Shadow IT Audit: What your IT department doesn't know but needs to.
Your employees use roughly twice as many SaaS tools as your IT team knows about. ChatGPT, Dropbox, Trello, plus Excel applications in every department. Since December 2025, you are personally liable as managing director for knowing your IT assets. The Shadow IT Audit delivers a complete inventory with risk assessment and NIS2 compliance roadmap in 4-6 weeks.
What you receive
- Complete IT asset inventory: every SaaS application, every AI tool, every departmental solution. With cost, owner, and data sensitivity classification
- Risk assessment with traffic-light system: red, yellow, green for each asset. Based on data sensitivity, tool risk, and usage volume
- NIS2 and GDPR compliance gap analysis: where exactly your shadow IT violates Section 30 BSIG, Art. 28/30/32 GDPR, or the EU AI Act
- Prioritized action roadmap: what needs to happen immediately (0-30 days), short-term (1-3 months), and medium-term (3-6 months)
- Management presentation: executive summary, risk heat map, top 10 immediate actions, and NIS2 compliance status. Basis for management sign-off per Section 38 BSIG
Does this sound familiar?
- Your credit card statements show SaaS subscriptions that nobody in IT approved
- You fall under NIS2, but your IT asset inventory has blind spots. You know it, but nobody has time to sort it out
- Three departments use three different project management tools. Data is everywhere and nowhere
- Employees paste customer data into ChatGPT, and you have neither rules nor visibility into it
- An auditor or client asks for your software inventory, and the answer takes weeks instead of hours
4 phases. No CASB, no tool sales.
Financial data audit
We follow the money. Twelve months of credit card statements, accounts payable, and expense accounts reveal what software is actually in use. In our experience, over half of all SaaS spending hides under the wrong cost categories.
One-on-one department interviews
Marketing, sales, HR, finance, engineering: we talk to each department individually. Not via questionnaire, but in conversation. Because nobody admits which tools they really use when the whole room is listening.
Technical quick wins
SSO/IdP audit via Azure AD or Google Workspace, OAuth permission review, analysis of existing firewall and DNS logs. No new infrastructure needed. We work with what you have.
Consolidation and assessment
Merge all sources, deduplicate, validate with department owners. Every asset gets a risk score, NIS2 compliance mapping, and a clear action recommendation.
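To make the consolidation step concrete, here is an added example (not the consultancy's own tooling) that merges three of the discovery sources described in the phases above: expense records, the list of applications registered with the identity provider, and DNS log lines. It normalizes vendor names and domains to one key so that "OpenAI LLC" from accounts payable and "chat.openai.com" from DNS become one asset, attaches the owner and data-sensitivity classification from the department interviews, and assigns a red/yellow/green rating from data sensitivity, tool risk, and usage volume. All records, log lines, the normalization heuristic, and the score thresholds are constructed assumptions for the example.

```python
"""Consolidate shadow-IT findings from several sources into one rated inventory.

Added example; the sample data, the vendor/domain normalization and the
scoring thresholds are constructed assumptions, not a fixed methodology.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample inputs, one per discovery source -------------------
EXPENSE_RECORDS = [  # from the financial data audit
    {"vendor": "Trello Inc.", "annual_eur": 1200, "cost_center": "Office supplies"},
    {"vendor": "Dropbox", "annual_eur": 3600, "cost_center": "Travel"},
    {"vendor": "OpenAI LLC", "annual_eur": 2400, "cost_center": "Misc"},
]
SSO_APPS = ["trello", "slack"]  # applications registered with the IdP
DNS_LOG = """2026-02-03T09:14:01Z client=10.1.4.22 q=api.trello.com
2026-02-03T09:15:10Z client=10.1.4.23 q=chat.openai.com
2026-02-03T09:15:11Z client=10.1.4.23 q=chat.openai.com
2026-02-03T09:16:00Z client=10.1.4.40 q=www.dropbox.com
2026-02-03T09:17:22Z client=10.1.4.51 q=chat.openai.com
"""
INTERVIEWS = {  # from the one-on-one department interviews
    "OpenAI": {"owner": "marketing", "sensitivity": "customer_pii"},
    "Dropbox": {"owner": "sales", "sensitivity": "confidential"},
    "Trello": {"owner": "engineering", "sensitivity": "internal"},
}

# Assumed scoring weights: higher means more sensitive data at stake.
SENSITIVITY_SCORE = {"public": 0, "internal": 1, "confidential": 2,
                     "customer_pii": 3, "unknown": 2}
LEGAL_SUFFIX = re.compile(r"\b(inc|llc|gmbh|ltd|ag)\.?$", re.I)
DNS_LINE = re.compile(r"client=(\S+)\s+q=(\S+)")


def canonical_vendor(name: str) -> str:
    """'OpenAI LLC' -> 'openai'; strips a trailing legal-form suffix."""
    return LEGAL_SUFFIX.sub("", name.strip()).strip(" .,").lower()


def canonical_domain(fqdn: str) -> str:
    """'chat.openai.com' -> 'openai' (second-level label; a simple heuristic)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_dns_log(text: str) -> dict:
    """Map canonical vendor -> set of distinct client IPs that resolved it."""
    clients = defaultdict(set)
    for line in text.splitlines():
        m = DNS_LINE.search(line)
        if m:
            clients[canonical_domain(m.group(2))].add(m.group(1))
    return clients


@dataclass
class Asset:
    key: str
    annual_eur: int = 0
    cost_center: Optional[str] = None
    in_sso: bool = False          # behind the IdP: central offboarding possible
    distinct_clients: int = 0     # usage volume proxy from DNS logs
    owner: Optional[str] = None
    sensitivity: str = "unknown"

    def score(self) -> int:
        tool_risk = 0 if self.in_sso else 2  # no IdP control over accounts
        volume = 2 if self.distinct_clients >= 3 else (1 if self.distinct_clients == 2 else 0)
        return SENSITIVITY_SCORE[self.sensitivity] + tool_risk + volume

    def rating(self) -> str:
        s = self.score()
        return "red" if s >= 5 else ("yellow" if s >= 3 else "green")

    @property
    def needs_validation(self) -> bool:
        """No interview owner yet: must be validated with a department."""
        return self.owner is None


def build_inventory(expenses, sso_apps, dns_text, interviews) -> dict:
    """Merge and deduplicate all sources into one Asset per canonical key."""
    assets = {}

    def get(key):
        return assets.setdefault(key, Asset(key=key))

    for rec in expenses:
        a = get(canonical_vendor(rec["vendor"]))
        a.annual_eur += rec["annual_eur"]
        a.cost_center = rec["cost_center"]
    for app in sso_apps:
        get(canonical_vendor(app)).in_sso = True
    for key, ips in parse_dns_log(dns_text).items():
        get(key).distinct_clients = len(ips)
    for name, info in interviews.items():
        a = get(canonical_vendor(name))
        a.owner, a.sensitivity = info["owner"], info["sensitivity"]
    return assets


if __name__ == "__main__":
    inventory = build_inventory(EXPENSE_RECORDS, SSO_APPS, DNS_LOG, INTERVIEWS)
    order = {"red": 0, "yellow": 1, "green": 2}
    for a in sorted(inventory.values(), key=lambda x: order[x.rating()]):
        flag = " (validate with owner)" if a.needs_validation else ""
        print(f"{a.rating():6} {a.key:8} EUR {a.annual_eur:>5} "
              f"owner={a.owner} sso={a.in_sso} clients={a.distinct_clients}{flag}")
```

With the constructed data, the AI tool ends up red (customer data, not behind SSO, several distinct clients), the file-sharing tool yellow, and the project tool green. The SSO-only entry with no spend and no interview owner is rated but flagged for validation, which is the "validate with department owners" step in practice: a rating computed from incomplete sources is a prompt for a conversation, not a conclusion.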
What happens next
After the management presentation, you decide. The action roadmap works without us too. If you need oversight for implementing the critical measures, we handle that. No automatic follow-on.
Do you know what's actually running in your company?
30 minutes with the consultant who will run your audit. No sales pitch, no tool sales.