What Is a SaaS Audit and When Do You Need One?
A SaaS audit is a structured review of every software subscription your company pays for, who owns it, how much it costs, and whether it still delivers value. Think of it as a health check for your software stack.
Most companies run their first SaaS audit when one of three things happens: a cost-cutting initiative lands on the CFO's desk, a compliance requirement (SOC 2, ISO 27001) demands a full vendor inventory, or someone discovers the company is paying for three project management tools that do the same thing.
Here is the reality. The average mid-market company uses 57 or more SaaS subscriptions, and research shows that 51% of SaaS licences go completely unused. That is not a rounding error. It is thousands of pounds walking out the door every month. A SaaS audit finds that money and gives you a clear plan to reclaim it.
If your company has never done a formal software audit, this guide walks you through the entire process in five steps. Expect to spend two to three hours on a manual audit, or roughly 15 minutes if you use a SaaS management platform like Cledara.
Step 1: Inventory All SaaS Applications
You cannot optimise what you cannot see. The first step in any SaaS stack audit is building a complete list of every application your company uses, including the ones nobody officially approved.
Start by pulling data from three places:
- Finance records: Credit card statements, expense reports, and accounts payable logs. Search for recurring charges to software vendors. Do not forget annual subscriptions that only appear once a year.
- SSO and identity providers: If you use Okta, Google Workspace, or Microsoft Entra, export the list of connected applications. This catches tools that employees access through single sign-on.
- Browser and endpoint data: This is where shadow IT hides. Employees sign up for free trials, freemium tools, and paid subscriptions using personal email addresses or direct credit card payments that never touch your finance systems.
Cledara's Engage browser extension automates this step entirely. It deploys across Chrome, Safari, and Firefox to discover every SaaS tool employees actually use, not just the ones the company pays for. The average Cledara customer discovers 20 or more unknown SaaS tools during their first audit. Combined with Cledara's directory of over 6,000 recognised applications, each discovered tool is automatically categorised, saving hours of manual classification.
What good looks like: A single spreadsheet (or dashboard) listing every SaaS tool by name, with no gaps. If you are doing this manually, expect to find 30% to 40% more applications than your finance team currently tracks.
Common mistake: Only checking credit card statements. This misses tools paid through invoices, expensed by individuals, or used on free plans that still create security and compliance exposure.
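The reconciliation described in Step 1, as an added example (not Cledara's code): it joins the three sources on a normalised name and buckets every tool that finance or the identity provider cannot see. The vendor names, the legal-suffix list and the bucket labels are assumptions made for illustration.

```python
import re

# Constructed sample exports (hypothetical names), one list per source in Step 1.
FINANCE = ["Acme CRM Ltd.", "TaskBoard Inc", "SurveyNest"]        # card and AP records
SSO = ["acme crm", "TaskBoard", "DocVault"]                       # identity provider apps
BROWSER = ["TaskBoard", "SurveyNest", "PixelSketch", "docvault"]  # endpoint discovery

LEGAL_SUFFIX = re.compile(r"\b(ltd|limited|inc|llc|gmbh)\b\.?", re.IGNORECASE)

def normalise(name):
    """Collapse case, legal suffixes and punctuation so the sources can be joined."""
    name = LEGAL_SUFFIX.sub("", name.lower())
    return re.sub(r"[^a-z0-9]+", "", name)

def reconcile(**sources):
    """Map each normalised app key to the set of source labels that saw it."""
    inventory = {}
    for label, names in sources.items():
        for name in names:
            inventory.setdefault(normalise(name), set()).add(label)
    return inventory

def gaps(inventory):
    """Bucket the apps that finance or the identity provider cannot see."""
    out = {"shadow_it": [], "paid_not_in_sso": [], "in_sso_no_spend": []}
    for app, seen in sorted(inventory.items()):
        if seen == {"browser"}:
            out["shadow_it"].append(app)         # in use, never paid or approved centrally
        elif "sso" not in seen:
            out["paid_not_in_sso"].append(app)   # paid for, but logins sit outside the IdP
        elif "finance" not in seen:
            out["in_sso_no_spend"].append(app)   # free plan, or paid by expense claim or invoice
    return out

def untracked_share(inventory):
    """Fraction of the full inventory that finance records do not list."""
    missing = [app for app, seen in inventory.items() if "finance" not in seen]
    return len(missing) / len(inventory)

INVENTORY = reconcile(finance=FINANCE, sso=SSO, browser=BROWSER)
REPORT = gaps(INVENTORY)
```

Exact-match joins on raw vendor names miss most overlaps, so review the normalised keys by hand before trusting the buckets.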
Step 2: Map Ownership and Contracts
Once you have your full inventory, the next step is attaching an owner, a contract, and a cost to every application.
For each tool, document:
- Business owner: The person or team responsible for the tool. Not the person who signed the contract two years ago, but whoever relies on it today.
- Contract details: Start date, renewal date, billing frequency (monthly or annual), and cancellation notice period. Pay special attention to auto-renewal clauses.
- Total cost: Annual spend including all seats, add-ons, and overages. Convert monthly subscriptions to annual figures for easier comparison.
- Payment method: Corporate card, invoice, expense claim, or departmental budget. This tells you how much spend sits outside centralised procurement.
This step often reveals uncomfortable truths. Contracts with no clear owner. Renewal dates that passed months ago without review. Multiple departments paying separately for the same tool.
What good looks like: Every application has a named owner, a documented renewal date, and a verified annual cost. You can answer the question "who owns this and when does it renew?" for any tool in under 30 seconds.
Common mistake: Skipping the ownership assignment. Without a clear owner, nobody is accountable for reviewing whether the tool is still needed at renewal time.
Step 3: Assess Utilisation and Value
This is where the real savings surface. For every tool in your inventory, you need to answer two questions: how many people actually use it, and is it worth what you pay?
Measure utilisation in three tiers:
- Active users vs. licensed seats: If you pay for 50 seats but only 20 people logged in during the past 90 days, you are paying for 30 unused licences.
- Feature adoption: Some teams use a premium tool's basic features only. If nobody uses the advanced analytics, reporting, or automation capabilities, a cheaper plan (or a simpler alternative) might deliver the same value.
- Frequency of use: A tool that gets used daily is very different from one that gets opened once a quarter. Low-frequency tools are prime candidates for consolidation or cancellation.
Cledara's spend tracking and virtual cards make this step straightforward. Because every subscription runs through its own virtual card with automatic spend limits, you get exact cost data per tool without chasing invoices. The Benchmarks feature shows how your price for a given vendor compares to the 25th and 75th percentile across other companies, so you can immediately spot where you are overpaying.
What good looks like: A utilisation score for each tool (high, medium, low) paired with its annual cost. This gives you a clear cost-per-active-user figure that makes prioritisation easy.
Common mistake: Treating all underused tools the same. A low-utilisation security tool that protects your entire infrastructure is very different from a low-utilisation design tool that three people tried once. Context matters.
Step 4: Identify Risks (Security, Compliance, Redundancy)
A SaaS audit is not just about cost. It is also about risk. Every third-party tool your employees use is a potential vector for data breaches, compliance violations, and operational disruption.
Evaluate each application across three risk dimensions:
- Security posture: Does the vendor hold a SOC 2 Type II report, ISO 27001 certification, or other relevant attestations? Do they support SSO and multi-factor authentication? Is company data encrypted at rest and in transit?
- Compliance alignment: If your organisation must comply with GDPR, HIPAA, or industry-specific regulations, every SaaS vendor that touches regulated data needs to meet those standards. An unapproved tool handling customer data can create a compliance gap overnight.
- Redundancy and overlap: Flag tools that serve the same function. Three different survey platforms, two overlapping CRM systems, or five separate file-sharing tools are not just wasteful; they fragment data and make governance harder.
Cledara's certification tags streamline this step by showing each vendor's compliance status at a glance. You can filter your entire software stack by certification type and instantly see which tools lack the security credentials your organisation requires.
For a deeper look at how unapproved tools create risk, see our guide on shadow IT and how to bring informal SaaS under control.
What good looks like: A risk rating (high, medium, low) for every tool, with specific flags for missing certifications, unsupported authentication standards, and redundant functionality.
Common mistake: Focusing only on cost and ignoring compliance. A cheap tool that exposes customer data to a breach is the most expensive tool in your stack.
Step 5: Build the Action Plan
The audit is only useful if it leads to action. Take your findings from Steps 1 through 4 and sort every application into one of four categories:
- Keep as is: High utilisation, reasonable cost, compliant, no redundancy. No changes needed.
- Renegotiate: Valuable tool, but you are overpaying or have too many seats. Flag for renewal negotiation. Use benchmarking data to build your case.
- Consolidate: Multiple tools serving the same purpose. Pick the best one, migrate users, and cancel the rest. For guidance on this process, read our SaaS spend management and consolidation guide.
- Cancel: Low utilisation, high cost, poor compliance posture, or no clear business owner. These are your quick wins.
Prioritise by impact. Start with the highest-cost, lowest-value tools. A single unused enterprise subscription costing thousands per year delivers more savings than cancelling five small tools at ten pounds each.
Set a timeline. Assign owners to every action item with a deadline. Quick wins (cancellations, seat reductions) should happen within 30 days. Renegotiations align to renewal dates. Consolidation projects may take 60 to 90 days depending on data migration requirements.
What good looks like: A prioritised action list with owners, deadlines, and estimated savings per line item. Total projected savings should be visible at the top of the document.
Common mistake: Creating the plan but never following through. Without deadlines and owners, the audit becomes a report that sits in a shared drive. Schedule a 30-day check-in to review progress.
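The sorting rules from Steps 3 to 5, as an added example (not Cledara's code): each tool is placed in one of the four categories and the list is ordered by reclaimable spend. The field names, the 0.3 and 0.7 utilisation cut-offs and the sample tools are assumptions; the critical flag encodes the Step 3 point that a low-utilisation security tool is not cancelled on usage alone.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Tool:
    name: str
    category: str           # function served; a shared category means overlap
    annual_cost: float      # GBP, monthly plans already annualised
    seats: int
    active_90d: int         # users who logged in during the past 90 days
    owner: Optional[str]    # None when nobody claims the tool
    compliant: bool         # holds the certifications you require
    critical: bool = False  # e.g. security tooling: low use alone never cancels it

LOW, HIGH = 0.3, 0.7  # assumed utilisation cut-offs, tune for your stack

def utilisation(t):
    return t.active_90d / t.seats if t.seats else 0.0

def must_cancel(t):
    low_use = utilisation(t) < LOW and not t.critical
    return t.owner is None or not t.compliant or low_use

def triage(tools):
    """Return (action, name, reclaimable GBP) rows, largest saving first."""
    best = {}  # most-used surviving tool per category wins consolidation
    for t in sorted((t for t in tools if not must_cancel(t)),
                    key=lambda t: t.active_90d):
        best[t.category] = t
    rows = []
    for t in tools:
        if must_cancel(t):
            rows.append(("cancel", t.name, t.annual_cost))
        elif best[t.category] is not t:
            rows.append(("consolidate", t.name, t.annual_cost))
        elif utilisation(t) < HIGH:  # pay only for the seats in use
            unused = round(t.annual_cost * (1 - utilisation(t)), 2)
            rows.append(("renegotiate", t.name, unused))
        else:
            rows.append(("keep", t.name, 0.0))
    return sorted(rows, key=lambda r: r[2], reverse=True)

TOOLS = [  # constructed sample inventory (hypothetical tools and figures)
    Tool("SurveyNest", "survey", 720.0, 30, 24, "marketing", True),
    Tool("FormPilot", "survey", 900.0, 20, 8, "sales", True),
    Tool("Acme CRM", "crm", 12000.0, 50, 20, "sales", True),
    Tool("PixelSketch", "design", 600.0, 5, 3, None, False),
    Tool("EdgeShield", "security", 8000.0, 100, 25, "it", True, critical=True),
]
PLAN = triage(TOOLS)
```

Summing the third column of PLAN gives the total projected savings to put at the top of the action list.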
How Cledara Automates Your SaaS Audit
Running a SaaS audit manually works, but it takes hours of detective work across spreadsheets, bank statements, and HR systems. Cledara collapses the entire process into minutes.
Step 1 (Inventory) is handled automatically by the Engage browser extension, which discovers every SaaS tool in use across your organisation, including shadow IT that never appeared in your finance records. Every discovered tool is matched against Cledara's directory of 6,000+ applications and categorised instantly.
Steps 2 and 3 (Ownership, Contracts, Utilisation) are built into the platform. Every subscription paid through Cledara's virtual cards has a named owner, tracked spend, and usage data attached. The Negotiation Copilot surfaces benchmarking data and generates pre-filled negotiation emails when renewal dates approach.
Step 4 (Risk) is simplified through certification tags and compliance tracking. Filter your stack by SOC 2, ISO 27001, or GDPR status and flag gaps in seconds rather than hours of manual vendor research.
Step 5 (Action Plan) becomes execution. Because Cledara controls the payment card for each subscription, cancelling a tool is as simple as freezing the card. No vendor runaround, no forgotten renewals that auto-charge for another year.
The average Cledara customer achieves a 23% reduction in SaaS costs and saves over 13 hours per month on software administration. That is the difference between a SaaS audit that sits in a spreadsheet and one that actually drives results.



















