What is the difference between ITAM and a CMDB?

IT asset management (ITAM) manages assets as property: what was bought, what it cost, where it is, who holds it, which contracts and licences attach to it, and when it should be refreshed or disposed of. A CMDB manages configuration items and their relationships so IT service management can assess change and incident impact. ITAM cares that laptop X exists and is assigned to a person; the CMDB cares what breaks if server Y fails. Both depend on the same underlying fact — what physically exists.

What is a configuration item (CI)?

A configuration item is any component that needs to be managed to deliver an IT service — hardware, software, a network device, a service, even documentation — recorded in the CMDB together with its attributes and, crucially, its relationships to other CIs. The relationships are the point: a CMDB exists to answer "what depends on this?" An asset in an ITAM tool can be a flat record; a CI only earns its place in a CMDB if it carries the dependencies that make impact and change analysis possible.

Our discovery tool scans the network daily. Is that not an audit?

No. Discovery confirms what is powered, connected and reachable at scan time — a valuable signal, but structurally incomplete. It cannot see spares in cupboards, kit awaiting disposal, unreturned leaver devices, equipment at home and offline, or anything on isolated networks. It also cannot tell you a device was scrapped: absence from a scan is ambiguous. Discovery populates a CMDB; it does not verify it. Only a physical stocktake turns "not seen" into "not there".

What is a CMDB audit and how does it differ from running discovery?

Discovery refreshes the CMDB from whatever answered the network this scan. A CMDB audit independently tests whether the CMDB is true — completeness (is everything that exists recorded?), accuracy (are the attributes right?), and integrity (are the relationships between CIs correct and current?). It compares the CMDB against an external source of truth, and the only external source that cannot be wrong about whether a device exists is a physical count. A CMDB audit therefore pairs data-quality analysis with a physical reconciliation.

What does a physical IT stocktake involve?

Field teams walk every location in scope — desks, comms rooms, stores, meeting rooms — capturing serial numbers, asset tags, locations and custodians for every device, tagging anything untagged. The count is then reconciled at serial level against the CMDB, the ITAM tool, discovery extracts and the fixed asset register, with every line classified as matched, found-but-not-recorded, recorded-but-not-found, or recorded with the wrong location or owner.

How do you measure CMDB data quality?

Against three dimensions. Completeness: the share of the real estate actually recorded, exposed by the physical count finding assets the CMDB never had. Accuracy: the share of recorded attributes — location, owner, status, serial — that match reality. Integrity: whether the CI relationships are correct, current and free of orphans and duplicates. A reconciliation turns each into a measured rate rather than an impression, and gives you a baseline to manage the CMDB to over time.

How often should the physical reconciliation run?

A full wall-to-wall stocktake every one to three years for IT estates — faster-moving than general plant, so more frequent than the 3-to-5-year norm for fixed assets — with rolling cycle counts of high-churn classes (laptops, mobiles, loan kit) in between. RFID tagging makes the cycle counts cheap enough to run quarterly or continuously.

Does cleaning up the CMDB really affect tax?

Yes, through the fixed asset register it should reconcile to. Capital allowances on IT expenditure — full expensing, the Annual Investment Allowance, and the new 40% first-year allowance from January 2026 — are claimed at asset level, and disposals of assets that had first-year relief trigger balancing charges that need dates and proceeds. A register full of ghost IT assets and unrecorded disposals makes the claim history unreliable in exactly the places an HMRC enquiry looks.

ITAM & CMDB: Why Your CMDB Lies Without a Physical Audit

A CMDB is a model of reality, and a model is only ever as good as its connection to the thing it describes. Most organisations have spent real money on a configuration management database and a discovery tool to feed it, and most of those CMDBs are quietly wrong — not because the tooling is bad, but because the one control that keeps every other corporate record honest, the periodic physical stocktake, was never applied to IT. This guide sets out the difference between ITAM and a CMDB, what a configuration item actually is, why discovery tooling structurally cannot give you an audit, how a CMDB audit and a physical reconciliation work, how to measure the data quality you end up with, where ITIL governance fits, and what fixing it is worth in licences, contracts, insurance and tax.

Three systems, one physical estate

Most organisations describe their IT estate in at least three systems, built by different teams for different jobs:

System	What it manages	The question it answers
ITAM / asset register	Assets as property: ownership, cost, location, custodian, contracts, lifecycle	Is this asset real, where is it, and what does it cost us?
CMDB	Configuration items and relationships for change, incident and impact analysis	What depends on this, and what breaks if it changes?
Fixed asset register	Accounting record: cost, depreciation, net book value, capital allowances trail	What is on the balance sheet and what can we claim?

