
IT Asset Inventory & Audit Services

Wall-to-wall physical verification of your IT estate — every device counted, tagged and reconciled to your CMDB, ITAM tool and fixed asset register, with software, cloud and the evidence your auditors can test.

No class of asset drifts faster than IT. Laptops are issued, swapped and never returned; monitors migrate between floors; servers are decommissioned but live on in the CMDB; leavers’ kit sits in drawers and home offices; software is installed without a licence and SaaS subscriptions multiply on expense cards. Meanwhile every framework your organisation answers to — ISO 27001, Cyber Essentials, UK GDPR, SOC 2, FRS 102 — starts from the same question: do you actually know what you have, and can you prove it?

CPCON delivers independent IT asset inventory and audit across the UK. Our field teams physically verify every device in scope — end-user computing, peripherals, network and server hardware, audio-visual and mobile — capture serial-level data, tag anything untagged, record the software and licence position, and reconcile the findings against your CMDB, ITAM tool and fixed asset register line by line. With 30 years and more than 4,500 projects behind the methodology, the output is built to be sampled: by your security assessor, your financial auditor and your insurer.

One point of principle: CPCON is not a certification body and we do not issue audit opinions — that independence is the point. We produce the inventory evidence your auditors and assessors require, and it stands up because someone independent physically counted it.

Three records of your IT estate — three different answers

Most organisations hold at least three versions of the truth about their IT estate, and in our experience they rarely agree:

The physical estate

What is actually on desks, in comms rooms, in store cupboards and at home with hybrid workers. Only a floor-walk count sees the drawer laptop, the spare stock and the kit that left with a leaver.

The logical estate

What discovery, MDM and RMM tooling can see: devices that are powered, connected and enrolled. Offline, unenrolled and stored equipment is invisible; re-imaged machines double-count.

The recorded estate

What the CMDB, the ITAM tool and the fixed asset register say you own. Every undocumented move, swap, disposal and leaver pushes the records further from reality.

An IT asset audit is the disciplined reconciliation of the three. The physical count is the anchor — because it is the only one of the three that cannot be wrong about whether a device exists. The logical view tells you what is talking to the network; the recorded view tells you what finance and service management believe; only the floor-walk settles the argument about reality. Our guide to why your CMDB lies without a physical audit takes each source apart and shows what it systematically misses.

Hardware, software and cloud — what counts as an IT asset

"IT asset" is broader than the laptop on the desk. A defensible inventory spans the physical hardware you can verify by walking the floor, the software installed on it, and the cloud and SaaS estate that exists only as subscriptions and tenancies. Each class behaves differently and fails differently:

| Asset class | Examples | Why it drifts |
|---|---|---|
| End-user computing | Laptops, desktops, tablets, thin clients, docking stations | Mobile, frequently swapped, often unreturned — the highest-churn class |
| Mobile & comms | Corporate phones, MiFi, headsets, conferencing endpoints | Issued informally, easily lost, often outside MDM |
| Peripherals & AV | Monitors, printers, scanners, meeting-room AV, signage | Migrate between floors and rooms with no paperwork |
| Network | Switches, routers, firewalls, access points, cabling cabinets | Comms-room kit auditors physically point at first |
| Server & storage | Physical servers, SAN/NAS, backup appliances, UPS | Decommissioned but left in the CMDB; depreciate as ghosts |
| Software | Operating systems, applications, development and security tooling | Reconciled to licence entitlements — over- and under-licensing |
| Cloud & SaaS | IaaS/PaaS tenants, SaaS subscriptions, cloud storage | Captured via tenancy and finance records; where shadow IT hides |

The division matters because it dictates method. Hardware is verified physically — you can hold it, scan it, photograph it. Software is verified by reconciling what is installed against what is entitled. Cloud and SaaS cannot be floor-walked at all; they are reconstructed from tenancy administration, identity provider records and finance data. A credible IT asset inventory uses the right method for each layer rather than pretending discovery covers them all.

Discovery vs physical: what agents structurally cannot see

The most common reason organisations skip a physical count is the belief that discovery tooling already provides one. It does not, and the gap is structural rather than a matter of configuration. Discovery, MDM and RMM agents enumerate devices that are powered, connected and enrolled at scan time. Everything outside that condition is, by construction, invisible:

Powered-off & stored kit

Spares in cupboards, awaiting-disposal stock, seasonal or DR equipment — invisible until switched on.

Unenrolled & unmanaged devices

Anything without the agent: shadow IT, contractor laptops, unmanaged IoT and OT, BYOD outside MDM.

Remote & offline devices

Home-based kit that has not checked in, devices off the VPN, equipment in transit between sites.

Re-imaged / renamed machines

Rebuilt devices re-enrol under new identifiers and double-count — discovery sees two, the bench holds one.

Disposed-but-not-derecognised

For scrapped or recycled kit, absence is ambiguous: discovery cannot tell "gone" from "off".

Non-agent assets

Network appliances, printers and AV that no software agent covers, plus all non-digital records in scope.

None of this makes discovery useless — it is an excellent signal for the managed, online estate, and it is part of our reconciliation inputs. But a signal is not a census. Treating a discovery extract as a complete inventory means accepting blind spots in exactly the places that carry risk: the unmanaged device touching corporate data, the data-bearing server that was scrapped without a certificate, the leaver laptop nobody chased. The physical count starts from the opposite question — not "what answered the network?" but "what is in this room?" — and that is what closes the gap.

Shadow IT and BYOD: the estate outside the tools

Two categories sit deliberately beyond agent-based tooling, and they are where uncontrolled risk concentrates. Shadow IT is everything procured or stood up outside the approved process: locally bought laptops and peripherals, project hardware that never entered intake, departmental SaaS sign-ups on a corporate card, unmanaged cloud storage. None of it appears in the CMDB, much of it holds business or personal data, and none of it is patched or monitored on purpose. It surfaces in two places — the physical count (for hardware) and the reconciliation of expenses, subscriptions and identity records against the approved estate (for software and cloud).

BYOD — personal devices accessing corporate data — cannot be floor-walked and should not be treated as if it can. The right approach is policy plus attestation: reconcile MDM enrolment and conditional-access records against the people who actually reach corporate systems, so the inventory records which personal devices are managed and in scope, and which are unmanaged exposures the organisation has accepted, knowingly or otherwise. For ISO 27001 and Cyber Essentials alike, the point is not to ban BYOD but to know it exists and bring it into the scope decision rather than discover it during an incident.

The IT asset lifecycle — where records and reality diverge

IT estates drift because the lifecycle has more events than the records capture. Every stage is a point at which the inventory can fall out of step with the floor:

  • Procurement & intake. Centrally bought kit is usually recorded; locally bought or project-delivered kit often is not, entering use without ever touching the asset register.
  • Deployment & assignment. Devices are issued, and the owner/custodian field is populated — or it is not, or it is populated once and never updated when the device changes hands.
  • In-life moves & swaps. Monitors migrate, spare parts are cannibalised, machines are re-imaged and re-enrol under new names. Each event the paperwork misses widens the gap.
  • Refresh. A hardware refresh introduces new assets and retires old ones at scale; if disposals are not recorded cleanly, the register carries both the new kit and the ghosts of the old.
  • Leavers & returns. Return-of-assets is where security, HR and IT have to agree. A leaver whose laptop is still "assigned" months later is both a control failure and, if it held data, a live exposure.
  • Disposal & derecognition. Data-bearing kit needs a destruction certificate; the register needs derecognition; tax needs the disposal date and proceeds. Miss any of these and the records and reality part company permanently.

A one-off count fixes the position; wiring the inventory into these lifecycle events is what keeps it fixed. Where volumes justify it, cycle counting of high-churn classes and RFID tracking turn the in-between maintenance from a project into a routine.

What the service includes

Wall-to-wall device verification

Room-by-room physical count of every device in scope — offices, comms rooms, stores, meeting rooms — with serial-level capture, condition, data-bearing flag and photographs.

Tagging during the count

Untagged devices are labelled on the spot — barcode, QR or RFID, with tamper-evident options for laptops — so every future count is a scan, not a search.

Three-way reconciliation

Serial-level matching of the physical count against discovery/MDM extracts and your CMDB, ITAM tool and fixed asset register — plus installed software against licence entitlements.

Exception & evidence pack

Ghost assets, unrecorded devices, unreturned leaver kit, shadow IT and undocumented disposals — plus an evidence pack structured the way assessors sample.

Cloud and SaaS: the estate with no floor to walk

Cloud changed where IT assets live but not the obligation to know you hold them. A modern estate runs across infrastructure and platform tenancies, dozens or hundreds of SaaS subscriptions, and cloud storage that holds production and personal data — none of it visible on a desk, and much of it provisioned outside the central IT process. The risk is the inverse of hardware: where physical kit tends to go missing from the records, cloud tends to accumulate in them without anyone noticing the cost, the data exposure or the duplication.

We reconstruct the cloud and SaaS estate from the sources that actually hold the truth: tenancy and subscription administration, the identity provider that grants access, and finance data — corporate cards, expenses and purchase ledgers where departmental sign-ups hide. Reconciling those three against the approved application list surfaces the unmanaged subscription, the orphaned licence still billing after a leaver left, the duplicate tools doing the same job in two departments, and the cloud account nobody owns. For ISO 27001 and UK GDPR alike, the point is the same as for hardware: an asset you have not recorded is one you are not governing, and cloud is where unrecorded assets are easiest to create and hardest to see.

The cloud picture also closes a loop the hardware count opens. A device retired from the floor often leaves behind an identity, a mailbox, a set of application entitlements and storage that outlive it. Tying the device inventory to the identity and subscription estate means a leaver or a decommissioned machine triggers the right deprovisioning rather than leaving a standing access path and a recurring bill.

Remote and hybrid working: the estate that left the building

Hybrid working permanently dispersed a large share of the device estate, and it is the part that drifts fastest because none of the usual control points apply. A home-based laptop is not walked past by an auditor, is not seen by a floor-walk count, and checks in to MDM only when it is on and connected. Leaver recovery, already the weakest link, gets harder when the device never has to come back through an office to be reclaimed.

The method that works combines three streams. Everything that passes through your offices and stores is verified on site in the ordinary count. Home-based kit is captured through a structured remote attestation — the custodian confirms the serial, photographs the device and asset tag, and states its status — which gives a verifiable record without a site visit. Both streams are then reconciled against MDM enrolment and current HR records, so an unreturned leaver device, a machine that has not checked in for months, or a custodian who no longer works for you surfaces as a named exception rather than a silent gap. The result is an inventory that is honest about the dispersed estate instead of quietly assuming everything is still on a desk.

What the reconciliation typically finds

Across IT estates that have not been physically verified in years, the same categories of finding recur. None of them is exotic; all of them cost money, carry risk, or both, and all of them are invisible to a tool that only sees the managed, online estate:

  • Ghost devices on the register. Hardware scrapped, lost or cannibalised but still recorded — inflating the asset base, attracting depreciation and, on data-bearing kit, hiding a disposal with no destruction certificate behind it.
  • Unrecorded live devices. Real, in-use kit the records never captured — locally bought, project-delivered or transferred in — each one an unmanaged endpoint for security and an uncapitalised asset for finance.
  • Unreturned leaver equipment. Devices still “assigned” to people who left weeks or months ago, breaching return-of-assets controls and leaving a live data exposure where the kit held personal or commercial information.
  • Duplicate identities. Re-imaged or rebuilt machines that re-enrolled under new names and now exist twice in discovery and the CMDB, distorting every count taken from those tools.
  • Licence mismatches both ways. Software installed beyond entitlement (a compliance and penalty exposure) and paid-for licences assigned to machines and people no longer using them (recoverable spend).
  • Shadow IT. Hardware, SaaS and cloud standing outside the approved estate — unpatched, unmonitored and often holding data nobody knows is there.
  • Stale locations and owners. The right device in the wrong place or the wrong hands, so that even a "matched" record would have sent a security or finance query to the wrong person.

Secure disposal, WEEE and the financial close-out

The end of an IT asset’s life is where three obligations converge and most often fall out of step. Data protection requires every data-bearing device to be wiped or destroyed with evidence — a certificate tied to the specific serial — before it leaves your control; a disposal with no destruction record is both a UK GDPR exposure and a standing ISO 27001 finding under the secure-disposal control. Environmental compliance brings electrical and electronic equipment within the WEEE regime, with its own duties on how kit is treated and recycled, typically through a licensed IT asset disposal partner. Finance needs the disposal recorded so the asset is derecognised from the register, depreciation stops, and — where capital allowances were claimed — the balancing charge is calculated from the right disposal date and proceeds.

The inventory is what keeps the three aligned. Marking every data-bearing asset, reconciling disposals against destruction certificates, and feeding the disposal record straight into the fixed asset register turns a fragmented, error-prone hand-off into one evidenced process. Your choice of WEEE-compliant ITAD partner is yours to make; our job is to ensure the records — security, environmental and financial — tell the same story about the same serial number.

How an IT asset audit runs

  1. Scope and data extracts. Sites, device categories and thresholds agreed; extracts taken from the CMDB, ITAM/SAM tooling, MDM and the fixed asset register; the capture template mapped to your field structures before anyone counts anything.
  2. Floor-walk verification. Trained field teams count room by room — desks, docking stations, comms rooms, storage — capturing serials digitally and tagging as they go. Remote-worker devices are verified through a structured attestation process reconciled to MDM and HR records.
  3. Reconciliation. Every record classified: matched, found-but-not-recorded, recorded-but-not-found (ghost), or right device in the wrong place or hands. Obvious mismatches — re-imaged machines, swapped peripherals — are resolved before being reported as real exceptions. Installed software is matched against entitlements both ways.
  4. Exception investigation. Leaver kit traced against HR records, disposals checked for data-destruction certificates, transfers between sites confirmed, shadow IT and unlicensed software flagged — producing a documented write-off and correction schedule.
  5. Reporting and handover. Posting-ready loads for the CMDB, ITAM tool and fixed asset register, owners assigned to every device, and a management report on the controls that let the estate drift in the first place.

Physical-to-CMDB reconciliation: the four buckets

The reconciliation is where a list becomes an audit. Matching the physical count at serial level against the CMDB, ITAM tool, discovery extracts and register sorts every line into one of four buckets, each with its own owner and action:

| Classification | What it means | Action |
|---|---|---|
| Matched | Counted and recorded, details agree | Update location/custodian, stamp last-verified date |
| Found, not recorded | Real device missing from the records | Add to CMDB/register; investigate why intake missed it |
| Recorded, not found | Ghost: on the record, not on the floor | Investigate, then retire from CMDB and write off from register |
| Right device, wrong data | Exists but wrong site, owner or duplicated | Correct at source so the next scan does not recreate the error |

The pay-off reaches well beyond tidy data. Software licence and support true-ups stop being calculated against machines that no longer exist; maintenance contracts stop auto-renewing on retired kit; insurance schedules reflect what is actually held; and security tooling coverage can finally be expressed as a percentage of a known denominator rather than a guess. That known denominator is precisely what an ISO 27001 inventory control and a Cyber Essentials scope declaration both stand on.
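
The four-bucket classification above, worked through as an added example (this is not CPCON's tooling or code from this page). The field names, the serial normalisation rule and the sample records are all constructed assumptions; the coverage figure at the end is the "known denominator" calculation the paragraph above describes.

```python
from collections import defaultdict

# Constructed sample extracts. Field names are assumptions, not a real CMDB schema.
PHYSICAL = [  # what the floor-walk count captured
    {"serial": "pf-3k2x9a", "site": "London", "custodian": "a.khan"},
    {"serial": "5CG1234XYZ", "site": "London", "custodian": "b.osei"},
    {"serial": "MXL9 8877Q", "site": "Leeds", "custodian": "c.diaz"},
    {"serial": "FDO2345ABCD", "site": "London", "custodian": "netops"},
]
CMDB = [  # what the records say is owned
    {"serial": "PF3K2X9A", "site": "London", "custodian": "a.khan"},
    {"serial": "5CG1234XYZ", "site": "Manchester", "custodian": "b.osei"},
    {"serial": "FDO2345ABCD", "site": "London", "custodian": "netops"},
    {"serial": "fdo2345abcd", "site": "London", "custodian": "netops"},  # re-enrolled twice
    {"serial": "R90ZZZ111", "site": "London", "custodian": "d.lee"},
]
DISCOVERY = [  # what agents saw: powered, connected and enrolled only
    {"serial": "PF3K2X9A", "hostname": "LT-001"},
    {"serial": "5CG1234XYZ", "hostname": "LT-002"},
]


def norm_serial(raw):
    """Normalise a serial for matching: upper-case, keep only letters and digits."""
    return "".join(ch for ch in raw.upper() if ch.isalnum())


def reconcile(physical, cmdb, discovery, compare=("site", "custodian")):
    """Sort every serial into one of the four buckets, anchored on the physical count."""
    counted = {norm_serial(r["serial"]): r for r in physical}
    recorded = defaultdict(list)  # one serial may carry several CMDB records
    for rec in cmdb:
        recorded[norm_serial(rec["serial"])].append(rec)
    seen_by_agents = {norm_serial(r["serial"]) for r in discovery}

    result = {
        "matched": [],
        "found_not_recorded": [],
        "recorded_not_found": [],
        "wrong_data": {},  # serial -> list of reasons
    }
    for serial in sorted(counted.keys() | recorded.keys()):
        on_floor = counted.get(serial)
        on_record = recorded.get(serial, [])
        if on_floor is None:
            result["recorded_not_found"].append(serial)   # ghost
        elif not on_record:
            result["found_not_recorded"].append(serial)   # intake missed it
        else:
            # Collapse duplicate records for one physical device into a single
            # exception instead of reporting a phantom second machine.
            reasons = ["duplicate"] if len(on_record) > 1 else []
            reasons += [f for f in compare
                        if any(rec[f] != on_floor[f] for rec in on_record)]
            if reasons:
                result["wrong_data"][serial] = reasons
            else:
                result["matched"].append(serial)

    # Agent coverage against a known denominator: verified devices, not CMDB rows.
    result["unseen_by_agents"] = sorted(counted.keys() - seen_by_agents)
    result["agent_coverage"] = (
        len(counted.keys() & seen_by_agents) / len(counted) if counted else 0.0
    )
    return result


if __name__ == "__main__":
    for key, value in reconcile(PHYSICAL, CMDB, DISCOVERY).items():
        print(f"{key}: {value}")
```
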

Software licensing and reconciliation

Software is the half of the IT estate that cannot be seen on a desk and the half most likely to cost money quietly. The inventory captures what is installed on each verified device and reconciles it against your entitlements in two directions. Under-licensing — software installed beyond what was purchased — is a compliance and financial exposure that surfaces during vendor audits, often with penalties attached. Over-licensing — paid-for licences and subscriptions assigned to people or machines that no longer use them — is pure recoverable spend, and it accumulates silently as leavers depart and projects end.

The reconciliation between installed software, active SaaS subscriptions and the underlying hardware count is what makes both visible. It is also what stops licence true-ups being calculated on a phantom machine population: you cannot rightsize a software estate you cannot count. Where a dedicated software asset management tool is in place, the physical hardware baseline gives it a trustworthy device denominator; where it is not, the reconciliation is the first time installed and entitled have been compared against verified reality.

Tagging and the right identification technology

An inventory is only as fast to maintain as its assets are to identify, which is why tagging during the count matters as much as the count itself. An untagged estate forces every future check to be a search — reading serials off the back of devices, cross-referencing spreadsheets, arguing about which laptop is which. A tagged estate turns the same check into a scan. The right technology depends on the asset class, the environment and how often you intend to re-count:

  • Barcode and QR labels. Inexpensive, durable and universal — the default for most IT estates. QR codes pack more data and can carry a link to the asset record; both are read one at a time with a scanner or phone, which is fine for periodic counts.
  • Tamper-evident labels. For laptops and other portable, data-bearing kit, a label that visibly voids if removed deters quiet swaps and supports the security controls auditors care about — you can show the tag has not been moved between devices.
  • RFID tags. Where volumes are high or counts need to be frequent, RFID lets a reader capture a whole room of tagged assets in seconds without line of sight — the technology that makes continuous or quarterly cycle counts economic rather than a project.

Capture quality is the other half. A count is only useful if the data it produces loads into your systems without rework, which is why we map the capture template to your CMDB, ITAM tool and fixed asset register field structures before anyone walks the floor — agreeing the controlled vocabularies (categories, conditions, statuses), the location hierarchy and the mandatory fields up front. Serials and tags are captured digitally at the point of inspection, validated against format rules to catch transcription errors, and photographed where useful. The output is a clean, mapped dataset, not a spreadsheet that needs a second project to make usable. Our dedicated asset tagging page covers the labelling options in more depth.

Built for the frameworks your business answers to

The same verified inventory does compliance work in several directions at once:

  • ISO/IEC 27001:2022 — Annex A 5.9. If your organisation holds or is pursuing certification, control A 5.9 requires an inventory of information and other associated assets, including owners, to be developed and maintained. Certification auditors routinely sample it both ways — device on the floor to inventory, inventory line to device. Our guide to the asset inventory ISO 27001 auditors expect covers what they test.
  • Cyber Essentials and Cyber Essentials Plus. Your scope declaration depends on knowing the device population — end-user devices declared with make and operating system, and unsupported operating systems found in scope are a fail. Cyber Essentials Plus then tests a sample of real devices. You cannot declare honestly what you have never counted.
  • UK GDPR — Article 30 records and breach response. Records of processing assume you know which systems and devices hold personal data; a 72-hour breach assessment is impossible for a lost laptop you did not know existed. A device-level inventory with custodians and a data-bearing flag is the practical foundation for both.
  • SOC 2 — for those selling globally. If you sell to US or multinational enterprise customers, their procurement teams will ask for a SOC 2 report, and the examination expects maintained inventories of system components as part of your control environment — sustained over the whole reporting period for Type II, not rebuilt the week before.
  • FRS 102 and Companies Act 2006 s.386. IT hardware is property, plant and equipment: the same count feeds the fixed asset register, clears ghost assets from depreciation, and puts asset-level evidence behind capital allowances on your next IT refresh.

Sector focus: financial services and regulated estates

Some sectors carry expectations on top of certification. In financial services, operational-resilience and outsourcing requirements push firms to evidence control over the technology behind important business services — which presupposes a reliable inventory of that technology and where it sits. Our financial services page sets out how independent verification supports that picture. The same applies in any environment where a regulator, insurer or major customer can ask you to prove, not assert, the estate behind your controls.

Why independent physical verification, not another tool

The market is full of software that promises a single source of truth for IT assets, and that software has a place. What it cannot do is observe the physical world: discovery sees the logical estate, the CMDB and register hold the recorded estate, and both share the same blind spots because both are built from what people and processes tell them. The missing layer is independent confirmation of the physical estate — and that is what CPCON provides. We are not a discovery reseller and we do not issue audit opinions; we count what is actually there, tag it, and reconcile the physical, logical and recorded views into one defensible position.

That independence is the value. An inventory your own team asserts is an assertion; one an external team has physically verified is evidence — which is exactly what your security assessor, financial auditor and insurer are looking for. Behind the UK service sits a methodology proven over 30 years and more than 4,500 verification and inventory projects, delivered by experienced field teams rather than a franchised count crew. If the IT estate is part of a wider problem — plant, furniture, fixtures, whole sites — the same engagement extends naturally into full fixed asset verification, and RFID tracking can make the counting continuous. For why discovery tooling alone never gets you there, see why your CMDB lies without a physical audit.

Frequently asked questions

What is the difference between an IT asset inventory, a CMDB and a fixed asset register?

An IT asset inventory is the device-level record of the hardware (and the software on it) that your organisation actually holds — serials, locations, custodians, state. A CMDB records configuration items and their relationships to support IT service management. A fixed asset register is the accounting record behind the balance sheet. They answer different questions, but they describe the same physical estate — so a physical inventory is the baseline all three should reconcile to.

We already run discovery and MDM tooling — why do we need a physical count?

Discovery, MDM and RMM agents only see devices that are powered, connected and enrolled. They are blind to the laptop in a drawer, the spare stock in the comms room, the screen that walked to another floor, the server that was scrapped but never derecognised, and any kit a leaver kept. They also cannot see what is not agent-managed — shadow IT, personal BYOD devices touching corporate data, unmanaged IoT. A physical count finds what the network cannot see, and the reconciliation between the two is exactly what auditors sample.

Does the inventory cover software and cloud, or only hardware?

Both. Hardware is the part we verify physically, but the engagement captures the software installed on each device, the licence position behind it, and — through your tenancy and finance records rather than a floor-walk — the SaaS subscriptions and cloud accounts in use. Software and cloud are where overspend and shadow IT hide, so we reconcile installed software and active subscriptions against entitlements and flag the gaps both ways: unlicensed installs and paid-for licences nobody uses.

What do you capture for each device?

As standard: asset tag number, serial number, make and model, device category, location to room level, custodian or cost centre, condition and in-use/in-store/awaiting-disposal status, the data-bearing flag, and key installed software where relevant, with photographs where useful. We map the capture template to your CMDB, ITAM tool and fixed asset register fields before the count starts, so the output loads without rework.

Will the inventory satisfy an ISO 27001 or Cyber Essentials assessor?

Certification decisions always rest with your assessor or certification body — CPCON is independent and does not issue certificates or audit opinions. What we deliver is the evidence those assessments ask you to produce: a complete, current, owner-assigned inventory of devices (ISO/IEC 27001:2022 Annex A 5.9) and the device population with make and operating system that a Cyber Essentials scope declaration depends on, verified physically rather than asserted.

How do you deal with shadow IT and BYOD?

Both are deliberately out of reach of agent-based tooling, which is why they matter. Shadow IT — locally bought kit, unmanaged SaaS sign-ups, project hardware that never entered intake — surfaces in the physical count and in the reconciliation of expenses and subscriptions against the approved estate. BYOD is handled through policy and attestation rather than a floor-walk: we reconcile MDM and conditional-access records against the people who actually access corporate data, so the inventory records which personal devices are in scope and which are unmanaged exposures.

How do you deal with remote and hybrid workers’ devices?

Home-based kit is the part of the estate that drifts fastest. We combine on-site verification of everything that passes through your offices and stores with a structured remote attestation process — custodian confirmation of serial, photographs and status — and reconcile both against HR leaver records and MDM enrolment, flagging unreturned devices as exceptions with named owners.

What about data protection — UK GDPR Article 30?

A device-level inventory with custodians and a data-bearing flag is the practical foundation for the Article 30 records of processing, which assume you know which systems and devices hold personal data. It also makes the 72-hour breach assessment under Article 33 feasible: you cannot assess the impact of a lost laptop you did not know existed or could not confirm what it held. The reconciliation also flags data-bearing disposals with no destruction certificate behind them — a classic finding and a real GDPR risk.

What about secure disposal and the financial side of write-offs?

The inventory marks every data-bearing asset and the reconciliation flags disposals with no data-destruction certificate behind them. Disposal records also matter for tax and accounts: derecognition in the fixed asset register and, where first-year allowances were claimed, the balancing charge on disposal. WEEE-compliant disposal partners remain your choice; we make sure the records line up so finance, security and the asset register tell the same story.

Get an IT asset inventory proposal

Tell us your sites, approximate device numbers and which frameworks you answer to — we respond within one business day with a scoped proposal.
