The Audit That Went Wrong: When the Auditor Opens a Spreadsheet
The auditor sat down, opened a notebook, and asked three questions. They were not complicated questions. They were the kind of questions that any organization with basic IT governance should be able to answer in under five minutes. What happened next consumed three weeks, cost the company a non-conformity finding, and triggered an urgent overhaul of how they managed IT assets.
The Three Questions
The audit was a routine ISO 27001 surveillance check at a financial services company with 180 employees. The auditor started with the fundamentals:
- Question 1: “Can you provide a current inventory of all IT assets, including who they are assigned to and their location?”
- Question 2: “Can you show me the access rights for employees who left in the last 12 months and confirm that all access was revoked?”
- Question 3: “Can you show me the incident log for IT-related security events in the last quarter, with resolution times?”
The IT manager nodded. “Of course. Give me a moment.” He opened a spreadsheet.
What the Spreadsheet Revealed
The asset inventory lived in an Excel file stored on a shared drive. It had been created four years earlier and was maintained by whoever remembered to update it. The file had 14 tabs, multiple color-coding schemes from different contributors, and a “Last Updated” cell in the header that read “June 2025.”
The auditor noted that the file had not been updated in nine months.
When the auditor cross-referenced the spreadsheet against the company’s Active Directory, the discrepancies were immediate:
- Twenty-three devices were assigned to employees who had left the company.
- Eleven devices appeared in Active Directory’s device list but were absent from the spreadsheet entirely.
- The spreadsheet listed 14 devices as “in storage” that had actually been deployed months ago.
- Serial numbers were missing for 40% of entries. For those that existed, eight had obvious typos.
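The cross-reference the auditor performed, as an added example that is not from the article: a small Python reconciliation over constructed CSV exports of the spreadsheet and of Active Directory users and computers. The column names, the serial format ("SN" followed by digits) and the 30-day activity window are assumptions; the output is the four discrepancy classes listed above.

```python
# Added example (not from the article): reconcile an asset spreadsheet export
# against AD user/computer exports into the four discrepancy classes the audit
# found. All CSV data below is constructed sample data.
import csv
import io
from datetime import date, timedelta

INVENTORY_CSV = """asset,serial,assigned_to,status
LT-001,SN1001,alice,deployed
LT-002,,bob,deployed
LT-003,SN1003,carol,In Storage
LT-004,SN10O4,dave,deployed
"""
AD_USERS_CSV = """sam,enabled
alice,true
bob,false
carol,true
"""
AD_COMPUTERS_CSV = """name,last_logon
LT-001,2025-02-20
LT-003,2025-02-25
LT-005,2025-02-18
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def _serial_ok(serial):
    # Assumed serial format "SN" + digits; rejects blanks and the O-for-0 typo.
    return serial.startswith("SN") and serial[2:].isdigit()

def reconcile(inventory_csv, ad_users_csv, ad_computers_csv, today, stale_days=30):
    """Cross-reference spreadsheet rows with AD exports; `today` is an ISO date."""
    inv = _rows(inventory_csv)
    # Absent from AD or disabled in AD both count as departed.
    active = {u["sam"] for u in _rows(ad_users_csv) if u["enabled"].lower() == "true"}
    last_seen = {c["name"]: date.fromisoformat(c["last_logon"]) for c in _rows(ad_computers_csv)}
    cutoff = date.fromisoformat(today) - timedelta(days=stale_days)
    return {
        # still assigned to someone who is no longer an active user
        "assigned_to_departed": [r["asset"] for r in inv if r["assigned_to"] not in active],
        # known to AD, never recorded in the spreadsheet
        "in_ad_not_in_sheet": sorted(set(last_seen) - {r["asset"] for r in inv}),
        # "in storage" on paper but logged on to the domain within stale_days
        "storage_but_active": [r["asset"] for r in inv
                               if r["status"].strip().lower() == "in storage"
                               and last_seen.get(r["asset"], date.min) >= cutoff],
        "bad_serial": [r["asset"] for r in inv if not _serial_ok(r["serial"])],
    }
```

Run against real exports, the same four lists are the evidence an auditor asks for, and an empty result is the state a maintained inventory should be in.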
The IT manager explained that the team had been busy and updates had fallen behind. The auditor wrote the first note.
The Access Rights Problem
For the second question, the IT manager opened another spreadsheet. This one tracked offboarding activities. The auditor asked to see the records for eight employees who had left in the previous year.
Three of the eight had no offboarding record at all. For two others, the record showed email and VPN access revoked but made no mention of application-level access to the company’s CRM, financial systems, or cloud storage. One former employee’s account was still active in the CRM, seven months after departure.
The auditor asked if there was a formal offboarding checklist. There was not. The process depended on IT being notified by HR, and the notification was inconsistent. Sometimes it came via email. Sometimes it came via a chat message. Sometimes it did not come at all.
The Missing Incident Log
For the third question, the IT manager hesitated. Incidents were tracked in a mix of email threads, a shared Teams channel, and a different spreadsheet that the junior IT administrator maintained. The auditor asked for a consolidated view. It did not exist.
When the data was eventually compiled, it showed that resolution times were not consistently tracked. Several incidents had no recorded resolution at all. One entry simply read “fixed” with no date, no description of the root cause, and no documentation of what was done.
The auditor closed his notebook and scheduled a follow-up meeting.
The Outcome: Non-Conformity
The company received a major non-conformity finding on asset management (ISO 27001, Annex A.5.9 - Inventory of information and other associated assets) and a minor non-conformity on access control. The findings meant the company had 90 days to demonstrate remediation or risk losing its certification.
The financial impact was immediate and tangible:
- Remediation project: Three weeks of focused work by the IT team, pulling them away from planned projects. Estimated internal cost: 15,000 euros in diverted labor.
- External consulting: The company hired an ISO consultant to help structure the remediation. Cost: 8,000 euros.
- Follow-up audit: An additional surveillance visit was required to verify remediation. Cost: 4,500 euros.
- Reputational risk: Two enterprise clients asked about the audit findings as part of their own vendor risk assessments. One requested a formal remediation report before renewing their contract.
Why Spreadsheets Fail at IT Asset Management
This scenario is not unusual. According to industry surveys, 67% of SMBs still use spreadsheets as their primary tool for tracking IT assets. Spreadsheets are familiar, flexible, and free. They are also fundamentally unsuited for asset management. Here is why:
- No enforced data integrity. A spreadsheet will happily accept a serial number field left blank, a name misspelled, or a status set to “maybe.” There is no validation, no required fields, and no data types.
- No audit trail. When someone changes a cell, there is no record of who changed it, when, or what the previous value was. For compliance purposes, this is disqualifying.
- No automation. A spreadsheet cannot trigger an action when an employee leaves, when a warranty expires, or when a device has not been seen in 30 days. Every update requires a human to remember and act.
- No real-time accuracy. A spreadsheet reflects reality at the moment it was last updated. If that was nine months ago, it reflects nine-month-old reality. The gap between the spreadsheet and the truth grows every day.
- No access control. Anyone with access to the file can modify any field. There is no role-based access, no approval workflows, and no protection against accidental or intentional data corruption.
- Version chaos. Despite best intentions, spreadsheets multiply. Someone downloads a copy to work offline. Another person creates a “backup.” A third person maintains a separate sheet for their department. Within months, there are multiple versions of the truth, and none of them are complete.
What Proper ITAM Looks Like During an Audit
Compare the scenario above with what happens when an organization uses a proper IT asset management system:
Question 1 - Asset inventory: The IT manager opens the ITAM dashboard. The auditor sees a live inventory showing every device, its assignment status, location, serial number, and last activity date. The data is current because it updates automatically. The auditor can filter, sort, and export. Time to answer: two minutes.
Question 2 - Access revocation: The IT manager shows the offboarding records. Each departure triggered an automated checklist. Device collection, account deactivation, and access revocation are all timestamped and linked to the specific employee. The auditor can verify that every departing employee had their access fully revoked. Time to answer: three minutes.
Question 3 - Incident log: The IT manager opens the incident management module. Every incident is logged with timestamps, affected assets, assigned technician, actions taken, and resolution time. The auditor can see trends, averages, and individual records. Time to answer: two minutes.
Total audit time for these three questions: under ten minutes, compared to three weeks of scrambling.
Moving From Spreadsheets to Systems
If your organization currently relies on spreadsheets for IT asset management, the transition does not need to be painful. Here is a practical approach:
- Start with your current data. Import your existing spreadsheet into a proper ITAM system. It will not be perfect, but it gives you a starting point.
- Clean as you go. Rather than trying to fix every record at once, correct data as you interact with each asset. Within a few months, your data quality will improve dramatically.
- Automate the critical processes first. Focus on onboarding and offboarding workflows. These are the processes where spreadsheets fail most dangerously.
- Set a date. Pick a date after which the spreadsheet is no longer the source of truth. Communicate it clearly. Retire the spreadsheet.
The auditor will come back. The questions will be the same. The only variable is whether your answers take two minutes or three weeks.
Written by
Metrica.uno Team
Content Team
Metrica.uno Team is part of the Metrica.uno team, helping organizations navigate AI compliance with practical insights and guidance.