
Automated Audits: Stop Paying Fees for Dead Extensions and Ex-Employees


Most business owners track big-ticket expenses carefully: rent, payroll, insurance. What slips through? The $22/month Zoom Phone line for someone who quit in January. The Microsoft 365 seat assigned to a summer intern who finished in August and never got offboarded in the system. This is “license creep”: active, billing accounts with no active user behind them. Industry analyses from SaaS spend management platforms consistently place unused or abandoned software licenses at 20-30% of total software spend for mid-size companies, and VoIP seats are among the easiest line items to miss because the charges are small enough to hide inside a larger telecom invoice.

Moving to hosted VoIP genuinely changed how fast you can onboard someone. A new extension takes minutes to provision. De-provisioning is where the process falls apart. Removing a user typically requires a manual request to the provider, a ticket to IT, and sometimes a separate billing cancellation step, none of which fire automatically when HR marks someone as terminated in your HRIS. The result is a graveyard of ghost extensions, each one quietly billing you every single month with no one on the other end.

The Anatomy of a Ghost License

Here’s how ghost accounts accumulate. An employee gives notice, and the scramble begins: HR processes the final paycheck, the manager documents open projects, and IT recovers the laptop. The VoIP extension? It’s an afterthought every time. Most organizations have no automated workflow connecting an HR termination event to every downstream system that needs to act on it: no automatic ticket to the VoIP provider, no license reclaim in Microsoft 365 or Google Workspace, no account suspension in Slack or any other per-seat tool. The phone line stays active indefinitely because no one ever sent the email to turn it off.

That unreturned extension sits on your bill at $20 or $30 per month. One account feels trivial. But a company with 50 employees and annual turnover around 15%, roughly typical across many industries, can easily accumulate seven or eight ghost seats per year. At $25/month average, that’s $2,100 in dead VoIP spend annually, before counting the Microsoft 365 seats ($15-$22/month each) or any other per-seat SaaS license tied to the same departed employees. And they stay invisible until someone runs a manual audit, which, in most organizations, almost never happens on a consistent schedule.

More Than Just a Financial Drain: The Security Risk

The wasted spend is the most visible problem. The security exposure it creates is worse.

Voicemail exploits:

A dormant VoIP extension with a factory-default PIN, “0000” or “1234”, is low-hanging fruit for toll fraud. Attackers scan PBX and hosted VoIP portals, brute-force weak credentials, and route calls through the compromised account to premium-rate numbers they control, racking up thousands of dollars in international call charges billed directly to your account. Telecom security researchers commonly estimate global toll fraud losses in the billions annually; individual businesses have reported five-figure monthly bills before the fraud was even detected. A ghost extension tied to a former employee is the most dangerous kind, because no one in your organization is watching it.

A foothold for attackers:

Beyond toll fraud, a dormant account is a useful foothold for an attacker who’s already inside your network. Active-but-unmonitored credentials allow lateral movement (logging into internal systems, accessing shared drives, escalating privileges) with a lower chance of triggering an alert. Most SIEM platforms and endpoint detection tools flag anomalies by comparing activity against a behavioral baseline; a long-dormant account has no baseline, so anomalous activity registers as normal. That’s exactly the kind of blind spot a sophisticated attacker looks for and exploits.
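One way to close the baseline blind spot described above is a rule that treats the gap itself as the signal. This is an added example, not code from the original article; the 45-day threshold, the event tuple layout, and the sample accounts and addresses are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

DORMANCY = timedelta(days=45)  # assumed threshold; tune per environment

# Constructed sample authentication events: (ISO timestamp, account, source IP).
EVENTS = [
    ("2024-01-05T10:00:00", "mlee", "10.0.4.40"),
    ("2024-01-10T09:02:00", "asmith", "10.0.4.21"),
    ("2024-01-12T17:30:00", "jdoe", "10.0.4.33"),
    ("2024-02-01T08:57:00", "asmith", "10.0.4.21"),
    ("2024-03-01T09:10:00", "asmith", "10.0.4.21"),
    ("2024-04-20T03:14:00", "jdoe", "203.0.113.7"),
    ("2024-04-21T22:40:00", "mlee", "203.0.113.7"),
]
# Constructed: account -> termination date, fed from the HR system of record.
TERMINATED = {"mlee": "2024-02-15"}

def dormant_account_alerts(events, terminated=None, dormancy=DORMANCY):
    """Flag logins by terminated accounts and by accounts silent for >= dormancy."""
    terminated = terminated or {}
    last_seen, alerts = {}, []
    for stamp, account, source in sorted(events):  # ISO strings sort by time
        when = datetime.fromisoformat(stamp)
        previous = last_seen.get(account)
        gap_days = (when - previous).days if previous is not None else None
        ended = terminated.get(account)
        if ended is not None and when >= datetime.fromisoformat(ended):
            # Any login after the termination date is an alert, whatever the gap.
            alerts.append((account, stamp, source, "terminated", gap_days))
        elif previous is not None and when - previous >= dormancy:
            # No baseline needed: the long silence is what makes this suspicious.
            alerts.append((account, stamp, source, "dormant", gap_days))
        last_seen[account] = when
    return alerts
```

Accounts seen for the first time are deliberately not flagged here, since new hires would trigger the rule; pair it with a provisioning feed if first-seen logins matter in your environment.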

Compliance and data privacy:

In regulated industries, this isn’t just a security risk; it’s a direct compliance failure. HIPAA requires covered entities to terminate access to electronic protected health information promptly when employment ends. SOC 2’s availability and confidentiality criteria require demonstrable access controls and timely deprovisioning as part of a formal audit. GDPR’s data minimization principle means you have no legitimate legal basis for a former employee’s account to remain active and potentially reachable. An auditor who finds ghost accounts with access to patient records, financial data, or customer PII will not treat it as a simple bookkeeping oversight.

Every ghost license is two problems at once: a budget leak that compounds quietly month after month, and an open door in your security perimeter that no one is watching.

The Automated Fix: From a Manual Mess to a Streamlined System

The only way to reliably stop license creep is to remove the human decision point entirely: not improve it, remove it. That means replacing a hope-based, manual process with one that fires automatically the moment your HR data changes. The mechanics are straightforward: connect your Human Resources Information System (HRIS) to the rest of your software stack, so an employment status change propagates instantly instead of sitting in someone’s inbox waiting to be acted on.

Here is the automated workflow:

  1. The Single Source of Truth: Your HRIS is the authoritative record of who works for you, not a spreadsheet, not an IT ticket, not a forwarded email from a manager.
  2. The Trigger: When an employee’s status changes to “Terminated” in the HRIS, that single event kicks off an automated workflow, no manual ticket required, no handoff to IT.
  3. The Action: The workflow issues immediate commands to every connected system. The VoIP platform deactivates the extension. Microsoft 365 archives the user’s mailbox and releases the license back to your pool. Other integrated tools (CRM platforms, project management tools, file-sharing services) each receive an automatic deactivation signal, with a timestamped log entry recorded for every action.

The whole sequence runs in seconds and leaves a complete audit trail. There is no to-do item sitting in a queue, waiting for someone to remember. The de-provisioning is guaranteed.
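The three steps above, sketched as an added example that is not code from the original article or from any vendor. `SeatSystem` is a hypothetical in-memory stand-in for a downstream platform, and the event fields `user` and `status` are assumed names. The sketch also records failed deactivations and returns them for retry, so an unreachable system is logged instead of silently skipped.

```python
from datetime import datetime, timezone

class SeatSystem:
    """Hypothetical in-memory stand-in for one downstream platform (not a vendor API)."""
    def __init__(self, name, seats, fail_times=0):
        self.name, self.seats, self.fail_times = name, set(seats), fail_times

    def deactivate(self, user):
        if self.fail_times > 0:       # simulate a transient outage
            self.fail_times -= 1
            raise ConnectionError(f"{self.name} unreachable")
        self.seats.discard(user)      # idempotent: repeating the call is harmless

def offboard(event, systems, audit_log, only=None):
    """Fan one HRIS termination event out to every system; return names still pending."""
    if event["status"] != "Terminated":   # the single trigger from the system of record
        return []
    pending = []
    for system in systems:
        if only is not None and system.name not in only:
            continue                      # retry pass: touch only the failed systems
        try:
            system.deactivate(event["user"])
            outcome = "deactivated"
        except Exception as exc:
            outcome = f"failed: {exc}"
            pending.append(system.name)
        audit_log.append({                # one timestamped entry per action
            "time": datetime.now(timezone.utc).isoformat(),
            "user": event["user"], "system": system.name, "outcome": outcome,
        })
    return pending

def demo():
    """Constructed scenario: the m365 stand-in fails once, then succeeds on retry."""
    voip = SeatSystem("voip", {"kim", "ana"})
    m365 = SeatSystem("m365", {"kim", "ana"}, fail_times=1)
    log, event = [], {"user": "kim", "status": "Terminated"}
    first = offboard(event, [voip, m365], log)
    retry = offboard(event, [voip, m365], log, only=first)
    return first, retry, voip.seats, m365.seats, log
```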

FAQs

We are a small company and just use a spreadsheet for HR. Can we still automate this?

Yes. A dedicated HRIS is the cleanest trigger, but it is not the only one. A skilled IT automation partner can build the same workflows off other authoritative events: moving a user to a “Former Employees” organizational unit in Microsoft Active Directory (or Microsoft Entra ID), disabling a directory account, or closing an HR ticket marked with a specific status code. Google Workspace admins can use OU-based triggers in much the same way. The critical requirement is that exactly one system acts as the definitive signal, so there is no ambiguity about when de-provisioning should fire or who is responsible for initiating it.

Can’t I just have my office manager do a manual audit every month?

Manual audits are reactive by definition: you catch the problem only after you have already paid for unused licenses, sometimes for months. They are also error-prone: a single missed row in a spreadsheet comparison leaves a ghost account active and a security gap open. Automation flips the model entirely. De-provisioning fires the moment employment status changes, so there is no accumulation period to discover later. For the office managers and HR coordinators currently spending time each quarter cross-referencing invoices against user lists, that is a meaningful amount of time returned to more substantive work.

How do we even know how many “ghost” licenses we have right now?

Start with an audit. A qualified Managed IT Services Provider (MSP) will pull active user lists from your key subscription platforms (VoIP, Microsoft 365, your CRM, any per-seat SaaS tools) and compare them against your current employee roster to build a definitive list of active but unassigned licenses. In most small-to-mid-sized businesses, that comparison surfaces orphaned licenses immediately. Those recovered costs frequently cover the full implementation of an automated de-provisioning workflow, sometimes within the first billing cycle. The audit is both the diagnostic and the business case.
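The comparison described above, as an added example that is not from the original article. The CSV column names, addresses and per-seat prices are constructed, and the `SHARED_SEATS` allowlist is an assumption covering seats that legitimately have no employee behind them, such as a front-desk line.

```python
import csv
import io

# Constructed sample exports; real column names vary by platform.
ROSTER_CSV = """email,status
ana@example.com,Active
raj@example.com,Active
kim@example.com,Terminated
"""
SEATS_CSV = """platform,email,monthly_cost
voip,Ana@Example.com,25
voip,kim@example.com,25
voip,frontdesk@example.com,25
m365,raj@example.com ,22
m365,kim@example.com,22
m365,intern2023@example.com,22
"""
SHARED_SEATS = {"frontdesk@example.com"}  # assumed allowlist of non-person seats

def _norm(email):
    # Exports disagree on case and stray whitespace; normalize before comparing.
    return email.strip().lower()

def find_ghost_seats(roster_csv, seats_csv, shared=frozenset()):
    """Return (platform, email, monthly_cost) for seats with no active employee."""
    active = {
        _norm(row["email"])
        for row in csv.DictReader(io.StringIO(roster_csv))
        if row["status"].strip().lower() == "active"
    }
    ghosts = []
    for seat in csv.DictReader(io.StringIO(seats_csv)):
        email = _norm(seat["email"])
        if email in active or email in shared:
            continue
        # Covers both terminated staff and seats missing from the roster entirely.
        ghosts.append((seat["platform"], email, float(seat["monthly_cost"])))
    return ghosts

def monthly_waste(ghosts):
    """Total monthly spend on the seats flagged by find_ghost_seats."""
    return sum(cost for _, _, cost in ghosts)
```

Review allowlisted seats too: a shared line with a default PIN carries the same toll-fraud exposure as a ghost extension.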

Does this automation only work for offboarding employees?

No. Offboarding is the most visible use case, but the same automation logic applies to onboarding. When a new hire is added to the HRIS, an automated workflow can create their Microsoft 365 account, add them to the correct Active Directory or Entra ID groups, provision their VoIP extension, and grant access to role-appropriate tools, all without a single IT ticket. Platforms like Rippling and Okta handle much of this natively; for mixed environments, Zapier or Make can connect systems that lack built-in integrations. The practical result is a new employee who can log in and work on day one instead of spending the first week waiting on access requests to clear.

Eliminating Digital Waste for a Healthier Bottom Line

License creep is a process problem, not a billing quirk. When provisioning and de-provisioning depend on someone remembering to act, licenses accumulate, access lingers, and the hidden costs compound month after month alongside real security exposure. Fixing it does not require a large IT overhaul. An automated workflow triggered by your HRIS handles onboarding and offboarding consistently, logs every action for your next compliance audit, and stops orphaned licenses from accruing in the first place.

If any of this resonated, there’s a reasonable chance you have unused licenses billing right now: accounts tied to ex-employees, browser extensions nobody cancelled, SaaS tools that got quietly replaced months ago. Pacific Cloud Cyber runs structured licensing audits that cross-reference your active subscriptions against current headcount, surface dormant accounts, and produce a prioritized list of what to cut before the next renewal cycle. Book a call to find out exactly how many digital ghosts are on your payroll, and what removing them would save per month.
