IT Fleet Audit: The Complete 2026 Checklist

Arthur Larsonneur, 12 min read

An IT fleet audit is the process of reviewing every IT asset across your organization -- hardware, software, licenses, security -- to identify gaps between what is declared and what actually exists. In 2026, with NIS2 enforcement beginning across the EU and vendor audits surging, not auditing your fleet means waiting for the invoice.

Why audit your IT fleet in 2026

The era when an IT audit was a yearly compliance exercise is over. Three factors make an IT fleet audit urgent in 2026.

Vendor audits are surging. 62% of companies were audited by a major software vendor in 2024, up from 40% in 2023. Vendors are investing heavily in non-compliance detection, and the fines follow.

62% of companies audited by a major vendor in 2024
Source: LicenseFortress / Block 64 2024

Regulations are tightening. The NIS2 Directive, being transposed into French law via the "Loi Resilience" expected Q1 2026, explicitly requires asset management and security-related risk management under Article 21. Fines for essential entities can reach EUR 10 million or 2% of global revenue.

Shadow IT flies under the radar. 84% of applications and 74% of software spending sit outside IT's control. Without a structured audit, these blind spots become attack vectors: 67% of successful cyberattacks exploit unmanaged or unknown assets.

In short: auditing your fleet is no longer optional. It is a regulatory, financial and security prerequisite.

The hardware checklist: 8 items to verify

The hardware audit forms the foundation of every IT fleet audit. Every endpoint, server and peripheral must be inventoried and assessed.

  • Complete physical inventory -- Reconcile your asset database with physically present equipment. Every device must have a serial number, an assigned owner and a location.
  • Hardware health status -- Check battery health (cycles, remaining capacity), available disk space, RAM usage and CPU condition. A device whose battery capacity has dropped to 40% should be scheduled for replacement.
  • Age and warranty -- Identify devices outside manufacturer warranty. A laptop over 4 years old without warranty represents a measurable operational risk.
  • Configuration compliance -- Verify that every endpoint meets the defined configuration standard (OS version, minimum RAM, disk encryption active).
  • Peripherals and accessories -- Monitors, docks, keyboards, mice, headsets. Untracked peripherals often represent 10 to 15% of the hardware budget.
  • Network equipment -- Switches, firewalls, Wi-Fi access points, routers. NIS2 explicitly requires their inclusion in the asset inventory.
  • Mobile devices -- Corporate smartphones and tablets. Verify MDM (Mobile Device Management), OS versions and applied security policies.
  • Ghost devices -- Detect machines connected to the network but absent from your inventory. These are your security blind spots.

Synthesis: a hardware audit without physical reconciliation is a partial inventory. Systematically cross-reference agent data with on-site verification.
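The reconciliation described above can be sketched as follows. This is an added example, not code from the article or from sobrii; the CSV columns, the sample records and the list of observed MAC addresses are constructed assumptions standing in for an asset database export and a network discovery source.

```python
import csv
import io
import re

# Constructed sample data: an asset database export and MAC addresses
# observed on the network (for example from DHCP leases or switch tables).
INVENTORY_CSV = """serial,owner,location,mac
SN-1001,a.martin,Paris-3F,00:1A:2B:3C:4D:5E
SN-1002,,Lyon-1F,00-1a-2b-3c-4d-5f
SN-1003,c.durand,Paris-2F,001a.2b3c.4d60
,d.petit,Remote,00:1A:2B:3C:4D:61
"""
OBSERVED_MACS = ["00:1a:2b:3c:4d:5e", "001A2B3C4D5F", "00:1A:2B:3C:4D:99"]


def normalize_mac(raw):
    """Reduce colon, dash, dotted or bare notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def reconcile(inventory_csv, observed_macs):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    known = {normalize_mac(r["mac"]): r for r in rows}
    seen = {normalize_mac(m) for m in observed_macs}
    required = ("serial", "owner", "location")
    return {
        # On the network but absent from the inventory: ghost devices.
        "ghost": sorted(seen - set(known)),
        # In the inventory but not observed: check these on site.
        "not_seen": sorted(r["serial"] or m for m, r in known.items()
                           if m not in seen),
        # Records missing a serial number, an owner or a location.
        "incomplete": sorted(m for m, r in known.items()
                             if not all(r[f].strip() for f in required)),
    }


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY_CSV, OBSERVED_MACS).items():
        print(category, items)
```

Normalizing the MAC notation first matters because inventory exports and network tools rarely agree on a format, and a naive string comparison would report managed devices as ghosts.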

The software checklist: licenses, versions, compliance

The software audit is the most financially risky component. This is where vendors find compliance gaps and send invoices.

Installed software inventory

  • Map every installed application on every endpoint, server and virtual machine. Include exact version numbers.
  • Identify unauthorized software -- Any application outside the approved IT catalog is shadow IT. 41% of employees acquire technology without informing IT.
  • Detect functional duplicates -- How many of your teams simultaneously use Slack, Teams and Google Chat? Application redundancy is a major source of waste.

License compliance

  • License-to-installation reconciliation -- Compare the number of licenses owned against effective installations. A positive gap (more installations than licenses) is non-compliance that a vendor can penalize.
  • License types -- Verify the models: per-device, per-user, per-core, subscription. Each model has specific counting rules.
  • Unused SaaS licenses -- 53% of SaaS licenses go unused over a 30-day period. Identify them for reuse or cancellation.

53% of SaaS licenses unused over a 30-day period
Source: Zylo 2025 SaaS Management Index
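
A minimal sketch of the catalog check and the license-to-installation reconciliation listed above, showing why the license model changes the count. It is an added example, not the article's or sobrii's code; the application names, installation records and entitlement figures are constructed, and only the per-user and per-device models are implemented.

```python
from collections import defaultdict

# Constructed sample data. Installation records are (device, user, app);
# entitlements map an approved app to (license model, quantity owned).
INSTALLS = [
    ("LT-01", "alice", "DesignSuite"),
    ("LT-02", "alice", "DesignSuite"),  # same user, second device
    ("LT-03", "bob", "DesignSuite"),
    ("LT-01", "alice", "DBClient"),
    ("LT-02", "alice", "DBClient"),
    ("LT-03", "bob", "DBClient"),
    ("LT-03", "bob", "FileSyncX"),      # not in the approved catalog
]
ENTITLEMENTS = {
    "DesignSuite": ("per-user", 2),
    "DBClient": ("per-device", 2),
}


def reconcile_licenses(installs, entitlements):
    devices, users = defaultdict(set), defaultdict(set)
    for device, user, app in installs:
        devices[app].add(device)
        users[app].add(user)

    report = {"unauthorized": [], "gaps": {}}
    for app in sorted(devices):
        if app not in entitlements:
            # Installed but outside the approved catalog: shadow IT.
            report["unauthorized"].append(app)
            continue
        model, owned = entitlements[app]
        # The counting unit depends on the license model.
        if model == "per-user":
            consumed = len(users[app])
        elif model == "per-device":
            consumed = len(devices[app])
        else:
            raise ValueError(f"no counting rule for model {model!r}")
        # Positive gap: more installations than licenses owned.
        report["gaps"][app] = consumed - owned
    return report


if __name__ == "__main__":
    print(reconcile_licenses(INSTALLS, ENTITLEMENTS))
```

With identical installation footprints, the per-user product is compliant (two users, two licenses) while the per-device product shows a gap of one.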

Versions and updates

  • End-of-life software -- Every EOL application is an open security vulnerability. Windows 10 reached end of support in October 2025.
  • Outdated versions -- Even a still-supported application can be vulnerable if the deployed version is not current.

sobrii's Applications & SAM module automates license-to-installation reconciliation and detects unauthorized software in real time.

Synthesis: the software audit must cover three dimensions -- inventory, compliance and obsolescence. Ignoring any one of them exposes you to financial or security risks.

The security checklist: NIS2, GDPR, patch policy

The IT fleet security audit has become a regulatory obligation under NIS2 and GDPR. It is no longer just about best practices -- it is about legal compliance.

NIS2: requirements for IT assets

  • Information asset inventory -- Article 21 of NIS2 requires a complete inventory showing the management, control and importance of each asset.
  • Scope covered -- Servers, workstations, virtual machines, databases, network interfaces (switches, firewalls). Everything must be documented.
  • Risk management -- Each asset must be associated with a risk assessment. An unpatched laptop connected to the VPN does not carry the same risk level as an isolated fixed workstation.

EUR 10M maximum fine for essential entities under NIS2
Source: NIS2 Directive, French transposition 2026

GDPR: impact on the IT fleet

  • Personal data mapping -- Identify which endpoints and servers process personal data. GDPR requires a processing activities register.
  • Secure erasure -- Every decommissioned device must undergo certified personal data erasure.
  • Incident response -- In case of a breach, you must quickly identify impacted devices, their locations and who accessed the data.

Patch policy and vulnerabilities

  • Patched device rate -- Measure the percentage of endpoints current on critical patches. The target is 95%+ within 72 hours for critical vulnerabilities.
  • Unpatched applications -- Do not limit yourself to the OS. Third-party applications (browsers, Java, Adobe) are major attack vectors.
  • Disk encryption -- Verify that BitLocker (Windows) or FileVault (macOS) is active on 100% of laptops. A stolen laptop without encryption is a GDPR violation.
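
The patched-device rate and the laptop encryption check above can be computed from endpoint data as in this added example (not the article's or sobrii's code). The record fields, host names and dates are constructed assumptions; the 72-hour window and 95% target are the figures given in the list.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=72)  # window for critical patches, per the checklist
TARGET = 0.95              # target share of endpoints patched in time

# Constructed sample: one critical patch and four endpoints.
PATCH_RELEASED = datetime(2026, 1, 13, 18, 0)
ENDPOINTS = [
    {"host": "LT-01", "type": "laptop", "encrypted": True,
     "patched_at": datetime(2026, 1, 14, 9, 0)},
    {"host": "LT-02", "type": "laptop", "encrypted": True,
     "patched_at": datetime(2026, 1, 17, 2, 0)},   # 80 hours after release
    {"host": "LT-03", "type": "laptop", "encrypted": False,
     "patched_at": None},                          # never patched
    {"host": "DT-04", "type": "desktop", "encrypted": False,
     "patched_at": datetime(2026, 1, 15, 10, 0)},
]


def patch_audit(endpoints, released, now):
    deadline = released + SLA
    on_time, overdue = [], []
    for e in endpoints:
        patched = e["patched_at"]
        if patched is not None and patched <= deadline:
            on_time.append(e["host"])
        elif patched is not None or now > deadline:
            # Patched late, or still unpatched after the window closed.
            overdue.append(e["host"])
        # Otherwise: unpatched but the window is still open (pending).
    rate = len(on_time) / len(endpoints) if endpoints else 0.0
    return {
        "rate": rate,
        "meets_target": rate >= TARGET,
        "overdue": overdue,
        "unencrypted_laptops": [e["host"] for e in endpoints
                                if e["type"] == "laptop"
                                and not e["encrypted"]],
    }


if __name__ == "__main__":
    print(patch_audit(ENDPOINTS, PATCH_RELEASED, datetime(2026, 1, 18, 18, 0)))
```

An endpoint that is unpatched while the 72-hour window is still open is treated as pending rather than overdue, so the report does not raise violations before the deadline has passed.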

sobrii's Security & Compliance module covers 6 security dimensions and automatically generates the reports needed for NIS2 audits.

Synthesis: fleet security is no longer a technical topic reserved for the infrastructure team. It is a regulatory compliance matter with direct financial consequences.

The financial checklist: TCO, unused licenses, contracts

The financial IT fleet audit typically reveals 20 to 30% of wasted spend. This is the component that convinces leadership to fund an ITAM program.

TCO per device and per category

  • Calculate the full cost -- Purchase, maintenance, support, energy, depreciation. The purchase price represents less than 20% of the real TCO. The remaining 80% are post-purchase costs (support, maintenance, labor).
  • Compare by category -- Desktop vs. laptop vs. thin client. A desktop consumes an average of 194 kWh per year versus 75 kWh per year for a laptop.
  • Identify anomalies -- A device whose maintenance cost exceeds 40% of its replacement value is a replacement candidate.

Licenses and subscriptions

  • SaaS spend per employee -- The average in 2026 is $4,830 per employee per year. Where do you stand?
  • Dormant licenses -- Review the last 90 days of login activity. Any license without activity is waste.
  • Upcoming renewals -- List renewals due within the next 6 months. Each renewal is an opportunity to renegotiate or consolidate.

Contracts and vendors

  • Existing contract audit -- Renewal terms, audit clauses, penalties. Some contracts include unilateral audit rights for the vendor.
  • Vendor consolidation -- Over 50% of organizations had to consolidate redundant applications in 2024. Every eliminated vendor is one less contract to manage.
  • Budget forecast -- Project hardware and software renewal needs over 12 to 24 months. The audit must feed the budget plan.

Synthesis: the financial audit is not an accounting exercise. It is an optimization lever that generates measurable savings from the first quarter.

How to automate the IT fleet audit

A manual IT fleet audit mobilizes between 3 and 10 people, consumes 11 to 20% of the IT team's time and must be repeated at every request. Automation transforms a one-off event into permanent visibility.

What automation changes

  • Continuous inventory -- Hardware and software data is collected in real time, not once a year.
  • Proactive detection -- Compliance gaps, unauthorized software and unpatched devices are flagged immediately.
  • Pre-formatted reports -- NIS2, GDPR and vendor audit reports are generated automatically from collected data.
  • History and trends -- Every change is tracked. You know exactly when software was installed, uninstalled or updated.

Measurable gains

Organizations that automate their IT inventory save an average of 2,500 hours of manual work annually while achieving real-time visibility of 85% of their assets. For a fleet of 5,000+ assets, the annual savings range from $200,000 to $500,000, with ROI achieved in the first year.

sobrii's Action Center automatically correlates security, compliance and performance alerts to prioritize actions after each audit cycle.

Synthesis: automated auditing is not a luxury. It is the only way to maintain continuous compliance against regulations that do not pause between audits.

The 5 mistakes that derail an audit

Hundreds of IT fleet audits fail every year -- not from lack of data, but from lack of method. Here are the most common pitfalls.

1. Auditing hardware without software. An audit that only covers physical devices ignores the primary source of financial risk: licenses. Yet this is exactly where vendors come looking for penalties.

2. Relying on Excel spreadsheets. A spreadsheet is outdated the moment it is closed. Fleet data changes daily (installations, departures, reassignments). A static file cannot keep up.

3. Forgetting cloud and SaaS. The average company uses 275 SaaS applications. If your audit only covers locally installed software, you are auditing less than half of your actual surface.

275 SaaS applications per company on average
Source: Zylo 2025 SaaS Management Index

4. Not involving the business units. IT does not know every tool used by every team. 41% of employees acquire technology without informing IT. Involve business unit leaders in the audit process.

5. Treating the audit as a one-off event. An annual audit gives a snapshot at a single point in time. Between audits, gaps widen. The modern approach is continuous auditing, powered by real-time data.

Synthesis: a successful audit covers hardware, software and cloud, relies on real-time data and involves all stakeholders.

For a comprehensive overview of the discipline, see our complete guide to IT asset management. To measure the outcomes of your audits, explore the 10 essential IT fleet KPIs. And for a structured approach to your asset inventory, read our guide on IT inventory methods and best practices.

FAQ

How often should you audit your IT fleet?

An annual point-in-time audit is a regulatory minimum, but it is insufficient in practice. With an average of 7.6 new SaaS applications added per month per company, audit data becomes stale within weeks. Best practice is to implement automated continuous monitoring, supplemented by a formal quarterly audit for compliance and financial review.

What are the fines for NIS2 non-compliance?

Essential entities face fines of up to EUR 10 million or 2% of global annual revenue. Important entities face EUR 7 million or 1.4% of global revenue. The French transposition via the "Loi Resilience" is expected in Q1 2026, with ANSSI technical standards planned for Q2 2026. Article 21 explicitly requires an asset inventory and associated risk management.

How long does a complete IT fleet audit take?

A full manual audit (hardware + software + licenses + security + financial) typically requires 3 to 10 people over 4 to 8 weeks for a fleet of 500 to 5,000 endpoints. With an automated ITAM tool, the initial inventory is available within hours and compliance reports are generated continuously. The team's time then focuses on analysis and corrective actions rather than data collection.

Do I need a dedicated tool or is Excel enough?

Excel works for a fleet under 50 devices with no compliance requirements. Beyond that, it becomes a risk: stale data, no versioning, no automatic license-to-installation reconciliation, no shadow IT detection. A dedicated ITAM tool like sobrii automates collection, correlates multi-source data and generates regulatory reports.

How does the IT fleet audit fit into GDPR compliance?

GDPR requires a processing activities register, which means knowing which endpoints and servers process personal data. The fleet audit provides this mapping. It also verifies disk encryption, secure erasure during decommissioning and the ability to quickly identify impacted devices in case of a data breach. The GDPR fine can reach 4% of global annual revenue or EUR 20 million.
