The Tech Stack Teardown: Audit Your Business Software for Cost and Security (2026)
Most 'simplify your stack' advice tells you what to buy. This is the opposite — a 4-lens software audit that cuts cost and attack surface in one pass, with a free worksheet.


Last month we audited the software stack of a 14-person firm that was certain it ran "maybe eight or nine tools." We found 23 paid subscriptions. Two of them did the same thing. Four had active logins for people who'd left the company — one with admin rights and a company card still attached to the account. None of it showed up on a security checklist, because security checklists look at the tools you know about.
That's the problem with sprawl. It isn't just a budget issue — though the wasted spend is real. Tools you've stopped using may still hold active accounts, stored credentials, and OAuth grants that nobody reviews. Closing those accounts is one of the most practical security improvements a small business can make in a given quarter.
This is a teardown, not a build guide. We'll walk your existing stack through the same four-lens scorecard we use on client audits — Cost, Usage, Access-Risk, Overlap — and you'll come out the other side with a Keep / Consolidate / Retire verdict for every tool, a smaller bill, and fewer unmanaged access points. There's a downloadable worksheet so you can run it yourself.
What is a software audit?
A small-business software audit reviews every paid and connected app for cost, usage, access risk, and overlap. The goal is to remove unused licenses, revoke stale access, consolidate duplicate tools, and document who owns each remaining app. This is different from a license compliance audit, which checks whether you're properly licensed for the software you use — that's about vendor contracts, not operational cleanup.
Why Do Small Businesses Lose Track of Their Software Stack?
Small teams lose track because tools are added one at a time and rarely reviewed after launch. Here's what we typically find when we look.
What We Actually Find on Audits
Based on audits of 40+ businesses with 10–25 employees conducted between 2024 and 2026, several patterns appear repeatedly:
- Perceived tool count: 8–12 subscriptions
- Actual tool count: 18–28 subscriptions (the gap is rarely less than 2x)
- Duplicate-function tools: ~30% of the stack does something another tool already does
- Orphaned seats: ~20% of paid seats belong to people who no longer work there
- Most common high-risk finding: An admin-level login nobody remembers creating, with a company card on file and no MFA enabled
Nobody sets out to build a bloated software stack. It happens one tool at a time, each one reasonable when it arrived, none of them reviewed after the first week.
The marketing team signs up for a design tool on a free trial that converts to paid. Someone in operations starts a project tracker because the shared spreadsheet got unwieldy. The founder still pays for the CRM they evaluated two years ago and never canceled. Each decision made sense in isolation. In aggregate, you're paying for a stack nobody can fully list from memory.
We've argued before that you shouldn't buy your way out of disorganization — that adding technology to a messy foundation just moves the mess to a more expensive platform. This article is the operational sequel: what to do about the tools you already bought.
The cost side is visible once you look: duplicate subscriptions, unused seats, annual renewals nobody approved. But there's a second cost running in parallel that most "simplify your stack" advice overlooks — unmanaged access.
Why Is Unused Software a Security Risk?
Most articles about SaaS sprawl frame it as a budget problem. It is. But unused software also creates unmanaged accounts, stored data, OAuth grants, and payment exposure that nobody is reviewing.
Here's how that happens:
- A tool is adopted — approved or not — and accounts are created for the team.
- Time passes. The tool falls out of use, but the accounts stay active.
- Those accounts still have standing access to whatever data the tool touches: files, contacts, calendars, financials.
- Credentials remain stored. Payment methods stay on file. MFA was probably never enabled on a "secondary" tool.
- Nobody monitors logins on a tool nobody uses. If someone — or something — logs in, nobody notices.
The result is an account that still has access to company data but doesn't appear on any checklist for tools you actively manage.
There are two flavors of sprawl that matter here, and they require different responses:
Shadow IT is the tool your team adopted without telling you. The designer's Canva Pro subscription billed to a personal card. The sales rep's pipeline tracker that nobody in IT has heard of. An AI writing assistant someone connected to their work email via OAuth. These tools aren't malicious — they're practical workarounds that bypassed the approval process. The risk is that they're connected to company data through OAuth grants or shared logins, and nobody with security responsibility knows they exist.
Abandoned tools are the opposite: software the company officially adopted, paid for, and then stopped using without closing the accounts. The project management app you migrated away from two quarters ago. The second file-sharing service you kept "just in case." These can carry more risk than shadow IT because they had sanctioned access — admin-level permissions, SSO connections, API integrations — and all of that access persists after the last employee stops logging in.
The Orphaned Admin Account
A common finding in our audits: a former employee's account with admin privileges still active on a SaaS tool the company stopped using. The account has full data access, a stored company credit card, and no MFA — because nobody configured MFA on a tool nobody was monitoring. Based on our audit history, this pattern appears in roughly 1 in 3 stacks we review.
In 2026, AI tools deserve specific attention here. Browser-based AI assistants, ChatGPT plugins, writing tools, and code assistants are the newest category of shadow IT. Many connect via OAuth to email, calendars, or file storage. They should be part of the same inventory and access review as any other SaaS tool.
If you've already gone through the exercise of auditing former employee access, you've addressed the people side of this problem. The software audit addresses the other half: the tools themselves. And if you're running a broader mid-year security review or working through a breach prevention plan, unused software should be on that checklist — it's where access risks and cost waste overlap.
Use a Four-Lens Scorecard to Audit Cost, Usage, Access, and Overlap
This is the framework we use on every client audit. Four lenses, each scoring a different dimension of whether a tool earns its place in your stack. Score each lens Red, Yellow, or Green. A Red access-risk score should trigger action even if the tool is inexpensive and well-used.
Lens 1: Cost
Not the sticker price — the true annual cost.
| Question | Red | Yellow | Green |
|---|---|---|---|
| What's the real annual spend (all seats, all tiers, add-ons)? | >$150/user/year and underused | $50–150/user/year | <$50/user/year or clearly justified by usage |
| Are you paying for seats nobody uses? | >30% of paid seats inactive | 10–30% inactive | <10% inactive |
| Has the price crept up since you signed? | Renewed at >20% above original | Renewed at 5–20% above | Same price or negotiated down |
Per-seat creep is easy to miss. Many SaaS tools increase per-seat pricing at renewal, and if nobody reviews the invoice, you're paying 2026 prices for a 2023 decision.
Lens 2: Usage
Who actually logs in, and how often?
| Question | Red | Yellow | Green |
|---|---|---|---|
| How many users logged in during the last 30 days? | <25% of licensed users | 25–60% of licensed users | >60% of licensed users |
| Is anyone using it daily for core work? | No daily users | Occasional use by a few | Daily use by its intended audience |
| Could the job be done in a tool you already keep? | Yes, fully | Partially, with workarounds | No — this is the only tool for this job |
The 30-day login check is the single most revealing data point in a software audit. Most admin dashboards show last-login dates. If 75% of your licensed users haven't touched a tool in a month, you're paying for shelf space.
Lens 3: Access-Risk
What can this tool touch, and who's provisioned?
| Question | Red | Yellow | Green |
|---|---|---|---|
| Does it have access to sensitive data (financials, client records, credentials)? | Yes, with broad permissions | Yes, with scoped permissions | No sensitive data access |
| Are former employees or contractors still provisioned? | Yes, with active accounts | Unknown — no easy way to check | Verified: no orphaned accounts |
| Is MFA enabled? | No, and the tool supports it | MFA available but not enforced | MFA enforced for all users |
| Does it have OAuth/API connections to other tools? | Yes, with write access to core systems | Yes, read-only | No cross-tool connections |
Any Red on Access-Risk is an immediate action item, regardless of what the other lenses show. A tool that scores Green on cost and usage but Red on access-risk still needs attention.
Lens 4: Overlap
Does this tool duplicate something you're keeping?
| Question | Red | Yellow | Green |
|---|---|---|---|
| Does another tool in your stack do the same job? | Yes, and that tool is the one you're keeping | Partial overlap — covers ~50% of the function | No meaningful overlap |
| Are teams splitting work between two tools for the same task? | Yes — data lives in both, causing confusion | Occasionally | No — clear single tool per function |
| Would consolidating break any workflow? | No — migration would be seamless | Minor friction, but manageable | Consolidation would cause real disruption |
In this lens a Red score means the tool is the one to fold into another, not that it is dangerous. Overlap is where the largest cost savings tend to appear, but it's also where consolidation mistakes happen. Two tools that look like duplicates from the admin dashboard may serve genuinely different workflows on the ground. Score the overlap, but verify with the people who use them before you cut.
Rolling Up the Scores
Score each tool across all four lenses, then apply these rules to reach a Keep, Consolidate, or Retire decision.

| Pattern | What it means | Verdict |
|---|---|---|
| Any Red on Access-Risk | Security gaps override cost and usage scores | Act now: close the gap before you settle the verdict |
| 2+ Red across any lenses | Multiple failures: the tool does not earn its place | Retire |
| 1 Red on Overlap, no other Red | The job is already covered by a tool you're keeping | Consolidate into that tool |
| 2+ Yellow, no Red | Marginal value: look for a consolidation target | Consolidate |
| Mostly Green | Earning its place in cost, usage, access, and uniqueness | Keep |

Access-Risk is weighted heaviest. A cheap, well-used tool with an unmonitored admin account is still a problem.
How Should You Decide Whether to Keep, Consolidate, or Retire a Tool?
The scorecard gives you a verdict per tool. Here's what each verdict actually requires — canceling a subscription is not the same as closing the access.
Keep: confirm and harden
- Right-size seats: Remove inactive users. Drop to a lower tier if usage supports it.
- Enforce MFA: If it is not on, turn it on. For tools that touch business data, treat MFA as required.
- Assign an owner: Every tool needs a named person responsible for renewal, access review, and offboarding.
- Set a review date: Put it back on the scorecard in 6 months. Keep does not mean keep forever.
Consolidate: migrate, then close
- Export data first: Before canceling, pull all data from the tool being consolidated. Verify the export is complete.
- Check contract lock-in: Annual contracts may have early termination fees. Time the consolidation to align with renewal dates.
- Migrate workflows: Move the actual work (templates, automations, integrations), not just the data.
- Close the account: Canceling the subscription is not enough. Delete the account and revoke all OAuth/API tokens.
Retire: close
- Export what you must keep, then work through the checklist under "Before you retire any tool" below.
Canceling Is Not the Same as Closing
Stopping payment on a subscription does not close the account. In most SaaS tools, a canceled subscription means the account still exists — with stored data, saved credentials, and sometimes residual access — it just stops billing. You need to close or delete the account itself, revoke all OAuth grants and API keys, and confirm the vendor has purged your data.
Before you retire any tool
This applies to both Consolidate and Retire verdicts:
- Export all data — download reports, files, and historical records. Verify the export is complete.
- Transfer ownership — reassign any shared resources, templates, or automations to the replacement tool or a team member.
- Revoke OAuth and API connections — remove all tokens, webhooks, and integrations connecting this tool to other systems.
- Remove SSO connections — if the tool is connected through your identity provider, remove the app registration.
- Disable every user account — deactivate all logins, not just the ones you remember.
- Request full account deletion — contact the vendor or use their admin panel to delete the account entirely, not just cancel billing.
- Save proof of cancellation — screenshot the confirmation or save the email. You may need it at audit time or if the vendor continues billing.
The "Consolidate" bucket is where most audit mistakes happen. Three traps to watch for:
The data-loss trap. You retire Tool A because Tool B does the same job, but you forget to export Tool A's historical data first. Three months later, someone needs a report from 2024. Gone.
The contract trap. You decide to retire a tool in March, but you're locked into an annual contract through September. Mark it for cancellation at renewal. In the meantime, revoke all non-essential access and remove inactive users — don't leave it running untouched for six months.
The "free tier" trap. You downgrade a paid tool to its free tier thinking you've eliminated the cost. You have — but the account, the stored data, the OAuth grants, and every user login still exist. A free account is still an account. If you're not actively using it, close it.
What Does a Small-Business Software Teardown Look Like in Practice?
A teardown scores every tool on cost, usage, access risk, and overlap before canceling anything. Let's walk through the 14-person firm from the opening. This is a composite based on several real audits, anonymized and simplified, but the patterns are representative of what we find in a typical 10–20 person business.
The stack before the teardown: 23 paid subscriptions, $4,340/month total spend, 4 accounts with active former-employee logins, no centralized app inventory.
Pricing Note
All prices below are public U.S. list prices verified in June 2026. They exclude taxes, promotional discounts, reseller pricing, and legacy contracts. Actual costs may differ based on billing cadence and negotiated rates.
Here's how 6 representative tools scored:
| Tool | Cost | Usage | Access-Risk | Overlap | Verdict |
|---|---|---|---|---|---|
| Microsoft 365 Business Premium ($22/user/mo, billed annually) | Green — justified by daily use | Green — all 14 users active daily | Yellow — 2 former employees still licensed (sign-in blocked, licenses never reclaimed) | Green — no overlap | Keep (remove 2 orphaned licenses) |
| Slack Pro ($7.25/user/mo annual, $8.75 monthly) | Yellow — $102–122/mo for mostly casual chat | Yellow — 8 of 14 active in last 30 days | Green — MFA enforced, no former employees | Red — Microsoft Teams included in M365 | Consolidate into Teams |
| Trello Premium ($10/user/mo annual, $12.50 monthly) | Yellow — $100–125/mo, 10 seats | Red — 3 of 10 users logged in last 30 days | Red — 2 former employees still have active accounts | Yellow — partial overlap with M365 Planner | Retire |
| Dropbox Standard ($18/user/mo, billed annually) | Yellow — $144/mo for 8 seats | Red — 2 of 8 users active; rest use OneDrive | Red — former employee with admin access, no MFA | Red — OneDrive included in M365 | Retire |
| 1Password Business ($7.99/user/mo, billed annually) | Green — $112/mo for 14 users | Green — 13 of 14 active daily | Green — MFA enforced, no orphaned accounts | Green — only password manager | Keep |
| QuickBooks Online Plus ($115/mo, includes 5 users) | Green — essential, reasonable cost | Green — accounting team uses daily | Yellow — only 2 of 4 users need access | Green — only accounting tool | Keep — limit access to 2 active users |
Teardown results: before and after
Same business, same work getting done, with fewer tools, less spend, and tighter access controls.

| Measure | Before | After |
|---|---|---|
| Tools | 23 (nobody could list them all from memory) | 14 (each one has an owner and a reason) |
| Monthly spend | $4,340 | $3,050 (about $15.5K/yr saved) |
| Former-employee logins | 4 | 0 (removed from all tools) |
| Unmonitored OAuth/API connections | 3 | 0 (revoked) |

The first audit surfaces the most. Recurring quarterly checks take about an hour.
The total time to run this teardown: about 6 hours across two people (one with admin access, one who knew the workflows). The security improvements: 4 orphaned accounts closed, 3 unmonitored OAuth grants revoked, MFA enforced on 2 tools that had it available but not enabled.
For a deeper look at what a right-sized stack actually contains for a firm this size, our 10-person accounting firm build documents the exact stack we deployed — hardware, software, pricing, and rationale for each choice.
How Can You Audit Your Software Stack This Week?
You don't need to hire someone to do this (though we do run these audits if you'd rather hand it off). Start with billing, identity-provider access, and a short team survey.
Step 1: Pull the billing statements (30 minutes)
Download the last 3 months of credit card and bank statements for every card used for business software. Search for recurring charges. You're looking for anything billed monthly or annually that looks like a SaaS subscription. Most people find 3–5 tools in this step that they'd completely forgotten about.
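The search for recurring charges is easy to script once the statements are exported. The block below is an added example written for this article, not the worksheet or any bank's tooling. It assumes the export is a CSV with date, description and amount columns (rename them for your bank), groups charges by a normalized merchant string, and flags anything that repeats at the same amount on a roughly monthly cadence. The statement lines it runs on are constructed. It also lists large one-off charges, because three months of statements cannot show an annual renewal repeating; those need a manual look.

```python
"""Find recurring subscription charges in exported card and bank statements.

Added example for this article, not the firm's worksheet. It assumes the bank
export is a CSV with date, description and amount columns (most exports are
close to this; rename the columns for yours). The statement lines below are
constructed for the example.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import date

SAMPLE_CSV = """date,description,amount
2026-03-02,SLACK TECHNOLOGIES 123-456,-122.50
2026-03-03,DROPBOX*STANDARD,-144.00
2026-03-05,AMAZON MKTPL*2K7H,-48.17
2026-03-14,TRELLO.COM ATLASSIAN,-125.00
2026-04-02,SLACK TECHNOLOGIES 123-456,-122.50
2026-04-03,DROPBOX*STANDARD,-144.00
2026-04-11,CANVA PTY LTD,-14.99
2026-04-14,TRELLO.COM ATLASSIAN,-125.00
2026-04-22,DELTA AIR 0062345,-412.60
2026-05-02,SLACK TECHNOLOGIES 123-456,-122.50
2026-05-03,DROPBOX*STANDARD,-144.00
2026-05-11,CANVA PTY LTD,-14.99
2026-05-14,TRELLO.COM ATLASSIAN,-125.00
2026-05-20,ZOOM.US 888-799-9666,-1728.00
"""


def normalize_merchant(description):
    """Drop reference numbers, phone numbers and '*' store codes so the same
    merchant groups together from month to month."""
    cleaned = re.sub(r"[\d\-*#]+", " ", description.upper())
    return re.sub(r"\s+", " ", cleaned).strip()


def find_recurring(csv_text, min_occurrences=2, one_off_threshold=200.0):
    """Return (recurring, one_offs).

    recurring: [(merchant, amount, occurrences)] for charges that repeat at the
               same amount on a monthly cadence (25 to 35 days apart).
    one_offs:  [(merchant, amount)] single charges above the threshold. Three
               months of statements cannot show an annual renewal repeating,
               so large one-off charges need a manual look.
    """
    by_merchant = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        amount = round(abs(float(row["amount"])), 2)
        by_merchant[normalize_merchant(row["description"])].append(
            (date.fromisoformat(row["date"]), amount))

    recurring, one_offs = [], []
    for merchant, charges in by_merchant.items():
        charges.sort()
        amounts = {amt for _, amt in charges}
        gaps = [(later - earlier).days
                for (earlier, _), (later, _) in zip(charges, charges[1:])]
        if (len(charges) >= min_occurrences and len(amounts) == 1
                and all(25 <= g <= 35 for g in gaps)):
            recurring.append((merchant, charges[0][1], len(charges)))
        elif len(charges) == 1 and charges[0][1] >= one_off_threshold:
            one_offs.append((merchant, charges[0][1]))
    recurring.sort(key=lambda r: -r[1])  # biggest monthly charge first
    return recurring, one_offs


def annualized(recurring):
    """Yearly spend implied by the recurring monthly charges."""
    return round(sum(amount * 12 for _, amount, _ in recurring), 2)


if __name__ == "__main__":
    recurring, one_offs = find_recurring(SAMPLE_CSV)
    for merchant, amount, n in recurring:
        print(f"{merchant:28} ${amount:>8.2f}/mo  seen {n}x")
    print(f"Recurring spend: ${annualized(recurring):,.2f}/yr")
    for merchant, amount in one_offs:
        print(f"Check manually: {merchant} ${amount:.2f} (possible annual renewal)")
```

Run it once per card. The merchants it returns become the first rows of the master list; the one-off list is where annual renewals and forgotten trials that converted tend to hide.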
Step 2: Pull the connected-apps list from your identity provider (15 minutes)
This is the step most audit guides skip, and it's the most valuable one.
Google Workspace: Admin console > Security > Access and data control > API controls > Manage Third-Party App Access. This shows every app that has been granted OAuth access to your organization's data — including apps individual employees authorized without admin approval.
Microsoft 365: Entra admin center > Entra ID > Enterprise apps > All applications. Select any app and open Security > Permissions; the Admin consent and User consent tabs show what the app can do and who granted it. Apps that appear only under User consent are the ones employees connected without admin approval.
Between your billing statements and your IdP's connected-apps list, you'll have 90% of the full picture. The remaining 10% surfaces when you ask your team: "What tools do you use that aren't on this list?" Include AI tools, browser extensions, and anything that connects to work email or files.
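For Microsoft 365 the same review can be pulled from the API and scored against the OAuth row of Lens 3 (write access to core systems is Red, read-only is Yellow, sign-in only is Green). The block below is an added example written for this article, not Microsoft tooling. It consumes the JSON returned by two documented Microsoft Graph endpoints, GET /oauth2PermissionGrants (delegated consent records, each carrying a space-separated scope string and a consentType of Principal for user consent or AllPrincipals for admin consent) and GET /servicePrincipals (app names). The GRAPH_TOKEN environment variable, the scope sets and the sample responses are assumptions for the example; without a token it runs on the constructed sample.

```python
"""Triage Microsoft Entra OAuth grants by the Lens 3 OAuth row.

Added example for this article, not Microsoft tooling. It reads the JSON that
GET /oauth2PermissionGrants and GET /servicePrincipals return, fetched with a
token holding Directory.Read.All. The sample responses below are constructed;
the app names and IDs are made up.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Delegated scopes that let an app change, send, or broadly read core data.
# Assumption for this example: tune the set for your tenant.
WRITE_OR_BROAD = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite", "Files.ReadWrite.All",
    "Sites.ReadWrite.All", "Calendars.ReadWrite", "Contacts.ReadWrite",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
}
# Sign-in-only scopes: an app with nothing beyond these touches no business data.
SIGN_IN_ONLY = {"openid", "profile", "email", "offline_access", "User.Read"}

# Constructed sample responses in the shape Graph returns.
SAMPLE_GRANTS = {"value": [
    {"id": "g1", "clientId": "sp-draftgenie", "consentType": "Principal",
     "principalId": "user-42", "resourceId": "sp-graph",
     "scope": "openid profile Mail.ReadWrite Files.ReadWrite.All"},
    {"id": "g2", "clientId": "sp-calsync", "consentType": "Principal",
     "principalId": "user-17", "resourceId": "sp-graph",
     "scope": "Calendars.Read offline_access"},
    {"id": "g3", "clientId": "sp-pwmgr", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph", "scope": "User.Read"},
]}
SAMPLE_SPS = {"value": [
    {"id": "sp-draftgenie", "displayName": "DraftGenie AI Writer"},
    {"id": "sp-calsync", "displayName": "CalSync Scheduler"},
    {"id": "sp-pwmgr", "displayName": "Password Manager SSO"},
]}


def lens3_color(scopes):
    """Map a set of delegated scopes onto the Lens 3 OAuth row."""
    if scopes & WRITE_OR_BROAD:
        return "Red"        # write access to core systems
    if scopes - SIGN_IN_ONLY:
        return "Yellow"     # read-only data access
    return "Green"          # sign-in only, no data connection


def triage(grants, service_principals):
    """One row per grant, worst color first, with who consented."""
    names = {sp["id"]: sp["displayName"] for sp in service_principals["value"]}
    rows = []
    for g in grants["value"]:
        scopes = set(g["scope"].split())
        rows.append({
            "app": names.get(g["clientId"], g["clientId"]),
            "grant_id": g["id"],   # revoke with DELETE /oauth2PermissionGrants/{id}
            "consent": "user" if g["consentType"] == "Principal" else "admin",
            "principal": g["principalId"],
            "scopes": sorted(scopes),
            "lens3": lens3_color(scopes),
        })
    order = {"Red": 0, "Yellow": 1, "Green": 2}
    return sorted(rows, key=lambda r: (order[r["lens3"]], r["app"]))


def fetch_all(path, token):
    """GET a Graph collection and follow @odata.nextLink paging."""
    url, items = f"{GRAPH}{path}", []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return {"value": items}


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumed env var; unset it to use the sample
    grants = fetch_all("/oauth2PermissionGrants", token) if token else SAMPLE_GRANTS
    sps = fetch_all("/servicePrincipals?$select=id,displayName", token) if token else SAMPLE_SPS
    for r in triage(grants, sps):
        print(f'{r["lens3"]:6} {r["consent"]:5} {r["app"]:24} {" ".join(r["scopes"])}')
```

Two caveats. This list covers delegated (on-behalf-of-a-user) consent only; app-only permissions live on each service principal's appRoleAssignments and need a separate pass. And a Red row is a finding, not a verdict: confirm with the consenting user what the app is for before you revoke the grant.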
Step 3: Build your master list (30 minutes)
Combine both sources into a single spreadsheet. For each tool, capture these columns:
| Column | What to record |
|---|---|
| Tool name | Product name |
| Owner | Who manages this account? (If nobody, that's a finding.) |
| Monthly cost | Current billing amount |
| Seats paid | Total licensed seats |
| Seats active | Users who logged in within 30 days |
| Renewal date | When does the contract renew? |
| Sensitive data | Does it access financials, client records, or credentials? |
| MFA status | Enabled, available but off, or not supported |
| OAuth/API access | What other tools does it connect to? |
| Overlap | Does another tool do the same job? |
This becomes the input for the scorecard — and after the audit, it becomes your standing software inventory.
Step 4: Score each tool (1–2 hours)
Walk every tool on your master list through the 4-Lens Scorecard above. You'll need access to each tool's admin dashboard to check last-login dates and user lists. For most SaaS tools, this is under Settings > Users or the admin panel's activity log.
Don't try to score everything perfectly on the first pass. The goal is to identify the obvious retirements and the clear keeps. Anything in the middle goes into Consolidate for a second look.
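The thresholds in the 4-Lens Scorecard and the roll-up rules are mechanical enough to encode, which keeps the first pass honest and makes the quarterly re-score a re-run rather than a re-argument. The block below is an added example for this article, not the worksheet's own logic. It scores rows shaped like the Step 3 master list, takes the worst row in each lens as that lens's color, and applies the roll-up. Two simplifications are assumptions of the example: the "could the job be done in a tool you already keep" usage row is folded into Overlap because it asks the same question, and a single Red on Cost, Usage or Overlap is treated as a Consolidate candidate while a single Red on Access-Risk keeps the tool but raises the act-now flag. The input rows are constructed; they reuse the walkthrough's tool names but not its numbers, so lens colors can differ from the hand-scored table above.

```python
"""Score a master-list row on the four lenses and roll it up to a verdict.

Added example for this article: it encodes the thresholds from the 4-Lens
Scorecard tables and the roll-up rules. The rows at the bottom are
constructed; the names match the walkthrough, the numbers are not the firm's.
"""
from dataclasses import dataclass

RED, YELLOW, GREEN = "Red", "Yellow", "Green"
RANK = {RED: 0, YELLOW: 1, GREEN: 2}


@dataclass
class Tool:
    name: str
    monthly_cost: float
    seats_paid: int
    seats_active: int        # logged in within the last 30 days
    daily_use: bool          # someone uses it daily for core work
    price_creep_pct: float   # renewal price vs. original, in percent
    sensitive: str           # "none" | "scoped" | "broad"
    former_employees: str    # "none" | "unknown" | "active"
    mfa: str                 # "enforced" | "optional" | "off" | "unsupported"
    oauth: str               # "none" | "read" | "write"
    overlap: str             # "none" | "partial" | "full"  (a kept tool does the job)
    split_work: str          # "no" | "sometimes" | "yes"   (two tools for one task)


def worst(*colors):
    return min(colors, key=RANK.get)


def cost_lens(t):
    per_user_year = t.monthly_cost * 12 / max(t.seats_paid, 1)
    active_ratio = t.seats_active / max(t.seats_paid, 1)
    if per_user_year < 50 or (active_ratio >= 0.8 and t.daily_use):
        spend = GREEN                       # cheap, or clearly justified by usage
    elif per_user_year > 150 and active_ratio < 0.6:
        spend = RED                         # expensive and underused
    else:
        spend = YELLOW
    inactive = 1 - active_ratio
    seats = RED if inactive > 0.30 else YELLOW if inactive >= 0.10 else GREEN
    creep = RED if t.price_creep_pct > 20 else YELLOW if t.price_creep_pct >= 5 else GREEN
    return worst(spend, seats, creep)


def usage_lens(t):
    active_ratio = t.seats_active / max(t.seats_paid, 1)
    logins = RED if active_ratio < 0.25 else YELLOW if active_ratio <= 0.60 else GREEN
    daily = GREEN if t.daily_use else (YELLOW if t.seats_active else RED)
    return worst(logins, daily)


def access_lens(t):
    data = {"none": GREEN, "scoped": YELLOW, "broad": RED}[t.sensitive]
    people = {"none": GREEN, "unknown": YELLOW, "active": RED}[t.former_employees]
    # "unsupported" scored Yellow is an assumption: the table's Red is "no, and it supports it"
    mfa = {"enforced": GREEN, "optional": YELLOW, "unsupported": YELLOW, "off": RED}[t.mfa]
    oauth = {"none": GREEN, "read": YELLOW, "write": RED}[t.oauth]
    return worst(data, people, mfa, oauth)


def overlap_lens(t):
    dup = {"none": GREEN, "partial": YELLOW, "full": RED}[t.overlap]
    split = {"no": GREEN, "sometimes": YELLOW, "yes": RED}[t.split_work]
    return worst(dup, split)


def verdict(t):
    """Return (verdict, act_now, per-lens colors) using the roll-up rules."""
    lenses = {"cost": cost_lens(t), "usage": usage_lens(t),
              "access": access_lens(t), "overlap": overlap_lens(t)}
    reds = [k for k, c in lenses.items() if c == RED]
    yellows = [k for k, c in lenses.items() if c == YELLOW]
    act_now = lenses["access"] == RED        # Red on Access-Risk overrides everything
    if len(reds) >= 2:
        v = "Retire"
    elif reds and reds != ["access"]:
        v = "Consolidate"                    # single Red on cost, usage or overlap
    elif len(yellows) >= 2:
        v = "Consolidate"
    else:
        v = "Keep"                           # includes "Keep, but act now" when access is Red
    return v, act_now, lenses


SAMPLE_TOOLS = [  # constructed inputs
    Tool("Dropbox Standard", 144, 8, 1, False, 0, "broad", "active", "off", "write", "full", "yes"),
    Tool("Trello Premium", 100, 10, 3, False, 25, "scoped", "active", "optional", "none", "partial", "sometimes"),
    Tool("Slack Pro", 122.5, 14, 13, True, 10, "none", "none", "enforced", "none", "full", "yes"),
    Tool("1Password Business", 112, 14, 13, True, 0, "scoped", "none", "enforced", "none", "none", "no"),
]

if __name__ == "__main__":
    for t in SAMPLE_TOOLS:
        v, act_now, lenses = verdict(t)
        flag = "  ACT NOW" if act_now else ""
        print(f"{t.name:20} {v:12}{flag}  {lenses}")
```

The output is a starting point, not the decision: the page's own warning about Overlap still applies, so confirm a Consolidate verdict with the people who use both tools before the account is closed.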
Step 5: Assign an owner to every remaining tool
If nobody owns renewal, access review, and offboarding for a tool, the stack will drift again within a quarter. Every tool that survives the audit should have a named person responsible for it.
Step 6: Act on the verdicts (1–2 hours)
Start with retirements — they tend to deliver the clearest cost and access improvements. Then work through consolidations (remembering to export data and check contracts first). Finally, harden your keeps: remove unused seats, enforce MFA, revoke excessive permissions.
Download the Software Audit Worksheet
The worksheet mirrors the 4-Lens Scorecard with pre-built columns for each question, auto-scoring, and a summary view that rolls up to Keep/Consolidate/Retire. It's the same structure we use internally.
How to timebox this
| Activity | Time | Who |
|---|---|---|
| Pull billing statements | 30 min | Whoever has access to the company cards |
| Pull IdP connected-apps list | 15 min | Google Workspace or M365 admin |
| Build master list | 30 min | Same person |
| Score each tool | 1–2 hours | Admin + one team member who knows the workflows |
| Assign owners | 15 min | Admin |
| Act on verdicts | 1–2 hours | Admin |
| Total | 3.5–5.5 hours | |
The first pass is the big one. After that, a quarterly review takes about an hour — you're just re-scoring anything that changed and checking for new shadow IT.
How to Prevent the Stack From Growing Back
The teardown cleans up what's accumulated. These habits keep it from building back up:
Require approval for new tools. A one-line Slack message to a designated person ("I want to try Tool X for project Y") is enough process. The goal isn't bureaucracy — it's awareness.
Add software to your offboarding checklist. When someone leaves, revoke their access to every tool, not just email. Our former employee access guide covers the full process — and if you're also tightening up the other end, the new employee onboarding checklist shows how to set up access correctly from day one.
Set a renewal calendar. Most SaaS contracts auto-renew. A shared calendar with renewal dates for every tool gives you a chance to re-evaluate before the charge hits.
Run a quarterly check. Pair it with your mid-year security review and it becomes a standing agenda item, not a special project. The quarterly check takes about an hour — you're re-scoring anything that changed and scanning for new unapproved tools.
Include AI tools in the same process. In 2026, AI assistants and browser-based AI tools are the fastest-growing category of shadow IT. Apply the same inventory and OAuth review to them.
What Should a Right-Sized Small-Business Software Stack Include?
A right-sized stack gives each core business function one owned, secured tool — and nothing extra. After removing 9 tools and $1,300/month in spend, a natural question is: did we cut too much?
A right-sized stack for a 10–20 person business typically covers five layers:
| Layer | Typical tool category | Audit question |
|---|---|---|
| Identity and email | Google Workspace or Microsoft 365 | Is one system authoritative for login and email? |
| Files and collaboration | Drive, OneDrive, SharePoint | Are files split across duplicate platforms? |
| Security | Password manager, MFA, endpoint protection | Is access enforced and reviewed? |
| Backup | Cloud backup or SaaS backup | Can deleted or encrypted data be restored? |
| Role-specific tools | Accounting, CRM, project management | Does each tool have a clear owner and purpose? |
If you want to see what those layers look like in practice:
- Your First Business Software Stack: The Essential 4 covers the minimum viable stack — the four categories every business needs before adding anything else.
- Complete Business Software Stack Under $250/Month shows what a full, lean stack costs when you're intentional about every line item.
The teardown and the build guides are two sides of the same coin. The teardown removes what doesn't belong. The build guides show you what does. If you've run the teardown and your remaining stack maps roughly to those five layers, you haven't over-cut — you've right-sized.
For the security side, pair this with the small business network security audit guide to cover the infrastructure layer that a software audit doesn't touch — your network gear, firewall rules, and physical access controls.
We run these audits as part of our managed IT engagements for businesses throughout South Florida. If you'd rather hand off the scoring, the vendor negotiations, and the account closures, that's what we do. But the worksheet is free and the framework is the same one we use — the point is that somebody runs it, not that it has to be us.
Related Resources
- The Technology Your Small Business Doesn't Need (Yet) — The philosophical foundation this teardown builds on: don't buy your way out of disorganization.
- How to Audit and Revoke Former Employee Access — The people-side companion to this software audit — focused on offboarding and access revocation.
- Mid-Year Security Audit Checklist for Small Business — The recurring security review that this teardown feeds into.
- Your First Business Software Stack: The Essential 4 — What a right-sized stack looks like when you're starting clean.
- Complete Business Software Stack Under $250/Month — The full lean stack, priced out.
- The Exact IT Stack We Deployed for a 10-Person Accounting Firm — A real-world reference for what "right-sized" looks like in practice.
- Small Business Breach Prevention Guide — Practical steps to reduce breach risk, including managing shadow IT and unmanaged SaaS apps.
- New Employee IT Onboarding Checklist — The onboarding counterpart to this teardown — set up access correctly from day one.
- Small Business IT Budget Planning Guide — How to budget for the tools that survive your audit, and avoid cloud cost creep.
- Small Business Network Security Audit Guide — The infrastructure-side audit that covers what a software teardown doesn't.