SOC 2 for Australian SaaS and Technology Companies

SOC 2 is an independent attestation report, produced under American Institute of Certified Public Accountants (AICPA) standards, that tells your customers an external auditor has examined your security controls. It is not a certification you pass. For Australian SaaS firms selling into the US or to enterprise buyers, it has become the price of entry.

If you build software in Melbourne and your sales pipeline runs through US accounts or large Australian enterprises, you have probably hit a security questionnaire that asks one blunt question: “Do you have a SOC 2 report?” The honest answer for most early-stage Australian SaaS companies is no, and that “no” stalls deals. This post explains what SOC 2 actually is, how it differs from ISO 27001, what the audit involves, and what it realistically costs in time and money.

What SOC 2 actually is

SOC 2 (System and Organization Controls 2) is a reporting framework owned by the AICPA. A licensed CPA firm examines how you manage customer data and issues a report describing your controls and whether they were designed, and in some cases operating, effectively. The deliverable is a report, not a logo or a certificate. You cannot self-certify, and there is no central registry to check against — your customers read the report under NDA.

The report is built around the Trust Services Criteria. There are five of them, and you choose which apply to your business:

  • Security — the only mandatory criterion (often called the “common criteria”). Covers access control, change management, risk assessment, monitoring and incident response.
  • Availability — uptime, performance monitoring, disaster recovery. Relevant if you make uptime commitments in SLAs.
  • Processing Integrity — data is processed completely, accurately and on time. Matters for payments, payroll or anything that transforms data.
  • Confidentiality — protection of information designated as confidential, including encryption and retention controls.
  • Privacy — collection, use, retention and disposal of personal information in line with your privacy notice.

Most SaaS companies scope their first report to Security alone, then add Availability and Confidentiality once customers ask. Privacy is the least commonly included because, for Australian companies, the Privacy Act 1988 and the Australian Privacy Principles already govern that ground — and bolting it onto SOC 2 adds work for limited buyer benefit.

Type I versus Type II

This distinction trips people up, so be clear on it before you commission anything.

  • What it tests. Type I: whether controls are designed appropriately. Type II: whether controls operated effectively over time.
  • Timing. Type I: a single point in time. Type II: a monitoring period, typically 3 to 12 months.
  • Evidence. Type I: policies and configurations as they stand on the date. Type II: evidence sampled across the whole window.
  • Buyer confidence. Type I: modest, proves intent. Type II: high, proves you actually do it.
  • Typical use. Type I: a first step to show momentum. Type II: the report enterprise buyers actually want.

A Type I says “on 30 June, these controls were in place and well designed.” A Type II says “across the six months to 30 June, these controls ran and here is the audit evidence.” Serious buyers want Type II. Many Australian SaaS firms do a Type I first to demonstrate progress to a waiting prospect, then run a Type II over the following six to twelve months. That is a sensible path, but do not expect a Type I alone to clear an enterprise security review.

Why Australian SaaS companies pursue it

The driver is almost always commercial, not regulatory. SOC 2 is not law anywhere — it is a market expectation that crystallised in US procurement and has spread to large Australian buyers running mature vendor risk programmes.

If your product touches a customer’s data and you want to sell to a US fintech, a healthcare platform, or any ASX-listed enterprise, their security team will ask for a SOC 2 Type II report early in the process. Without one you get stuck in a back-and-forth of bespoke questionnaires, and procurement treats you as a higher-risk vendor. The report short-circuits all of that: it answers most of the questionnaire in one document and signals that you take security seriously enough to pay an auditor to check.

A logistics-tech startup in Cremorne we work with hit exactly this wall — a US enterprise prospect wouldn’t progress past security review without a Type II, and the deal was large enough that the audit cost was a rounding error against the contract value. That is the usual shape of it: SOC 2 pays for itself the moment it unlocks one enterprise account.

SOC 2 versus ISO 27001

This is the question every founder asks, and the honest answer is that they overlap heavily but serve different audiences.

  • Origin. SOC 2: AICPA (United States). ISO 27001: ISO/IEC (international).
  • Output. SOC 2: attestation report from a CPA firm. ISO 27001: certificate from an accredited certification body.
  • Nature. SOC 2: auditor’s opinion on your controls. ISO 27001: certification of a management system (ISMS).
  • Recognised by. SOC 2: US buyers, North American enterprise. ISO 27001: Europe, UK, Australia, global enterprise.
  • Renewal. SOC 2: report covers a period; reissued annually. ISO 27001: three-year cycle with annual surveillance audits.
  • Public proof. SOC 2: private report shared under NDA. ISO 27001: public certificate.

The control sets behind them are largely the same — access management, change control, risk assessment, vendor management, incident response. The difference is the wrapper. SOC 2 is an auditor describing and testing your controls; ISO 27001 certifies that you run a documented Information Security Management System that continuously improves.

Do you need both?

If your buyers are overwhelmingly North American, SOC 2 alone is usually enough. If you sell into Europe, the UK and Australia, ISO 27001 carries more weight and is the more recognised brand. Plenty of Australian SaaS companies end up doing both because their customer base spans regions — and the marginal effort is smaller than it looks, since one set of controls and one evidence library can support both audits. Build the controls once, attest and certify twice. If you are weighing the options, our cybersecurity services team can map your buyer base to the right framework before you spend a cent on auditors.

The audit process and the role of a security partner

A SOC 2 engagement has two distinct phases, and conflating them is where budgets blow out.

Readiness

Readiness is everything you do before the auditor arrives. You define scope, write or tidy policies, implement the controls, and stand up the tooling that proves they work — multi-factor authentication everywhere, centralised logging, formal access reviews, change management tied to your code pipeline, vendor risk records and an incident response plan you have actually tested. For most Australian SaaS companies this is the real work, and it is where an MSP or security partner earns its fee. The auditor will not help you fix gaps; their job is to observe, not advise.

This is what a security partner does in readiness: run the gap assessment against the Trust Services Criteria, prioritise the controls that matter, deploy the technical guardrails, and set up evidence collection so you are not scrambling at audit time. Much of the Security criterion overlaps with hardening work we already do for clients — the Essential Eight mitigation strategies map cleanly onto SOC 2’s access control, patching and application hardening expectations, so if you are already Essential Eight aligned you are further down the road than you think.

Evidence collection and continuous controls

Type II is won or lost on evidence. The auditor samples across the monitoring period and asks for proof that each control operated every time it should have — access reviews completed each quarter, every code change approved, every alert triaged, every offboarding done within policy. If those records do not exist, the control fails for the period regardless of how good your intentions were.

This is why continuous controls monitoring matters. Compliance automation platforms such as Vanta, Drata or Secureframe connect to your cloud, identity provider and code repositories and collect evidence automatically, flagging drift the moment a control slips. They do not make you compliant — they make the evidence trail survivable. A partner who already runs your SIEM and managed detection stack is well placed to wire these tools into your environment and keep the controls green between audit windows. TechAssist runs a 24/7 NOC out of Tecoma and our engineers are Australian-employed, so the monitoring that underpins your evidence is staffed locally, not handed to an offshore queue.

Realistic timeline and cost

Be wary of anyone promising SOC 2 in a few weeks. Here is the honest shape of it for an Australian SaaS company starting from a reasonable baseline.

  • Readiness: two to four months for an early-stage company with decent foundations; longer if your access controls and logging are immature.
  • Type I report: issued shortly after readiness, reflecting a point in time.
  • Type II monitoring window: three months at minimum, but six to twelve months is what enterprise buyers expect to see.
  • Annual reissue: SOC 2 is not one-and-done. A Type II report covers a stated period, so you run a fresh audit each year to keep a current report on hand.

On cost, the auditor’s fee for a Type II from a reputable CPA firm typically runs into the tens of thousands of dollars (AUD), and that is before tooling and the internal or partner effort to get ready. Compliance automation platforms add an annual subscription. The readiness work — the controls, the policies, the engineering — is usually the larger line item, especially the first time through. Budget for the whole programme, not just the audit invoice, and treat year one as the expensive one.

Frequently asked questions

Is SOC 2 a certification?

No. It is an attestation report issued by a CPA firm under AICPA standards. There is no certificate and no public registry — you receive a report describing your controls and the auditor’s opinion, which you share with customers under NDA. Calling it a “certification” is common shorthand, but technically wrong.

Should an Australian company do SOC 2 or ISO 27001?

It depends on who buys from you. North American buyers expect SOC 2; European, UK and Australian buyers lean on ISO 27001. If your customer base spans both, doing both is common and the underlying controls are largely shared, so the second framework costs far less effort than the first.

Does SOC 2 satisfy Australian privacy law?

Not on its own. The Privacy Act 1988 and the Australian Privacy Principles still apply to your handling of personal information regardless of any SOC 2 report. SOC 2 can include a Privacy criterion, but it is a US framework — it is not a substitute for meeting your obligations under Australian law.

Can an MSP get us SOC 2 ready?

A security partner can run the gap assessment, implement and harden the controls, stand up evidence collection and keep controls monitored continuously between audits. The CPA auditor must remain independent, so the same firm cannot both prepare you and issue the report — but the readiness work is exactly where an MSP adds value.

Where TechAssist fits

We are a Melbourne MSP, founded in 2014, with thirteen Australian-employed engineers. We do not issue SOC 2 reports — that is the auditor’s job, and it has to stay independent — but we do the readiness and the continuous controls work that gets you there and keeps you there. That means hardening your Microsoft 365 and cloud environment, standing up logging and detection, wiring in compliance automation, and making sure the evidence trail your auditor samples actually exists every time. If a SOC 2 report is gating your next enterprise deal, get in touch and we will map the gap before you commit to an audit timeline.

If you cannot tell us in 30 seconds how many SaaS subscriptions your business pays for, you have SaaS sprawl. For a typical sub-$10M Australian SME, 5% to 12% of recurring SaaS spend is duplicated, unused, or forgotten. This post walks through a four-step audit you can finish before EOFY.

Why SaaS sprawl is a financial problem, not just an IT one

This is a deliberately financial post. We have a separate piece coming on Shadow IT, which covers the security angle. The audit process below is the one we run when a CFO calls us in May or June and says some version of: “I think we are paying for too much software and I do not really know what we have.” That conversation has happened more times this year than in the previous three combined, and EOFY is the moment to fix it because every subscription you cancel before 30 June reduces your run-rate cost for FY27.

SaaS sprawl is not a security incident, it is a slow leak. It happens because individual product subscriptions are small enough to fall under the discretionary spend threshold of most managers ($50 to $200 a month on a credit card), and big enough collectively to fund another two staff members. For a Hawthorn-based professional services firm we audited recently with 48 staff and around $7.5M revenue, the SaaS bill came to $186,000 a year. After audit, we cut it to $142,000 without removing any meaningful capability. That is one and a half graduate salaries, sitting in software nobody used.

Since founding TechAssist in 2014, we have run this exercise inside our managed IT engagements and as standalone projects. The methodology has stabilised into a four-step process that works for any SME with bookkeeping in Xero or MYOB and an executive willing to make some decisions.

Step 1: Extract the spend data

The first step sounds easy and is usually the hardest. You need a clean, single-source list of every recurring software charge the business has paid for in the last 12 months. Not what the IT register says you have. What the bank account and the credit card statements prove you have.

Pulling data from Xero

For Xero-based businesses, the export workflow is:

  1. Go to Accounting, Reports, Account Transactions
  2. Set the date range to the last 13 months (you want one full year plus the current month for renewal visibility)
  3. Filter by the expense accounts you typically book software to: usually ‘Software Subscriptions’, ‘IT Expenses’, ‘Computer Software’, ‘Cloud Services’, and sometimes ‘Marketing’ for tools that snuck in via that team
  4. Export as CSV

You also need the credit card transaction export, separately, because half the rogue subscriptions are on staff cards and never get coded to a software account. Pull the last 13 months of card statements and grep for any merchant name that looks like a SaaS vendor.

Pulling data from MYOB

For MYOB Business or AccountRight users, the workflow is similar: Reports, Accounts, Find Transactions, filter by account, export to Excel. The chart of accounts in MYOB tends to be messier than Xero in our experience, so you will want to also pull the All Journals report for the period and search the description column for known SaaS vendor names.

The Microsoft 365 admin centre and Google Workspace

Do not forget the platform you are already on. Microsoft 365 and Google Workspace both have a billing section showing all subscriptions, seat counts, and the per-seat price. Pull that as a separate dataset. You will use it later when you check seat utilisation against headcount.

At the end of step 1, you should have a single spreadsheet with columns for: vendor name, total annual spend, monthly spend (if recurring), billing frequency, payment method, charge account, and a blank column for ‘function’ which we fill in next.

Step 2: Deduplicate by function

This is where the audit gets interesting. Most SMEs do not think they have duplicate tools. Almost all of them do. The trick is to categorise every tool by the job it does, and then look for jobs being done twice.

Use a six-category matrix:

  • Collaboration and project management. Typical tools: Asana, Trello, ClickUp, Monday, Notion, Jira. Common duplication pattern: two or three of these running in parallel across teams.
  • Communications. Typical tools: Slack, Teams, Discord, Zoom, Webex, Google Meet. Common duplication pattern: Teams paid for as part of M365 plus Slack paid for separately.
  • Development and engineering. Typical tools: GitHub, GitLab, Bitbucket, Jira, Linear, Sentry. Common duplication pattern: multiple issue trackers; multiple monitoring tools.
  • Finance and back-office. Typical tools: Xero, MYOB, Hubdoc, Dext, DocuSign, Adobe Sign. Common duplication pattern: two e-sign tools; a receipt capture tool nobody uses.
  • Marketing and sales. Typical tools: HubSpot, Mailchimp, ActiveCampaign, Salesforce, Pipedrive. Common duplication pattern: multiple CRMs from different sales eras; multiple email platforms.
  • Niche and line-of-business. Typical tools: industry-specific tools (practice management, CAD, EHR). Common duplication pattern: less duplication, more ‘paid but unused’.

For each line in your spreadsheet from step 1, assign a category. Then sort by category and look for duplicates within each category. The patterns we find most often:

  • Three project management tools, because each department picked their own and never standardised
  • Two e-signature platforms (DocuSign for legal, Adobe Sign because it came in Acrobat Pro)
  • Paid Zoom Pro alongside Teams Phone, when nobody actually needs Zoom anymore
  • An old CRM still being paid for after the team migrated to a new one 18 months ago
  • Multiple file-sharing tools (Dropbox, OneDrive, Google Drive, Box) because different teams brought in different ones
  • Two password managers, one of which has six active users out of 40 seats paid

The team in our audit example that kept paying for Trello two years after moving to ClickUp is not an exaggeration. The Trello bill was $18 a user per month for 12 seats, $2,592 a year, billed to the credit card of a manager who left in 2024. Nobody had thought to cancel it because nobody had thought about it at all.
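The first two steps are mechanical enough to script once the spend rows are in one place. The following is an added example, not TechAssist’s template or any client’s data: it takes the column layout the step 1 spreadsheet ends with, annualises each charge, collapses every vendor to one line (so an Asana charge on Xero and an Asana charge on a staff card become one figure) and lists the categories where more than one vendor is being paid for the same job. The sample rows and the keyword catalogue are constructed for illustration; anything the catalogue does not recognise is left for a human to classify rather than guessed.

```python
"""SaaS audit, steps 1 and 2: merge the spend rows you extracted, annualise
them, collapse each vendor to one line and flag categories where the same job
is paid for more than once. Added example; all sample rows are constructed."""
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout the audit spreadsheet ends step 1
# with: one row per recurring charge, from Xero, a staff card or M365 billing.
SPEND_CSV = """source,vendor,amount,frequency,payment_method
xero,Asana Inc,648.00,monthly,direct debit
card,ASANA*SUBSCRIPTION,90.00,monthly,J. Smith personal card
xero,Trello.com,216.00,monthly,company card
xero,ClickUp,3480.00,annual,direct debit
card,NOTION LABS,16.00,monthly,K. Lee personal card
xero,DocuSign Inc,2400.00,annual,direct debit
xero,Adobe Systems,79.00,monthly,company card
xero,Zoom Video Comms,20.99,monthly,company card
card,SLACK TECHNOLOGIES,110.00,monthly,M. Chen personal card
m365,Microsoft 365 Business Premium,1584.00,monthly,direct debit
"""

# Hypothetical catalogue: a merchant-name fragment maps to a canonical vendor
# and the job it does (the six-category matrix, abbreviated). Anything not
# listed lands in "uncategorised" for a human to classify.
CATALOGUE = [
    ("asana", "Asana", "collaboration"),
    ("trello", "Trello", "collaboration"),
    ("clickup", "ClickUp", "collaboration"),
    ("notion", "Notion", "collaboration"),
    ("docusign", "DocuSign", "finance"),
    ("adobe", "Adobe (Acrobat/Sign)", "finance"),
    ("zoom", "Zoom", "communications"),
    ("slack", "Slack", "communications"),
    ("microsoft 365", "Microsoft 365 (incl. Teams)", "communications"),
]

PERIODS_PER_YEAR = {"monthly": 12, "quarterly": 4, "annual": 1}


def annualise(amount, frequency):
    """Convert one charge to annual spend. An unknown frequency raises rather
    than being silently treated as annual, which would understate the bill."""
    return round(float(amount) * PERIODS_PER_YEAR[frequency], 2)


def classify(merchant):
    """Map a raw merchant string to (canonical vendor, category)."""
    key = merchant.lower()
    for fragment, vendor, category in CATALOGUE:
        if fragment in key:
            return vendor, category
    return merchant.strip(), "uncategorised"


def consolidate(csv_text):
    """One line per canonical vendor: annual spend, category and how it was
    paid (the payment method is what exposes charges on personal cards)."""
    lines = defaultdict(lambda: {"annual": 0.0, "category": "", "paid_via": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor, category = classify(row["vendor"])
        entry = lines[vendor]
        entry["annual"] = round(entry["annual"] + annualise(row["amount"], row["frequency"]), 2)
        entry["category"] = category
        entry["paid_via"].add(row["payment_method"])
    return dict(lines)


def find_duplicates(consolidated):
    """Categories where more than one vendor is paid for the same job, each
    listed most expensive first so the likely 'loser' is easy to spot."""
    by_category = defaultdict(list)
    for vendor, entry in consolidated.items():
        if entry["category"] != "uncategorised":
            by_category[entry["category"]].append((vendor, entry["annual"]))
    return {cat: sorted(vendors, key=lambda v: -v[1])
            for cat, vendors in by_category.items() if len(vendors) > 1}


if __name__ == "__main__":
    consolidated = consolidate(SPEND_CSV)
    for vendor, entry in sorted(consolidated.items(), key=lambda kv: -kv[1]["annual"]):
        print(f"{vendor:30} {entry['category']:15} ${entry['annual']:>10,.2f}"
              f"  via {', '.join(sorted(entry['paid_via']))}")
    for cat, vendors in find_duplicates(consolidated).items():
        print(f"DUPLICATE {cat}: " + ", ".join(f"{v} (${a:,.0f})" for v, a in vendors))
```

Run as-is it prints the consolidated list and three duplicate categories; swap SPEND_CSV for your own export and extend CATALOGUE with the vendors your industry uses. The matching is deliberately a plain substring test on the vendor column, which is already reasonably clean in a Xero export; raw card-statement descriptors need more care, and that is the Shadow IT post’s problem.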

Step 3: Map each tool to a business owner

For every line in your now-deduplicated list, you need a named human who owns the decision to keep, kill, or consolidate. This is the step that breaks the audit at most SMEs, because nobody wants to own a tool nobody uses, and nobody wants to admit they signed up for the thing in the first place.

The ownership conversation

Run this as a structured exercise, not an email thread. Get the leadership team in a room with the spreadsheet on a screen. For each line, the question is: “Who is the business owner of this tool?” If nobody puts their hand up, that is the strongest possible signal that the tool should be killed.

Owners need two responsibilities clearly stated:

  • They authorise the spend
  • They are accountable for whether the business gets value from the tool

For tools that survive ownership assignment, you also want a documented use case (“we use Asana for client project tracking across the consulting team, 18 users”) and a renewal date.

Seat utilisation check

For every tool the business is keeping, pull the actual seat utilisation in the last 30 days. Most SaaS vendors have a ‘last active’ or ‘last login’ field in the admin console. Compare paid seats to actively used seats.

A South Melbourne creative agency we audited had 38 Adobe Creative Cloud licences for 24 people. The previous office manager had set up seats for every staff member because Adobe ran a promotion in 2022. Of the 38 seats, 19 had been used in the prior 90 days. Cutting back to 25 seats (24 plus one buffer) saved $11,800 a year. They had been paying $880 a month for unused creative software for 18 months.

Step 4: Kill, consolidate, keep

The final step is the decision. Every tool in your spreadsheet ends up in one of three buckets.

Kill

Tools with no owner, no use case, or zero seat utilisation. Cancel them before the next renewal. For tools billed monthly, the cancellation is easy. For tools on annual contracts, mark the renewal date in the calendar and set a reminder for 60 days prior.

Watch for cancellation friction. Some SaaS vendors require you to call a sales rep to cancel, especially on enterprise tiers. Budget time for this. Some require 30 or 60 days notice. Read the terms before you assume you can cancel today.

Consolidate

Two tools doing the same job, both with active users. The owner of each tool needs to pick one and migrate. Set a realistic migration timeline (usually 60 to 90 days for a project management tool migration; longer for a CRM) and a hard cancellation date for the loser.

Migration is the step where consolidation projects die. Account for the cost: someone needs to actually do the work, and the loser tool needs to stay paid until the migration completes. Build that into the savings calculation.

Keep

Tools with a clear owner, an active use case, and reasonable seat utilisation. For these, the audit work is rightsizing the seat count and aligning the billing frequency. Annual billing is usually 10% to 20% cheaper than monthly. If you are confident in the keep decision, switch to annual at renewal.
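Steps 3 and 4 come down to a few rules applied consistently to every line, and the savings tracker is where most audits lose the plot. The following added example (not TechAssist’s template; the register, seat prices and the 15% annual-billing discount are constructed assumptions) applies the rules above to a small register: no owner, no use case or zero use in 90 days means kill; a tool marked as the loser of a consolidation is costed so that year one only banks the months after migration completes; everything else is rightsized to the observed need (or the stated minimum) plus a one-seat buffer, with the annual-billing switch added for tools still on monthly billing.

```python
"""SaaS audit, steps 3 and 4: turn the owner, use case and seat-utilisation
columns into a kill / consolidate / keep decision per tool and a savings
tracker that accounts for migration overlap. Added example; the tools, prices
and the 15% annual-billing discount are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

ANNUAL_DISCOUNT = 0.15     # assumption: midpoint of the 10-20% annual vs monthly gap
SEAT_BUFFER = 1            # one spare seat over the observed need
ZERO_USE_WINDOW_DAYS = 90  # the window to confirm before calling a tool unused


@dataclass
class Tool:
    name: str
    owner: Optional[str]             # None = nobody put their hand up
    use_case: Optional[str]          # None = no documented reason to keep it
    paid_seats: int
    active_seats: int                # distinct logins in the last 90 days
    seat_price_month: float
    billing: str                     # "monthly" or "annual"
    min_seats: int = 0               # seats the business says it needs regardless
    loses_to: Optional[str] = None   # consolidation winner, if this tool is the loser
    migration_months: int = 0        # months the loser stays paid during migration


def annual_cost(tool):
    return tool.paid_seats * tool.seat_price_month * 12


def target_seats(tool):
    """Rightsized seat count: observed need or stated minimum, plus a buffer."""
    return max(tool.active_seats, tool.min_seats) + SEAT_BUFFER


def decide(tool):
    """Return (decision, run-rate saving, year-one saving, reason)."""
    cost = annual_cost(tool)
    if tool.owner is None:
        return "kill", cost, cost, "no owner"
    if tool.use_case is None:
        return "kill", cost, cost, "no use case"
    if tool.active_seats == 0:
        return "kill", cost, cost, f"zero use in {ZERO_USE_WINDOW_DAYS} days"
    if tool.loses_to:
        # The loser keeps billing until migration completes, so year one
        # only banks the months after cut-over; the run-rate saving is full.
        year_one = cost * (12 - tool.migration_months) / 12
        return "consolidate", cost, year_one, f"migrate users to {tool.loses_to}"
    target = target_seats(tool)
    rightsize = max(tool.paid_seats - target, 0) * tool.seat_price_month * 12
    retained = target * tool.seat_price_month * 12
    switch = retained * ANNUAL_DISCOUNT if tool.billing == "monthly" else 0.0
    saving = round(rightsize + switch, 2)
    reason = f"rightsize {tool.paid_seats}->{target} seats"
    if switch:
        reason += ", switch to annual billing at renewal"
    return "keep", saving, saving, reason


def build_plan(tools):
    """Savings tracker: one row per tool plus run-rate and year-one totals."""
    rows = [(t.name,) + decide(t) for t in tools]
    run_rate = round(sum(r[2] for r in rows), 2)
    year_one = round(sum(r[3] for r in rows), 2)
    return rows, run_rate, year_one


# Constructed sample register (the consolidated-list tab after the ownership workshop).
REGISTER = [
    Tool("Trello", None, None, 12, 0, 18.0, "monthly"),
    Tool("ClickUp", "Ops lead", "project tracking, all teams", 30, 27, 12.0, "annual"),
    Tool("Asana", "Consulting lead", "client projects", 18, 15, 30.0, "monthly",
         loses_to="ClickUp", migration_months=3),
    Tool("Adobe Creative Cloud", "Creative director", "design production", 38, 19, 75.0,
         "monthly", min_seats=24),
    Tool("Legacy CRM", "Sales director", "superseded by new CRM", 10, 0, 40.0, "monthly"),
]

if __name__ == "__main__":
    rows, run_rate, year_one = build_plan(REGISTER)
    for name, decision, rr, y1, reason in rows:
        print(f"{name:22} {decision:12} run-rate ${rr:>9,.2f}  year one ${y1:>9,.2f}  {reason}")
    print(f"Total run-rate saving ${run_rate:,.2f}; banked in year one ${year_one:,.2f}")
```

The two totals are the point: the run-rate figure is what the FY27 budget gets, the year-one figure is what actually lands once the loser tool’s three months of overlap are paid for. Quote the second one to the CFO.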

Typical wins for a sub-$10M SME

For Australian SMEs in the $2M to $10M revenue band, we consistently see SaaS audit savings of 5% to 12% of total SaaS spend. The mix typically breaks down like this:

  • Fully unused tools (kill): 35-45% of the total saving; example annual saving for a mid-sized SME of $8,000-$15,000.
  • Duplicate tools (consolidate): 25-35%; $6,000-$12,000.
  • Over-provisioned seats (rightsizing): 20-30%; $5,000-$10,000.
  • Monthly to annual billing switch: 5-10%; $1,500-$4,000.

For a Cremorne software business we worked with (32 staff, $4.8M revenue, $94,000 annual SaaS spend pre-audit), the savings broke down as $11,200 from killing unused tools, $9,800 from consolidating overlapping tools, $6,400 from rightsizing seats, and $2,100 from billing switches. Total $29,500 a year, 31% reduction. The audit itself took about 14 hours of staff time across three weeks.

The Excel template

The template we use internally has six tabs. You can build your own in an afternoon:

  1. Raw data: CSV exports from Xero or MYOB, pasted as-is, one tab per source
  2. Consolidated list: deduplicated by vendor, with annual spend, monthly spend, billing frequency, category, owner, use case, and decision (kill/consolidate/keep) columns
  3. Seat utilisation: for each kept tool, the paid seats vs active seats vs target seats
  4. Renewal calendar: all renewal dates in date order, colour-coded by criticality
  5. Savings tracker: per-decision annualised saving, with a running total
  6. Action log: what we cancelled, when, what we consolidated, and the realisation date for each saving

The most important tab is the action log. Audits are easy. Execution is hard. Without a tracked action log, half the decisions never get implemented and the savings never land.

Common mistakes during SaaS audits

Not including microservices and add-ons

Many tools are sold as the base product plus per-feature add-ons. HubSpot, Salesforce, Microsoft 365, Adobe Creative Cloud, all have premium add-ons that are often turned on by accident or for a one-off campaign and never turned off. Audit add-ons separately, not just the base product.

Ignoring the implicit licence inside another product

This is the biggest miss. If you are paying for Microsoft 365 Business Premium at $33 per user per month, you already have Teams (voice optional), SharePoint, OneDrive, Exchange, Intune, Defender for Office 365, Azure AD Premium P1, and Power Automate Free. If you are also paying for Slack, Dropbox, a separate identity provider, or a third-party MDM, you are paying twice. Map the included entitlements of your platform tier before assessing the standalone tools.

Forgetting personal credit card subscriptions

If staff expense SaaS through reimbursement, those subscriptions never hit the company card. They live in the expense system. Pull a year of expense claims and search for any vendor name that smells like software.

Treating it as a one-off

SaaS sprawl is a continuous problem. Without a recurring process, you will be back where you started in 18 months. Build a quarterly mini-audit into the finance calendar: every quarter, pull new SaaS charges, check ownership and use case, and add to the central register. This is the kind of governance that comes naturally inside a managed IT services arrangement with per-user fixed monthly pricing, because the MSP has a vested interest in keeping the SaaS register clean.

How this connects to your broader IT environment

A clean SaaS register is a precondition for several other things you probably need to do this year. It feeds directly into your cybersecurity posture, because every SaaS tool is an authentication surface and a data exfiltration risk. It feeds into your Privacy Act compliance, because the 2024 reforms require you to know where personal information lives, and ‘in some SaaS tool nobody can remember the name of’ is no longer acceptable. It also feeds your cloud services strategy, because a deduplicated tool stack is much easier to integrate and govern.

For Essential Eight alignment specifically, the audit is the foundation of the User Application Hardening control. You cannot harden applications you do not know exist.

When to bring in external help

You can run the audit yourself if you have a financially literate operations manager with a few spare hours each week and an executive willing to make decisions. If you do not, or if you suspect the audit will surface uncomfortable conversations about who signed up for what, an external party makes the process faster and less politically charged.

TechAssist runs SaaS audits as a standalone engagement or as part of broader managed IT onboarding. Our team of 13 Australian engineers includes the people who actually know which Microsoft 365 entitlements overlap with which standalone tools, which matters because most of the consolidation savings hide in that overlap. We run audits out of both our Tecoma office and our 575 Bourke Street CBD office, so we can do the workshop in person wherever your team is. If you want to start a conversation, the EOFY window is the right time.

Frequently Asked Questions

How long does a typical SaaS audit take?

For a 30 to 80-staff SME, plan on 12 to 20 hours of work spread over three weeks. The data extraction is the longest single task. The decisions can be made in two or three workshops if leadership is willing to commit time.

Can we just use a SaaS management platform like Vendr or Zylo?

Those tools are excellent for businesses with 200+ staff and SaaS bills over $500,000. For sub-$10M SMEs, the licence cost of the management tool is often higher than the savings it surfaces. Excel and a focused three-week project produce 90% of the result at 10% of the cost.

Should we cancel everything that has zero use, or migrate users first?

Confirm zero use across at least 90 days before cancelling, and notify the listed billing contact (not just the technical contact) before pulling the plug. Some tools are ‘used’ only at month-end or quarter-end and look dormant at other times. A 90-day window catches most of these.

What about free SaaS tools, do they matter for the audit?

From a cost perspective, no. From a security and governance perspective, very much yes. Free tools are where the data leaks happen. That conversation belongs in the Shadow IT review, not the financial audit.

Do we need to involve our MSP in the audit?

If you have one, yes. Your MSP often holds the admin credentials to half the tools you are auditing, knows the seat utilisation in real time, and can execute the cancellations on your behalf. If you run a co-managed IT arrangement, this is the kind of work that should already be part of your quarterly review with the MSP.

When is the right time of year to run the audit?

April or May, to bank the FY27 savings before 30 June. Cancellations made in May reduce your run-rate for FY27 and improve your EBITDA position before EOFY. Audits run in September or October are still valuable, but you have given up a year of savings.

Shadow IT Discovery: Finding the SaaS Tools Your Staff Bought on a Credit Card

The average 50-person Melbourne SME has 60 to 80 SaaS apps in use. Finance can see maybe 15 of them. The rest were signed up to by individual staff on free trials or personal credit cards. The fix is discovery, triage and a clear sanctioning path, not a memo telling people to stop.

Why shadow IT happens (and why blaming users is the wrong move)

Before we talk discovery, it is worth being honest about why shadow IT exists. Three reasons account for almost all of it.

The first is speed. The official process for getting a new SaaS tool approved at most Melbourne SMEs is “raise a request, wait two weeks, get told no”. Trello is free. Notion is free. Calendly is free. ChatGPT is free. A salesperson who needs to send a polished proposal to a prospect by Friday will not wait two weeks. They will sign up for the free tier on Wednesday and put the paid upgrade through their personal card if the trial expires before they have proven the case for an official tool.

The second is feature gaps. Microsoft 365 is excellent at a lot of things and mediocre at a few. Planner is not Trello. Forms is not Typeform. SharePoint document collaboration is not Notion. When the official toolset has a feature-shaped hole, staff fill it from outside. The accounting firm we audited last quarter had three separate Notion workspaces precisely because nobody could agree whether SharePoint or Teams was the right place to do running notes.

The third is autonomy. Department heads — particularly in sales and marketing — often have their own budget and the authority to spend it. They are not breaking any rules when they sign up to HubSpot, Mailchimp, Canva Pro or Loom. They are exercising the budget authority they were given. IT only finds out when something integrates badly with the core stack, or when the credit card runs through to finance.

The right framing is: shadow IT is a signal that your official tooling is missing something. Treat it as feedback, not as misbehaviour.

The actual cost of unsanctioned SaaS

Shadow IT is not free for the business. It costs in five distinct ways.

Direct duplication. Three different teams each paying $50 a month for the same tool because none of them knows the others have it. We have audited Melbourne SMEs that were paying for Slack, Microsoft Teams, Google Chat and Discord simultaneously. None of the leaders knew about all four.

Data exposure. Client data in unmanaged tools the business has no idea exists, with no DLP, no retention policy, and no offboarding when the staff member leaves. The Notion workspace tied to someone’s personal email survives their departure indefinitely unless someone goes looking.

Compliance failure. The Australian Privacy Act obligations apply to personal information regardless of which SaaS tool the staff member chose to store it in. The fact that the tool was not sanctioned by IT is not a defence. The 2024-25 amendments tightened the breach notification and accountability requirements specifically here.

Integration risk. Every shadow tool that connects to Microsoft 365 via OAuth gets a slice of access to your tenant. Most of them are fine. Some of them are not. There is a non-trivial number of “free productivity apps” with read access to mailbox content.

Exit friction. When a senior staff member leaves and they have been the de facto owner of three shadow SaaS tools the rest of the team relies on, you are now in the position of either paying ransom to get the data out, or rebuilding the institutional knowledge from scratch.

Four discovery methods that actually work for SMEs

You do not need to buy a Cloud Access Security Broker for $40,000 a year to find your shadow IT. There are four cheap and effective methods, and the right answer for most Melbourne SMEs is to run all four sequentially.

Method 1: Microsoft Defender for Cloud Apps (if you have it)

If you are on Microsoft 365 E5, Defender for Cloud Apps is built in. If you are on Business Premium, it is not, but the related “Cloud Discovery” features in Microsoft Defender for Endpoint give you a surprisingly useful subset. Both work by analysing endpoint and firewall logs for outbound connections to known SaaS providers, then producing a discovery report that maps which staff are using what.

The first run of this against a tenant is always sobering. We ran it for a 70-person legal firm in Richmond and the discovery report identified 137 distinct cloud services in use, of which the firm had formally sanctioned 12. The rest broke down into “harmless free tools nobody minds” (about 80), “duplicates of things we already pay for” (about 20), “things that should probably be replaced” (about 15), and “wait what is this” (about 10).

Defender for Cloud Apps gives you a risk score per service based on a published catalogue of about 30,000 cloud apps with their compliance and security attributes. That risk score is a useful starting point for triage but should not be treated as the final word.

Method 2: Expense report keyword scan

This costs nothing. Export the last twelve months of corporate card transactions and personal expense reimbursements. Scan for the obvious keywords: Notion, Trello, Asana, Monday, Loom, Calendly, Canva, HubSpot, Mailchimp, ChatGPT, Anthropic, OpenAI, Zapier, Make, Airtable, Slack, Zoom, Lucidchart, Miro, Figma, Dropbox, Google. Add any local Australian SaaS providers relevant to your industry.

This catches everything that has gone through finance — which is roughly two-thirds of all shadow IT, in our experience. The expense report scan is fast, cheap, and produces a list with names attached, which is the part that makes the conversation possible. A salesperson cannot deny they signed up to HubSpot when the $80 a month is on their May expense report.

We did this exercise for a Geelong construction firm and the keyword scan caught more shadow SaaS than the Defender for Cloud Apps discovery did, because so much of the spend was on personal cards being expensed back.
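A script version of the expense report scan, added here as an example and not TechAssist's own tooling. It totals SaaS spend per vendor from a card export and records which teams are paying, so a vendor bought three times over, like the Trellos in the case study, stands out; the column names, keyword regex and sample rows are constructed assumptions.

```python
"""Expense report keyword scan for shadow SaaS spend (added example, not
TechAssist's tooling). Totals SaaS spend per vendor from a CSV export of card
transactions and records which teams pay for it. Columns and rows are constructed."""
import csv
import io
import re
from collections import defaultdict

# Keyword list from the post, lower-cased; add local providers for your industry.
SAAS_KEYWORDS = [
    "notion", "trello", "asana", "monday", "loom", "calendly", "canva", "hubspot",
    "mailchimp", "chatgpt", "anthropic", "openai", "zapier", "make", "airtable",
    "slack", "zoom", "lucidchart", "miro", "figma", "dropbox", "google",
]

# Constructed export: date, cardholder, team, merchant description, amount (AUD).
SAMPLE_CSV = """date,cardholder,team,merchant,amount
2025-03-02,A. Nguyen,Tax,TRELLO.COM ATLASSIAN,117.00
2025-03-05,B. Costa,Audit,Trello* Standard plan,91.00
2025-03-09,C. Singh,Advisory,TRELLO STANDARD,65.00
2025-03-11,D. Lee,Sales,HUBSPOT INC,80.00
2025-03-12,E. Park,Admin,OFFICEWORKS MELBOURNE,42.50
2025-03-15,F. Ali,Tax,NOTION LABS,16.00
"""

def match_vendor(merchant):
    """Return the first keyword found as a whole word in the merchant text, else None."""
    text = merchant.lower()
    for kw in SAAS_KEYWORDS:
        if re.search(r"\b" + re.escape(kw) + r"\b", text):
            return kw
    return None

def scan_expenses(csv_text):
    """Return (spend_by_vendor, teams_by_vendor) for rows matching a keyword."""
    spend = defaultdict(float)
    teams = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = match_vendor(row["merchant"])
        if vendor is None:
            continue  # not a known SaaS merchant
        spend[vendor] += float(row["amount"])
        teams[vendor].add(row["team"])
    return dict(spend), {v: sorted(t) for v, t in teams.items()}

def duplicate_vendors(teams_by_vendor):
    """Vendors paid for by more than one team: first candidates for the Replace bucket."""
    return {v: t for v, t in teams_by_vendor.items() if len(t) > 1}

if __name__ == "__main__":
    spend, teams = scan_expenses(SAMPLE_CSV)
    for vendor, total in sorted(spend.items(), key=lambda kv: -kv[1]):
        print(f"{vendor:<10} ${total:>8.2f}  teams: {', '.join(teams[vendor])}")
    print("bought by more than one team:", duplicate_vendors(teams))
```

Merchant descriptors on real card exports are noisier than the sample, so expect to extend the keyword list after the first pass.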

Method 3: Browser extension audit

If your staff use Chrome or Edge on managed devices, the installed extensions list is a goldmine of shadow tooling. Grammarly, Loom, Asana, Notion Web Clipper, ChatGPT extensions, password manager extensions that are not the corporate one, screen recorders, AI writing assistants — they all show up.

This is also where you find the genuinely risky stuff. There is a long tail of malicious browser extensions that survive on the Chrome Web Store for weeks at a time before being pulled, often with names that look like productivity tools. An extension audit catches these and is also a chance to enforce an allowlist via Microsoft Edge for Business or Chrome Enterprise policies.

For Melbourne SMEs on Microsoft Intune, this is a one-page report. For unmanaged endpoints it requires a walk-the-floor approach, which is part of why endpoint management matters.

Method 4: Microsoft 365 OAuth consent report

This is the one most people miss. Every time a staff member clicks “Sign in with Microsoft” on a third-party SaaS app, that app gets an OAuth token to access some scope of their Microsoft 365 data. The list of apps with active OAuth consent against your tenant lives in the Entra admin centre under Enterprise Applications, and is usually astonishing the first time someone looks.

We did this for a Camberwell architecture firm and found 89 third-party applications with active OAuth consent against their tenant, including three that had been granted “read all mail” scope — one of which was a free email tracking tool an account manager had signed up to in 2022 and forgotten about. That OAuth grant survived their staff turnover and was still active two years later.

The OAuth consent report is also where you find the AI integrations. ChatGPT plugins, Anthropic Claude connections, Zapier OAuth grants, all the new wave of AI productivity tools that are wiring themselves into Microsoft 365. None of them are inherently malicious. All of them deserve to be looked at.

The four-bucket triage: sanction, replace, retire, ignore

Once you have a discovery list, every item goes into one of four buckets. The bucket determines the action. This is the framework we use with every Melbourne SME shadow IT engagement.

Sanction
What it means: Genuinely useful, no reasonable alternative in the existing stack, acceptable risk profile.
Action: Bring under IT management, move billing to the corporate card, document data classification, set up offboarding workflow.
Typical examples: Specialist design tools, niche industry apps, accepted general productivity tools (Calendly, Loom).

Replace
What it means: Duplicates a capability the business already pays for elsewhere.
Action: Migrate users to the official tool, cancel the shadow subscription, set a hard date.
Typical examples: Trello when the org pays for Planner, Dropbox when the org pays for OneDrive, Slack when the org pays for Teams.

Retire
What it means: Genuinely risky, dormant, abandoned, or actively dangerous.
Action: Revoke OAuth grants, contact provider for data export, then delete.
Typical examples: Forgotten OAuth grants from 2022, malicious browser extensions, abandoned personal accounts holding client data.

Ignore
What it means: Low risk, low cost, low value to act on.
Action: Note it, move on, do not waste cycles.
Typical examples: Free productivity tools with no data sharing, personal-use tools, ad-hoc utilities.

The ignore bucket is important. The temptation in shadow IT projects is to try to bring everything under formal control, which is both impossible and counterproductive. If a salesperson has Grammarly installed on their personal browser profile and uses it occasionally, that does not need to be on a vendor management register. Pick your battles.
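The OAuth consent review from Method 4 fed through the four buckets, as an added example that is not TechAssist's own tooling. Each record mirrors the fields of a Microsoft Graph oauth2PermissionGrant (consentType, principalId, scope) with an app name and last-used date you would join in yourself from the service principal and sign-in logs; the records, the 180-day staleness threshold and the AS_OF date are constructed assumptions.

```python
"""Triage of Microsoft 365 OAuth consent grants into the post's buckets
(added example, not TechAssist's tooling). Each record mirrors a Graph API
oauth2PermissionGrant (consentType, principalId, scope) plus two fields you
would join in yourself: the app display name and a last-used date taken from
sign-in logs. All records and the AS_OF date are constructed sample data."""
from datetime import date

# Scopes that expose content rather than identity (real Graph permission names);
# openid, profile, email, offline_access and User.Read only establish who signed in.
CONTENT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                  "Files.ReadWrite.All", "Sites.Read.All", "Contacts.Read"}
STALE_DAYS = 180          # assumption: unused for six months counts as forgotten
AS_OF = date(2025, 7, 1)  # constructed "today" so the report is reproducible

SAMPLE_GRANTS = [  # constructed
    {"app": "Email Tracker Free", "consentType": "Principal", "principalId": "u-1",
     "scope": "openid profile Mail.Read offline_access", "lastUsed": "2022-11-03"},
    {"app": "Notion", "consentType": "Principal", "principalId": "u-2",
     "scope": "openid profile User.Read Mail.Read", "lastUsed": "2025-06-20"},
    {"app": "Calendly", "consentType": "Principal", "principalId": "u-3",
     "scope": "openid profile User.Read", "lastUsed": "2025-06-18"},
    {"app": "Zapier", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Files.ReadWrite.All Mail.ReadWrite offline_access", "lastUsed": "2025-06-01"},
]

def content_scopes(scope_field):
    """Split the space-separated scope string, keeping only content-exposing scopes."""
    return sorted(s for s in scope_field.split() if s in CONTENT_SCOPES)

def triage(grant, today=AS_OF):
    """Return (bucket, reason). Buckets follow the post: retire, sanction
    (a candidate that still needs a human decision) and ignore. 'replace'
    needs knowledge of the sanctioned stack, so it is left to the reviewer."""
    exposed = content_scopes(grant["scope"])
    if not exposed:
        return "ignore", "sign-in only scopes"
    idle = (today - date.fromisoformat(grant["lastUsed"])).days
    if idle > STALE_DAYS:
        return "retire", f"{', '.join(exposed)} unused for {idle} days"
    if grant["consentType"] == "AllPrincipals":
        who = "tenant-wide admin consent"   # every user's data, not one person's
    else:
        who = f"user {grant['principalId']}"
    return "sanction", f"{', '.join(exposed)} in active use ({who})"

def triage_report(grants, today=AS_OF):
    """Map app name to its (bucket, reason); the list your four-bucket review starts from."""
    return {g["app"]: triage(g, today) for g in grants}

if __name__ == "__main__":
    for app, (bucket, why) in triage_report(SAMPLE_GRANTS).items():
        print(f"{bucket:<9} {app:<20} {why}")
```

The stale "Mail.Read" grant from 2022 lands in retire, the actively used ones with content scopes land in sanction for a human decision, and the sign-in-only grant is ignored.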

Case study: a Melbourne accounting firm with three Trellos

A mid-sized accounting firm we work with — about 60 staff across two offices, including one in South Yarra — asked us to run a shadow IT discovery exercise in mid-2025 because their cyber insurer had started asking pointed questions about SaaS inventory at renewal. The findings were instructive.

The expense report scan turned up three separate Trello accounts run by three different teams. None of the teams knew the others had one. Each was paying $13 per user per month for the standard tier. The combined annual spend was $14,400, and the equivalent functionality was already available in Microsoft Planner and Loop, which were included in their existing M365 Business Premium subscription.

The OAuth consent report identified two Notion workspaces with active access to mailbox content. One was being actively used by the marketing team; the other belonged to a partner who had set it up in 2023 to draft a strategy document and then forgotten about it. The forgotten one still had read access to his mailbox via OAuth.

Most concerning, the browser extension audit identified a competitor’s project management tool — a SaaS aimed at accounting firms specifically — installed by a junior accountant on her work laptop. She had been adding live client data into it as a personal productivity tool because she found it easier than the firm’s official practice management software. The client data exposure was real, the staff member’s intent was harmless, and the underlying problem was that the official tool was genuinely worse than the alternative she found.

The triage outcome: Trellos consolidated and replaced with Planner over six weeks. The active Notion workspace was sanctioned and brought under IT management with proper offboarding workflow. The forgotten one was retired and OAuth revoked. The competitor tool was retired, the data was migrated out and into the firm’s official system, and the practice management software was put on the roadmap for replacement because the staff feedback was now formally on the table. None of this would have happened without the discovery exercise.

Building a sanctioning path so this does not happen again

Discovery is the first step. The longer-term fix is to build an internal path for staff to legitimately request new SaaS tools, with a turnaround time fast enough that they do not need to go around it. Three principles.

Time-box the approval. Five business days from request to yes/no. Longer than that and people will revert to shadow IT. The five-day commitment is enforceable if the assessment is structured: data classification, vendor security posture, integration impact, cost. A senior engineer can usually run this in two hours.

Pre-approve common categories. Maintain a list of SaaS categories where any tool from a pre-approved shortlist can be self-served by staff. Design tools, video conferencing, scheduling tools — none of these need a full assessment every time someone wants to use one. The shortlist gets reviewed quarterly.

Make rejection mean something. If you say no to a tool, you owe the requester either an alternative that meets their need or a clear explanation of why the problem cannot be solved that way. “No” without context is what drives staff into the shadow IT cycle. Co-managed IT models often work well here because they give internal IT the capacity to run this assessment without becoming the bottleneck.

The role of identity and conditional access

Shadow IT discovery is closely related to the broader identity story. The more you centralise authentication through Microsoft Entra ID, the more visibility you get over what is connected to your tenant. Tools that require staff to create separate accounts with personal email addresses are inherently invisible; tools that integrate via “Sign in with Microsoft” show up in the OAuth consent report.

Conditional Access policies can be configured to require admin consent for any new third-party application requesting Microsoft 365 data access, which closes the OAuth-grant-from-2022 problem at the source. This is one configuration change, takes about thirty minutes, and stops new shadow IT from accumulating in that specific way. We make it a standard part of the cybersecurity baseline for every new client tenant we onboard.

The trade-off is that admin consent becomes a queue you have to service. If the queue is slow, staff will route around it. Five business days, again.

What this costs to fix

For a typical 50-person Melbourne SME, a complete shadow IT discovery and triage engagement runs four to six weeks of elapsed time and one to two days of senior engineer effort. The deliverables are: an inventory of cloud services in use, a triage report with recommended actions per service, a remediation plan for the high-risk items, and a sanctioning workflow design for ongoing requests.

The hard-dollar return varies but is almost always positive. The Geelong construction firm saved $9,400 a year in duplicate SaaS subscriptions identified during discovery. The Richmond legal firm saved closer to $22,000 because they had been paying for three project management tools and four file-sharing tools simultaneously. The South Yarra accounting firm broke even on direct cost but eliminated a real data exposure that would have been a notifiable breach if it had been discovered later.

The softer return — the reduction in compliance risk, the cleaner OAuth surface, the ability to answer “what SaaS tools do you use” honestly on an insurance renewal — is harder to put a number on but matters more.

How TechAssist runs shadow IT discovery

We treat shadow IT discovery as a structured engagement, not an ongoing service. The work is intensive for four to six weeks and then transitions into a steady-state sanctioning process that internal stakeholders can run themselves with our support.

Founded in 2014, we have 13 Australian-employed engineers and a 24/7 NOC in Tecoma. Our two offices — Tecoma and 575 Bourke Street CBD — let us run on-site sessions for Melbourne metro clients on the same business day where the discovery work needs human follow-up. We are Essential Eight aligned and ISO 27001 capable, which matters when the deliverable from the engagement needs to land in front of an auditor or cyber insurer.

We have run shadow IT engagements for clients in construction, manufacturing, logistics, law firms, accounting firms and healthcare. The methodology is broadly similar; the specific tools that show up vary wildly by industry. A construction firm’s shadow IT is almost entirely site-management apps and free file-sharing tools. A law firm’s is document collaboration and AI drafting tools. A healthcare provider’s is patient communication platforms — which is where the regulatory stakes get serious.

Frequently Asked Questions

Is shadow IT really a security problem or just an IT housekeeping issue?

Both, depending on which tool. A free Calendly account with no client data in it is housekeeping. A Notion workspace holding client matter notes with OAuth access to a partner’s mailbox is a security problem. The point of discovery and triage is to tell the difference and act accordingly.

Can we just ban shadow IT outright?

You can write a policy that says so, but you cannot enforce it without either heavy egress controls (which most SMEs find impractical) or a fast sanctioning process (which most do not have). The realistic answer is “discover, triage, sanction the useful, retire the risky, build a fast path for new requests so people use it”.

How often should we run a discovery exercise?

The first run is the big one. After that, an annual refresh combined with a quarterly OAuth consent review is enough for most Melbourne SMEs. If your business is going through rapid headcount growth or a significant tooling change, run discovery more often.

Do free SaaS tools count as shadow IT?

Yes. The pricing is irrelevant to the risk assessment. A free Trello account with client tasks in it is the same data exposure problem as a paid one. The triage matters more than the cost.

What about staff using their personal ChatGPT account for work?

This is the 2026 version of the shadow IT problem and it deserves its own conversation. Personal AI accounts in use for work tasks need to be either replaced with sanctioned enterprise alternatives (Microsoft 365 Copilot Chat, ChatGPT Team, Anthropic Claude Team) or actively prohibited. The middle ground — “just be careful” — does not work because there is no audit trail.

Should we tell staff we are running discovery?

Yes. Transparency makes the exercise work better. Staff who know discovery is happening volunteer information that the technical methods would not have caught. Frame it as “we want to make sure the tools you need are properly supported”, not as “we are looking for who broke the rules”.

What to do this week

Pick one of the four discovery methods and run it. The expense report scan is the easiest starting point and requires nothing more than a spreadsheet and an hour. The OAuth consent review is the second easiest if you have Microsoft 365 admin access. Both will turn up enough to justify a broader conversation.

Whatever you find, do not lead with blame. Lead with curiosity. The staff who signed up for these tools were trying to do their jobs. The fix is to build a system where doing their jobs and following the rules are the same thing.

If you want a hand running a structured shadow IT discovery and triage across your Melbourne business, get in touch. We will tell you what is worth fixing and what is not.