All three are models of the same physical estate — and a model is only as good as its connection to reality. None of these systems observes the physical world directly: they record what processes and people tell them. When the telling stops, the model keeps asserting a world that no longer exists. That is not a tooling failure; it is the absence of a control that every other corporate record has — the periodic stocktake.

ITAM vs CMDB: two disciplines, one source of truth

The terms are used interchangeably and they should not be. IT asset management and configuration management answer different questions, are owned by different teams, and fail in different ways — but they draw on the same underlying fact, which is what physically exists. Understanding the split is what stops organisations trying to make one tool do the other’s job.

Dimension	ITAM	CMDB
Primary purpose	Manage assets as property over their lifecycle	Support change/incident/problem with CI dependencies
Unit of record	Asset (a thing you own/lease)	Configuration item (a thing a service depends on)
Key attributes	Cost, contract, licence, owner, warranty, disposal	Attributes plus relationships to other CIs
Lifecycle focus	Procure → deploy → maintain → retire → dispose	Build → operate → change → decommission
Owned by	IT asset / finance / procurement	Service management / configuration management
Common tooling	SAM/ITAM platforms, fixed asset systems	ITSM CMDB, often populated by discovery

ITAM is a financial and contractual discipline: it cares that a laptop was bought for a price, is assigned to a person, runs licensed software, and will be refreshed on a schedule. The CMDB is an operational one: it cares what services depend on a server and what fails if it changes. The overlap — the physical device itself — is where they meet, and where they both go wrong together when the device moves, is swapped or is scrapped without anyone updating the record. A physical baseline serves both because both are downstream of the same reality.

Configuration items and relationships — what a CMDB is for

A configuration item is any component that has to be managed to deliver a service: a server, a laptop, an application, a network device, a service, a piece of documentation. What turns a flat asset record into a CI is the relationships — this application runs on that server, which sits in this rack, which depends on that switch and this power feed. The relationships are the entire reason a CMDB exists: they are what let you answer "if we change this, what is affected?" and "this is broken — what is the blast radius?"

This is also why CMDB drift is more corrosive than a stale asset list. An asset register that is wrong about a laptop’s location costs you a search. A CMDB that is wrong about a dependency costs you a change that takes down a service nobody knew was connected, or an incident triaged against a topology that no longer exists. Relationships rot in ways discovery struggles to catch — a decommissioned server whose dependencies were never cleared leaves orphan CIs; a re-imaged machine duplicates itself and splits its relationships across two records. The integrity of the graph, not just the existence of the nodes, is what a real CMDB audit has to test.

How CMDBs drift from reality

The drift is not random; it follows predictable channels:

Leavers and loans

Devices issued, swapped or kept by leavers without the record catching up — the assignment field says one thing, the drawer says another.

Silent disposals

Kit scrapped, recycled or cannibalised for parts with no derecognition — it lives on in the CMDB and depreciates on the register.

Unrecorded arrivals

Locally purchased or project-delivered equipment that never entered the intake process — real, in use, and invisible.

Moves and re-stacks

Office moves, desk re-stacks and comms-room tidies done at pace; locations in the CMDB freeze at the last project that updated them.

Re-imaging and renaming

Rebuilt machines re-enrol with new identifiers and duplicate their former selves — discovery counts two, the bench holds one.

Store-room limbo

Spares, returns and awaiting-disposal stock sitting outside every automated tool’s line of sight, sometimes for years.

Each channel is small; compounded over a few years they are not. On general fixed asset estates that have gone unverified for years, our verification projects routinely surface ghost rates of 10–30% — and IT, the most mobile and most frequently refreshed asset class, sits at the sharp end of that range.

The cost of that drift is not abstract. A change assessed against a stale dependency map takes down a service nobody knew was connected. An incident is triaged against a topology that no longer exists, so the bridge call burns time chasing the wrong components. A software vendor true-up is calculated on a device population padded with ghosts and duplicates. An insurer prices cover on a sum insured inflated by assets that left years ago. And a security team reports patch coverage as a percentage of a denominator it cannot actually vouch for. Every one of these failures traces back to the same root: a model that drifted from reality because nothing independent ever re-grounded it.

