The 5-Day Vendor Contract Audit: From Chaos to Clarity
New to the role or dealing with a mess? Here's how to go from 'I don't know what vendor contracts we have' to a complete register with dates, owners, and alerts in one working week.
New in the role? Inherited a mess? Got a CFO asking “show me all our vendor contracts” on a Monday morning?
This is the post for you.
Most IT and ops teams don't have a vendor contract visibility problem because they're disorganised. They have one because nobody ever did the initial work of gathering everything into one place. The contracts exist. The renewal dates exist. The auto-renewal clauses definitely exist - your vendors made sure of that. But the information is scattered across email inboxes, shared drives, AP systems, and filing cabinets that haven't been touched since 2021.
This 5-day playbook is about portfolio-wide discovery. It's about answering the question: “What vendor contracts do we actually have?” Before you review any individual contract (that's a different job - see The Contract Renewal Checklist), you need to know what exists.
A typical 200-person company has 80-120 vendor contracts live at any given time. Most IT managers I've spoken to guess they have around 40. The gap between what you think you have and what you actually have is where the expensive surprises live.
Here's how to close that gap in five working days.
Why This Week Matters
The triggers for a vendor contract audit are usually one of four things:
New exec mandate. A new CFO, CTO, or COO joins and immediately asks for a full vendor list with spend and renewal dates. The honest answer - “we don't have one” - is not acceptable twice.
M&A activity. Due diligence requires a complete contract register. Scrambling to produce one under deadline pressure is where errors and omissions happen. Build it before you need it.
Audit or compliance pressure. SOC 2 prep, investor due diligence, or an internal audit flags that vendor contract governance is weak. You need a defensible process, not just a spreadsheet you updated this morning.
Spreadsheet collapse. The shared Google Sheet that tracked contracts is three versions old, has conflicting data, and hasn't been updated since the person who built it left. You're starting from scratch whether you like it or not.
Any of these sound familiar? Then block the week. This is worth doing properly once rather than badly three times.
Day 1: Gather
Your job today is simple: collect every source that might contain evidence of a vendor contract. Don't open the documents yet. Don't try to extract data yet. Just gather.
Accounts payable records. Pull the AP ledger for the last 24 months. Filter for recurring payments - anything that appears more than twice is worth investigating. Export to a spreadsheet. This is often the most complete single source you have, because vendors always manage to get their invoices paid even when nobody knows a contract exists.
Shared drives. Search Google Drive, SharePoint, or your equivalent for: “agreement”, “contract”, “MSA”, “statement of work”, “SOW”, “order form”, “renewal”, “subscription”. Download or bookmark everything. Create a staging folder.
Email. Search the IT manager inbox (and any general ops/procurement inbox) for: “auto-renews”, “renewal notice”, “upcoming renewal”, “contract renewal”, “your subscription”. Also search for vendor names you already know. Most vendors send renewal notices via email 60-90 days out - those emails are a useful shortcut to a list of what's about to expire.
Department heads. Send a single email to every department head today. Keep it short: “We're doing a vendor contract audit. Please reply with any vendor agreements your team has signed or manages, even if you think IT or finance already has them.” Add a deadline of end-of-day tomorrow. You will get three categories of response: people who send you a list immediately, people who ignore you until you chase, and people who reveal something genuinely surprising. Budget time to follow up.
Legal. If you have an internal legal team or use outside counsel, ask them for any vendor contracts they've reviewed or have copies of. Legal often holds the signed versions that never made it back to IT.
By end of Day 1, you should have a staging folder with PDFs, a list of recurring AP payments, and replies starting to come in from department heads. You don't need it to be complete. You need it to be started.
Day 2: Inventory
Today you build the master list. Not a perfect list - a working list. A spreadsheet with one row per vendor contract.
The minimum columns you need:
| Column | What to capture |
|---|---|
| Vendor name | The company you're paying |
| Contract type | SaaS subscription, service agreement, maintenance, lease, etc. |
| Annual value ($) | Annualised spend from AP records |
| Contract start date | When the original term began |
| Renewal date | When the contract renews or expires |
| Notice period (days) | How many days' notice to cancel or renegotiate |
| Auto-renewal | Yes / No / Unknown |
| Contract owner | Name of internal person responsible |
| Document location | Where the actual PDF lives |
| Status | Active / Expired / Unknown |
Don't let perfect be the enemy of done. For Day 2, you're filling in what you can from the AP records and any obvious metadata on the files you collected yesterday. A lot of cells will say “Unknown”. That's fine. Unknown is information - it tells you where the gaps are.
Aim to have every recurring AP payment represented as a row by end of Day 2. You'll likely have 60-80% of the data you need. The missing pieces are what Day 3 is for.
One thing to do today that will save significant time later: group contracts by department (IT, Marketing, Finance, Operations, HR, Legal). Contracts cluster by department, and department-level grouping makes ownership assignment on Day 5 much faster.
Day 3: Extract
Today is the most time-intensive day. You're opening the actual PDFs and pulling out the specific terms that matter.
For each vendor contract in your master list, you need to capture:
- Exact renewal date. Not “sometime in Q3” - the specific date. This is usually in the term section, sometimes buried in an order form addendum.
- Notice period. The number of days' written notice required to cancel or modify the contract before it auto-renews. 30, 60, and 90 days are most common. Some enterprise vendors use 120 days.
- Auto-renewal clause. Does the contract auto-renew if you don't act? For what term? Month-to-month, or another full year/multi-year term? This is the most expensive clause you'll find.
- Price escalation terms. Many contracts include automatic annual price increases - typically 3-5%, sometimes tied to CPI. If yours does, calculate what the next renewal will actually cost before assuming it's the same number as last year.
- Termination terms. Beyond the notice window, what are the exit conditions? Some contracts include penalty clauses for early termination.
Work through contracts in order of annual value. Your top 20 contracts by spend will account for the majority of your total vendor commitment. Get those done first.
For the larger stack of smaller contracts - the $500/month subscriptions, the minor SaaS tools, the maintenance agreements - a faster review is fine. You're primarily checking for auto-renewal clauses and notice periods. A contract that auto-renews for a year at $6,000 is still $6,000 you committed to without thinking about it.
If you're working through 80+ contracts manually, this is genuinely tedious work. Tools like Renewly can extract renewal dates, notice periods, and auto-renewal clauses from uploaded PDFs automatically, which collapses Day 3 from a full day to an hour. But whether you do it manually or with a tool, the output is the same: a complete master list with dates and terms filled in.
By end of Day 3, you should have the renewal date and notice period columns populated for at least your top 40-50 contracts by value. The rest can follow.
Day 4: Prioritise
You have data. Now you need to turn it into action signals.
Flag the next-90-days renewals first. Any contract renewing within 90 days needs immediate attention. The notice window may already be closing. For each one, calculate: when does the notice window actually close? (Renewal date minus notice period in days.) If the notice window closes in less than 30 days, that contract is P0 - stop the audit and deal with it today.
Colour-code by risk. A simple three-colour system works:
- Red: renewing within 90 days, or notice window already closed
- Amber: renewing within 180 days, auto-renewal confirmed, no action taken
- Green: renewing in 180+ days, owner confirmed, tracking in place
Identify orphaned contracts. An orphaned contract is one with no named internal owner. In a 100-person company, you'll typically find 15-25% of vendor contracts in this state. These are the ones most likely to auto-renew without anyone noticing, because there's nobody whose job it is to notice.
For each orphaned contract, do a quick sense-check: which department uses this vendor? Who approved the original purchase? That person or their successor is the likely owner. Flag them for Day 5.
Check for duplicate vendors. It's common to find two departments paying for different instances of the same vendor, sometimes at different price points, sometimes on different contract terms. A 150-person company I worked with had three separate Zoom agreements - one through IT, one through a business unit that negotiated their own deal, and a third through a legacy arrangement nobody had cancelled. Consolidating them saved $8,000 a year and was invisible until the audit.
Calculate your total vendor commitment. Add up the annual values for all active contracts. This is a number your CFO will ask for, and the answer will surprise both of you.
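The Day 4 rules (notice deadline, red/amber/green, P0, orphans) applied to register rows, as an added Python example that is not part of the original post. The field names and sample rows are constructed; treating an unknown notice period as 120 days, rating an ownerless contract amber rather than green, and checking P0 for every contract are assumptions of this example.

```python
from datetime import date, timedelta

ASSUMED_NOTICE_DAYS = 120  # assumption: worst case while the notice period is still "Unknown"

# Constructed sample rows (not real contracts), using the Day 2 register columns.
REGISTER = [
    {"vendor": "Vendor A", "renewal": date(2025, 7, 15), "notice_days": 60, "owner": "J. Patel"},
    {"vendor": "Vendor B", "renewal": date(2025, 8, 10), "notice_days": 60, "owner": ""},
    {"vendor": "Vendor C", "renewal": date(2025, 10, 15), "notice_days": 30, "owner": "M. Chen"},
    {"vendor": "Vendor D", "renewal": date(2026, 3, 1), "notice_days": None, "owner": "M. Chen"},
    {"vendor": "Vendor E", "renewal": date(2026, 3, 1), "notice_days": 90, "owner": ""},
]

def triage(row, today):
    """Apply the Day 4 rules to one register row."""
    notice = row["notice_days"] if row["notice_days"] is not None else ASSUMED_NOTICE_DAYS
    deadline = row["renewal"] - timedelta(days=notice)  # renewal date minus notice period
    days_to_renewal = (row["renewal"] - today).days
    days_to_deadline = (deadline - today).days
    orphaned = not row["owner"].strip()
    if days_to_renewal <= 90 or days_to_deadline < 0:
        colour = "red"    # renewing within 90 days, or notice window already closed
    elif days_to_renewal <= 180 or orphaned:
        colour = "amber"  # assumption: an ownerless contract cannot be green
    else:
        colour = "green"
    return {
        "vendor": row["vendor"],
        "notice_deadline": deadline,
        "colour": colour,
        "p0": 0 <= days_to_deadline < 30,  # window still open, closes in under 30 days
        "orphaned": orphaned,
    }

def prioritise(register, today):
    """Triage every row, earliest notice deadline first."""
    return sorted((triage(r, today) for r in register), key=lambda t: t["notice_deadline"])

if __name__ == "__main__":
    for t in prioritise(REGISTER, date(2025, 6, 1)):
        flags = " ".join(f for f in ("P0" if t["p0"] else "", "ORPHAN" if t["orphaned"] else "") if f)
        print(f'{t["colour"]:5} {t["vendor"]:9} notice by {t["notice_deadline"]} {flags}')
```

Sorting by notice deadline rather than renewal date puts the contracts whose window closes first at the top, which is the order the Day 4 triage works through them.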
Day 5: Assign
The audit only has value if it changes behaviour. That means every vendor contract needs a named human being who is responsible for it.
Today you're doing three things:
Assign contract owners
For every contract in your master list, there needs to be a name in the “Contract owner” column. Not a team. Not a department. A name. Use the RACI framework from the ownership post as your guide - Responsible (who manages the renewal day-to-day), Accountable (who approves the decision), Consulted (finance, legal), Informed (department head).
For mid-market companies without a formal procurement team, the most common ownership model is: IT owns the SaaS and infrastructure contracts, department heads own any vendor contracts specific to their function, and finance is Informed on all of them. Whatever model you choose, write it down and get sign-off from the relevant stakeholders today.
Set up alert timelines
For every active contract, the owner needs reminders at:
- 90 days before renewal: start vendor evaluation
- 60 days before renewal: make the decision (renew, renegotiate, or cancel)
- 30 days before renewal: send notice if required
- 7 days before renewal: final check
At minimum, calendar invites. Better, a system that tracks these dates centrally. If you're managing 80+ contracts, a spreadsheet with manual reminders will start to fail within 12 months - someone will leave, the spreadsheet will go stale, and you'll be back where you started.
Brief stakeholders
Send a summary to your CFO, CTO, or whoever triggered this audit. Include: total contract count, total annual vendor commitment, number of contracts renewing in the next 90 days, number of orphaned contracts now resolved. This closes the loop on the mandate and demonstrates that the work was done properly.
For a template on how to structure the RACI across departments, the Vendor Renewal RACI template covers exactly this - with a worked example for IT, finance, and procurement ownership split.
What You Have at the End of the Week
By Friday afternoon, you should have:
- A complete vendor contract register with one row per vendor contract
- Renewal dates and notice periods for all material contracts (those above your minimum spend threshold)
- Auto-renewal status flagged for every contract
- Named owners for every contract
- A red/amber/green risk view showing what needs attention in the next 90-180 days
- Any duplicate or orphaned contracts surfaced and resolved
- A stakeholder briefing delivered
That's the deliverable. It's not a presentation. It's a working register that has an owner and gets maintained.
Keeping It Alive
The audit is Day 1, not the finish line.
A vendor contract register that isn't maintained becomes a liability faster than you'd expect. Staff leave. New contracts get signed without being logged. Amendments get executed and filed somewhere nobody looks. Within 18 months of a manual-only process, you'll typically find 20-30% of the register is stale.
The practices that keep it alive:
New contract intake process. Every new vendor contract - before it's signed - gets added to the register. Owner, value, renewal date, notice period. Treat this as non-negotiable.
Quarterly review. Block 90 minutes every quarter to check the register against AP records. Any recurring payment that isn't in the register is a problem. Any contract in the register without a recent payment is either cancelled or about to lapse.
Offboarding checklist. When someone leaves the company, review their vendor contract ownership and reassign everything they owned before they go. This is how orphaned contracts happen - the person who set up the contract left, and the contract drifted without an owner.
For the details of how to review and decide on each individual contract once you've found them, the contract renewal checklist covers the 15 things to check per vendor agreement before you renew.
And if the manual process starts to feel like too much overhead - especially once you're tracking 60+ contracts - Renewly automates the extraction piece (dates, notice periods, auto-renewal clauses from uploaded PDFs) and keeps the alerts running so you don't have to manage them through a spreadsheet. Free for up to 5 contracts if you want to test it on your most critical renewals first.
The audit is the hardest part. After this week, maintaining it is a 90-minute-per-quarter job.
Quick Reference: The 5-Day Plan
| Day | Focus | Output |
|---|---|---|
| Day 1 | Gather | Staging folder of documents + AP export + department head responses |
| Day 2 | Inventory | Master list with one row per vendor contract |
| Day 3 | Extract | Renewal dates, notice periods, auto-renewal clauses for all material contracts |
| Day 4 | Prioritise | Red/amber/green risk view, orphans flagged, total commitment calculated |
| Day 5 | Assign | Named owners, alert timelines set, stakeholder briefing delivered |
Further Reading
- The Contract Renewal Checklist: 15 Items to Review Per Vendor Agreement - once you've found your contracts, use this to review each one
- How to Track Contract Renewals Without a Dedicated CLM - tracking methods from spreadsheet to purpose-built tools
- Who Owns Vendor Renewals? A RACI for IT, Finance, and Procurement - the ownership framework for Day 5
- Automate Contract Renewal Management: When Manual Tracking Breaks Down - what to do when the spreadsheet stops working
Matt du Jardin is the founder of Renewly, vendor contract renewal management software for IT and ops teams. Before Renewly, he spent a decade in IT consulting watching mid-market companies lose money to vendor auto-renewals they didn't know they'd agreed to.