How does a Canadian mid-market operator actually run the vendor stack audit?

A complete two-day vendor stack audit workbook for 30-200 person Canadian oil and gas operators. Eight categories, 90 minutes each, structured prompts per category. The audit that surfaces 15-30% of invisible SaaS spend.

For: All operators · 30-200 people

Vencer Guide · February 2027

How do you actually run the vendor stack audit?

A two-day structured audit framework that consistently surfaces 15-30% of SaaS spend that shouldn't be there. Eight categories, two hours each, captured back in budget within a quarter.

Quick answer

A two-day vendor stack audit for a 30-200 person Canadian operator runs across eight categories - identity, productivity, accounting, communications, sector tools, security, sales/marketing, orphans - at roughly 90 minutes per category. The audit surfaces 15-30% of SaaS spend that's gone unnoticed (duplicates, former-employee subscriptions, auto-renewed pilots) and produces a consolidation plan for 90-120 days of disciplined cleanup.

~3,500 words · Approx. 14-min read · Companion to The Operating System

1. Why does the audit nobody wants to run produce the highest ROI?

Mid-market operators we audit consistently surface $60-120K of annual SaaS spend that shouldn't be there. Sometimes more. The pattern: vendor relationships that accumulated organically across 3-5 years without governance. Auto-renewals nobody tracks. Duplicate tools where one team chose Slack and another chose Teams. Specialty platforms that outlived their original purpose.

The audit takes two days. The consolidation takes 30. The savings are captured for the rest of the operator's existence. No other IT exercise we've seen produces this ROI ratio.

Three reasons the audit doesn't happen:

  • Bandwidth. Q1 close, Q2 audit, Q3 budgeting, Q4 planning - when is there time?
  • Discomfort. Surfaces decisions that were made and forgotten. Some embarrassment is inherent.
  • Friction. Each tool has a champion who'll resist cutting. Cumulative friction feels like it exceeds the savings.

None of those reasons hold up against the math. Two days of focused work produces $60-120K in recovered budget annually.

2. How do you set up the two-day audit?

Block two consecutive days. Same room or same Teams call. No drop-ins. Eight ninety-minute sessions with 30-minute breaks between them.

Who's in the room

  • CFO - full two days
  • IT lead - full two days
  • Head of operations - present for sessions 3, 5, 7 (Accounting, Security, OT/Field)
  • Optional: fractional CIO as facilitator

Materials needed

  • Vendor invoice history from accounting (last 18 months)
  • Admin console access to each major SaaS platform
  • Current contract files for vendors with annual contracts
  • Org chart so you can map tool ownership
  • Shared spreadsheet with four columns per category: Product / Annual Cost / Actual Active Users / Renewal Date

3. Category 1 - Identity & Access (90 minutes)

Start here because identity is foundational and tends to be the cleanest category to audit.

What to inventory

Identity provider, MFA tooling, password managers, privileged access management, conditional access policies.

What to ask

  • Are we paying for both Microsoft Entra Premium AND a separate password manager AND a separate MFA app?
  • Could one of them go?
  • Do we still have legacy directory services running that nobody uses?

Typical finding

One or two duplicate tools, usually inherited from a prior decision that wasn't sunset properly.

4. Category 2 - Productivity (90 minutes - take the full time)

This is where the most sprawl lives. Take the full 90 minutes.

What to inventory

Microsoft 365, Google Workspace, Slack, Teams, Zoom, Dropbox, Box, document signing, project management (Asana / Smartsheet / Project / Monday / Trello / etc.), wikis, file sharing, communication tools.

What to ask

  • How many communication tools do we have?
  • How many file sharing platforms?
  • How many project management tools?
  • Which ones are actually used vs. which ones have a few stragglers?
  • What did each one cost over the last 18 months?

Typical finding

3-5 duplicate tools across communication and project management. Often a Slack + Teams overlap. Often a Microsoft Project + Asana + Smartsheet trio. Often 5-10% of total SaaS spend.

5. Category 3 - Accounting & Finance (90 minutes)

What to inventory

Production accounting platform, JIB platform, AFE management, ERP (if separate), expense management, accounts payable automation, payroll, banking software, treasury tools, audit support.

