Hardware Inventory Checklist
Scope and Preparation
List the categories you are auditing this cycle: servers (physical and VM), workstations, laptops, network gear (switches, APs, firewalls), printers, mobile devices, and peripherals over a value threshold. Note categories explicitly excluded so the audit boundary is defensible at the next SOC 2 or ITGC review.
Validate that the CMDB / IT Glue / Hudu schema captures serial number, MAC, manufacturer, model, asset tag, purchase date, warranty expiration, location, assigned user, and lifecycle status. Missing fields surfaced now save rework during reconciliation.
Export last quarter's reconciled inventory from the CMDB as the baseline. Differences against this quarter's discovery are the work product of the audit.
Include HQ, branch offices, colo / data center cages, work-from-home laptops, and the spare-parts closet. Remote and decommissioned-but-not-disposed gear is the most common source of audit discrepancies.
Automated Discovery
Pull the device list from NinjaOne, Datto RMM, ConnectWise Automate, or your equivalent. Filter for agents that have checked in within the last 30 days; flag older check-ins as exceptions for follow-up.
MDM coverage gaps (devices in RMM but not Intune/JAMF, or vice versa) reveal missing compliance posture. Export both and reconcile the delta.
Use Auvik, Lansweeper, or a Nessus discovery scan against each VLAN to surface unmanaged devices — rogue APs, personal printers, BYOD laptops on the corp VLAN. Anything responding on the network that's not in RMM is an exception.
Export VMs with host, datastore, power state, and last-modified date. Powered-off VMs untouched for 90+ days are candidates for decommissioning and license recovery.
Merge RMM, MDM, network scan, and hypervisor exports keyed on serial number or MAC. The merged list is the candidate inventory; deltas against the prior baseline drive the physical audit.
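The merge and the discovery exception rules above can be scripted. The following is an added example, not part of the original checklist: the source names (rmm, mdm, netscan), the field names (serial, mac, last_checkin) and the sample rows are assumptions constructed for illustration, and a hypervisor export would be merged the same way as another source.

```python
from datetime import date, timedelta

def norm_mac(mac):
    """Reduce aa-bb-.., AABB.CCDD.EEFF etc. to aa:bb:cc:dd:ee:ff; None if invalid."""
    h = "".join(c for c in (mac or "").lower() if c in "0123456789abcdef")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2)) if len(h) == 12 else None

def merge(sources):
    """sources: {name: [row dicts]} -> assets linked by a shared serial OR MAC."""
    assets, index = [], {}
    for name, rows in sources.items():
        for row in rows:
            serial = (row.get("serial") or "").strip().upper()
            keys = [k for k in (("serial", serial), ("mac", norm_mac(row.get("mac")))) if k[1]]
            hits = list({id(index[k]): index[k] for k in keys if k in index}.values())
            asset = {"keys": set(keys), "sources": {name}, "checkin": row.get("last_checkin") or ""}
            for other in hits:  # fold in every existing record that shares a key
                asset["keys"] |= other["keys"]
                asset["sources"] |= other["sources"]
                asset["checkin"] = max(asset["checkin"], other["checkin"])
            assets[:] = [a for a in assets if not any(a is h for h in hits)] + [asset]
            for k in asset["keys"]:
                index[k] = asset
    return assets

def exceptions(assets, today, stale_days=30):
    """Apply the checklist's discovery rules -> sorted [(identifiers, finding)]."""
    cutoff = (today - timedelta(days=stale_days)).isoformat()
    out = []
    for a in assets:
        ident, s = tuple(sorted(v for _, v in a["keys"])), a["sources"]
        if not ident:
            out.append((ident, "no serial or MAC; cannot be reconciled"))
        elif "netscan" in s and "rmm" not in s:
            out.append((ident, "on network but not in RMM"))
        if ("rmm" in s) != ("mdm" in s):
            out.append((ident, "RMM/MDM coverage gap"))
        if "rmm" in s and a["checkin"] < cutoff:  # a missing check-in counts as stale
            out.append((ident, "RMM check-in older than %d days" % stale_days))
    return sorted(out)

# Constructed sample exports; the field names are assumptions, not a vendor schema.
TODAY = date(2024, 6, 1)  # constructed audit date
SAMPLE = {
    "rmm": [{"serial": "abc123", "mac": "00-11-22-33-44-55", "last_checkin": "2024-05-28"},
            {"serial": "DEF456", "mac": "00:11:22:33:44:66", "last_checkin": "2024-03-01"}],
    "mdm": [{"serial": "ABC123"}, {"serial": "GHI789"}],
    "netscan": [{"mac": "0011.2233.4455"}, {"mac": "00:11:22:33:44:66"}, {"mac": "de:ad:be:ef:00:01"}],
}
```

Placeholder serials such as "To Be Filled By O.E.M." and randomized Wi-Fi MACs will link or split records incorrectly, so filter them out before merging.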
Physical Audit
Confirm every U is accounted for: server, switch, PDU, blanking panel. Photograph the front and back of each rack so the cabling state is captured alongside the inventory.
Scan the asset tag and confirm it matches the CMDB record. Devices with missing or illegible tags get re-tagged before the auditor leaves the site — re-tagging from memory days later is how records drift.
Spare laptops, loaner devices, and replacement drives often live off the books. Capture quantities by model and serial range, including devices imaged but not yet deployed.
For laptops that haven't checked in to RMM in the last 30 days, send the assigned user a self-attestation form. Devices with no agent check-in and no user response are escalated for retrieval.
Reconciliation and Exceptions
Pull POs from finance and lease schedules from the leasing vendor (Dell Financial, HPE GreenLake, etc.). Anything purchased or leased but not in the discovered inventory is missing; anything discovered but not in finance records is unauthorized procurement.
Cross-reference manufacturer EOL announcements (Cisco, HPE, Dell) and check warranty expiration. Out-of-warranty production gear is a budget conversation; EOL gear running unsupported firmware is a security finding.
Summarize the count of missing devices, unauthorized devices, and tag/data corrections needed. The answer here drives whether an investigation step fires.
Open a ticket per exception. For missing devices, check offboarding records and shipping logs; for unauthorized devices, contact the connecting user and the requesting manager. Persistently unaccounted-for assets are escalated to the security team as a potential incident.
CMDB Update and Sign-Off
Update IT Glue, Hudu, ServiceNow, or your CMDB with new devices, retired devices, location moves, and ownership changes. Bulk-import via CSV where the volume justifies it; keep the import file as the audit trail.
Mark devices as pending-disposal and route them to the ITAD vendor (e.g., Iron Mountain, SADA, local R2-certified recycler). Capture a certificate of destruction for any device that held regulated data; this is required for HIPAA, PCI, and most SOC 2 audit packages.
Deliver the report to the IT Manager and (for MSPs) the client vCIO as part of the QBR package. Sign-off closes the audit and resets the baseline for next quarter.
