A SaaS and cloud spend audit has a specific output: a complete list of every tool running in the company, with its contract status, current cost, renewal date, and data classification. Most companies that attempt this internally get partway through and stop, not because the process is technically complex, but because the data is distributed across systems that were not designed to talk to each other. Finance has the invoices. IT has the access records. Procurement has the contracts. Individual team budget owners have the corporate card charges. None of these sources, on its own, produces a complete picture.
This guide covers how to complete the audit, step by step. The process does not require a specialist tool to begin. It requires access to the right data sources and a structured approach to consolidating them. The output, a complete portfolio map with risk flags for uncontracted spend and compliance gaps, is the starting point for every piece of vendor risk management and spend optimisation work that follows.
When to Run a SaaS and Cloud Spend Audit
A SaaS and cloud spend audit should be run when a company does not have a current, complete view of every software and cloud tool it is paying for, what those tools cost, and when each one renews. For most mid-size companies, this condition is permanent rather than occasional: the complete picture does not exist in any single system in any organisation that has been growing for more than two years without a formal portfolio management process.
Four specific triggers typically prompt companies to begin: an unexpected invoice that could not be matched to any approved contract; a finance reconciliation revealing software costs significantly above the budgeted figure; a CISO or IT Director request for a complete software inventory after a security incident or regulatory inquiry; or the start of a vendor negotiation programme that requires a current portfolio baseline. The audit should not wait for these triggers. The information it produces is useful before any of them occur.
What a Complete SaaS and Cloud Audit Covers
A complete audit covers five areas. An audit covering fewer than all five produces a partial picture, which is better than nothing but insufficient as a risk management or spend optimisation baseline.
Active contracts and their terms. Every formally contracted SaaS and cloud tool, with the current price, contracted licence count, renewal date, notice period, and escalation clause. This data should come from the signed contracts themselves, not from invoices. Vendors sometimes reference terms in invoices that differ from what was agreed at signing, and the contract governs.
Uncontracted spend. Every SaaS tool the company is paying for without a formal contract. This is identified by cross-referencing accounts payable records against the formal contract database. Any recurring software charge without a corresponding signed contract is an uncontracted spend item.
Usage versus contracted licences. For every tool with a seat or licence-based pricing model: how many licences are contracted, and how many are actively used? This data comes from the tool's admin console or IT asset management records. The gap between contracted and active licences is the basis for right-sizing conversations at the next renewal.
Data classification for each tool. What type of data does each tool handle: internal operational data, employee data, customer data, or financial data? This classification drives the compliance and security components of the risk assessment that follows the audit. A tool handling only internal operational data carries different compliance requirements from a tool handling customer personal data.
Renewal dates and notice periods. Every tool with a renewal date in the next 12 months, with the applicable notice period mapped, so that the windows for renegotiation and review can be scheduled before those windows close. This is the output that feeds directly into a renewal management calendar.
The Four-Step Audit Process
Step 1: Pull all recurring software payments from accounts payable.
Export every recurring software and cloud payment from the last 12 months from the finance or accounts payable system. Include all payment methods: corporate card charges, direct invoices, and any cloud marketplace charges (AWS Marketplace, Azure Marketplace, Google Cloud Marketplace). This is the most complete initial view of active spend because it captures everything the company is paying for regardless of how it was purchased. Do not rely on the software budget as the source: that reflects what was budgeted, not what is actually being paid.
Step 2: Match each payment to a contract.
For every line item from Step 1, search for a corresponding signed contract in the contract management system, email archive, or procurement records. Flag any item that cannot be matched as uncontracted spend. For items that are matched, note the renewal date and notice period from the contract, not from the invoice. If the contract cannot be located for a tool the company is actively paying for, treat it as uncontracted for the purposes of the audit.
Step 3: Pull usage data for each contracted tool.
For every tool with a seat or licence-based model, pull the current usage from the admin console. Record: licences contracted, licences assigned to users, and licences actively used in the past 30 days. Tools where active usage is below 70% of contracted licences are candidates for right-sizing at the next renewal conversation. For cloud commitments, pull reserved instance and committed use data from the cloud provider's cost management dashboard and compare against actual consumption over the same period.
Step 4: Classify by risk priority and action window.
Rate each tool across three dimensions: financial priority (annual cost and estimated distance from market rate), compliance priority (data classification and whether a data processing agreement is in place), and renewal urgency (days until the notice period closes). Assign each tool to one of three action windows: address this quarter, address at the next scheduled renewal, or scheduled for the annual review cycle. The output is a sequenced action list, not a static inventory.
