How to Audit Your SaaS Stack in a Week (Without an Audit)
You don't need a six-week consulting engagement to find the 20% of your SaaS stack that's leaking money. Here's the week-long audit we run with finance leads at 200-person companies.
Why finance, not IT, should run this
IT teams typically know what's in the identity provider (IdP) catalog. Finance teams know what's in the accounts payable (AP) ledger. The two lists overlap by 60–75% at most mid-market companies — the rest is either shadow IT (in AP, not in IdP) or deprovisioned-but-still-licensed (in IdP, not in AP). Reconciling the two is fundamentally an accounting motion, not a technical one. Finance owns the data sources that surface the largest gaps.
There's also an incentive alignment argument. IT teams are measured on uptime, security, and user experience. Cutting seats and consolidating tools sometimes hurts those metrics in the short term, even when it's the right call on a 12-month basis. Finance is measured on cost. Putting finance in the lead seat for the audit aligns the metric with the work.
What good looks like at the end of week one
- A reconciled vendor list with annual cost, owner, renewal date, and category for every line item over $1K/year.
- A renewal calendar covering the next 12 months, with auto-renewal trigger dates and notice windows.
- A duplicate-tools shortlist with a recommended consolidation path for each (which tool wins, by when, on what timeline).
- A zombie-license list with a recommended deprovisioning batch — usually executed at the next renewal, not mid-term.
- A one-page executive summary: total stack cost, identified recovery, and the three contracts to focus on next quarter.
When a finance leader inherits a 200-person company's SaaS stack, the first instinct is to commission an audit. Don't. A week of focused work using the data you already own will surface 80% of the value a six-figure consulting engagement would. Here's the playbook.
What you're actually looking for
The audit isn't about cataloguing every tool. It's about finding three categories of waste:
- Duplicates — multiple tools doing the same job (e.g. Loom and Vidyard, Notion and Confluence, Asana and Monday).
- Zombies — paid licenses assigned to people who left or never used the tool.
- Cliff renewals — contracts auto-renewing in 30 days that nobody calendared.
The five-day plan
Day 1 — Source the data
- Export 12 months of card and AP data tagged 'Software' or 'SaaS' from Brex, Ramp, or your ERP.
- Pull every Stripe and Mercury subscription receipt from the company Gmail or Outlook (search 'invoice OR receipt OR renewal').
- Export the IdP app catalogue (Okta, Google Workspace, Entra) with last-login dates.
- Export employee status from your HRIS (active, terminated, contractor) for the past 12 months.
Day 2 — Build the master list
Reconcile the four data sources into one spreadsheet keyed by vendor name. Normalize naming aggressively — 'Atlassian Cloud', 'Jira Software', and 'Confluence' all roll up to 'Atlassian'. Add columns: annual cost, seat count, owner, renewal date, last login.
Day 3 — Find the duplicates
Group by category. Where you have two or more tools in the same category, list which teams use which. Most duplicates are not 'we don't need this' — they're 'we need to pick one and sunset the other in 90 days.'
Day 4 — Find the zombies
Cross-reference seat counts against IdP last-login dates. Any seat that hasn't logged in for 60+ days is a candidate for revocation. Cross-reference seat assignments against HRIS-terminated employees — these are the easiest savings, recoverable at the next renewal.
Day 5 — Build the renewal calendar
Map every contract to its renewal date and auto-renewal window. Anything renewing within the next 90 days is a focused negotiation; anything in 90–180 days is on a watchlist. This calendar becomes your operating cadence.
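The Day 4 cross-reference, as an added Python example that is not part of the original article: it joins an IdP export against an HRIS export and flags seats held by terminated employees, seats never used, and seats idle for 60+ days. The CSV column names, the sample rows, and the separate "no HRIS record" bucket for accounts with no matching employee are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports; the column names are assumptions, not a vendor schema.
IDP_CSV = """email,app,last_login
ana@example.com,Notion,2025-05-28
Bo@example.com,Notion,2025-02-10
cy@example.com,Loom,
dee@example.com,Loom,2025-05-30
svc-backup@example.com,Notion,2025-05-31
"""
HRIS_CSV = """email,status
ana@example.com,active
bo@example.com,active
cy@example.com,contractor
dee@example.com,terminated
"""

INACTIVE_DAYS = 60  # Day 4 threshold from the article

def find_zombie_seats(idp_csv, hris_csv, today):
    """Return (email, app, reason) for every seat that is a revocation candidate."""
    status = {r["email"].strip().lower(): r["status"].strip().lower()
              for r in csv.DictReader(io.StringIO(hris_csv))}
    cutoff = today - timedelta(days=INACTIVE_DAYS)
    findings = []
    for row in csv.DictReader(io.StringIO(idp_csv)):
        email = row["email"].strip().lower()  # exports often differ in case
        app = row["app"].strip()
        raw = row["last_login"].strip()
        last = date.fromisoformat(raw) if raw else None
        who = status.get(email)
        if who == "terminated":
            reason = "terminated in HRIS"  # checked first: a recent login does not clear it
        elif who is None:
            reason = "no HRIS record, needs owner"  # service or orphaned account
        elif last is None:
            reason = "never logged in"
        elif last <= cutoff:
            reason = f"inactive {(today - last).days} days"
        else:
            continue
        findings.append((email, app, reason))
    return findings

if __name__ == "__main__":
    for finding in find_zombie_seats(IDP_CSV, HRIS_CSV, date(2025, 6, 1)):
        print(*finding, sep=" | ")
```

The terminated check runs before the login check on purpose: a seat that still shows recent logins after the HRIS marks its holder terminated is an access issue as well as a cost issue.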
Typical findings
| Category | Typical % of stack | Recovery on first cycle |
|---|---|---|
| Duplicate tools | 8–12% | 5–9% of total ACV |
| Zombie licenses | 12–20% of seats | 3–6% of total ACV |
| Mispriced renewals | 20–30% of contracts | 8–15% on negotiated lines |
| Auto-renewed without review | 30–40% of contracts | Varies — usually 0% saved |
Anti-patterns we see
- Trying to catalog every tool below $500/year. The cost of cataloging exceeds the savings; standardize the long tail through expense policy instead.
- Confusing the audit with a procurement freeze. Don't stop new purchases during the audit; the audit is supposed to be invisible to the business.
- Skipping the HRIS reconciliation. Terminated employees with active seats are the easiest savings of the entire exercise; missing them undercuts the credibility of every other finding.
- Presenting findings as 'IT did a bad job.' The audit should be presented as 'we now have a shared view of stack cost'; finger-pointing kills the cross-functional relationship the rituals depend on.
A worked example
A 240-person Series C SaaS company we worked with in 2024 ran this five-day audit with a finance manager and a senior IT generalist. They started from a stated $1.9M annual SaaS spend across 87 known vendors. By Friday they had a reconciled list of 134 vendors and a recovery plan totaling $314K (16.5% of stack). The breakdown:
| Source of recovery | $ recovered | % of stack |
|---|---|---|
| Zombie licenses (terminated employees still active) | $71K | 3.7% |
| Duplicate tools (Loom + Vidyard, Notion + Confluence) | $104K | 5.5% |
| Auto-renewals re-negotiated within window | $118K | 6.2% |
| Unsanctioned shadow-IT contracts terminated | $21K | 1.1% |
The week-long audit cost the company about 60 person-hours. The same scope quoted by two SaaS-management consultancies came in at $85K and 6 weeks. The in-house version found ~92% of the same waste in 12% of the time at no incremental cost.
Sources and further reading
- Gartner 2024 SaaS Spend Management Survey — average mid-market waste rates of 12–18%.
- Productiv State of SaaS 2024 — license utilization data across 1,000+ companies.
- Internal RenewalPad data: 38 first-cycle audits at 50–500 person companies, 2023–2025.
Frequently asked questions
- Do I need a SaaS management tool to do this?
- No. The five-day audit works in a spreadsheet. A SaaS management tool turns it into an ongoing process instead of a one-off, but the first audit can absolutely be done by hand.
- Who should own the audit?
- A finance lead or controller with IT as a partner. Pure-IT audits miss the contract math; pure-finance audits miss the access reality. Two people, one week.
- What's the right cadence after the first audit?
- Quarterly for the master list, monthly for the renewal calendar, continuous for the zombie-license check (the moment HRIS marks someone terminated).