Free Asset Management Audit Checklist

What Is an Asset Management Audit?

An asset management audit is a structured review that verifies the existence, condition, ownership, valuation, and compliance of an organization's assets against its records and applicable standards. It answers three core questions: Are the assets we have recorded actually there? Are they correctly valued? Are they being managed in accordance with policy and regulation?

Importance

Regardless of asset type, a well-scoped audit pursues the same core objectives:

• Existence and completeness — confirm that recorded assets physically exist and that all assets in use are recorded (no ghost assets, no unrecorded assets)

• Accuracy and valuation — verify that asset values, depreciation schedules, and useful life estimates are correct and consistently applied

• Compliance — confirm adherence to relevant standards (ISO 55001, SOX , GAAP/IFRS, software licensing terms, ITIL/NIST)

• Operational performance — assess whether assets are being utilized effectively and maintained to standard

• Lifecycle controls — verify that acquisition, transfer, maintenance, and disposal procedures are followed and documented

Scope: Fixed Assets, IT Assets, and Enterprise Assets

The scope of an asset management audit depends on the type of assets being reviewed:

Asset Management Compliance and Standards

Asset management can cover a lot of industry standards and compliance regulations, some of which are:

• ISO 55001 — the international standard for asset management systems. Covers the full lifecycle: context, leadership, planning, support, operation, performance evaluation, and improvement. An ISO 55001 audit assesses whether the asset management system is designed and operating in accordance with these requirements.

• SOX (Section 302/404) — fixed assets are often a significant balance sheet item; controls over the fixed asset register, additions, disposals, and depreciation are key controls under ICFR. Ghost assets and unsupported depreciation are common SOX findings.

• GAAP/IFRS — govern recognition, measurement, depreciation, impairment, and disposal of fixed and intangible assets. Audit procedures test whether accounting policies are correctly applied and consistently followed.

• ITIL / NIST SP 800-53 — provide frameworks for IT asset management controls, particularly around CMDB accuracy, configuration management, and software license compliance.

• Software licensing standards — SAM ( Software Asset Management ) audits verify that license entitlements match deployment counts to avoid both under-licensing (compliance risk) and over-licensing (cost waste).

A Step-by-Step Guide to Performing an Asset Management Audit

Here’s a comprehensive guide on conducting a streamlined audit:

Phase 1: Planning and Scoping

1. Define scope — specify which asset categories, locations, systems, and business units are in scope. For large inventories, use a risk-based approach to prioritize high-value, high-risk, or high-movement asset populations.

2. Identify applicable standards — confirm which frameworks and accounting policies apply (ISO 55001, SOX, GAAP/IFRS, software licensing).

3. Gather source documentation — collect the asset register, general ledger (GL) extract, EAM/CMMS/CMDB reports, purchase orders, maintenance logs, depreciation schedules, and prior audit findings.

4. Assign the RACI — name the audit lead, asset register owner, IT asset manager, and physical verification team leads.

5. Set materiality and sampling approach — for large inventories, statistical or risk-based sampling is standard; document the rationale for sample size and selection method.

Phase 2: Asset Register and System Reconciliation

Before physical verification, confirm that the system of record is reliable:

• Reconcile the asset register to the GL — confirm that the total net book value per the fixed asset register agrees to the balance sheet. Investigate and resolve any reconciling items.

• Reconcile EAM/CMMS/CMDB to the asset register — for IT and operational assets, verify that the configuration management database or maintenance system aligns with the financial asset register. Discrepancies indicate either unrecorded assets or assets recorded in one system but not another.

• Validate data completeness — check that mandatory fields are populated: asset ID/tag, description, location, acquisition date, cost, depreciation method, useful life, assigned owner, and current status.

• Identify high-risk populations for follow-up — assets with zero net book value still in use (potential ghost asset or under-depreciation issue), fully depreciated assets still active, recent additions and disposals, and assets that have not been verified in over 12 months.

Phase 3: Physical Verification

Physical verification is the core fieldwork step for fixed and operational assets. Its purpose is to confirm that recorded assets exist, are in the location stated, are in the condition described, and are in active use.

