shadowitcalculator.com
Tool / A step-by-step audit guide

How to Run a Shadow IT Audit

A complete shadow IT audit runs in 4 weeks across five discovery methods and a remediation phase. This guide is the operational walkthrough; the audit-readiness scorer at /audit-score grades whether you are set up to run it.

4-week timeline / overview

Week 1

Scope and setup

  • Stakeholder alignment
  • All-company comms
  • Start DNS monitoring

Week 2

Technical discovery

  • DNS / SSO analysis
  • Expense audit
  • Send survey

Week 3

Analysis

  • Survey closes
  • Data consolidation
  • Risk classification

Week 4

Reporting

  • Build registry
  • Remediation plan
  • Executive readout

Phase detail

01 / Week 1

Scope and stakeholder alignment

Days 1 to 3

Audits without executive sponsorship and a clear amnesty policy surface 30 to 40% fewer apps. Get the scope, sponsor, and amnesty terms locked down before any technical work.

Tasks

  • 01 Define audit scope: which departments, which data classifications, which categories to prioritize
  • 02 Obtain sign-off from CISO, CTO, or CEO depending on org size
  • 03 Assign an audit lead from IT or security who owns the registry
  • 04 Send all-company communication explaining purpose and amnesty policy
  • 05 Confirm no employee will face discipline for tools disclosed during amnesty
  • 06 Set a 30-day audit window with a clear end date

Output

Audit charter, stakeholder sign-off, all-company comms sent

02 / Week 2

Technical discovery (DNS and SSO)

Days 3 to 14

DNS analysis and SSO gap analysis together surface 60 to 80% of shadow apps without any employee involvement. Run them in parallel.

Tasks

  • 01 Enable DNS query logging if not already active (Cloudflare Gateway, Cisco Umbrella, or DNS filter)
  • 02 Pull 30 days of outbound DNS requests and filter by SaaS domain patterns
  • 03 Export OAuth-connected apps from Google Workspace, Okta, or Entra
  • 04 Cross-reference against the approved application catalog
  • 05 Flag all apps in active use that are not connected to SSO
  • 06 Group findings by department using login patterns and expense data

Output

DNS shadow app list, SSO gap list, combined technical discovery sheet
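A worked version of Tasks 02 to 05, added here as an example and not part of the guide or of any vendor's tooling: it classifies a constructed 30-day DNS export against assumed SaaS domain patterns, then cross-references the approved catalog and the IdP's OAuth-connected app export to flag shadow apps and SSO gaps. The log layout, the patterns, the catalog and the SSO list are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed 30-day outbound DNS export, one "timestamp,user,domain" line per query.
# The column layout is an assumption; real gateway exports differ.
DNS_LOG = """\
2024-03-01T09:12:04Z,alice@example.com,app.notion.so
2024-03-01T09:13:11Z,alice@example.com,api.openai.com
2024-03-02T10:02:45Z,bob@example.com,chat.openai.com
2024-03-02T10:05:00Z,bob@example.com,app.asana.com
2024-03-03T11:40:19Z,carol@example.com,cdn.notion.so
2024-03-03T11:41:02Z,carol@example.com,www.canva.com
2024-03-04T08:00:00Z,dave@example.com,mail.google.com
"""

# Constructed SaaS domain patterns (regex on the query name) mapped to an app name.
SAAS_PATTERNS = {r"(^|\.)notion\.so$": "Notion", r"(^|\.)openai\.com$": "ChatGPT",
                 r"(^|\.)asana\.com$": "Asana", r"(^|\.)canva\.com$": "Canva",
                 r"(^|\.)google\.com$": "Google Workspace"}

# Constructed approved application catalog and IdP OAuth-connected app export.
APPROVED = {"Google Workspace", "Asana"}
SSO_CONNECTED = {"Google Workspace"}

def classify_domain(domain):
    """Map a query name to a SaaS app name, or None if no pattern matches."""
    for pattern, app in SAAS_PATTERNS.items():
        if re.search(pattern, domain):
            return app
    return None

def technical_discovery(dns_log, approved, sso_connected):
    """Build the combined discovery sheet: one row per app seen in DNS."""
    users_per_app = defaultdict(set)
    for line in dns_log.strip().splitlines():
        _ts, user, domain = line.split(",")
        app = classify_domain(domain)
        if app:
            users_per_app[app].add(user)      # distinct users, not query volume
    sheet = []
    for app, users in sorted(users_per_app.items()):
        sheet.append({"app": app, "users": len(users), "approved": app in approved,
                      "sso_gap": app not in sso_connected})  # in use but not behind SSO
    return sheet

def shadow_apps(sheet):
    """Apps in active use that are absent from the approved catalog (Task 04)."""
    return [row["app"] for row in sheet if not row["approved"]]
```

Note that an approved app can still be an SSO gap (Asana here): Task 05 flags it for SSO onboarding even though it stays off the shadow list.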

03 / Week 2

Financial discovery (expense audit)

Days 5 to 12

Pull 12 months of corporate card transactions. Filter for software MCC codes and recurring charges. Every unauthorized recurring SaaS charge is a confirmed shadow app with a known cost.

Tasks

  • 01 Request 12 months of corporate card transactions from Finance
  • 02 Filter for MCC 7371, 7372, 7374, 7379 (software and IT services)
  • 03 Filter keywords: subscription, monthly plan, annual plan, SaaS, license
  • 04 Cross-reference vendor names against the approved catalog
  • 05 Sum unauthorized recurring charges by vendor and by department
  • 06 Ask Finance to flag new recurring SaaS charges going forward

Output

Financial shadow app list with annual spend per vendor and department
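A worked version of Tasks 02 to 05 over a constructed card export, added here as an example and not part of the guide: it applies the MCC filter and the keyword filter together, drops approved vendors, treats a vendor charged in two or more distinct months as recurring, and sums the rest by vendor and department. The export layout, the merchant names and the approved vendor list are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

SOFTWARE_MCCS = {"7371", "7372", "7374", "7379"}          # Task 02
KEYWORDS = ("subscription", "monthly plan", "annual plan", "saas", "license")  # Task 03

# Constructed 12-month corporate card export; the column layout is an assumption.
TRANSACTIONS = """\
date,department,merchant,mcc,description,amount
2024-01-05,Marketing,CANVA PTY LTD,7372,Canva Pro monthly plan,12.99
2024-02-05,Marketing,CANVA PTY LTD,7372,Canva Pro monthly plan,12.99
2024-03-05,Marketing,CANVA PTY LTD,7372,Canva Pro monthly plan,12.99
2024-01-20,Sales,OPENAI,5999,ChatGPT Plus subscription,20.00
2024-02-20,Sales,OPENAI,5999,ChatGPT Plus subscription,20.00
2024-02-01,Engineering,ATLASSIAN,7372,Jira annual plan,1500.00
2024-03-11,Sales,DELTA AIR,4511,Flight SFO-JFK,412.30
2024-03-15,Engineering,AMAZON WEB SERVICES,7379,usage,321.55
"""

# Constructed approved catalog, keyed by the merchant string Finance sees.
APPROVED_VENDORS = {"ATLASSIAN", "AMAZON WEB SERVICES"}

def is_software_charge(row):
    """A charge qualifies on MCC or on a subscription keyword; either alone misses rows
    (the OPENAI sample has a non-software MCC but a 'subscription' description)."""
    desc = row["description"].lower()
    return row["mcc"] in SOFTWARE_MCCS or any(k in desc for k in KEYWORDS)

def financial_discovery(csv_text, approved_vendors):
    """Unauthorized recurring SaaS charges, summed per (vendor, department) (Tasks 04-05)."""
    months = defaultdict(set)     # (vendor, dept) -> distinct YYYY-MM values seen
    spend = defaultdict(float)    # (vendor, dept) -> total over the export
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_software_charge(row) or row["merchant"] in approved_vendors:
            continue
        key = (row["merchant"], row["department"])
        months[key].add(row["date"][:7])
        spend[key] += float(row["amount"])
    # Recurring means charged in two or more distinct months; one-off buys are excluded
    return {k: {"months": len(m), "spend": round(spend[k], 2)}
            for k, m in months.items() if len(m) >= 2}
```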

04 / Week 2 to 3

Employee amnesty survey

Days 7 to 14

This is the highest-coverage method for tools on personal devices and personal accounts, especially AI tools. Frame it clearly: the goal is to understand what staff need, not to enforce policy without alternatives.

Tasks

  • 01 Draft survey in Google Forms, Microsoft Forms, or Typeform
  • 02 Sections: project mgmt, comms, file storage, AI writing and coding, design, analytics
  • 03 Open field: which tools should be officially approved
  • 04 Prominent amnesty statement at the top
  • 05 Send via Slack or email with a 5-business-day deadline; reminder at day 3
  • 06 Target 70% response rate

Output

Employee-reported shadow app list with use cases and department breakdown

05 / Week 3

Registry and risk classification

Days 15 to 21

Consolidate all four sources into a single registry. For each unique app, record the data class, user count, monthly cost, compliance relevance, SSO status, and risk score.

Tasks

  • 01 Merge DNS, SSO, financial, and survey results
  • 02 Deduplicate to one row per unique app
  • 03 Capture: app name, vendor, category, user count, monthly cost, data accessed, compliance relevance
  • 04 Assign risk tier: High (regulated data), Medium (internal), Low (no company data)
  • 05 Identify the business owner (the team driving adoption)
  • 06 Recommended disposition: Approve, Migrate, Remove, or Investigate

Output

Shadow app registry with risk tiers and recommended dispositions

06 / Week 4

Remediation planning and reporting

Days 22 to 28

Prioritize the top 20 highest-risk apps for action. Assign owners, set 90-day deadlines, and present an executive summary to leadership inside the audit window.

Tasks

  • 01 Sort registry by risk tier then by user count
  • 02 Assign IT security lead for each High risk app
  • 03 Define remediation path: Approve with controls, Migrate, or Remove with data recovery
  • 04 Set 30 / 60 / 90 day milestones for each High risk item
  • 05 Calculate annual unauthorized spend and breach exposure for the executive summary
  • 06 Present findings and remediation plan to IT leadership and the executive sponsor

Output

Remediation plan, executive summary report, 90-day milestone tracker
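One worked example, added here and not part of the guide, that covers both the Week 3 registry build (merge, dedupe, risk tier, business owner) and the Week 4 prioritization and spend tasks (sort by risk tier then user count, annualize unauthorized spend). The per-source findings and their field names are constructed assumptions; the disposition column is left for the audit lead because the guide gives no rule for it.

```python
# Constructed findings from the four sources; field names are assumptions.
DNS_FINDINGS = [{"app": "ChatGPT", "users": 14}, {"app": "Notion", "users": 6}]
SSO_GAPS = [{"app": "notion", "users": 6}]
FINANCE = [{"app": "chatgpt", "monthly_cost": 280.0}, {"app": "Canva", "monthly_cost": 12.99}]
SURVEY = [{"app": "ChatGPT", "data": "regulated", "dept": "Sales"},
          {"app": "Notion", "data": "internal", "dept": "Product"},
          {"app": "Canva", "data": "none", "dept": "Marketing"}]

# Week 3, Task 04: the risk tier follows the data class the app touches.
RISK_TIER = {"regulated": "High", "internal": "Medium", "none": "Low"}
TIER_RANK = {"High": 0, "Medium": 1, "Low": 2}
DATA_RANK = {"regulated": 0, "internal": 1, "none": 2}

def build_registry(*sources):
    """Week 3, Tasks 01-05: one row per unique app, tiered, with a business owner."""
    registry = {}
    for source in sources:
        for f in source:
            key = f["app"].strip().lower()           # Task 02: dedupe ignoring case
            row = registry.setdefault(key, {"app": f["app"], "users": 0, "monthly_cost": 0.0,
                                            "data": "none", "owner": None})
            row["users"] = max(row["users"], f.get("users", 0))
            row["monthly_cost"] = max(row["monthly_cost"], f.get("monthly_cost", 0.0))
            if DATA_RANK[f.get("data", "none")] < DATA_RANK[row["data"]]:
                row["data"] = f["data"]              # keep the most sensitive class reported
            row["owner"] = f.get("dept") or row["owner"]   # Task 05: team driving adoption
    for row in registry.values():
        row["risk"] = RISK_TIER[row["data"]]
        row["disposition"] = None                    # Task 06: decided by the audit lead
    return list(registry.values())

def prioritize(registry, top_n=20):
    """Week 4, Task 01: sort by risk tier, then by user count, and keep the top N."""
    return sorted(registry, key=lambda r: (TIER_RANK[r["risk"]], -r["users"]))[:top_n]

def annual_unauthorized_spend(registry):
    """Week 4, Task 05: annualize the monthly cost across every registry row."""
    return round(sum(r["monthly_cost"] for r in registry) * 12, 2)
```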

5 common mistakes

  • 01 Skipping the amnesty communication

    Employees hide tools they fear will be removed. Survey response drops to 30 to 40%. You miss the highest-risk AI tools on personal accounts.

  • 02 Running only one discovery method

    No single method covers more than 80%. DNS misses personal devices, SSO misses non-OAuth apps, surveys miss tools employees forgot about.

  • 03 Treating the registry as a one-time deliverable

    New shadow apps are adopted continuously. A registry not updated quarterly becomes stale within 60 days as teams adopt new AI and SaaS.

  • 04 Prioritizing by cost instead of by risk

    A small personal AI subscription uploading customer proposals is far more dangerous than a project management tool with no data exposure.

  • 05 Removing tools before providing alternatives

    Removal without alternatives drives shadow apps to personal devices where you have no visibility.

Next step

Score your readiness before kicking off

10 yes / no questions, traffic-light score, gap analysis. If you score below 7, close the gaps before you start.

Run the readiness scorer

FAQ

Common questions

01 How long does a shadow IT audit take?

A complete audit using all five discovery methods takes 4 to 6 weeks for a 100 to 500 person organization. Discovery is 2 to 3 weeks; analysis and risk classification is 1 week; registry assembly and reporting is a further 1 to 2 weeks. Remediation itself is an ongoing 6 to 12 month process, not a one-time project.

02 Who should run the audit?

Most mid-market organizations assign a SaaS Operations or IT Security lead as the audit owner, with executive sponsorship from the CIO or CISO. Larger organizations may give the work to a dedicated governance, risk, and compliance (GRC) team. Smaller organizations often outsource discovery to a consultant for the first cycle then bring it in-house.

03 What is the single highest-yield discovery method?

IdP-connected app exports give the cleanest signal: any OAuth grant is a real, in-use shadow app, named and timestamped. Run that first. DNS analysis catches non-OAuth shadow tools and gives you a fuller picture; layer it second. The survey closes the long tail.
