← All posts

How to Create a Preferred Vendor List for SaaS Procurement

July 13, 2026

Most mid-market companies do not have a documented list of approved software vendors, so every new tool purchase starts from zero: a fresh negotiation, a fresh security review, a fresh contract read, often for a category the company already has three tools in. A preferred vendor list turns that repeated one-off work into a standing decision, made once and reused every time a team needs to buy.

What a preferred vendor list actually is

A preferred vendor list (sometimes called a preferred supplier list, or PVL) is a maintained set of vendors, organized by category, that a company has already evaluated and wants employees to buy from by default. It is different from an approved vendor list (AVL), which is a compliance floor: any vendor that clears minimum legal, security, and financial checks gets on an AVL. A preferred list is narrower. It reflects vendors the company has actively chosen based on price, quality, security posture, and fit, not just vendors that passed a baseline check.

The distinction matters because an AVL alone does not change buying behavior. It tells a requester what is allowed, not what is recommended. A preferred list does both: it narrows the default choice to two or three vendors per category and gives buyers a reason to start there instead of opening a new browser tab and signing up for whatever tool a LinkedIn ad just showed them.

The scale of the problem

The gap between how mid-market companies think they buy software and how they actually buy it is large and getting harder to ignore. As of 2025, mid-market companies run an average of 254 SaaS applications, down from 289 in 2024 as some consolidation takes hold, but still a wide surface area for a company with a few hundred employees and a two- or three-person procurement or IT ops function (BetterCloud, 2026 SaaS Statistics). At that scale, 30% or more of licenses typically go unused or underutilized at any given time (PayEm, 2026), which means the company is not just buying tools it did not need, it is paying ongoing subscription fees for seats nobody opens.

Shadow IT is the mechanism behind most of that sprawl. Gartner estimates shadow IT already accounts for 30 to 40% of enterprise IT spend, and projects that by 2027, 75% of employees will acquire, modify, or create technology outside IT's visibility, up from 41% in 2022. On the spend side, business units and individual expensing now drive the majority of SaaS purchasing at most companies, with IT directly controlling a minority of the total (Zylo, 2026 SaaS statistics). None of this is because employees are trying to break the rules. It is because signing up for a SaaS tool with a corporate card takes two minutes, and routing the same purchase through procurement, security review, and legal can take weeks.

That gap shows up directly in the numbers on off-contract buying. Maverick spend, meaning purchases made outside negotiated contracts and preferred terms, typically runs around 30% of total spend at companies without a documented preferred vendor process, and considerably higher in unmanaged categories (Veridion, 2025; CIPS research). Companies that let this continue lose 10 to 20% of the savings they would otherwise have negotiated, since maverick purchases bypass volume pricing and pre-agreed terms entirely, and some studies put the loss as high as 50% in the least-controlled categories. A documented preferred vendor list is one of the few controls that addresses this at the root rather than trying to catch it after the fact.

Why this happens

Three structural problems combine to produce the sprawl described above.

There is no single front door for software purchases. When five different managers can each independently decide their team needs a project management tool, and each one has a corporate card, the company ends up running Asana, Monday, and Notion Projects simultaneously with no one aware of the overlap until a spend review surfaces it.

Review processes are slow relative to the alternative. Standard vendor security reviews typically take 2 to 3 weeks, and reviews for strategic or higher-risk vendors run 4 to 6 weeks (based on industry vendor-onboarding benchmarks). Compared to a self-serve signup that takes minutes, a formal review looks like friction with no clear payoff to the requester, so people route around it rather than through it.

There is nothing to check against. Without a documented list, an employee evaluating a new expense reporting tool has no way to know the company already has a contract with a comparable vendor, what that contract costs, or when it renews. The information exists somewhere, usually in an inbox or a shared drive, but it is not discoverable at the moment someone is deciding what to buy.

What good looks like

Companies that manage this well share a common trait: they treat the preferred vendor list as infrastructure, not a policy document. Best-in-class procurement organizations are roughly twice as likely as their peers to maintain a documented pre-approved supplier list covering all major spend categories, at 56% versus 26% (Veridion, citing CIPS research). That gap alone explains a meaningful share of the difference in negotiated savings and spend visibility between well-run and loosely-run procurement functions.

In practice, "good" looks like two to five preferred vendors per category, which is enough to preserve real competition at renewal time without spreading relationship management too thin (a range consistent across procurement best-practice guidance from AuraVMS and Airswift). It looks like a list that a requester can actually find and check before they buy anything, not one buried in a spreadsheet that only the procurement lead has open. And it looks like a purchasing motion that is predictable and auditable: when someone needs a tool, they check the list first, and if the category is not covered, there is a known, reasonably fast process to evaluate a new vendor rather than an ad hoc scramble.