Discovery sees the network, not the estate

The standard objection: “our discovery tooling scans everything daily.” Discovery, MDM and RMM agents are necessary — and structurally incomplete. They enumerate devices that are powered, connected and enrolled at scan time. By definition they cannot see the spare laptops in the cupboard, the switch awaiting disposal, the unreturned leaver device offline at someone’s home, or the equipment on an isolated or OT network. Nor can absence prove disposal: a device missing from this month’s scan might be off, in transit, re-imaged under a new name — or gone. Discovery data is a heartbeat, not a census.

There is a deeper category error in treating discovery as an audit. Discovery populates the CMDB; it cannot verify it, because it shares the CMDB’s blind spots. Asking the same tool that built the record to confirm the record is reasoning in a circle: anything the agent never saw is absent from both the CMDB and the "verification". An audit, by definition, needs an independent source of truth — and for the hardware layer the only source that cannot be wrong about whether a device exists is someone standing in the room looking at it.

The physical stocktake closes exactly that gap, because it starts from the other end: not “what answers on the network?” but “what is in this room?” Counted serials are facts that do not depend on power, agents or enrolment.

The discovery tooling landscape — what each type sees and misses

"Discovery" is not one thing, and the gaps differ by method. Most estates run several mechanisms in parallel, each with a different blind spot, and none of them covering the stored, offline or non-digital estate. Understanding the method explains the gap:

Method	What it sees well	What it cannot see
Agent-based (MDM/RMM)	Enrolled endpoints with rich detail when online	Anything without the agent: unmanaged, BYOD, off, stored
Agentless network scan	Devices answering on reachable subnets at scan time	Powered-off, isolated/OT networks, anything not responding
Cloud/API discovery	Resources inside connected cloud tenancies	Unconnected accounts, on-prem kit, physical hardware
SCCM / endpoint management	Managed Windows estate, software inventory	Non-Windows, unmanaged and offline devices

Layering these tools improves coverage of the managed, online estate but does not change the category of what they miss. Stacking three methods that all require a device to be powered and connected still leaves the cupboard, the disposal pile, the home office and the isolated network unseen — and still cannot distinguish a scrapped device from a switched-off one. A federated discovery strategy is good engineering; it is not a substitute for the one source of truth that does not depend on the device cooperating.

A CMDB audit: testing whether the model is true

Running discovery and auditing the CMDB are different activities. Discovery refreshes the database from whatever responded this scan; a CMDB audit independently tests whether the database is true. The audit asks three questions the tooling cannot answer about itself — is everything that exists recorded, are the recorded details right, and are the relationships between CIs correct — and it answers them by comparing the CMDB against an external source of truth. For hardware, that source is a physical count; for software and cloud, it is entitlement and tenancy records reconciled against the verified device population.

A CMDB audit therefore has two halves that only work together. The data-quality analysis profiles the CMDB itself — missing attributes, stale records, orphaned and duplicate CIs, relationships that point nowhere. The physical reconciliation grounds that analysis in reality, because a CMDB can be internally tidy and still wrong about the world. Together they convert "we think our CMDB is roughly right" into measured completeness, accuracy and integrity rates with named exceptions attached.

Measuring CMDB data quality

"Improve the CMDB" is unmanageable as an objective until it is measured. A reconciliation lets you express data quality as rates against defined dimensions, which gives you both a baseline and a target to manage to:

Dimension	The question	How the reconciliation measures it
Completeness	Is everything that exists recorded?	Physical count finds assets the CMDB never held — the "found, not recorded" rate
Accuracy	Are the recorded attributes correct?	Location, owner, status and serial checked against the floor
Integrity	Are the CI relationships right and current?	Orphan CIs, broken dependencies and duplicates from re-imaging
Timeliness	How fresh is each record?	Last-verified and last-discovered dates against the reconciliation

Measured this way, data quality stops being an opinion and becomes a managed metric. You can set a target completeness for the device estate, track accuracy of the owner and location fields over successive cycle counts, and report integrity as the count of orphan and duplicate CIs trending down. That is the difference between a CMDB that is audited and one that is merely populated — and it is what lets service management trust the dependency data when a change is on the line.

What a physical IT stocktake involves

The stocktake is the source of truth the audit hangs on. Trained field teams walk every location in scope — desks, docking stations, comms rooms, stores, meeting rooms — capturing serial numbers, asset tags, make and model, location to room level and custodian for every device, and tagging anything untagged so future counts are a scan rather than a search. Remote and home-based devices, which discovery and a floor-walk both struggle with, are captured through a structured attestation process reconciled to MDM enrolment and HR records.

