The forgotten SaaS audit checklist
Every business has SaaS apps no one remembers approving. Some are harmless. Some hold customer data, employee data, or production credentials. Here is the audit we run, the questions we ask, and the policy that keeps the list from growing back next quarter.
SaaS sprawl is not a security problem until it is. The risk is rarely the obvious vendor with a SOC 2 report and a procurement record. It is the free Notion workspace someone created during a hackathon, the survey tool an intern signed the company up for, the screen-recording extension a designer installed because it solved one problem on one day. Multiply that by 75 employees and three years.
Where to look (in order)
We work top-down, from the systems that have the most signal:
- Identity provider audit logs. Microsoft Entra or Google Workspace will tell you every OAuth grant ever issued. Export six months. This is your single richest source.
- Expense reports. Pull every line item under $200 from the last 18 months. The shadow IT layer lives at the bottom of expense reports, never in the procurement system.
- Browser extensions. If you have Intune or a managed-browser policy, you have an inventory. If you do not, this is item one on the "fix immediately" list.
- SSO bypasses. Any SaaS app on a personal email login is a SaaS app outside your control. Worth a separate inventory.
- Public app marketplaces. Slack apps, M365 add-ins, Zoom apps, Salesforce AppExchange. All have admin views of installed apps. Many companies have never opened them.
The five questions for every app you find
For each app on the list, answer these in order. Stop at the first answer that triggers action.
- Does anyone still use it? Login activity in the last 90 days. If no, archive and revoke.
- What data does it touch? Customer PII, employee PII, financials, source code, production credentials. Any of those mean it gets a real review.
- How does authentication work? SSO, OAuth, password. Anything not behind SSO that touches data from question two is a remediation item.
- Who owns it inside the company? A named human, not a department. No owner means no one will renew the security review, and no one will notice when the vendor gets breached.
- What is the exit plan? Can you export your data? Can you delete it? Is there a contractual obligation you did not know about? Find out before you need to.
"We tried this last year" is the most common reason audits do not get redone. The audit failed because it produced a spreadsheet, not a policy.
What to do with what you find
Tier the apps
Three buckets is enough. Sanctioned apps are reviewed, SSO-bound, and have an owner. Tolerated apps work but need remediation: usually a missing SSO or a missing data classification. Unsanctioned apps are scheduled for removal.
Communicate, then deactivate
Notify users on the unsanctioned list, give them 14 days to export anything they need, then revoke the OAuth grant or block the domain. Surprise is what breaks trust. The block itself rarely does.
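The five questions, the tiering and the 14-day notice window above, turned into a triage script. This is an added example, not the firm's own tooling: it assumes one inventory row per app with the field names shown (last login from the IdP logs, data classes, auth method, owner, exit plan) and returns the tier, the action and, for anything to be revoked, the notice deadline. The sample rows are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Data classes from question two; touching any of them forces a real review.
SENSITIVE = {"customer_pii", "employee_pii", "financials", "source_code", "prod_credentials"}
TODAY = date(2024, 5, 6)  # constructed audit date for the sample run

@dataclass
class App:
    """One inventory row (field names are assumptions for this example)."""
    name: str
    last_login: date | None   # most recent login seen in IdP logs; None = never
    data: set[str] | None     # data classes it touches; None = not yet classified
    auth: str                 # "sso", "oauth" or "password"
    owner: str | None         # a named person, or None
    exit_plan: bool           # export and deletion path documented

def triage(app: App, today: date, stale_days: int = 90, notice_days: int = 14) -> dict:
    """Ask the five questions in order; stop at the first one that triggers action."""
    def verdict(tier, action, deadline=None):
        return {"app": app.name, "tier": tier, "action": action, "deadline": deadline}
    # Q1: still in use? No login in 90 days -> archive and revoke after the notice window.
    if app.last_login is None or (today - app.last_login).days > stale_days:
        return verdict("unsanctioned", "notify users, then revoke grant",
                       today + timedelta(days=notice_days))
    # Q2: what data does it touch? Unclassified is itself a remediation item.
    if app.data is None:
        return verdict("tolerated", "classify data before review")
    sensitive = app.data & SENSITIVE
    # Q3: sensitive data not behind SSO -> remediation item.
    if sensitive and app.auth != "sso":
        return verdict("tolerated", f"move behind SSO (touches {', '.join(sorted(sensitive))})")
    # Q4: a named owner, or nobody renews the review or notices a vendor breach.
    if not app.owner:
        return verdict("tolerated", "assign a named owner")
    # Q5: can you export and delete your data?
    if not app.exit_plan:
        return verdict("tolerated", "document export and deletion path")
    return verdict("sanctioned", "none; keep on the quarterly review")

def triage_inventory(apps, today):
    """Triage every row, revoke list first."""
    order = {"unsanctioned": 0, "tolerated": 1, "sanctioned": 2}
    return sorted((triage(a, today) for a in apps), key=lambda v: order[v["tier"]])

# Constructed sample inventory (not real apps or data).
SAMPLE = [
    App("survey-tool", date(2023, 11, 2), {"employee_pii"}, "password", None, False),
    App("hackathon-notion", date(2024, 4, 20), None, "password", "dana", False),
    App("crm", date(2024, 5, 1), {"customer_pii"}, "oauth", "sam", True),
    App("ticketing", date(2024, 5, 3), {"customer_pii"}, "sso", "lee", True),
]

if __name__ == "__main__":
    for v in triage_inventory(SAMPLE, TODAY):
        print(v)
```

Feed it the real export instead of SAMPLE and the unsanctioned rows at the top are the notification list; the deadline column is when the grant gets revoked.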
Stand up the request flow
People did not adopt shadow apps to undermine you. They adopted them because the sanctioned path was too slow. If a new-tool request is "fill in a 14-field form and wait three weeks," shadow IT is rational behavior. A real fix is a two-question intake and a 48-hour SLA.
Keeping the list from growing back
Three lightweight controls do most of the work:
- Default-deny OAuth grants in Entra/Workspace. Users can request, admins approve. Cuts the highest-volume sprawl vector immediately.
- Managed browser with extension allowlist. Removes the second-highest-volume vector, often unnoticed.
- Quarterly mini-audit. A 60-minute review of new OAuth grants, expense lines under $200, and SSO bypasses. Calendared, owned, done.
None of this is hard. The trap is treating it as a one-off project rather than a 60-minute quarterly habit. The first pass is the painful one. After that, it is maintenance.
If you want help
We run this audit as a fixed-scope, two-week engagement: inventory, tier, remediation plan, and a sustainable governance policy. If that fits where you are, get in touch.