Learn how New Zealand office managers can run a focused 90 minute SaaS audit, cut 15–20% of wasted software spend, reduce security risk, and use simple templates, scripts, and governance rhythms to keep cloud applications under control.
SaaS stack audit in 90 minutes: the consolidation playbook for office managers

Why a 90 minute SaaS audit belongs on your calendar

Most New Zealand offices run on a messy mix of SaaS applications. That messy mix quietly drives up software spend, weakens security controls, and leaves you carrying the audit risk when something breaks. A focused 90 minute SaaS review can reset your entire cloud application environment without needing a full IT project.

As office manager, you see invoices, staff requests, and support tickets before anyone else. That vantage point makes you the natural owner of practical SaaS management, even if a third party IT provider technically runs the cloud services. Treat this as business risk management, not a technical tidy up, because the real time impact shows up in payroll delays, sales reporting gaps, and compliance headaches.

Think of the 90 minute audit as a structured internal review for tools, not people. You are not judging staff, you are judging software, services, and data flows against basic management controls. The goal is simple and measurable, namely to cut waste, reduce risk, and improve access to the few apps that actually support work.

Global benchmarks from the Zylo SaaS Management Index show that organisations without disciplined subscription management overspend by roughly a quarter. For example, Zylo’s 2023 Index reports an average 26 percent overspend on unused or underused licences across mid market organisations. In New Zealand, Insentra has warned that running more than one hundred cloud apps is both expensive and risky for mid sized companies, noting that one client reduced its active SaaS catalogue from 143 to 96 applications and cut annual spend by just over 18 percent after a structured review. Those numbers translate into very real dollars on your P&L, especially when every department can swipe a card for new apps without any audit process.

The 90 minute window forces sharp choices and keeps the audit process lightweight. You are not building a perfect management platform on day one, you are building a usable inventory and a one page business case. That is exactly the level of reporting your CEO or COO needs to greenlight deeper risk assessment or contract changes.

The 90 minute framework: inventory, classify, calculate, propose

Start the SaaS audit sprint with a ruthless inventory. Pull the last three months of credit card statements, accounts payable data, and any expense app exports to capture every recurring application charge. For instance, a typical line might read “ACME SOFTWARE LTD – SUBSCRIPTION – $89.00 NZD / MONTH – COST CENTRE: SALES”. Include obvious SaaS applications like Xero, Google Workspace, and Microsoft 365, but also niche cloud apps for sales, HR, and facilities management.

Next, classify each line into three buckets, namely essential, overlapping, or unused. Essential apps are those where loss of access would halt payroll, sales operations, or compliance reporting within a day. Overlapping apps are where you have multiple services doing similar jobs, such as Slack and Teams for communication or Monday and Asana for project management.

Unused apps are the goldmine for spend optimisation and risk reduction. Look for licences where there has been no login data for ninety days, or where the only activity is automated security monitoring emails. A simple 90 day usage check might show that 7 of 25 paid seats in a proposal tool have had zero sign ins since the last quarter. If you lack direct usage dashboards, ask your IT support or managed services provider to export real time SaaS usage reports from your central management platform.

Once you have the three buckets, calculate annualised SaaS spend for each. Multiply the monthly subscription by twelve, then tag each amount with a simple risk management note, such as high security impact or low business impact. This gives you a fast risk assessment view that leadership can understand without reading a full internal audit report.

Finally, turn the numbers into a one page proposal with three sections. First, list immediate cancellations for unused apps, then list consolidation opportunities where one application can replace several cloud tools. Third, outline a light governance model for future audits, including who approves new services and how often you repeat the software review.

When you present this to leadership, time it around renewal dates, not mid contract. Use the audit results to renegotiate with vendors when you still have leverage, especially for large data platforms or critical compliance tools. For a deeper view on how automation expectations are shifting in local offices, read this analysis of the government’s automation mandate and its signal for private offices at AI as a basic expectation in New Zealand offices.

Shadow IT in New Zealand offices: where the real risk hides

Shadow IT is not a buzzword in New Zealand offices, it is your daily reality. Staff sign up for new SaaS apps with personal cards, then expense them through generic cost codes that never mention software. Those small charges quietly expand your application footprint, increase security exposure, and complicate every future audit.

To surface these hidden services, start with expense reports and petty cash reimbursements. Search for keywords like subscription, licence, or cloud, then map each item to a named application and owner. This simple internal audit step often reveals duplicate project tools, overlapping file sharing apps, and third party integrations that nobody is actively managing.

Next, check your Google Workspace admin console for connected apps. Many SaaS applications request access to email, calendars, or contacts, and those connections create both security and compliance obligations. Treat every new connection as part of your audit process, asking whether the business benefit justifies the additional risk and data exposure.

Shadow IT is also a governance story, not just a security story. When every team can buy its own software, you lose central controls over data retention, access rights, and reporting standards. That fragmentation makes it harder to meet IRD record keeping rules, WorkSafe documentation expectations, and any sector specific compliance requirements.

Build a simple policy that channels new requests through you as office manager. You are not blocking innovation, you are coordinating it, ensuring that new apps align with existing audit processes, risk management frameworks, and security monitoring practices. For a deeper explanation of why traceability matters, see this guide on what auditability means for New Zealand office managers at auditability and why it matters.

When you run your next round of audits, include shadow IT explicitly in the scope. Ask each team lead to list any apps they pay for directly, then cross check against finance data and your central management platform. Over time, this normalises the idea that every application, whether official or not, sits inside a shared SaaS governance framework.

From messy stack to governed system: templates you can use on Monday

Turning a chaotic SaaS stack into a governed system does not require a new department. It requires a repeatable template that fits into your existing management routines and respects the limited time you have. Think of it as adding a light layer of controls on top of the tools you already use, not building a new bureaucracy.

Start with a simple SaaS register in a spreadsheet or lightweight management platform. Each row should capture the application name, owner, department, cost, renewal date, data classification, and key security notes. Add columns for whether the app is essential, overlapping, or unused, and whether it integrates with core systems like Google Workspace or your payroll software.

Below is a minimal SaaS register layout you can copy into Excel or Google Sheets on Monday morning. Paste these columns into row one of a new sheet, then add one row per application as you work through your audit:

Example columns (copy into CSV or Google Sheets): Application | Owner | Department | Monthly Cost (NZD) | Renewal Date | Status (Essential / Overlapping / Unused) | Data Type (Payroll / Customer / Internal) | Integrations (e.g. Google Workspace, Xero) | Risk Note

Worked example row: "ProposalPro" | Sales Manager | Sales | $240 | 30/09/2024 | Overlapping | Customer | Google Workspace | 7 of 25 seats inactive for 90+ days, consolidate to core CRM tool at renewal.
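
As an added example (not part of the original article), the script below runs the 90 day sign-in check and the annualised spend calculation from the framework against a register in this layout, and cross-checks sign-in data for apps missing from the register. The sign-in export format, every app name other than ProposalPro, the user addresses, the audit date, and the rule that payroll or customer data means high impact are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample register; headers follow the layout above (labels shortened).
REGISTER_CSV = """Application,Owner,Department,Monthly Cost (NZD),Renewal Date,Status,Data Type,Integrations,Risk Note
ProposalPro,Sales Manager,Sales,240,30/09/2024,Overlapping,Customer,Google Workspace,
PayrollApp,Office Manager,Finance,310,01/04/2025,Essential,Payroll,Xero,
OldSurveyTool,Unassigned,Marketing,59,15/11/2024,Unused,Internal,,
"""
# Constructed sign-in export: one row per paid seat, blank date = never signed in.
SIGNINS_CSV = """Application,User,Last Sign In
ProposalPro,ana@example.co.nz,2024-06-20
ProposalPro,ben@example.co.nz,2024-02-11
ProposalPro,cat@example.co.nz,
PayrollApp,dee@example.co.nz,2024-06-28
OldSurveyTool,eli@example.co.nz,2023-12-01
QuickShare,fay@example.co.nz,2024-06-30
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def annualised_by_status(register_csv):
    """Monthly cost x 12, summed per Essential / Overlapping / Unused bucket."""
    totals = {}
    for r in rows(register_csv):
        totals[r["Status"]] = totals.get(r["Status"], 0.0) + float(r["Monthly Cost (NZD)"]) * 12
    return totals

def dormant_seats(signins_csv, today, max_idle_days=90):
    """Seats idle for max_idle_days or more (or never used), grouped by application."""
    dormant = {}
    for r in rows(signins_csv):
        last = r["Last Sign In"].strip()
        if not last or (today - date.fromisoformat(last)).days >= max_idle_days:
            dormant.setdefault(r["Application"], []).append(r["User"])
    return dormant

def unregistered_apps(register_csv, signins_csv):
    """Apps that show sign-ins but have no register row: shadow IT candidates."""
    known = {r["Application"] for r in rows(register_csv)}
    return sorted({r["Application"] for r in rows(signins_csv)} - known)

def access_review(register_csv, signins_csv, today):
    """Registered apps with dormant seats, high impact first.
    Assumption: payroll or customer data makes a dormant account high impact."""
    dormant = dormant_seats(signins_csv, today)
    findings = []
    for r in rows(register_csv):
        users = dormant.get(r["Application"])
        if users:
            impact = "high" if r["Data Type"] in ("Payroll", "Customer") else "low"
            findings.append((r["Application"], impact, users))
    return sorted(findings, key=lambda f: f[1] != "high")
```

Call `access_review(REGISTER_CSV, SIGNINS_CSV, date(2024, 7, 1))` to list the dormant accounts to disable or reassign, and `unregistered_apps(REGISTER_CSV, SIGNINS_CSV)` to list apps that need an owner and a register row.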

Next, define three standard decisions for every audit cycle. Keep means the app is essential and well governed, consolidate means you will move users into a single preferred tool, and retire means you will cancel at the next renewal. This triage keeps the SaaS review process fast, while still supporting thoughtful risk assessment and spend optimisation.

Build a recurring calendar slot, ideally quarterly, for a 90 minute review with finance and IT. Use that session to update the register, review new apps, and confirm that security monitoring is in place for high risk services. Over time, this rhythm turns audits from a one off clean up into a normal part of office management.

When you negotiate with vendors, bring data, not feelings. Show them your audits, your real time usage reports, and your internal notes on risk and compliance, then ask for pricing that reflects actual value. A simple script you can adapt: “We’ve reviewed our usage and only 60 percent of seats are active. To renew, we need pricing that matches real adoption, or we will consolidate into a single platform at the end of this term.” Vendors respond differently when they see you have structured management controls and a clear view of your total SaaS spend.

Finally, link your SaaS governance work to people outcomes, not just numbers. Use savings from cancelled apps to fund better support, training, or ergonomic upgrades that staff actually notice. For context on how tight labour markets change these trade offs, see this analysis of unemployment and the tighter talent pool at what the Q1 numbers mean for your next hire.

New Zealand specific patterns: where local offices leak SaaS money

New Zealand companies share some very specific SaaS patterns that matter for your audits. Many offices run both local and global software services, mixing New Zealand payroll tools with international CRM and collaboration apps. That mix often leads to duplicate functionality, fragmented reporting, and unnecessary risk exposure across your application environment.

Common duplicates include Slack and Teams for communication, Monday and Asana for projects, and multiple expense tools layered on top of Xero. Each extra application adds more data, more access rights, and more security obligations, but rarely adds proportional business value. During your quarterly review, challenge every duplicate by asking which single tool best supports your actual workflows.

Another local pattern is reliance on third party IT providers who focus on infrastructure, not SaaS management. They may secure your network and manage your cloud backups, yet leave individual departments to choose their own apps and services. That gap is where you, as office manager, can lead by coordinating audits, risk assessment, and spend optimisation across teams.

Pay attention to how sales, marketing, and operations teams adopt new apps. Sales teams often trial new CRM add ons or proposal tools, while operations might add niche scheduling software or facilities apps without central approval. Each of these decisions affects your overall management controls, internal audit readiness, and compliance posture.

New Zealand privacy expectations and data residency concerns also shape your choices. When evaluating data platforms, ask where the data is stored, how security monitoring works, and whether the vendor supports local compliance requirements. Document those answers in your SaaS register so you can show due diligence during any future audits.

Finally, remember that consolidation is not just about cutting costs. It is about building a coherent system where reporting aligns, support is manageable, and staff can move between roles without learning five different apps for the same task. The real win is a stack that feels invisible because it simply works, from the front desk to the boardroom.

Making the case upstairs: how to sell consolidation without drama

Office managers in New Zealand often sit close to the CEO but outside formal IT governance. That position can feel awkward when you start talking about SaaS security, risk management, and internal audit findings. The key is to frame your software governance work as financial stewardship and operational resilience, not a land grab for IT control.

Start your one page business case with three numbers, namely total SaaS spend, identified waste, and potential savings. Express savings as both annual dollars and percentage of current spend, then link those numbers to tangible outcomes like extra headcount, better support, or upgraded facilities. Executives respond quickly when they see that a 15 to 20 percent reduction in subscription spend can fund strategic priorities without new revenue.

Next, highlight the risk story in plain language. Explain how unmanaged apps increase the chance of data loss, access breaches, or compliance failures, and how simple controls like regular audits and central registers reduce that risk. Use examples from your own audits, such as dormant accounts with active access or third party integrations with no owner.

Position IT as a partner, not an obstacle. Propose a shared management platform or simple register that both you and IT can update, and suggest joint quarterly audits focused on high risk apps and cloud services. This collaborative framing shows that you respect existing expertise while bringing your own visibility into invoices, contracts, and day to day support issues.

Finally, be clear about the cadence and scope of your governance model. Recommend a 90 minute review every quarter, a deeper audit annually, and a standard checklist for any new SaaS applications before purchase. Over time, this rhythm turns SaaS governance into a normal part of running the office, not an emergency clean up after something goes wrong.

When leadership sees that your approach combines financial discipline, security awareness, and practical management controls, they are far more likely to back consolidation moves. The real test of success is not the policy PDF, but the Monday morning queue at reception.

FAQ

How often should a New Zealand office run a SaaS audit?

Most small and mid sized New Zealand offices should run a structured SaaS audit every quarter. A 90 minute review is usually enough to update the inventory, check for new apps, and confirm that security and compliance controls still match current usage. High growth companies or those in regulated sectors may benefit from a lighter monthly check on new subscriptions and access changes.

What tools do I need to start SaaS management without an IT team?

You can begin effective SaaS management with a spreadsheet, access to finance data, and admin rights in core platforms like Google Workspace. Over time, you may add a dedicated management platform or audit software to automate reporting, risk assessment, and security monitoring. The critical step is not the tool, but the habit of running regular audits and documenting every application, owner, and renewal date.

How do I handle resistance from teams that love their favourite apps?

Start by sharing data on actual SaaS usage and total subscription spend, then explain the business case for consolidation in terms of savings and reduced risk. Offer clear migration plans, training, and support so teams feel supported rather than punished. When people see that consolidation improves reliability, reporting, and support response time, resistance usually softens.

What are the biggest security risks in an unmanaged SaaS environment?

The largest risks include dormant accounts with active access, unvetted third party integrations, and inconsistent data handling across multiple apps. These gaps can lead to data breaches, compliance failures, or operational disruption if a key application fails without backup. Regular audits, central registers, and basic security monitoring significantly reduce these risks for New Zealand offices.

Can a 90 minute audit really find 15 to 20 percent savings?

Many offices do uncover 15 to 20 percent savings in their first focused audit, especially where shadow IT and duplicate tools have grown unchecked. A simple before and after example: one Wellington firm reduced its monthly SaaS bill from $9,800 to $8,050 by cancelling unused licences, consolidating two project tools into one, and renegotiating contracts using real usage data. While results vary, a disciplined 90 minute review almost always surfaces enough waste to justify making SaaS audits a recurring management practice.