The discipline matters as much as the coverage. A count that double- records a re-imaged machine, or misses a comms room, produces exceptions that are noise rather than signal. CPCON’s method — built over 30 years and 4,500+ projects — resolves the predictable confusions (swapped peripherals, rebuilt machines, kit in transit) before they are reported, so the exception schedule the audit produces is real findings the business can act on, not artefacts of a sloppy count.

The reconciliation: where the value is

A physical IT stocktake on its own produces a list; the value is in the reconciliation. Matching the count at serial level against the CMDB, the ITAM tool, discovery extracts and the fixed asset register classifies every line into four buckets, each with its own action:

Matched. Confirmed, location and custodian updated, last-verified date stamped — the maintained inventory your auditors ask for.
Found, not recorded. Real devices entering the records for the first time: an unmanaged-endpoint risk closed for security, and unrecorded additions for finance.
Recorded, not found. Ghost records to investigate and then retire from the CMDB and write off from the register with a documented schedule.
Right device, wrong data. Wrong site, wrong owner, duplicate identity from re-imaging — corrected at source so the next scan does not recreate the error.

The pay-back is broader than data hygiene. Software licence true-ups stop counting machines that no longer exist; support and maintenance contracts stop renewing on retired kit; insurance schedules reflect what is actually there; security tooling coverage can finally be expressed as a percentage of a known denominator — the foundation that ISO 27001’s asset inventory control and a Cyber Essentials scope declaration both stand on. The same reconciliation feeds the device population behind a credible IT asset inventory, so security, service management and finance finally argue from one set of numbers.

The business case: what an accurate CMDB is worth

A reconciliation is easy to justify because the savings and avoided risk land in several budgets at once, and most of them are quantifiable from the exception schedule itself. The recurring sources of value:

Software and support true-ups. Licence and maintenance costs are often calculated per device or per install. A count that removes the ghosts and the duplicates shrinks the denominator the vendor invoices against, and stops support contracts auto-renewing on retired kit.
Avoided audit penalties. When a software vendor audits you, an accurate, reconciled estate is the difference between a defensible position and a penalty calculated on a phantom or over-installed population. Reconciling before the vendor does is the cheaper order of events.
Insurance accuracy. IT is frequently scheduled or valued for cover; a register full of ghosts overstates the sum insured and the premium, while unrecorded kit is uninsured. Reconciliation prices cover on what is actually held.
Faster, safer change and incident response. A CMDB with correct CIs and relationships shortens impact analysis and reduces change-related outages; a wrong one causes the very incidents the CMDB exists to prevent.
Security coverage as a real percentage. Endpoint protection, patching and monitoring coverage can only be reported honestly against a known device population. The reconciliation supplies that denominator, turning "we think we are at 98%" into a figure with an audited base.
Clean tax and accounting position. Through the fixed asset register, an accurate IT estate underpins correct depreciation, defensible capital allowances and properly evidenced disposals — the places an enquiry probes.

The exception schedule from a single reconciliation usually pays for the exercise several times over, before counting the harder-to-price benefits of resilience and avoided audit findings. That is why the physical baseline is best understood not as a cost of data hygiene but as a recurring return on a one-off count.

Where ITIL governance fits

None of this is a departure from good practice — it is good practice actually operated. ITIL frames the CMDB through service configuration management, whose stated purpose is to maintain accurate information about configuration items and their relationships and make it available where it is needed. ITIL is equally clear that the value of that information depends on its accuracy, and that configuration audit and verification — checking the recorded CMDB against the real environment — is part of the practice rather than an optional add-on.

The gap in most organisations is between the documented practice and the operated one. The configuration management policy says the CMDB will be verified; in reality verification means re-running discovery, which shares the CMDB’s blind spots. A physical reconciliation is how the verification step is genuinely performed for the hardware layer, and how data-quality KPIs — completeness, accuracy, integrity — get real numbers behind them. Governance also means owning the reconciliation on a calendar: a standing physical-to-CMDB-to-register check, dated and assigned, so the practice is sustained between audits rather than rediscovered in a crisis.

Why automation alone never closes the loop

CMDB vendors invest heavily in automation — normalisation that reconciles inconsistent model and manufacturer names, identification rules that decide when two records are the same CI, and reconciliation engines that merge data from multiple discovery sources. This is genuinely valuable: it stops the same laptop appearing three times under three spellings and keeps the authoritative source for each attribute clear. But every one of these mechanisms operates on data that is already in the system. Normalisation cannot normalise a device that was never discovered; identification rules cannot identify kit that never reported; reconciliation engines reconcile sources that all share the same blind spot.

