsheet Errors." University of Hawaii, Spreadsheet Research (SSR) Website.
- APQC. "The CFO's Guide to an Effective Delegation of Authority Policy." 2024.
- Association of Certified Fraud Examiners. "Occupational Fraud 2024: A Report to the Nations." 2024.
- West Monroe. "Speed Wins: The C-Suite Mandate for Decision Velocity." 2026.
- Grand View Research. "Enterprise Governance, Risk and Compliance Market To Reach $134.86 Billion By 2030." February 2025.
