Change control can be effective and speedy iff it uses a risk based model. Low risk changes should whiz through, while high risk ones need to go through change control in the usual torturous manner. Every minor tweak to a stand alone system need not go through the torture chamber of central IT.
Aside from that, spreadsheets and other desktop tools are what I call 'end user computing'. The local manager and her boss sign off on the risks and, hey, more power to them if they want to take down the company running a 100million deal through untested code.
My approach was every two years do an audit of the active end user tools, sit down with the management, and decide which ones were stable enough to 'productionize' using a more traditional spec, code, test cycle. It was like mowing the grass. let it grow, then once in a while knock it back. The quants, etc actually like this, because they ended up with less to support.
Taking a holistic view to the problem generally yields good results.