Hardware Inventory Checklist

List the categories you are auditing this cycle: servers (physical and VM), workstations, laptops, network gear (switches, APs, firewalls), printers, mobile devices, and peripherals over a value threshold. Note categories explicitly excluded so the audit boundary is defensible at the next SOC 2 or ITGC review.

Validate the CMDB / IT Glue / Hudu schema captures serial number, MAC, manufacturer, model, asset tag, purchase date, warranty expiration, location, assigned user, and lifecycle status. Missing fields surfaced now save rework during reconciliation.

Export last quarter's reconciled inventory from the CMDB as the baseline. Differences against this quarter's discovery are the work product of the audit.

Pull the device list from NinjaOne, Datto RMM, ConnectWise Automate, or your equivalent. Filter for agents that have checked in within the last 30 days; older check-ins flag as exceptions for follow-up.

MDM coverage gaps (devices in RMM but not Intune/JAMF, or vice versa) reveal missing compliance posture. Export both and reconcile the delta.

Use Auvik, Lansweeper, or a Nessus discovery scan against each VLAN to surface unmanaged devices — rogue APs, personal printers, BYOD laptops on the corp VLAN. Anything responding on the network that's not in RMM is an exception.

Export VMs with host, datastore, power state, and last-modified date. Powered-off VMs untouched for 90+ days are candidates for decommissioning and license recovery.

Confirm every U is accounted for: server, switch, PDU, blanking panel. Photograph the front and back of each rack so the cabling state is captured alongside the inventory.

Scan the asset tag and confirm it matches the CMDB record. Devices with missing or illegible tags get re-tagged before the auditor leaves the site — re-tagging from memory days later is how records drift.

Spare laptops, loaner devices, and replacement drives often live off the books. Capture quantities by model and serial range, including devices imaged but not yet deployed.

Pull POs from finance and lease schedules from the leasing vendor (Dell Financial, HPE GreenLake, etc.). Anything purchased or leased but not in the discovered inventory is missing; anything discovered but not in finance records is unauthorized procurement.

Cross-reference manufacturer EOL announcements (Cisco, HPE, Dell) and check warranty expiration. Out-of-warranty production gear is a budget conversation; EOL gear running unsupported firmware is a security finding.

Summarize the count of missing devices, unauthorized devices, and tag/data corrections needed. The answer here drives whether an investigation step fires.

Update IT Glue, Hudu, ServiceNow, or your CMDB with new devices, retired devices, location moves, and ownership changes. Bulk-import via CSV where the volume justifies it; keep the import file as the audit trail.

Mark devices as pending-disposal and route to the ITAD vendor (e.g., Iron Mountain, SADA, local R2-certified recycler). Capture certificate of destruction for any device that held regulated data — required for HIPAA, PCI, and most SOC 2 audit packages.