For the risk assessment framework that applies once the audit is complete, see What Is a SaaS Vendor Risk Assessment and How Does It Work?. For the broader context on vendor risk across the SaaS and cloud portfolio, see SaaS and Cloud Vendor Risk Management: The Complete Guide for Mid-Size Companies.
What the Audit Typically Reveals
Companies completing a full spend audit for the first time consistently find three things they did not expect.
The total software spend is higher than any budget figure shows. Because uncontracted tools are processed as operational expenses rather than software budget line items, the actual spend on SaaS and cloud is typically higher than the finance team's estimate before the audit. The gap reflects tools the budget did not anticipate, not tools that were approved and overspent.
The uncontracted portion is larger than the IT or procurement team estimated. Most companies discover their uncontracted spend is not two or three small tools on a corporate card but a material segment of the total: tools that have been running for years, paying list price at every automatic renewal, with no review record and no compliance documentation. This is particularly common in companies that grew rapidly and in companies where team managers have purchase authority below a meaningful threshold.
The renewal calendar is more pressing than it appeared. When renewal dates are pulled from contracts rather than from memory or invoice records, the 90-day windows requiring action are often overlapping. Multiple high-value contracts renewing within the same quarter, with notice periods that have already begun closing, require immediate scheduling rather than planned review.
What to Do With the Audit Results
The audit output is a prioritised action plan. The sequencing matters: not every finding requires the same response or the same urgency.
For uncontracted tools above a cost or data classification threshold: formalise the agreement before the next auto-renewal or, if the tool is not actively used, exit before that date. For contracted tools with compliance gaps: address the data processing agreement and data residency terms at or before the next renewal event, since the renewal is the natural leverage point for updating contract language without triggering a full renegotiation. For tools with usage below contracted levels: initiate a right-sizing conversation at the 90-day mark, before the notice period closes and the renewal commits the company to another term at the current licence count.
For tools where pricing is above market: the audit output, combined with current market benchmarks, is the foundation for a vendor negotiation. For a complete view of how that negotiation process works and what to prepare before the vendor conversation, see SaaS and Cloud Spend Optimization: The Complete Guide for Mid-Size Companies.
CostRoom conducts the full spend audit and risk assessment as part of the free spend analysis. The portfolio map, risk flags by category, and 90-day action plan come with the analysis. CostRoom's Spend Analysis and Optimization and Renewal Management products then manage the portfolio on an ongoing basis.
Run Your Spend Audit With CostRoom
CostRoom conducts the full spend audit and risk assessment as part of a free spend analysis. No internal team required.
Book a Demo Call
Frequently Asked Questions
How do you audit SaaS spend? A SaaS spend audit follows four steps. First, export all recurring software and cloud payments from accounts payable for the past 12 months, covering all payment methods including corporate cards. Second, match each payment to a signed contract; anything without a match is uncontracted spend. Third, pull usage data from each contracted tool's admin console to identify licences contracted but not actively used. Fourth, classify each tool by financial priority, compliance priority, and renewal urgency, producing a sequenced action list. The audit output is a current, complete portfolio map with specific remediation priorities.
What does a SaaS spend audit involve? A complete SaaS spend audit covers five areas: active contracts and their terms, uncontracted spend identified by cross-referencing payments against the contract database, usage versus contracted licences for licence-based tools, data classification for each tool, and renewal dates with notice periods mapped across the next 12 months. An audit covering fewer than all five areas will produce a partial picture that is insufficient as a risk management or negotiation baseline.
How do you find uncontracted SaaS tools in your portfolio? Uncontracted SaaS tools are identified by cross-referencing all recurring software payments from accounts payable against the formal contract database. Any payment without a corresponding signed contract is an uncontracted spend item. This cross-reference requires pulling all payment methods, including corporate card charges, which are often not captured in standard procurement or contract management systems. Tools adopted through free trial conversions and direct team purchases are the most common sources of uncontracted spend.
What are the steps to audit company software spend? The four steps are: pull all recurring software payments from accounts payable including all payment methods; match each payment to a signed contract and flag unmatched items as uncontracted; pull usage data for licence-based tools and calculate the gap between contracted and active licences; classify each tool by risk priority and action window across financial, compliance, and renewal dimensions. The output is a sequenced action plan with tools grouped by urgency.
How do you build a complete SaaS inventory? A complete SaaS inventory starts with accounts payable data, not with a list of approved tools. The approved tool list reflects what procurement knows about; accounts payable data reflects what is actually being paid for. Export 12 months of recurring charges, match them to contracts, and add any tools identified through IT access records or HRIS system integrations that may not appear in the payment data. The intersection of payment data, contract data, and access records produces the most complete inventory available without deploying a specialist discovery tool.



