Surviving an IT asset audit: a practical checklist
The same five gaps appear in almost every IT asset audit — for SOX, ISO 27001, SOC 2, or vendor true-ups. This is the working checklist to close them before the auditor arrives.
Audits are stressful for two reasons. The first: nobody enjoys having someone else read their records. The second: most teams don't know which records they are supposed to have until the auditor asks for them. The good news is that the auditor's request list is consistent across frameworks, even when the frameworks themselves differ.
Below: what every IT asset audit looks at, the documents you should have on file, the five gaps that catch most companies out, and a 30-day pre-audit hardening plan.
The four audit types you'll meet
| Audit | What it looks at | Trigger |
|---|---|---|
| SOC 2 / ISO 27001 | Asset inventory, access control, change management, vendor management | Annual / customer-driven |
| SOX (ITGC) | Logical access, segregation of duties, asset records tied to financial reporting | Annual for public/regulated entities |
| Software vendor true-up | Are you using more licenses than you've paid for? | At renewal, or unannounced at the vendor's discretion (Microsoft, Oracle and IBM audit frequently) |
| Insurance / cyber underwriting | Asset coverage, MFA, patching, offboarding controls | Annual or after a renewal request |
Different framework, same questions: do you know what you have, who has it, and can you prove it?
The standard auditor request list
- Asset inventory — every laptop, server, mobile device, network device, with owner and location.
- Software inventory — every paid SaaS or licensed software, seat count, current users.
- Access matrix — which user has access to which system, with role, granted by, granted on.
- Joiner/mover/leaver records — for the audit period, the full sample of onboarding and offboarding events with evidence.
- Change log — every change to assets, access, or configurations, time-stamped and attributable.
- Contract repository — every active vendor agreement with a defensible owner.
- Hardware disposal records — proof that retired devices were wiped and disposed of correctly.
- Backup and recovery evidence — for systems holding regulated data.
The five gaps auditors find most often
1. Ghost accounts of leavers
An employee left in October, but their Slack, GitHub, or Salesforce seat is still active in February. This is the single most common SOC 2 finding. Fix: identity-provider-driven deprovisioning that touches every connected SaaS automatically, plus a quarterly "no-login > 60 days" sweep.
2. Untracked hardware
Laptops handed out without an asset tag. Phones reimbursed via expense reports that never enter the register. Fix: every hardware purchase enters the inventory at receipt, not at deployment, with a tag, owner, and warranty record.
3. Software in use that isn't licensed
The classic Microsoft/Oracle audit finding. A team installed a tool, the company never bought a license, the auditor finds it in the discovery scan. The true-up bill can be enormous. Fix: enforce a procurement-only software install policy, run quarterly discovery scans, reconcile against your license inventory.
4. Contracts owned by "IT@company.com"
If every contract is owned by a shared mailbox, no real human is accountable. Auditors note this immediately. Fix: every contract has a named human owner and a documented backup.
5. No audit trail on changes
"Who reassigned this license?" "Don't know — we just clicked Save." If your tooling doesn't log who did what when, you fail the audit before you start. Fix: pick an ITAM/access tool with proper change logging baked in. SOC 2 explicitly requires it.
30-day pre-audit hardening plan
Week 1 — inventory
- Reconcile hardware register against IdP user list. Every active employee accounted for; every laptop assigned to a real person.
- Sweep SaaS accounts. Disable or delete every account belonging to anyone not in the active employee list.
- Pull last-login data for every paid SaaS. Flag any seat dormant 90+ days.
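The three Week 1 steps, plus the license-versus-entitlement check from Week 3, are a join across exports, so here is that sweep as a small Python script; this is an added example, not code from the article or from InventorIA. The IdP user list, seat exports, entitlements and hardware register are constructed sample data, and the 90-day threshold is the one used above.

```python
# Week-1 reconciliation sweep over constructed sample data (not InventorIA code):
# join the IdP export, SaaS seat exports and hardware register into findings.
from collections import Counter
from datetime import date

# Constructed IdP export: usernames of currently active employees.
ACTIVE_EMPLOYEES = {"ana", "ben", "chloe"}
# Constructed per-system seat exports: (system, user, last_login).
SAAS_SEATS = [
    ("slack", "ana", date(2024, 2, 10)),
    ("slack", "dan", date(2023, 10, 3)),    # left in October: ghost account
    ("github", "ben", date(2023, 10, 20)),  # active employee, unused seat
    ("github", "chloe", date(2024, 2, 12)),
]
# Constructed license entitlements per system (seats paid for).
ENTITLEMENTS = {"slack": 2, "github": 1}
# Constructed hardware register: (serial, asset_tag, assigned_owner).
HARDWARE = [
    ("SN-001", "LT-0001", "ana"),
    ("SN-002", None, "ben"),        # issued without an asset tag
    ("SN-003", "LT-0003", "dan"),   # still assigned to a leaver
    ("SN-004", "LT-0004", None),    # no owner on record
]

def ghost_accounts(seats, active):
    """Seats whose user is not in the IdP active list (gap 1)."""
    return sorted((s, u) for s, u, _ in seats if u not in active)

def dormant_seats(seats, active, today, days=90):
    """Seats of active employees with no login for more than `days` days."""
    return sorted((s, u) for s, u, last in seats
                  if u in active and (today - last).days > days)

def license_overage(seats, entitlements):
    """Systems consuming more seats than were paid for (gap 3)."""
    used = Counter(s for s, _, _ in seats)
    return {s: n - entitlements.get(s, 0)
            for s, n in used.items() if n > entitlements.get(s, 0)}

def hardware_findings(register, active):
    """Untagged, unowned or leaver-assigned devices (gap 2)."""
    out = []
    for serial, tag, owner in register:
        if tag is None:
            out.append((serial, "no asset tag"))
        if owner is None:
            out.append((serial, "no owner"))
        elif owner not in active:
            out.append((serial, f"assigned to inactive user {owner}"))
    return out
```

Each function returns a list or dict that can be dropped straight into the evidence pack; keeping the run date explicit (rather than calling `date.today()`) makes the export reproducible when the auditor asks to see it again.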
Week 2 — access
- Generate the access matrix: user × system × role. Export from each system, consolidate in one place.
- Verify segregation of duties for finance-relevant systems (no one approves their own expenses; no one is both admin and reviewer).
- MFA enforcement check. Every privileged account has MFA. No exceptions.
Week 3 — contracts & licenses
- Every active contract uploaded to the central repository, with renewal date, notice period, owner, and value.
- License consumption vs. entitlement reconciliation for the top 10 vendors by spend.
- Procurement policy reviewed and signed off — software cannot be installed without a tracked license.
Week 4 — evidence pack
- Joiner/leaver evidence sample for the audit period.
- Hardware disposal certificates for any device retired during the period.
- Change log export for assets, access, and configurations.
- Vendor due-diligence file for any subprocessor handling regulated data.
Auditor body language
If the auditor asks "can you walk me through how a leaver loses their access?" and you say "the helpdesk does it, I think" — you've already failed that control. The right answer is "the IdP triggers an automated workflow, here's the log of the last twelve."
How an ITAM platform helps
Most of the work above lives in spreadsheets and shared drives by default, and that's exactly where audit prep falls apart. A modern IT asset management platform like InventorIA bakes in:
- Identity-driven joiner/leaver flows that produce evidence automatically.
- License utilisation vs. entitlement on every paid SaaS.
- Contract repository with parsed renewal terms.
- Change log on every asset, license, contract.
- One-click auditor export (CSVs, evidence pack, time-stamped).
Companies that run this continuously — instead of scrambling pre-audit — usually shorten audit cycles by a third and stop the panic-week tradition entirely.
Audit-ready inventory in days, not weeks
InventorIA produces evidence packs auditors actually accept. Free for your first 10 users.