Shadow IT Audit Checklist

30-Day Assessment for IT Directors

A structured, completable 30-day audit checklist. Four weeks, five detection methods, 60+ tasks. Print it, assign it, work through it.

Pre-Audit Preparation

Stakeholder Buy-In

Secure sponsorship from CISO or VP of IT. Brief department heads on audit scope and amnesty policy. Align with finance on expense data access. Coordinate with HR on employee survey communications.

Team Assembly

IT Security (lead), IT Operations (network/SSO), Finance (spend data), HR (survey), Compliance/Legal (regulatory assessment). Each team member owns specific checklist sections.

Week 1: Network and SSO Discovery

Network Discovery Tasks

  • Deploy DNS monitoring on primary DNS resolvers
  • Export 30 days of firewall logs filtered for SaaS domains
  • Identify top 50 most-accessed external domains by traffic volume
  • Cross-reference detected domains against approved software catalog
  • Flag AI-specific domains (openai.com, anthropic.com, midjourney.com, etc.)
  • Document newly-detected domains not in any previous audit
  • Classify detected apps by category (productivity, communication, storage, AI)
  • Estimate user count per shadow app based on connection frequency

SSO Gap Analysis Tasks

  • Export complete list of SSO-integrated applications from IdP
  • Pull OAuth consent grant log for the past 90 days
  • Identify OAuth grants to applications not in the approved catalog
  • Review dormant SSO integrations (no logins in 90+ days)
  • Document SSO gaps: apps detected by network but not integrated with IdP
  • Flag applications with overly broad OAuth scopes

Week 2: Financial and Browser Audit

Financial Spend Audit Tasks

  • Request corporate credit card statements (past 12 months) from finance
  • Filter transactions for recurring SaaS charges ($5 to $500/month range)
  • Review expense reports for software/tool reimbursement claims
  • Check department budgets for unallocated 'software' or 'tools' line items
  • Cross-reference discovered subscriptions against SSO app catalog
  • Calculate total unauthorized spend by department and app category
  • Identify the top 10 highest-spend shadow applications
  • Document any shadow apps with enterprise license alternatives available

Browser Extension Inventory Tasks

  • Pull browser extension inventory from endpoint management platform
  • Identify extensions with broad permissions (read/change all site data)
  • Flag AI assistant and chatbot browser extensions
  • Check for extensions that have expanded permissions after recent updates
  • Document data access level for each extension (minimal/moderate/broad)
  • Compile list of extensions to block, allow, or review

Week 3: Employee Survey and Classification

Employee Survey Tasks

  • Design anonymous survey covering tool categories: PM, file sharing, AI, communication, design
  • Include questions about personal device usage for work tasks
  • Include specific questions about AI tool usage (which tools, what data)
  • Distribute survey with amnesty guarantee for disclosed tools
  • Set 5-day response deadline with 2 follow-up reminders
  • Analyze responses by department, role level, and tool category
  • Cross-reference survey results with network and financial discovery data
  • Identify tools mentioned in surveys but not detected by technical methods

Data Classification Tasks

  • Classify each discovered app by data sensitivity: public, internal, confidential, regulated
  • Map regulated data types to specific apps (PII, ePHI, payment data, IP)
  • Identify apps processing data subject to GDPR, HIPAA, SOC 2, or PCI DSS
  • Flag apps with no data processing agreement on file
  • Document data residency for each app (EEA, US, unknown)
  • Assess vendor security posture for top 20 riskiest shadow apps

Week 4: Consolidation and Reporting

Registry Consolidation

  • Deduplicate shadow app list across all 5 detection methods
  • Create master shadow app registry with: app name, category, user count, data classification, risk score, department, detection method
  • Assign ownership for each discovered shadow app (department head)
  • Validate user counts by cross-referencing network and SSO data
  • Tag each app: approve, replace with alternative, or remediate
  • Calculate total annual cost for all discovered shadow subscriptions

Risk Scoring

  • Score each app on 4 dimensions: data sensitivity, user count, compliance impact, alternative availability
  • Weight scores by organizational risk tolerance
  • Rank all shadow apps by combined risk score
  • Identify top 10 highest-risk shadow apps for immediate remediation

Executive Summary

  • Draft executive summary: total shadow apps, total unauthorized spend, top risks
  • Include compliance exposure calculation by applicable framework
  • Create 90-day remediation roadmap prioritized by risk score
  • Prepare board-ready presentation with key metrics and recommendations

Shadow App Registry Template

Your audit deliverable should include a registry with one row per discovered shadow app. Here is the recommended field structure:

FieldExample
App NameNotion (Personal)
CategoryProject Management / Notes
Users23
Data ClassificationConfidential
Risk ScoreHigh (8/10)
DepartmentEngineering
Detection MethodNetwork + Survey
Monthly Cost$10/user = $230/month
Approved AlternativeConfluence (licensed)
ActionMigrate to Confluence by Q2

Post-Audit Next Steps

Governance Framework

Build a 12-week governance implementation plan based on audit findings.

Management Tools

Compare 8 platforms for ongoing shadow IT discovery and governance.

ROI Calculator

Build the business case for governance investment using audit data.

Cost CalculatorDetection MethodsGovernance FrameworkManagement ToolsCompliance Costs

Frequently Asked Questions

How long does a shadow IT audit take?

A comprehensive shadow IT audit takes 4 weeks using all 5 detection methods. Week 1: network and SSO discovery. Week 2: financial and browser audit. Week 3: employee survey and data classification. Week 4: consolidation, risk scoring, and executive reporting.

Who should be on the shadow IT audit team?

The audit team should include: IT security (lead the technical discovery), IT operations (SSO and network expertise), Finance (expense and credit card data access), HR (employee survey design and communication), and a compliance/legal representative (data classification and regulatory assessment).

How often should shadow IT audits be repeated?

Run a full 4-week audit annually. Conduct quarterly lightweight audits (1 to 2 weeks) tracking changes against the baseline registry. Implement continuous monitoring between audits using CASB, DNS monitoring, and SaaS management tools.

What is a shadow app registry?

A shadow app registry is a documented inventory of all unauthorized applications discovered during an audit. Each entry includes: app name, category, user count, data classification, risk score, department owner, detection method, cost, approved alternative, and required action (approve, replace, or block).

Should employees be punished for using shadow IT?

No. Best practice is an amnesty-first approach. Employees use shadow IT because approved alternatives are missing, too slow to procure, or inadequate for their needs. Punitive approaches drive shadow IT further underground. Amnesty periods encourage honest disclosure and provide data to improve the approved software catalog.

What are the deliverables from a shadow IT audit?

Key deliverables are: a master shadow app registry with risk scores, total unauthorized spend calculation, compliance exposure assessment by framework, a prioritized remediation roadmap, a board-ready executive summary, and governance framework recommendations.