How to build a preferred vendor list: a five-step framework

Step 1: Inventory what you already have

Before deciding what should be preferred, find out what is actually in use. Pull data from your identity provider (SSO login activity is the fastest signal), expense reports, and accounts payable to build a full list of active vendors and contracts. Most mid-market companies are surprised by this step alone: it is common to find three or four tools serving the same function that nobody had realized were running in parallel.

Step 2: Group tools into categories and score existing vendors

Organize the inventory into functional categories: CRM, HRIS, expense management, project management, e-signature, and so on. Within each category, score the vendors currently in use against a small set of consistent criteria: price relative to peers, security posture, contract terms (auto-renewal, notice period, escalation clauses), reliability, and how well the tool is actually adopted by the team using it. This step turns a list of names into a defensible basis for choosing which vendors to keep as preferred and which to phase out.

Step 3: Set tiers and approval thresholds

Not every purchase needs the same level of scrutiny. Define tiers based on spend and risk: a sub-$5,000 tool with no access to sensitive data might need only a manager sign-off, while anything touching customer data or exceeding a set spend threshold routes through security and legal review. Attach the preferred vendor list to this tiering so the fastest path is buying from a vendor already on the list, and the slower path is reserved for genuinely new categories or higher-risk purchases.

Step 4: Document the list and make it the default intake point

Publish the list somewhere every employee can actually find it before they buy anything, not after. Pair it with a simple intake form: "check the preferred list first; if your need isn't covered, submit this form to request an evaluation." The goal is to make the preferred list the path of least resistance, not an obstacle competing with the two-minute signup flow.

Step 5: Review the list on a fixed cadence

A preferred vendor list that never changes becomes stale and loses credibility. Set a quarterly review cadence to check adoption, satisfaction, and pricing for each preferred vendor, and trigger an off-cycle review whenever a vendor's contract comes up for renewal. This is also the natural point to retire vendors that have fallen out of use or add a new preferred vendor in a category that previously had none.

Maintaining the list without it going stale

The most common failure mode after building a preferred vendor list is treating it as a one-time project rather than an ongoing responsibility. Assign a named owner, typically someone in finance, IT, or a dedicated procurement role if the company has one, who is accountable for keeping the list current. Tie list reviews to the renewal calendar so that vendor performance and pricing get reassessed exactly when there is leverage to act on the findings, rather than reviewing the list in the abstract on a quarterly calendar disconnected from any actual decision point.

Common mistakes to avoid

Companies building their first preferred vendor list tend to make the same handful of errors:

  • They set the list too narrow with no documented exception path, which pushes people back toward shadow purchases the moment a real edge case comes up.
  • They fail to assign clear ownership, so the list quietly goes out of date within two quarters.
  • They build the list but do not integrate it into the actual purchasing workflow, so it exists as a reference document nobody checks.
  • They treat every category the same, applying enterprise-level review rigor to a $2,000 annual tool, which reintroduces the exact friction that caused maverick buying in the first place.

Frequently asked questions

What is the difference between a preferred vendor list and an approved vendor list?

An approved vendor list is a compliance floor: any vendor that meets minimum legal, security, and financial requirements can be added. A preferred vendor list is more selective, typically two to five vendors per category, chosen based on price, quality, and strategic fit rather than just baseline compliance. Most mature procurement functions maintain both, using the AVL as the qualifying gate and the preferred list as the default recommendation.

How many vendors should be on a preferred vendor list per category?

Two to five vendors per category is the range most procurement guidance converges on. Fewer than two removes competitive tension at renewal time, while more than five spreads relationship management and volume-based negotiating leverage too thin to matter.

Who should own the preferred vendor list at a mid-market company without a dedicated procurement team?

At most mid-market companies, ownership sits with finance or IT, whichever function already has the closest visibility into contracts and spend. The important part is naming a single accountable owner rather than leaving the list as a shared, unowned document, since unowned lists go stale within a quarter or two.

How do we stop employees from buying SaaS outside the preferred vendor list?

Making the preferred list the fastest path to a signed contract works better than blocking alternatives outright. Pair the list with a simple intake process, a corporate card policy that flags new SaaS charges, and a tiered review process so low-risk purchases from preferred vendors clear quickly while anything outside the list gets appropriate scrutiny.

How often should a preferred vendor list be reviewed and updated?

Review the full list on a quarterly cadence at minimum, and trigger an additional review whenever a specific vendor's contract comes up for renewal. Quarterly reviews catch adoption and satisfaction trends; renewal-triggered reviews are when the company actually has leverage to act on pricing or performance issues.

Does a preferred vendor list actually reduce software costs?

Yes, primarily by consolidating spend with fewer vendors, which supports volume-based negotiating leverage, and by reducing maverick, off-contract purchases that typically forfeit 10 to 20% of achievable savings. Companies with documented preferred vendor lists are also better positioned to catch duplicate tools before they become entrenched, which is one of the larger and more preventable sources of SaaS waste.

Related Articles

No items found.

Procr

Stop renewing blind.

See what Procr does with your real vendor portfolio.

Book a demo →