How to audit your SaaS stack in 90 minutes

Most SaaS audits never finish. The finance lead asks for a list of tools, the IT lead pulls a list, the team lead disputes some of it, and three weeks later nothing has changed. The audit becomes a project. The project gets deprioritized. The renewal happens anyway.

The version below takes 90 minutes. You finish with a real list, real costs, real owners, and real cuts. You can run it solo or with finance.

What you need before you start

Admin access to your SSO (Okta, Google Workspace, Microsoft Entra, JumpCloud, or whatever you use) View access to your last 90 days of card and ACH spend (Brex, Ramp, Mercury, your bank, or your accounting tool) * A blank spreadsheet, the Cubbie subscription registry, or our free template

Step 1: pull the auth list (10 minutes)

Open your SSO admin. Export the full app list, including inactive apps your team has SSO''d into at any point in the last year. This catches the tools paid through someone''s personal card, free trials that quietly converted, and apps that one team uses without telling anyone else. If you don''t have SSO in place, skip this step. The card statement step covers most of the gap.

Step 2: pull the spend list (15 minutes)

Filter your last 90 days for any vendor that looks like SaaS. Vendor names with words like Inc, Cloud, Labs, AI, .io, .co, or .com. Ignore office supplies, food, and services. Sort by total spend descending. The top 20 lines usually represent 80 percent of total SaaS spend.

Step 3: merge the two lists (10 minutes)

Match the two lists by vendor name. Three buckets emerge.

SSO without spend tells you about free apps people are using. Spend without SSO tells you about apps you don''t have central visibility on. * Both lists tells you about your real production stack.

The third bucket is what you focus on for the rest of the audit.

Step 4: assign owners (15 minutes)

For each tool in the third bucket, write down a person. Not a team. A name. The owner is the person whose job depends on the tool working. If you can''t name an owner in 60 seconds, the tool is either redundant, vestigial, or owned by someone who left.

Step 5: fill in costs (15 minutes)

Pull annualized cost. Annual contracts go in at face value. Monthly bills get multiplied by twelve. Per-seat tools get the seat count from the SSO export multiplied by the per-seat cost. The number you want is dollars per year, not dollars per month, because renewals happen on the annual cycle.

Step 6: cut, consolidate, renegotiate (25 minutes)

Run three quick passes through the list.

Cut. Any tool with no named owner, no recent SSO logins, or duplicate functionality with another tool you already pay for. Most teams find 8 to 15 percent of their SaaS line in this bucket on the first pass.

Consolidate. Any category where you pay for two or more tools that could be one. The classic offenders: project management (Asana plus Jira plus Linear), team chat (Slack plus Teams), product analytics (Mixpanel plus Amplitude plus Heap), error tracking (Sentry plus Bugsnag plus Rollbar). Pick a winner per category.

Renegotiate. Any tool above $20K per year where the renewal is in the next 90 days. The best leverage is the renewal calendar plus a credible alternative. You don''t have to switch. You have to be willing to.

What you have at the end

A spreadsheet (or Cubbie registry) with vendor, owner, annual cost, last login activity, and a status of keep, cut, or renegotiate. That artifact is the input to every conversation with finance, your CFO, and your renewal owner for the rest of the year.

The audit takes 90 minutes the first time. After you connect your SSO and your spend system to a tool that does the merge for you, the same audit takes 5 minutes per quarter.