
SaaS sprawl audit

14 min read | Updated February 2026

Cutting waste and reducing risk from uncontrolled SaaS subscriptions.

How many SaaS subscriptions does your business have? If you cannot answer that question with confidence, you are almost certainly paying for tools nobody uses, storing sensitive data in places you have forgotten about, and granting access permissions to applications that no longer serve any business purpose. This is SaaS sprawl, and it affects virtually every organisation that has grown beyond a handful of employees.

The problem accelerated dramatically during the shift to remote working, when teams adopted new cloud tools at speed with minimal oversight. What began as pragmatic problem-solving has matured into a persistent governance challenge. Individual subscriptions are inexpensive enough to fly under the radar, but in aggregate they represent a significant and growing share of IT expenditure, often exceeding the cost of core infrastructure.

This guide provides a structured approach to auditing your SaaS estate: discovering every subscription, assessing its value and risk, taking decisive cleanup action, and establishing the governance controls that prevent sprawl from returning. Work through each section methodically. The organisations that do this well typically recover 20 to 35 percent of their SaaS spend while simultaneously improving their security posture.


The scale of the problem

Most businesses dramatically underestimate the number of SaaS tools in their environment. The gap between what IT knows about and what is actually running is where the real cost and risk accumulate, often invisibly, until something forces the issue.

Shadow IT is everywhere

Research consistently shows that the average organisation uses three to four times more SaaS applications than its IT department is aware of. Employees sign up for free trials, connect tools using personal accounts, and adopt niche applications without ever involving IT or procurement. Each of these decisions is individually rational, but collectively they create an unmanaged estate of tools holding business data outside any governance framework.

The hidden cost compounds silently

A single unused subscription at ten pounds per month barely registers. Multiply that by fifty unused tools across the organisation and you are looking at six thousand pounds annually in pure waste. Add in the cost of duplicate functionality, over-provisioned licences, and premium tiers that nobody needs, and the total waste in a typical 100-person company often runs to five or six figures per year. The money leaves the business gradually enough that nobody notices until someone finally looks at the full picture.

Every unmanaged tool is a security risk

Unmanaged SaaS applications represent uncontrolled data exposure. They sit outside your identity provider, beyond your conditional access policies, and typically without multi-factor authentication. When an employee leaves, their access to these tools is rarely revoked because nobody knows the tools exist. When a vendor suffers a breach, your data may be compromised without your security team ever being notified because the application was never registered in your environment.

Compliance obligations do not disappear with ignorance

Data protection regulations apply to all personal data your organisation processes, regardless of where it is stored. If customer data sits in an unapproved SaaS tool that you did not know about, you are still responsible for it. In the event of a breach or regulatory inquiry, 'we did not know that tool existed' is not a defence. It is an admission of inadequate data governance.

Discovery methods

A thorough discovery phase is the foundation of any SaaS audit. No single method will catch everything, which is why you need to approach the problem from multiple angles. Financial records, identity systems, staff surveys, and network data each reveal a different layer of your SaaS estate.

Audit credit card and expense statements

Start with the money trail. Pull every recurring charge from company credit cards, direct debits, and employee expense claims over the last twelve months. You will find subscriptions that nobody remembers authorising, free trials that silently converted to paid plans, and charges for tools that were replaced months ago. Finance teams often hold the most complete picture of your SaaS estate because every tool eventually shows up as a line item somewhere.

Review identity provider enterprise applications

Your Azure AD (now Microsoft Entra ID) tenant holds a registry of every application that has been granted access to your environment. Many of these were added during a quick sign-in flow when someone clicked 'Sign in with Microsoft' and never thought about it again. Each entry represents a third party with some level of access to your organisation's data. Export the full list, note the permissions each application holds, and flag anything that looks unfamiliar or overly broad.

Survey every team and department

The tools your staff actually use every day are not always the tools you think they use. Send a short, structured survey asking each team member to list every cloud application they access for work. Include browser-based tools, mobile apps, desktop software, and any personal accounts used for business purposes. The gap between what IT knows about and what staff actually use is where shadow IT lives, and that gap is usually much wider than anyone expects.

Inspect browser extensions and OAuth integrations

Browser extensions and OAuth connections represent a hidden layer of your SaaS estate. A single browser extension can read page content, access cookies, and transmit data externally. OAuth integrations granted by individual users can provide third-party applications with access to mailboxes, calendars, and file storage. These connections rarely appear in any central inventory, yet they represent some of the most significant data exposure risks in modern environments.
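One way to triage an enterprise application export, written as an added example for this checklist rather than code from the page or from any identity vendor. The record layout, the sample apps and the risk thresholds are assumptions; the scope names are standard Microsoft Graph permissions.

```python
# Added example: rate each registered app by the OAuth scopes it holds, flag stale
# sign-ins and unverified publishers, so the export can be reviewed worst-first.
from datetime import date

AUDIT_DATE = date(2026, 2, 15)
STALE_DAYS = 90  # no sign-in for this long: candidate for removal

# Constructed sample export (not the real Entra ID format): name, granted Graph scopes,
# last sign-in and whether the publisher is verified.
ENTERPRISE_APPS = [
    {"name": "Contoso Project Hub", "scopes": ["openid", "profile", "email", "User.Read"],
     "last_sign_in": date(2026, 1, 20), "verified_publisher": True},
    {"name": "MailMerge Helper", "scopes": ["Mail.ReadWrite", "Contacts.Read", "offline_access"],
     "last_sign_in": date(2025, 6, 3), "verified_publisher": False},
    {"name": "Drive Sync Pro", "scopes": ["Files.ReadWrite.All", "Sites.Read.All", "User.Read"],
     "last_sign_in": date(2026, 2, 1), "verified_publisher": True},
    {"name": "Old Survey Tool", "scopes": ["User.Read", "Directory.ReadWrite.All"],
     "last_sign_in": date(2025, 3, 15), "verified_publisher": False},
]

# Sign-in-only scopes that every 'Sign in with Microsoft' app legitimately needs.
BASELINE = {"openid", "profile", "email", "offline_access", "User.Read"}

def scope_risk(scope: str) -> str:
    """low: sign-in only; high: writes data or is tenant-wide (.All); medium: any other data read."""
    if scope in BASELINE:
        return "low"
    if scope.endswith(".All") or "Write" in scope:
        return "high"
    return "medium"

def triage(apps, today=AUDIT_DATE, stale_days=STALE_DAYS):
    """One finding per app: its worst scope risk plus every reason it was flagged."""
    findings = []
    for app in apps:
        risks = {s: scope_risk(s) for s in app["scopes"]}
        worst = "high" if "high" in risks.values() else "medium" if "medium" in risks.values() else "low"
        reasons = [f"{s} ({r})" for s, r in risks.items() if r != "low"]
        idle = (today - app["last_sign_in"]).days
        if idle > stale_days:
            reasons.append(f"no sign-in for {idle} days")
        if not app["verified_publisher"]:
            reasons.append("unverified publisher")
        findings.append({"name": app["name"], "risk": worst, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(ENTERPRISE_APPS):
        print(f"{f['risk']:6} {f['name']}: {'; '.join(f['reasons']) or 'baseline scopes only'}")
```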

Analyse network traffic and DNS logs

For a more technical view, review your DNS query logs and web proxy data. This reveals every cloud service that your network is communicating with, including services that were never formally approved or procured. Pattern analysis across several weeks will show you not just which services are in use, but how frequently they are accessed and by how many devices. This data-driven approach catches tools that slip through every other discovery method.
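The pattern analysis described above, as an added example that is not part of the original page. The log layout (timestamp, client IP, queried name), the domain-to-service map and the approved register are all constructed for the example; real resolver logs will need their own parser.

```python
# Added example: turn DNS query log lines into per-service usage (queries, distinct
# devices, active days) and flag services that are not in the approved register.
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client> <name>".
DNS_LOG = """\
2026-02-02T09:01:12 10.0.1.15 app.slack.com
2026-02-02T09:03:40 10.0.1.22 files.slack.com
2026-02-02T10:15:05 10.0.1.15 www.dropbox.com
2026-02-03T08:45:00 10.0.1.31 api.notion.so
2026-02-03T09:10:30 10.0.1.15 app.slack.com
2026-02-04T11:20:00 10.0.1.31 www.notion.so
2026-02-05T14:05:10 10.0.1.22 content.dropboxapi.com
2026-02-09T09:00:00 10.0.1.40 app.slack.com
2026-02-10T16:30:00 10.0.1.15 api.trello.com
"""

# Registrable domain -> service name (assumed mapping; extend from your own register).
SERVICES = {"slack.com": "Slack", "dropbox.com": "Dropbox", "dropboxapi.com": "Dropbox",
            "notion.so": "Notion", "trello.com": "Trello"}
APPROVED = {"Slack", "Dropbox"}  # constructed register of sanctioned tools

def service_for(qname: str):
    """Match a queried hostname to a service by trying each suffix, longest first."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SERVICES:
            return SERVICES[candidate]
    return None

def summarise(log_text: str):
    """Per service: query count, distinct client IPs, distinct active days, approval status."""
    stats = defaultdict(lambda: {"queries": 0, "clients": set(), "days": set()})
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        svc = service_for(qname)
        if svc is None:
            continue  # not a tracked SaaS domain
        stats[svc]["queries"] += 1
        stats[svc]["clients"].add(client)
        stats[svc]["days"].add(ts[:10])
    return {svc: {"queries": s["queries"], "devices": len(s["clients"]),
                  "active_days": len(s["days"]), "approved": svc in APPROVED}
            for svc, s in stats.items()}

if __name__ == "__main__":
    for svc, s in sorted(summarise(DNS_LOG).items()):
        flag = "" if s["approved"] else "  <-- not in register"
        print(f"{svc:8} queries={s['queries']} devices={s['devices']} days={s['active_days']}{flag}")
```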

Assessment criteria

Once you have a complete inventory, every application needs to be evaluated against a consistent set of criteria. This assessment drives the decisions that follow: what to keep, what to consolidate, what to cancel, and what to secure more rigorously.

Active usage versus licences purchased

For every SaaS subscription, compare the number of licences you pay for against the number of people who actually log in regularly. Industry data consistently shows that between 25 and 40 percent of SaaS licences go unused in a typical organisation. Some users logged in once during a trial period and never returned. Others left the company months ago but their licence was never cancelled. This single metric often reveals the fastest route to cost savings.

Data sensitivity and exposure classification

Every SaaS application holds some subset of your business data, but the sensitivity varies enormously. A project management tool might contain client names and project timelines. A CRM holds detailed customer records, financial data, and communications history. A file-sharing service could contain anything from marketing collateral to board-level strategy documents. Classify each application by the sensitivity of the data it holds, because this determines the security standards it needs to meet.

Business criticality and dependency mapping

Some tools are essential to daily operations. If your accounting platform went offline tomorrow, work would stop. Others are genuinely useful but not critical. And some sit in the background providing marginal value to a handful of users. Map each application against a simple scale: critical, important, or discretionary. This classification drives every subsequent decision about investment, security controls, and whether the subscription is worth maintaining at all.

Functional overlap and duplication

SaaS duplication is one of the most common and expensive findings in any audit. Three different project management tools across three departments. Two separate file-sharing platforms because one team preferred Dropbox while another used Google Drive. Duplicate video conferencing licences because nobody centralised the decision. Each duplicate represents wasted spend, fragmented data, and increased administrative overhead. Consolidation is almost always the right answer.

Security posture and compliance alignment

For each retained application, assess whether it meets your security baseline. Is single sign-on enabled or even available? Is multi-factor authentication enforced? Does the vendor hold relevant certifications such as ISO 27001 or SOC 2? Where is the data stored geographically, and does that comply with your data residency requirements? These questions matter because a single poorly secured SaaS tool can become the entry point for a breach that affects your entire organisation.

“The average organisation uses three to four times more SaaS applications than IT is aware of. Every unmanaged tool is a cost you did not approve and a risk you cannot see.”

25-40% of SaaS licences go unused in a typical organisation, representing pure wasted spend.

3-4x more cloud applications in use than IT departments are aware of, creating uncontrolled shadow IT.

20-35% average SaaS cost reduction achieved by organisations that complete a structured audit.

Cleanup actions

Discovery and assessment produce insight. Cleanup produces results. This is where the audit delivers tangible value: reduced costs, tighter security, and a leaner technology estate that is easier to manage and defend. Approach each action systematically, document your decisions, and prioritise the highest-impact changes first.

Cancel unused and redundant subscriptions

Once you have identified tools with zero or negligible usage, begin the cancellation process. Export any data that may be needed before terminating the account. Check contract terms for notice periods, auto-renewal dates, and early termination fees. Some vendors make cancellation deliberately difficult, burying the option behind support tickets or requiring written notice sent to a specific address. Start early and document every step. The savings from eliminating unused subscriptions typically pay for the entire audit effort several times over.

Consolidate overlapping tools onto a single platform

Where multiple tools serve the same function, choose one and migrate the others. This decision should involve the teams who use each tool, but it cannot be a democracy where everyone keeps their preferred option. Evaluate each candidate against cost, functionality, integration with your existing stack, and security features. Then commit to the consolidation, provide a clear migration timeline, and follow through. The short-term disruption is always less expensive than the long-term cost of maintaining parallel systems.

Right-size licences to match actual usage

For the tools you keep, adjust licence counts to match reality. If you are paying for 50 licences but only 30 people use the service, reduce to 35 to allow a small buffer for new starters. Downgrade premium licences to standard tiers where the advanced features are not being used. Review billing cycles and switch from monthly to annual plans where the discount justifies the commitment. These adjustments individually seem small, but across a portfolio of 40 or 50 SaaS applications, the aggregate savings are significant.
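The licence-versus-usage comparison from the assessment section and the right-sizing step above, worked through as an added example that is not the page's own tooling. The user exports are constructed, the 90-day activity window is an assumption, and the 15 percent head-room is chosen to reproduce the page's 30-active-users-to-35-licences figure.

```python
# Added example: from a per-application user export, count users active within the
# window, recommend active + buffer licences, and put a yearly figure on the reduction.
from datetime import date
from math import ceil

AUDIT_DATE = date(2026, 2, 15)
ACTIVE_WINDOW_DAYS = 90   # assumption: logged in within 90 days counts as active
BUFFER = 0.15             # assumption: head-room above active users for new starters

# Constructed sample: licences paid for, unit cost, and each assigned user's last login
# (None = never logged in). Unassigned licences simply have no entry.
LICENSED_APPS = {
    "ProjectTool": {"licences": 50, "monthly_cost_per_licence": 12.0,
                    "last_logins": [date(2026, 2, 10)] * 28 + [date(2026, 1, 30)] * 2
                                   + [date(2025, 9, 1)] * 5 + [None] * 5},
    "DesignSuite": {"licences": 10, "monthly_cost_per_licence": 45.0,
                    "last_logins": [date(2026, 2, 12)] * 4 + [None] * 3},
}

def active_count(last_logins, today=AUDIT_DATE, window=ACTIVE_WINDOW_DAYS) -> int:
    """Users who logged in within the window; never-logged-in users are inactive."""
    return sum(1 for d in last_logins if d is not None and (today - d).days <= window)

def recommend(app: dict) -> dict:
    """Recommended licence count (active plus buffer, never above what is held) and annual saving."""
    active = active_count(app["last_logins"])
    target = active + ceil(active * BUFFER)
    current = app["licences"]
    recommended = min(target, current)   # growth beyond current licences is a separate decision
    saving = (current - recommended) * app["monthly_cost_per_licence"] * 12
    return {"active": active, "assigned": len(app["last_logins"]), "current": current,
            "recommended": recommended, "annual_saving": round(saving, 2)}

if __name__ == "__main__":
    for name, app in LICENSED_APPS.items():
        r = recommend(app)
        print(f"{name}: {r['active']} active of {r['assigned']} assigned, {r['current']} paid; "
              f"recommend {r['recommended']} (saves {r['annual_saving']:.2f} per year)")
```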

Revoke unnecessary permissions and integrations

During the assessment phase, you will have identified OAuth integrations and API connections that are overly broad or no longer needed. Revoke them. Remove enterprise application registrations from your identity provider for services that have been cancelled. Audit the remaining integrations to ensure they follow the principle of least privilege, holding only the minimum permissions required for their function. Every unnecessary permission is an attack surface that serves no business purpose.

Enforce security baselines on retained applications

For every SaaS application that survives the audit, ensure it meets your minimum security standard. Enable SSO integration where the vendor supports it. Enforce MFA for all users. Configure session timeouts, IP restrictions, and data loss prevention policies where available. Disable features that create risk without adding value, such as public sharing links or anonymous access. Document the security configuration for each application so it can be verified during future reviews.

Ongoing governance

An audit is a point-in-time exercise. Without ongoing governance, SaaS sprawl will return within months as new tools are adopted, teams grow, and processes drift. The controls below are designed to keep your SaaS estate managed, visible, and aligned with your business needs on an ongoing basis.

Establish a formal procurement approval process

Every new SaaS subscription should go through a defined approval workflow before anyone enters payment details. This does not need to be bureaucratic. A simple form covering the business need, estimated cost, data that will be stored, and security requirements is sufficient. The goal is not to slow people down but to ensure that every new tool is evaluated against your existing stack before it is added. Without this gate, shadow IT will re-emerge within weeks of completing your audit.

Maintain a centralised SaaS register

Create and maintain a single, authoritative register of every approved SaaS application in your organisation. Include the vendor name, contract owner, renewal date, cost, licence count, data classification, and security configuration status. This register becomes your primary tool for ongoing management. Review it monthly, update it when changes occur, and make it accessible to anyone involved in IT, finance, or procurement decisions. The register is only valuable if it stays current.

Conduct quarterly usage and spend reviews

Schedule a quarterly review that examines usage data, licence utilisation, and total spend across your entire SaaS portfolio. Compare actual usage against the previous quarter to identify trends. Flag any application where usage has dropped significantly, as this often indicates that a team has informally adopted an alternative. Use the review to make proactive decisions about renewals, consolidation, and licence adjustments rather than discovering problems only when the annual invoice arrives.

Integrate SaaS into your offboarding process

When someone leaves your organisation, their access to SaaS applications must be revoked as part of a structured offboarding process. This goes beyond disabling their Microsoft 365 account. It means revoking access to every third-party application they used, transferring ownership of shared accounts or data, and cancelling any licences that are no longer needed. Without this step, former employees retain access to business data through services that sit outside your identity provider, sometimes for months or years after departure.
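A check for access that survived offboarding, added here as an example and not code from the page. The HR leavers feed and the per-application user exports are constructed, and the record layouts are assumptions rather than any vendor's format; applications outside SSO are listed first because nothing central will have disabled those logins.

```python
# Added example: cross-reference leavers against per-app user lists and report every
# account that is not disabled, worst first (outside SSO, longest since leaving).
from datetime import date

AUDIT_DATE = date(2026, 2, 15)

# Constructed HR feed: who left and when.
LEAVERS = {"j.smith@example.com": date(2025, 11, 30),
           "a.patel@example.com": date(2026, 1, 15)}

# Constructed per-app exports; sso=False means the app manages its own logins.
APP_USERS = [
    {"app": "CRM", "sso": True,
     "users": [("j.smith@example.com", "disabled"), ("m.jones@example.com", "active")]},
    {"app": "DesignSuite", "sso": False,
     "users": [("J.Smith@example.com", "active"), ("a.patel@example.com", "active")]},
    {"app": "Trello", "sso": False,
     "users": [("a.patel@example.com", "invited"), ("m.jones@example.com", "active")]},
]

def lingering_access(leavers, app_users, today=AUDIT_DATE):
    """Leaver accounts that are not disabled, sorted non-SSO first then longest-lingering."""
    findings = []
    for app in app_users:
        for email, status in app["users"]:
            key = email.strip().lower()   # exports differ in case; normalise before matching
            if key in leavers and status != "disabled":
                findings.append({"app": app["app"], "email": key, "status": status,
                                 "days_since_leaving": (today - leavers[key]).days,
                                 "outside_sso": not app["sso"]})
    return sorted(findings, key=lambda f: (not f["outside_sso"], -f["days_since_leaving"]))

if __name__ == "__main__":
    for f in lingering_access(LEAVERS, APP_USERS):
        where = "outside SSO" if f["outside_sso"] else "behind SSO"
        print(f"{f['app']}: {f['email']} still '{f['status']}' "
              f"{f['days_since_leaving']} days after leaving ({where})")
```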

Set policy for personal and departmental purchases

Many SaaS sprawl problems originate from well-intentioned employees who signed up for a tool using a personal credit card because the formal process felt too slow. Address this directly with a clear, published policy. Define what qualifies as an approved purchase, who can authorise exceptions, and what happens when an unapproved tool is discovered. Make the approved procurement route fast enough that people prefer it over going around it. Policy without convenience simply drives behaviour underground.

“SaaS sprawl is not a technology problem. It is a governance problem. The tools are not the issue. The absence of a process for choosing, managing, and retiring them is.”

Need help auditing your SaaS estate?

Running a SaaS audit alongside your day-to-day responsibilities is difficult. The discovery phase alone requires access to financial systems, identity platforms, and network data that most teams struggle to pull together. We help organisations cut through the complexity, identify every subscription, eliminate waste, and put governance controls in place that last.

Whether you need a one-off audit or ongoing SaaS management as part of a broader IT strategy, we can help. Book a call to discuss your situation, or explore our advisory services to see how we work with businesses like yours.