Independent and vendor-neutral. Every figure on this site is either a source-cited published statistic or a reader-controlled bounded calculation. No vendor averages presented as fact.

ShadowITCost

Last verified April 2026

Method 3 of 4

Expense Audit: Finding Shadow IT in Your Financial Trail

Pull 12 months of expense report and corporate card data. Filter for SaaS merchants using MCC codes and a known-vendor keyword list. Reconcile against SSO gap findings.

What this method covers

Any shadow IT that leaves a financial trail through your corporate card issuer or expense reimbursement platform. That includes departmental SaaS subscriptions paid on corporate cards without IT review, personal-card SaaS subscriptions that were later reimbursed, vendor invoices paid through accounts payable, and annual SaaS renewals accrued in financial subledgers. For paid SaaS, this method is the most complete source of truth outside of a SaaS management platform deployment.

The step-by-step method

  1. Work with the finance team to pull 12 months of transaction data from the corporate card issuer and the expense platform. Include merchant name, MCC, date, amount, card-holder or submitter, and memo. Twelve months captures annual renewals.
  2. Also pull vendor payments from accounts payable for the same period, filtered for category codes consistent with software or digital services, plus a keyword search for common SaaS vendor names.
  3. First-stage filter: MCC 5734, 5817, 5815, 7372, 7379, plus a keyword list of known SaaS merchants. This gives you candidate transactions, typically several hundred to several thousand rows.
  4. Second-stage validation: cross-reference candidate merchants against the SSO gap baseline, check each merchant against a SaaS vendor database (Crunchbase, G2), sample memo fields for business justification. Drop false positives.
  5. Consolidate: merge all rows by merchant, summing annual spend. Count distinct card-holders or submitters to estimate user count.
  6. Annotate: for each merchant, add data-classification estimate, department concentration, and whether the app appears on the approved catalog. Apps paid for but not on the catalog are the shadow IT gap from this method.
  7. Add to the consolidated registry. Flag consolidation candidates (same app paid for by multiple card-holders separately) as a priority for procurement review.
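The pipeline in steps 3 to 7, and the two-stage false-positive check and merchant consolidation described again in the FAQ below, as an added Python example (this is not code from ShadowITCost). It runs over a constructed card export embedded in the block; the consumer denylist, the payment-processor prefix list, the extra keywords beyond the page's examples, and the SSO gap, vendor and catalog lists are all assumptions standing in for your own data and for a Crunchbase/G2 lookup.

```python
"""Two-stage expense-audit filter for SaaS discovery (added example, not the
page's code): MCC/keyword candidate filter, validation against an SSO gap
baseline and a vendor list, consolidation by merchant, catalog annotation."""
import csv
import io
import re

SAAS_MCCS = {"5734", "5815", "5817", "7372", "7379", "5968"}  # the page's MCC list
# Merchant-name fragments for known SaaS vendors (page's examples plus assumed
# additions). Matching is deliberately loose; stage two removes the noise.
SAAS_KEYWORDS = ("figma", "notion", "slack", "canva", "loom", "typeform",
                 "airtable", "miro", "openai", "github")
# Consumer services that share SaaS MCCs but are not business tools (assumed).
CONSUMER_DENYLIST = ("spotify", "netflix", "kindle")
# Card-processor prefixes that hide the real merchant ("PAYPAL *TYPEFORM").
PROCESSOR_PREFIX = re.compile(r"^(paypal|sq|tst|sp|google)\s*\*\s*")
LEGAL_NOISE = {"inc", "llc", "ltd", "sl", "usa", "us", "subscr"}

# Constructed sample export: a 12-month pull trimmed to illustrative rows.
SAMPLE_CSV = """date,merchant,mcc,amount,submitter,department,memo
2025-01-05,FIGMA INC,5817,15.00,alice,marketing,design seat
2025-02-05,FIGMA INC,5817,15.00,alice,marketing,design seat
2025-01-12,FIGMA INC,5817,15.00,bob,marketing,figma for campaign mockups
2025-02-12,FIGMA INC,5817,15.00,bob,marketing,figma for campaign mockups
2025-01-20,NOTION LABS INC,7372,96.00,carol,engineering,team wiki annual
2025-01-22,SPOTIFY USA,5815,9.99,dave,sales,music
2025-04-03,PAYPAL *TYPEFORM SL,7399,35.00,erin,sales,customer survey tool
2025-04-15,AMZN MKTP US,5942,42.10,frank,ops,books
2025-05-01,MIDWEST PRINT SVC,7379,120.00,grace,ops,printer maintenance
2025-06-01,OPENAI *CHATGPT SUBSCR,7372,20.00,hank,engineering,chatgpt plus
"""
# Constructed validation inputs: SSO gap baseline, a vendor list standing in
# for a Crunchbase/G2 lookup, and the approved application catalog.
SSO_GAP = ("figma", "typeform")
VENDOR_DB = ("figma", "notion", "typeform", "openai", "slack")
APPROVED_CATALOG = ("notion", "slack", "github")


def normalize_merchant(raw):
    """Collapse card descriptors so 'PAYPAL *TYPEFORM SL' keys as 'typeform'."""
    name = PROCESSOR_PREFIX.sub("", raw.strip().lower())
    name = re.sub(r"[^a-z ]+", " ", name)  # drop digits, '*' and punctuation
    return " ".join(t for t in name.split() if t not in LEGAL_NOISE)


def matches(name, fragments):
    """First fragment contained in name, else None."""
    return next((f for f in fragments if f in name), None)


def stage_one(rows):
    """Candidates: SaaS MCC or a known merchant keyword (catches miscoded MCCs)."""
    out = []
    for r in rows:
        key = normalize_merchant(r["merchant"])
        kw = matches(key, SAAS_KEYWORDS)
        if r["mcc"] in SAAS_MCCS or kw:
            out.append({**r, "key": key, "keyword": kw})
    return out


def stage_two(candidates, sso_gap, vendor_db):
    """Drop consumer services; confirm merchants backed by a keyword, the SSO
    gap list or the vendor list; leave the rest for manual memo review."""
    out = []
    for r in candidates:
        if matches(r["key"], CONSUMER_DENYLIST):
            continue
        backed = r["keyword"] or matches(r["key"], sso_gap) or matches(r["key"], vendor_db)
        out.append({**r, "status": "confirmed" if backed else "review"})
    return out


def consolidate(validated):
    """Merge rows per merchant: annual spend, submitters, department spend, memos."""
    apps = {}
    for r in validated:
        app = apps.setdefault(r["key"], {"merchant": r["key"], "status": r["status"],
                                         "annual_spend": 0.0, "submitters": set(),
                                         "departments": {}, "memos": []})
        amt = float(r["amount"])
        app["annual_spend"] += amt
        app["submitters"].add(r["submitter"])
        app["departments"][r["department"]] = app["departments"].get(r["department"], 0.0) + amt
        if len(app["memos"]) < 3:  # memo sample for the human review pass
            app["memos"].append(r["memo"])
    return apps


def annotate(apps, approved_catalog, consolidation_threshold=2):
    """Catalog check, shadow flag, user count and consolidation flag per app."""
    for app in apps.values():
        app["annual_spend"] = round(app["annual_spend"], 2)
        app["user_count"] = len(app["submitters"])
        app["on_catalog"] = matches(app["merchant"], approved_catalog) is not None
        app["shadow_it"] = app["status"] == "confirmed" and not app["on_catalog"]
        app["consolidation_candidate"] = app["user_count"] >= consolidation_threshold
        app["top_department"] = max(app["departments"], key=app["departments"].get)
    return sorted(apps.values(), key=lambda a: a["annual_spend"], reverse=True)


def run_audit(csv_text, sso_gap, vendor_db, approved_catalog):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    validated = stage_two(stage_one(rows), sso_gap, vendor_db)
    return annotate(consolidate(validated), approved_catalog)


def shadow_spend(report):
    """Annual spend of confirmed off-catalog apps: the observable-spend input."""
    return round(sum(a["annual_spend"] for a in report if a["shadow_it"]), 2)


if __name__ == "__main__":
    for a in run_audit(SAMPLE_CSV, SSO_GAP, VENDOR_DB, APPROVED_CATALOG):
        print(f"{a['merchant']:<18} {a['status']:<9} ${a['annual_spend']:>8.2f} "
              f"users={a['user_count']} shadow={a['shadow_it']} "
              f"consolidate={a['consolidation_candidate']}")
```

On the sample, Spotify is dropped in stage two, the miscoded PayPal-fronted Typeform charge survives through the keyword path after merchant normalization, the two separate Figma subscriptions merge into one entry flagged as a consolidation candidate, and the MCC-only printer-maintenance charge stays in as "review" rather than being counted as shadow spend until someone has read its memos. Merchant normalization is the step most worth tuning against your own issuer's descriptor format.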

Typical findings and benchmarks

Practitioner patterns from discovery sprints: the same SaaS tool often appears as 10 to 50 separate personal subscriptions before consolidation; annual shadow spend surfaced by expense audit alone typically sits in the 1 to 3 percent of total IT spend range for partial-maturity mid-market organizations; the long tail of sub-$500 annual subscriptions often represents 40 to 60 percent of the distinct-app count but only 10 to 20 percent of the dollar spend.

These ranges are practitioner heuristics, not peer-reviewed benchmarks. They are offered as rough expectations to help you sanity-check your own results. Your numbers will depend on industry, company size, procurement maturity, and remote-work posture.

Blind spots

Free-tier SaaS leaves no financial trail and is invisible to this method. Personal-card spend that was never reimbursed is also invisible (common for AI assistants bought by individual knowledge workers). Some SaaS purchases are buried in reseller invoices where the line-item detail sits on a separate invoice, and AP reconciliation often misses these. Card descriptors that show a payment processor (a PAYPAL * or SQ * prefix, for example) rather than the vendor can also hide SaaS spend from a keyword search unless merchant names are normalized first. Non-SaaS shadow IT (browser extensions, local tools, open-source software) is entirely out of scope for this method.

Output

Add detected apps to the consolidated shadow app registry from the discovery methods overview page. The annual-spend number from this method is the primary input to the observable spend cost category and feeds the board-ready exposure estimate on /measure-your-exposure.

Common MCC codes worth filtering

5734 Computer Software Stores
5817 Digital Goods: Applications (excludes games)
5815 Digital Goods: Media, Books, Movies, Music
7372 Computer Programming, Data Processing, Integrated Systems Design Services
7379 Computer Maintenance, Repair and Services, Not Elsewhere Classified
5968 Direct Marketing: Continuity/Subscription Merchants


Frequently asked questions

What data do I pull?
Twelve months of corporate card transactions and expense reimbursement data, with merchant name, merchant category code (MCC), date, amount, card-holder or submitter name, and any memo field. Work with the finance team to pull directly from the corporate card issuer (Brex, Ramp, AmEx, Chase) and from your expense platform (Expensify, Concur, Pleo). Twelve months captures annual renewals and smooths out seasonal noise.
Which MCC codes filter for SaaS?
The most productive filters are MCC 5734 (Computer Software Stores), 5817 (Digital Goods, Applications), 5815 (Digital Goods, Media), 7372 (Computer Programming, Data Processing), and 7379 (Computer Services not classified elsewhere). MCC-based filtering is imprecise because many SaaS vendors are miscoded, so also run a keyword search for known SaaS merchant name fragments (figma, notion, slack, canva, loom, typeform, airtable, miro) in the full transaction list.
What about personal card spend that was never reimbursed?
Expense audit does not see it. That is one of the primary blind spots of this method. The mitigation is the amnesty-framed employee survey (method four), which asks employees to voluntarily disclose tools they pay for personally. Personal-card-never-reimbursed spend is typically a long tail of small subscriptions and is often low-dollar, but it can include AI assistants and tools with sensitive data, so the survey is worth running.
How do I avoid false positives?
MCC codes are noisy. A $9.99 Spotify subscription in MCC 5815 is not shadow IT. Use two-stage filtering: (1) filter by MCC and keyword to get candidate transactions; (2) for each candidate merchant, validate by (a) cross-referencing the SSO gap list, (b) looking up the merchant in a SaaS vendor database such as Crunchbase or G2 to confirm it is a business SaaS product, and (c) sampling the expense memo field for business justification language. The false-positive rate after the second filter is typically under 10 percent.
What if the same app has 20 separate personal subscriptions?
That is a very common finding: a department uses the same SaaS tool, but each team member expenses their own personal subscription. Consolidate these in the output by merging all rows with the same merchant into a single app entry, summing annual spend. This identifies the strongest consolidation candidates, where one enterprise agreement would replace N individual subscriptions at a lower per-seat cost.
Does this method find AI tool spend?
Partially. ChatGPT Team, ChatGPT Enterprise, Claude Pro, GitHub Copilot, and similar are typically surfaced by expense audit. Free-tier AI use (ChatGPT free, Claude free, Gemini free, open-source tools) leaves no financial trail and requires the survey or browser inventory to find. For shadow AI, sequence expense audit followed by browser audit and a targeted AI-focused survey question.