Automation, in other words, raises the internal consistency of the CMDB without touching its external truth. A perfectly normalised, de-duplicated CMDB can still be confidently wrong about the world — missing every stored, offline and unmanaged asset, and asserting the continued existence of everything that was quietly scrapped. The only input that breaks the circle is an observation made outside the system, by someone counting what is physically there. That is the specific, irreplaceable role of the physical reconciliation: not to replace the automation, but to give it a true baseline to be measured against and corrected from.

Who needs the physical reconciliation most

Every estate drifts, but some conditions accelerate it and raise the cost of being wrong. The reconciliation pays back fastest where several of these are present:

Recent change at scale. A merger, acquisition, office move, large refresh or a shift to hybrid working injects thousands of undocumented events in a short window — exactly the conditions under which records and reality part company.
Years since the last physical count. Drift compounds. An estate that has only ever been "verified" by re-running discovery has never had its blind spots tested.
A looming vendor or certification audit. A software vendor true-up, an ISO 27001 stage audit or a Cyber Essentials assessment all sample the estate; reconciling first is cheaper than being found wrong.
High-value or data-heavy estates. Where devices carry significant book value, or hold personal and regulated data, the cost of a ghost or an unrecorded device — financial, regulatory, reputational — is high enough to justify certainty.
Regulated sectors. Where a supervisor can ask you to evidence control over your technology estate, an unverifiable CMDB is a compliance gap, not just an operational nuisance.

The capital allowances angle on your next IT refresh

There is a tax reason to reconcile before you refresh. IT hardware is main-rate plant and machinery, so a refresh programme runs through the capital allowances regime: full expensing gives companies 100% first-year relief on new kit, the Annual Investment Allowance covers up to £1 million including second-hand equipment, and from January 2026 a new 40% first-year allowance applies where the others do not — while the main-rate writing down allowance falls from 18% to 14% from April 2026, making first-year claims worth getting right. Claims are made, and defended, at asset level. The disposals matter just as much: assets that had full expensing trigger a balancing charge on disposal, which requires knowing the disposal happened, when, and for what proceeds — precisely the events an unreconciled CMDB and register lose track of. A physical stocktake ahead of the refresh hands finance a clean baseline: what exists, what is genuinely end-of-life, and a defensible write-off schedule for the ghosts.

Sector context: financial services and regulated estates

In some sectors a wrong CMDB is a regulatory problem, not just an operational one. Financial-services firms operate under operational-resilience and outsourcing expectations that require them to understand and evidence the technology behind important business services — impact tolerances and recovery planning both assume an accurate map of the configuration items those services depend on. A CMDB that is wrong about what exists or what depends on what undermines exactly that evidence. Our financial services page covers how independent verification supports resilience and audit. The principle generalises to any regulated or safety-critical estate where the dependency map has to be right.

From one-off clean-up to a managed control

A reconciliation delivers a clean baseline, but a baseline decays the moment the next undocumented move, swap or disposal happens. The organisations that stay accurate treat the physical reconciliation not as a project they did once but as a control they operate on a schedule — the same way finance treats the year-end stocktake. The shift is from "we cleaned the CMDB in 2024" to "we verify the estate on a defined cycle, measure the data quality each time, and manage the number." That is what makes every subsequent audit, certification and refresh start from evidence rather than from another archaeological dig through records nobody trusts.

Keeping it true after the clean-up

Tag during the count. Durable asset tags — with tamper-evident labels on laptops — make every later check a scan rather than a search.
Cycle counts on high-churn classes. Quarterly cycle counts of laptops, mobiles and loan kit; RFID where volumes justify reading a room in minutes.
Close the lifecycle loops. Joiner, leaver, move and disposal processes that update the records at the moment of the event — with data-destruction certificates filed against every disposed data-bearing device.
Reconcile on a calendar, not a crisis. A standing physical-to-CMDB-to-register reconciliation, owned and dated — so the next audit, certification or refresh starts from evidence instead of archaeology.

CPCON has spent 30 years and 4,500+ projects doing exactly this — independent counts, tagging and serial-level reconciliation across offices, plants, hospitals and campuses. We do not sell you the CMDB platform and we do not issue audit opinions on it; we provide the independent physical truth it has to be measured against. If your CMDB and your comms room are telling different stories, our IT asset inventory service is how they get back to one.