How to Run a Shadow IT Audit

A complete shadow IT audit takes 4 weeks and combines four discovery methods (DNS traffic analysis, SSO gap analysis, an expense audit, and an employee amnesty survey) to surface 80-95% of unauthorized apps. No single method finds everything, which is why they run in parallel. This guide walks through each step, its deliverables, and the tasks required to complete it.

4-Week Audit Timeline

Week 1

Scope and setup

  • Stakeholder alignment
  • All-company comms
  • Start DNS monitoring

Week 2

Technical discovery

  • DNS/SSO analysis
  • Expense audit
  • Send employee survey

Week 3

Analysis

  • Survey closes
  • Data consolidation
  • Risk classification

Week 4

Reporting

  • Build registry
  • Remediation plan
  • Executive presentation

Step 1: Scope and stakeholder alignment

Days 1-3

Before any technical work begins, align on what the audit will cover, who owns it, and what the consequences and amnesty terms will be. Audits without executive sponsorship and a clear amnesty policy surface 30-40% fewer apps than those that are well-communicated in advance.

Tasks

  • Define audit scope: which departments, which data classifications, which tool categories to prioritize
  • Obtain sign-off from the CISO, CTO, or CEO depending on org size
  • Assign an audit lead from IT or security who will own the shadow app registry
  • Draft and send an all-company communication explaining the audit, its purpose, and the amnesty policy
  • Confirm that no employee will face disciplinary action for tools disclosed during the amnesty window
  • Fix the audit window (four weeks in this plan) with a clear, published end date

Output

Audit charter document, stakeholder sign-off, all-company communication sent

Step 2: Technical discovery (DNS and SSO)

Days 3-14

Run DNS traffic analysis and SSO gap analysis simultaneously. These two methods together surface 60-80% of shadow apps without any employee involvement. Pull 30 days of DNS logs from your network monitoring tool or DNS filter; if query logging was only switched on in week 1, you will have the audit's own window rather than a full 30 days, so weight the SSO and expense findings more heavily. DNS logs also only cover devices that use the corporate resolver: remote workers off VPN, encrypted DNS (DoH) in the browser, and personal hotspots leave no trace. Export the full app catalog and the list of third-party OAuth grants from your identity provider and compare both against your approved application list.

Tasks

  • Enable DNS query logging if not already active (Cloudflare Gateway, Cisco Umbrella, your resolver's own query log, or built-in router logging)
  • Pull 30 days of outbound DNS requests, reduce each query to its registrable domain, and match against known SaaS domain patterns
  • Export all OAuth-connected and SSO-integrated apps from Google Workspace Admin, Okta App Integrations, or Microsoft Entra ID Enterprise applications
  • Cross-reference against your approved application catalog to identify gaps
  • Flag all apps in active use that are not connected to SSO
  • Group findings by department using login patterns and expense data

Output

DNS shadow app list, SSO gap list, combined technical discovery spreadsheet
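The DNS and SSO cross-reference above, worked through in Python as an added example (not code from the original page or from Digital Signet). The DNS log excerpt, the SaaS domain catalog, the approved-app list and the IdP export are all constructed for the example; a real export has more columns, and the domain reduction is deliberately naive (last two labels), so use a public suffix list on production data. The output is the two lists the step calls for: shadow apps in active use, and approved apps that are in use but not behind SSO, each ranked by distinct client count.

```python
import csv
import io
from collections import defaultdict

# Constructed excerpt of a DNS query log: timestamp, client IP, queried name.
# Real exports (Cloudflare Gateway, Umbrella, BIND querylog) carry more
# columns; adapt parse_dns_log() to your export's column order.
DNS_LOG = """\
2024-05-01T09:12:03Z,10.0.4.21,app.asana.com.
2024-05-01T09:12:05Z,10.0.4.21,cdn.asana.com.
2024-05-01T09:13:44Z,10.0.4.37,chat.openai.com.
2024-05-01T10:01:10Z,10.0.4.37,www.notion.so.
2024-05-02T08:45:00Z,10.0.5.12,app.slack.com.
2024-05-02T08:45:01Z,10.0.5.12,files.slack.com.
2024-05-02T11:20:30Z,10.0.5.12,chat.openai.com.
2024-05-03T14:02:17Z,10.0.4.21,trello.com.
2024-05-03T14:02:18Z,10.0.4.80,intranet.corp.local.
2024-05-03T15:30:00Z,10.0.4.80,www.notion.so.
2024-05-04T09:00:00Z,10.0.4.80,app.loom.com.
"""

# Constructed SaaS catalog: registrable domain -> product name. Seed it from
# your DNS filter's application categories and grow it from the triage queue.
SAAS_CATALOG = {
    "asana.com": "Asana",
    "notion.so": "Notion",
    "openai.com": "ChatGPT",
    "slack.com": "Slack",
    "trello.com": "Trello",
}

# Constructed approved-application list and IdP (Okta / Google Workspace) export.
APPROVED_APPS = {"Asana", "Google Workspace", "Slack"}
SSO_CONNECTED_APPS = {"Slack"}

INTERNAL_TLDS = {"local", "internal", "arpa", "home"}


def registrable_domain(qname):
    """Reduce a query name to its registrable domain.

    Assumption: the last two labels are the registrable domain. That is wrong
    for ccTLD second-level registries (example.co.uk); use the public suffix
    list (e.g. the `publicsuffix2` package) for production data.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text):
    """Yield (client_ip, registrable_domain) for external queries only."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue
        _timestamp, client, qname = row[0], row[1], row[2]
        domain = registrable_domain(qname)
        if domain.rsplit(".", 1)[-1] in INTERNAL_TLDS:
            continue  # intranet names are not shadow SaaS
        yield client, domain


def dns_app_usage(text, catalog):
    """Map each catalogued app to the set of distinct clients that resolved it.

    Returns (usage, unclassified): usage is app -> set of client IPs;
    unclassified is domain -> query count for domains not in the catalog,
    i.e. the triage queue for growing the catalog.
    """
    usage = defaultdict(set)
    unclassified = defaultdict(int)
    for client, domain in parse_dns_log(text):
        app = catalog.get(domain)
        if app is None:
            unclassified[domain] += 1
        else:
            usage[app].add(client)
    return dict(usage), dict(unclassified)


def discovery_report(usage, approved, sso_connected):
    """Split active apps into shadow apps and approved apps missing SSO.

    Both lists are ordered by distinct client count (descending), then name,
    so the top of each list is the highest-impact finding.
    """
    def ranked(apps):
        return sorted(apps, key=lambda a: (-len(usage[a]), a))

    active = set(usage)
    return {
        "shadow": ranked(active - approved),
        "approved_no_sso": ranked((active & approved) - sso_connected),
    }


if __name__ == "__main__":
    usage, unclassified = dns_app_usage(DNS_LOG, SAAS_CATALOG)
    report = discovery_report(usage, APPROVED_APPS, SSO_CONNECTED_APPS)
    for app in report["shadow"]:
        print(f"SHADOW   {app:<10} {len(usage[app])} client(s)")
    for app in report["approved_no_sso"]:
        print(f"NO-SSO   {app:<10} {len(usage[app])} client(s)")
    for domain, n in sorted(unclassified.items()):
        print(f"TRIAGE   {domain:<14} {n} query(ies)")
```

Counting distinct client IPs rather than raw queries matters: one CDN-heavy app can generate hundreds of lookups from a single laptop, which says nothing about adoption. The unclassified list (here only loom.com) is where the catalog grows between audits.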

Step 3: Financial discovery (expense audit)

Days 5-12

Pull 12 months of corporate card transactions and expense reports. Filter for software-related merchant codes and for any recurring monthly or annual charge. Check which code scheme your export carries: 7371 (computer programming services), 7372 (prepackaged software) and 7374 (data processing) are SIC industry codes, whereas card networks tag transactions with MCCs, where software and SaaS charges mostly land under 5734 (computer software stores) and 7372 (computer programming and data processing). Cross-reference against your approved vendor list. Every unauthorized recurring SaaS charge is a confirmed shadow app with a known cost.

Tasks

  • Request a full export of corporate card transactions from finance for the past 12 months
  • Filter for the software and IT service merchant codes your export uses (MCCs 5734 and 7372 cover most SaaS billing; 7371, 7372, 7374 and 7379 if the export carries SIC codes)
  • Also filter for keywords: subscription, monthly plan, annual plan, SaaS, license, upgrade
  • Cross-reference vendor names against your approved catalog
  • Flag all unauthorized recurring charges and sum them by vendor and by department
  • Ask finance to add a flag for new recurring SaaS charges going forward

Output

Financial shadow app list with annual spend per vendor and per department
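The expense audit above as an added Python example (not code from the original page or from Digital Signet). The card export is constructed for the example; the MCC set, the descriptor keywords and the approved-vendor list are assumptions to replace with your own. The step's intent is implemented directly: filter to software-looking charges, group them by vendor, decide whether the pattern is monthly or annual, drop approved vendors, and annualize the rest per vendor and per department.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal
from statistics import median

# Constructed 3-month excerpt of a corporate card export:
# date, merchant descriptor, MCC, amount, cardholder, department.
TRANSACTIONS = """\
date,merchant,mcc,amount,cardholder,department
2024-01-15,NOTION LABS,7372,12.00,alice,Marketing
2024-02-15,NOTION LABS,7372,12.00,alice,Marketing
2024-03-15,NOTION LABS,7372,12.00,alice,Marketing
2024-01-20,OPENAI *CHATGPT SUBSCR,5734,20.00,bob,Sales
2024-02-20,OPENAI *CHATGPT SUBSCR,5734,20.00,bob,Sales
2024-03-20,OPENAI *CHATGPT SUBSCR,5734,20.00,bob,Sales
2024-02-01,SLACK TECHNOLOGIES,7372,850.00,carol,IT
2024-03-01,SLACK TECHNOLOGIES,7372,850.00,carol,IT
2024-04-01,SLACK TECHNOLOGIES,7372,850.00,carol,IT
2024-03-12,FIGMA ANNUAL PLAN,5734,180.00,erin,Design
2024-03-11,AMZN MKTP US,5942,45.99,dave,Ops
2024-02-03,UBER TRIP,4121,23.50,bob,Sales
"""

# Assumed MCC set for software/SaaS billing; confirm your export uses MCCs
# (some processors emit SIC codes instead) and extend the set as needed.
SOFTWARE_MCCS = {"5734", "7372", "7375", "7379"}
KEYWORDS = ("subscription", "subscr", "monthly", "annual", "yearly",
            "saas", "license", "plan", "upgrade")

# Constructed approved-vendor list, keyed the same way as vendor_key().
APPROVED_VENDORS = {"SLACK", "ASANA", "GOOGLE"}


def vendor_key(descriptor):
    """Crude vendor key: first alphabetic token of the card descriptor.

    Descriptors vary per charge ("OPENAI *CHATGPT SUBSCR"), so the first word
    is a workable grouping key; review the resulting groups by hand.
    """
    tokens = re.findall(r"[A-Za-z]+", descriptor.upper())
    return tokens[0] if tokens else descriptor.upper()


def is_software_charge(tx):
    desc = tx["merchant"].lower()
    return tx["mcc"] in SOFTWARE_MCCS or any(k in desc for k in KEYWORDS)


def cadence(dates, descriptor):
    """Classify a vendor's charge pattern as monthly, annual, or one-off."""
    if len(dates) >= 2:
        d = sorted(dates)
        gap = median((b - a).days for a, b in zip(d, d[1:]))
        if 25 <= gap <= 35:
            return "monthly"
        if 350 <= gap <= 380:
            return "annual"
    if re.search(r"ANNUAL|YEARLY", descriptor.upper()):
        return "annual"  # a single annual charge still recurs
    return "one-off"


def parse_transactions(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for tx in rows:
        tx["date"] = date.fromisoformat(tx["date"])
        tx["amount"] = Decimal(tx["amount"])  # never float for money
    return rows


def shadow_spend(text, approved):
    """Unauthorized recurring software charges, annualized per vendor.

    Returns {vendor_key: {"cadence", "annual_spend", "departments", "charges"}}.
    One-off software charges are dropped here; list them separately for review.
    """
    by_vendor = defaultdict(list)
    for tx in parse_transactions(text):
        if is_software_charge(tx):
            by_vendor[vendor_key(tx["merchant"])].append(tx)

    findings = {}
    for vendor, txs in by_vendor.items():
        if vendor in approved:
            continue
        kind = cadence([t["date"] for t in txs], txs[0]["merchant"])
        if kind == "one-off":
            continue
        typical = median(t["amount"] for t in txs)  # typical charge size
        findings[vendor] = {
            "cadence": kind,
            "annual_spend": typical * (12 if kind == "monthly" else 1),
            "departments": sorted({t["department"] for t in txs}),
            "charges": len(txs),
        }
    return findings


def spend_by_department(findings):
    """Roll annualized shadow spend up to departments (split evenly when shared)."""
    totals = defaultdict(Decimal)
    for f in findings.values():
        share = f["annual_spend"] / len(f["departments"])
        for dept in f["departments"]:
            totals[dept] += share
    return dict(totals)


if __name__ == "__main__":
    findings = shadow_spend(TRANSACTIONS, APPROVED_VENDORS)
    for vendor, f in sorted(findings.items(), key=lambda kv: -kv[1]["annual_spend"]):
        print(f"{vendor:<8} {f['cadence']:<8} {f['annual_spend']:>8} /yr  {', '.join(f['departments'])}")
    print("total unauthorized:", sum(f["annual_spend"] for f in findings.values()))
```

On the constructed data this flags Notion (monthly, Marketing), OpenAI (monthly, Sales) and Figma (a single annual charge caught by its descriptor, Design), skips Slack as approved, and ignores the Amazon and Uber lines. The cadence test on the median gap between charges is what separates a subscription from a vendor someone bought from twice; widen the windows if your card posts on business days only.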

Step 4: Employee amnesty survey

Days 7-14

Send a structured self-report survey to all employees with amnesty framing. This is the highest-coverage method for discovering tools used on personal devices and personal accounts, particularly AI tools and browser extensions. Frame it clearly: the goal is to understand what tools employees need, not to enforce policy or remove tools without providing alternatives.

Tasks

  • Draft the survey in Google Forms, Microsoft Forms, or Typeform
  • Include sections for: project management tools, communication tools, file storage, AI writing and coding tools, design tools, analytics tools, and any other category relevant to your business
  • Add an open-text field: 'What tools do you wish the company would officially approve?'
  • Include a prominent amnesty statement at the top of the survey
  • Send via Slack or email with a 5-business-day deadline
  • Follow up with a reminder at day 3. Target 70%+ response rate

Output

Employee-reported shadow app list with tool names, use cases, and department breakdown

Step 5: Registry and risk classification

Days 15-21

Consolidate all four discovery sources into a single shadow app registry. Deduplicate entries where the same app appears in multiple discovery methods, remembering that the same product shows up under different names (a DNS domain, a card descriptor, whatever the employee typed in the survey), so keep an alias table as you merge. For each unique app, record: data classification supported, user count, monthly cost, compliance relevance, SSO status, and a risk tier. Risk tier should be: high (processes regulated data), medium (processes internal data), low (no company data). Where no source tells you what data an app touches, do not default it to low; mark it for investigation.

Tasks

  • Merge DNS discovery, SSO gap, financial discovery, and employee survey results
  • Deduplicate: one row per unique app in the registry
  • Record for each app: app name, vendor, category, user count, monthly cost, data accessed, compliance relevance
  • Assign a risk tier: High, Medium, Low based on data classification
  • Identify the business owner for each app (the team or person driving adoption)
  • Mark each app with a recommended disposition: Approve, Migrate, Remove, or Investigate

Output

Shadow app registry spreadsheet with risk tiers and recommended dispositions
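The merge and risk-tiering step above as an added Python example (not code from the original page or from Digital Signet). The four source lists, the alias table, the category map and the approved-alternative map are constructed for the example and deliberately use inconsistent names for the same products. Two choices go beyond the text and are assumptions: an app whose data classification no source reports gets a tier of "Unknown" rather than Low, and the disposition rules are a first pass that a human confirms (Remove is never assigned automatically).

```python
from collections import defaultdict

# Constructed outputs of the four discovery methods as the merge step sees them.
DNS_FINDINGS = [
    {"app": "ChatGPT", "users": 2},
    {"app": "Notion", "users": 2},
    {"app": "Trello", "users": 1},
]
SSO_CONNECTED = {"slack"}  # IdP export, already lower-cased
FINANCE_FINDINGS = [
    {"app": "Notion Labs", "monthly_cost": 12.0, "department": "Marketing"},
    {"app": "OpenAI ChatGPT", "monthly_cost": 20.0, "department": "Sales"},
    {"app": "Figma", "monthly_cost": 15.0, "department": "Design"},
]
SURVEY_FINDINGS = [
    {"app": "chatgpt", "users": 5, "data": "regulated", "department": "Sales"},
    {"app": "trello", "users": 3, "data": "internal", "department": "Ops"},
    {"app": "Figma", "users": 2, "data": "internal", "department": "Design"},
]

# Alias table maintained by hand during dedup review (assumption).
ALIASES = {"openai chatgpt": "chatgpt", "notion labs": "notion"}
# Category per app and the approved tool per category, used for dispositions.
CATEGORY = {"chatgpt": "ai assistant", "notion": "docs",
            "trello": "project management", "figma": "design"}
APPROVED_BY_CATEGORY = {"project management": "Asana", "chat": "Slack"}

RISK_BY_DATA = {"regulated": "High", "internal": "Medium", "none": "Low"}


def canonical(name):
    """Normalize an app name and resolve it through the alias table."""
    key = " ".join(name.lower().split())
    return ALIASES.get(key, key)


def disposition(key, row):
    """Rule-of-thumb disposition; a human confirms each one. 'Remove' is only
    ever assigned after an Investigate outcome, never by this rule."""
    if row["risk"] in ("High", "Unknown"):
        return "Investigate"
    alt = APPROVED_BY_CATEGORY.get(CATEGORY.get(key, ""))
    if alt:
        return f"Migrate to {alt}"
    return "Approve (with controls)" if row["risk"] == "Medium" else "Approve"


def build_registry(dns, sso_connected, finance, survey):
    """Merge the four sources into one row per app, keyed by canonical name."""
    reg = defaultdict(lambda: {"sources": set(), "users": 0, "monthly_cost": 0.0,
                               "departments": set(), "data": "unknown"})
    for f in dns:
        row = reg[canonical(f["app"])]
        row["sources"].add("dns")
        row["users"] = max(row["users"], f["users"])  # DNS counts devices
    for f in finance:
        row = reg[canonical(f["app"])]
        row["sources"].add("finance")
        row["monthly_cost"] += f["monthly_cost"]
        row["departments"].add(f["department"])
    for f in survey:
        row = reg[canonical(f["app"])]
        row["sources"].add("survey")
        row["users"] = max(row["users"], f["users"])  # self-reported, often higher
        row["departments"].add(f["department"])
        row["data"] = f["data"]  # only the survey tells you what data is in the app
    for key, row in reg.items():
        row["sso"] = key in sso_connected
        row["risk"] = RISK_BY_DATA.get(row["data"], "Unknown")
        row["disposition"] = disposition(key, row)
    return dict(reg)


def prioritized(reg):
    """Remediation order: risk tier first, then user count, then name."""
    rank = {"High": 0, "Unknown": 1, "Medium": 2, "Low": 3}
    return sorted(reg, key=lambda k: (rank[reg[k]["risk"]], -reg[k]["users"], k))


if __name__ == "__main__":
    reg = build_registry(DNS_FINDINGS, SSO_CONNECTED, FINANCE_FINDINGS, SURVEY_FINDINGS)
    for key in prioritized(reg):
        r = reg[key]
        print(f"{key:<8} {r['risk']:<8} users={r['users']:<2} ${r['monthly_cost']:>6.2f}/mo "
              f"sso={r['sso']!s:<5} {','.join(sorted(r['sources'])):<18} {r['disposition']}")
```

On the constructed data ChatGPT collapses from three differently spelled entries into one High row seen by all three sources, Notion ends up Unknown because nobody reported what data it holds, and Trello is pointed at the approved project management tool rather than at removal.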

Step 6: Remediation planning and reporting

Days 22-28

Prioritize the top 20 highest-risk apps for immediate remediation action. For each, assign an owner, identify the approved alternative or exception path, and set a 90-day remediation deadline. Write an executive summary report covering: total apps discovered, total unauthorized spend, top 5 highest-risk findings, and recommended quick wins. Present to leadership within the audit window.

Tasks

  • Sort the registry by risk tier, then by user count to identify highest-impact items
  • For each High risk app, assign an IT security team member as the remediation lead
  • Define the remediation path: Approve (with controls), Migrate to approved alternative, or Remove with data recovery
  • Set 30/60/90 day milestones for each High risk item
  • Calculate total annual unauthorized spend and breach risk exposure for the executive summary
  • Present findings and remediation plan to IT leadership and executive sponsor

Output

Remediation plan, executive summary report, 90-day milestone tracker

5 Shadow IT Audit Mistakes to Avoid

Skipping the amnesty communication

Employees hide tools they fear will be removed. Survey response rates drop to 30-40% instead of 70%+. You miss the highest-risk AI tools on personal accounts.

Running only one discovery method

No single method covers more than 80% of shadow apps. DNS misses personal devices and anything that bypasses the corporate resolver (remote workers off VPN, encrypted DNS in the browser). SSO misses apps that were never connected through OAuth or SAML. Expense data misses free tiers and personal cards. Surveys miss apps employees forgot about.

Treating the registry as a one-time deliverable

New shadow apps are adopted continuously. A registry not updated quarterly becomes stale within 60 days as teams adopt new AI tools and SaaS products.

Prioritizing by cost instead of by risk

A $20/month personal ChatGPT subscription uploading customer proposals to a consumer OpenAI account, where content can be used for model training unless the user opts out, is far more dangerous than a $500/month project management tool with no sensitive data exposure.

Removing tools before providing alternatives

The most effective shadow IT reduction strategy is providing better alternatives. Removal without alternatives drives shadow apps to personal devices where you have no visibility.

Need Help Running Your Shadow IT Audit?

Digital Signet delivers a complete 4-week shadow IT audit: discovery sprint, shadow app registry, risk classification, and a 90-day remediation plan.

Get a Free Audit Assessment →

Shadow IT Policy Template →

Build your policy foundation once the audit is complete.

Approved Alternatives Guide →

Replace shadow apps with approved alternatives by category.