What to ask

  • Are we paying for both a standalone JIB platform AND the JIB module in our production accounting platform?
  • Do we have expense management we don't use?
  • When did we last evaluate the production accounting contract terms?

Typical finding

Mid-market operators on industry-tier production accounting platforms (Quorum, P2, 3esi-Enersight) are usually fine here. The risk is the additional satellite tools (expense, AP automation) that may not be fully utilized.

6. Category 4 - Communications (90 minutes)

What to inventory

Email security, calendar tools, scheduling tools, customer relationship management, marketing automation, website CMS, transactional email.

What to ask

  • Are we paying for email security separately when Microsoft Defender for Office 365 P2 could replace it?
  • Are we paying for a CRM nobody uses?
  • Do we have an old website CMS we haven't migrated off?

Typical finding

Often one orphaned tool from a prior marketing or sales experiment.

7. Category 5 - Security (90 minutes - take the full time)

Second most-likely category for material waste. Take the full 90 minutes.

What to inventory

EDR, email security, SIEM/SOC, vulnerability scanning, backup, identity threat detection, password breach monitoring, vendor risk management tools.

What to ask

  • Are we paying for multiple EDR products (often happens when an old AV product wasn't sunset)?
  • Are we paying for SIEM that nobody monitors?
  • Are we running two vulnerability scanners?
  • Is our backup product duplicating what our cloud platforms already provide?

Typical finding

Often 5-15% of total SaaS spend sits in overlapping security tools. Consolidation in this category also strengthens cyber posture - the overlapping tools usually have monitoring gaps where they meet.

8. Categories 6-7 - Infrastructure and OT/Field (90 minutes each)

Category 6 - Infrastructure

Cloud platforms (AWS, Azure, GCP), monitoring, automation, database tools, development tools. Most operators have minimal sprawl here.

Category 7 - OT/Field

SCADA, historians, field data capture, mobile workforce tools, IoT platforms. Industry-specific tools that are usually well-scoped but may have unused licenses or duplicate field-app subscriptions.

9. Category 8 - HR & Operational (90 minutes)

What to inventory

HRIS, scheduling, training platforms, compliance management, expense reporting, learning management, performance management.

Typical finding

Often one or two HR tools introduced for a specific need (training, compliance, performance reviews) that are still being paid for after the need passed or the team rotated.

10. The 30-day consolidation

The audit produces a list. The consolidation is the work. Plan for 30 days to execute on what the audit surfaces.

Days 1-10 - Renegotiate before terminating

Sometimes vendors will reduce pricing 20-40% when they know you're consolidating. The savings can exceed what termination would produce, with less operational disruption.

Days 11-20 - Execute clean terminations

Terminate the tools that can go cleanly. Honor notice periods. Document the terminations for next year's audit reference.

Days 21-30 - Plan migrations for tools requiring user moves

Users may need to move to a different platform. Communicate the timeline. Provide support. Don't underestimate user friction - the change management work makes the consolidation actually land.

Typical capture

For a 75-person operator with $400K annual SaaS spend, the audit + consolidation typically surfaces and captures $60-120K in annual savings. Captured back in budget by quarter 2 after consolidation completes.

11. Quarterly governance - prevent sprawl from returning

The audit catches up. The quarterly governance prevents recurrence.

One hour per quarter. CFO and IT lead. Review the vendor inventory. Identify new additions. Identify duplicates. Identify renewal decisions.

Operators who institute quarterly governance after the audit see vendor count plateau at appropriate scale. Operators who skip the governance see vendor count return to pre-audit levels within 18-24 months.

12. Master audit worksheet

Master Vendor Audit Worksheet

One row per vendor across all eight categories:

Vendor | Category | Annual Cost | Active Users | Renewal Date | Action
- | - | - | - | - | Keep / Renegotiate / Terminate / Consolidate

Tip: Group rows by category. Visual clustering makes duplicates obvious.

Need facilitation for the audit?

The IT-and-the-Cycle Assessment includes vendor stack audit facilitation. Two days of structured work with documented outcomes and a remediation roadmap.

The footnote your lawyer would write

Operator-authored framework built from 30+ deals and 19 years - not a universal prescription. Every organization has different variables. This guide tells you what to look at; the Assessment tells you what it means for your situation.