Verification steps:

1. Organize by location — group the asset register by site, building, or department to make the physical walk-through efficient.

2. Tag and scan — use asset tags (barcode, QR code, or RFID) to match physical assets to register records. For untagged assets, assign a tag on the spot and record it.

3. Assess condition — note physical condition (Good / Fair / Poor / Unusable) and flag assets that appear damaged, idle, or obsolete.

4. Identify unregistered assets — record any physical asset found that does not appear in the register. These require investigation: they may represent unrecorded additions, improperly disposed assets, or assets transferred without documentation.

5. Record ghost assets — assets present in the register but not physically located. These need to be written off or investigated for theft, loss, or unauthorized disposal.

Sampling guidance for large inventories:

For populations over 500 items, full wall-to-wall verification is often impractical. Common approaches include: random statistical sampling (select a sample from the register and physically locate each item), floor-to-register sampling (start on the floor, identify assets, and trace back to the register to test completeness), or a hybrid of both. Document the approach and sample size with the rationale.

Phase 4: IT Asset Audit

For IT assets, physical verification is only part of the picture. The audit also covers software, licensing, and system-level controls.

IT asset checklist by category:

Common IT asset findings:

• Shadow IT — software or cloud services in use but not formally procured or tracked

• License sprawl — duplicate or unused SaaS subscriptions still billing

• Zombie hardware — devices in the CMDB marked as active but physically decommissioned

• Unmanaged devices — endpoints not enrolled in MDM or not appearing in discovery scans

Phase 5: Depreciation, Impairment, and Disposals Testing

For fixed and intangible assets, the audit must verify that accounting policies are correctly and consistently applied:

• Depreciation testing — confirm that the depreciation method (straight-line, declining balance) and useful life assigned to each asset class are consistent with policy and with GAAP/IFRS requirements. Recalculate depreciation for a sample of assets and compare to the recorded charge.

• Impairment review — confirm that assets showing indicators of impairment (damage, obsolescence, significant underutilization) have been reviewed and, where required, written down.

• Useful life review — assess whether the remaining useful lives assigned to aging asset classes are still realistic.

• Disposals — verify that disposed assets have been properly removed from the register, that disposal proceeds are correctly recorded, and that gains/losses on disposal are appropriately calculated.Evidence: Disposal authorization forms, sale/scrap records, GL journal entries

What to Include in an Asset Management Audit Checklist

Before fieldwork begins, define the audit scope across asset categories, locations, systems, and applicable standards.

• Asset Register and Data Quality - Confirm that the asset register is reconciled to the general ledger and that all mandatory fields are fully populated before physical verification begins. Flag high-risk populations — fully depreciated assets still in use, recent additions and disposals, and items not verified in the past 12 months — for prioritized follow-up.

• Physical Verification - Conduct wall-to-wall or sampled verification to confirm that each recorded asset physically exists, is in its stated location, and is in the condition described. Document ghost assets and unregistered assets separately, and update the register to reflect any location or condition discrepancies found during the walk-through.

• IT Asset Verification - Reconcile hardware inventory across the CMDB, discovery tool scan, and physical count, and match all software installations to licensed entitlements. Inventory SaaS and cloud subscriptions for unused licenses, verify MDM enrollment for all devices, and confirm that license keys and renewal dates are tracked securely.

• Depreciation and Valuation - Recalculate depreciation for a sample of assets and confirm the recorded charge matches policy, then review useful lives for major asset classes to verify they remain realistic. Identify any assets showing impairment indicators and confirm that write-downs have been recorded where required under GAAP/IFRS.

• Compliance and Controls - Verify that asset additions, transfers, and disposals were properly authorized, documented, and reflected in the register. Confirm insurance coverage for high-value asset classes and, for ISO 55001 audits, check that the asset management plan, objectives, and performance reviews are current.

• Audit Report and Remediation Tracking - Document each finding with a risk rating, root cause, and corrective action assigned to a named owner with a target remediation and retest date. Prepare an executive summary covering scope, overall register accuracy rate, key findings, and the top three recommendations for management.