How to audit your SaaS stack in 7 steps: a practical framework for procurement and IT

Why this audit catches what your finance tool misses

A finance dashboard tells you what you paid last month. A saas stack audit tells you what you actually use, what auto-renews next quarter, and which contract has a 60-day cancellation window that closes in three weeks. Those are different jobs. Finance tooling like Spendesk or Ramp shows you the credit card line items it can parse, but it cannot see the Notion workspace your VP of Marketing spun up on her personal Amex, the Datadog seats that 14 ex-employees still appear to occupy because nobody deprovisioned them, or the Zendesk renewal that quietly stepped up 22 percent because your three-year promo expired.

Shadow IT alone accounts for a serious chunk of waste. BetterCloud's 2024 State of SaaSOps report found that the average mid-market company runs 112 SaaS applications and IT only knows about 60 percent of them. License utilization is the second blind spot. Single sign-on tells you who has access, not who logs in, and the gap is usually 30 to 50 percent on collaboration tools. The third blind spot is the auto-renewal cliff, where contracts roll over for another 12 months because nobody opened the inbox folder where the vendor notice landed.

Add it up and the typical reclaim is around 1,200 dollars per employee per year, according to Vendr's 2024 SaaS spend benchmarks. For a 200-person company, that is a quarter of a million dollars sitting in plain sight.

The 7-step framework

This is the sequence I use when a CFO calls and asks where the SaaS budget went. It works for companies between 30 and 500 employees. Above that you need procurement software, but the logic is identical. Run the steps in order. Skipping ahead to the cancellation list before you finish the owner interviews is how good audits become bad layoffs of useful tools.

1. Pull statements, not SSO exports

   Start with the last 12 months of credit card and ACH statements from finance, plus expense reports filed by department heads. SSO covers maybe 70 percent of your real stack. The other 30 percent lives on personal cards and one-off invoices, which is where the surprises hide. Cross-reference the statement list against your SSO export and flag every delta.

2. Per-tool utilization, not seat count

   For every tool over 500 dollars per month, pull last-30-day active users from the admin console. Slack will give you weekly active members, Notion shows page edits per seat, Datadog shows logged-in users versus provisioned. Compare that number to seats you are paying for. A seat that has not logged in for 60 days is a seat you are renting for nothing.

3. Owner interview, 15 minutes per tool

   Every tool needs one named owner who can answer two questions. What breaks if we cancel this tomorrow? What would you replace it with? Skip this step and you will cancel the wrong thing. The Notion workspace that looks dead because it has six logins per week might be where your top three customers keep their shared roadmap documents.

4. Contract terms scan

   Pull the master services agreement and order form for every contract over 1,000 dollars per month. Look for three things: renewal notice period, price step-up clauses, and minimum seat commits. A 60-day notice window means you decide in two months for a renewal nine months out. Miss it and you are locked in another year at the new price.

5. Redundancy detection

   Map every tool to a job-to-be-done. You will almost always find two project management tools, two video tools, two document collaboration tools, and at least one team running a parallel CRM in spreadsheets. Pick one per category and propose a consolidation. The savings here are usually larger than the seat-rightsizing savings.

6. Renewal calendar

   Build a 12-month rolling calendar of every contract renewal date, the notice deadline, and the named owner. This single document is worth more than any procurement tool you can buy. Share it with finance and put each notice deadline on a shared calendar with a 30-day pre-alert.

7. Deliverable plus decision

   Produce one page. Not a deck, not a Notion database, one page that fits on a single sheet of paper and lists every tool, monthly cost, utilization rate, contract end date, recommendation, and estimated saving. If your CFO cannot scan it in 90 seconds and sign off, you have written the wrong document.

The audit deliverable that gets signed

I have watched 40-page audit reports die in a CFO's inbox while one-page tables get approved in the same meeting they are presented. The pattern is consistent. A CFO needs to see the total reclaim, the per-tool decision, and the cancellation deadline in a single visual sweep. Anything that requires scrolling fails. Use the template below, sorted by estimated saving descending so the biggest wins sit at the top.

When I ran this for a 60-person fintech, the first surprise was that two of the top three savings lines were not cancellations, they were downgrades. Slack Business Plus to Pro saved 14,000 dollars because they were paying for SAML they did not use. Datadog Pro to a metered tier saved another 22,000 dollars because their log volume had dropped 70 percent after they migrated to Cloudflare Workers. Nobody had reviewed the plan tier in three years.

The table needs exactly six columns. Add a seventh and the eye loses the row. Numbers should be rounded to whole dollars. The recommendation column should use four verbs only: keep, downgrade, consolidate, cancel. No conditional language. The CFO is reading this to decide, not to discuss.

The 3 mistakes that kill audit outcomes

The first mistake is cutting too fast. An audit produces a list of low-utilization tools by week two, and the temptation is to send cancellation notices the same afternoon. Resist it. Half the tools that look dormant in an SSO report are quietly running a critical workflow for one team or one customer. The owner interview from step three exists precisely to catch this. Productiv's 2024 SaaS management research shows that 37 percent of tools tagged as unused in initial audits are reinstated within 90 days, usually after a customer complaint or a missed integration breaks production. Reinstating costs more than the seat ever did because you also pay for the migration back.

The second mistake is missing the auto-renewal cliff. Most enterprise SaaS contracts include a 60 or 90 day notice period before the renewal date. If you finish the audit in March and identify a Datadog cancellation, but the renewal date is April 15 with a 60-day notice, you missed it on February 14. You are locked in another year. Build the renewal calendar in step six before you build the recommendation list, because the calendar tells you which decisions are urgent versus which can wait one quarter.

The third mistake is killing tools that look unused but are critical for one customer. A small SaaS company I advised cancelled a Twilio sub-account because activity had dropped to near zero. It turned out to be the SMS notification channel for the second-largest customer's overnight monitoring alerts. The customer found out on Monday morning. Always tag tools by customer dependency before recommending cancellation, and never cancel anything tagged to a top-20 account without the account manager signing off in writing.

When to repeat the audit

Quarterly is the baseline if you are growing faster than 30 percent year on year, because at that pace your stack changes faster than your finance system can track it. Semi-annual works if budget pressure is low and headcount is stable. Run a full audit before every fundraise because investors will dig into spend efficiency and you want clean numbers before they ask. Run another after any headcount change of 20 people or more, up or down, because that is the threshold where seat math, tier eligibility, and renewal commits all shift at once. A growing company crosses pricing tiers, a shrinking one strands seats. The audit pays for itself every time you run it, and the second pass takes a third of the effort of the first because your renewal calendar and owner list already exist.