As our clients already know, having a well-thought-out and fully-documented IT asset disposition process can help you pass an audit on the first go-round. Here are 3 tips for passing an IT asset disposition audit that will get you well on your way to remaining compliant:
- Make sure you collect and track the right data. Does the process used internally for serial number validation match the process used externally by your vendor? More than once we have discovered that while our client’s internal team records serial numbers one way, the vendor records them another way, and both sides are unaware of the issue until the equipment gets handed off. This, in turn, causes reconciliation issues and prevents companies from being able to prove that data was destroyed. And that can be a big problem when they’re faced with an audit. To make matters even more complicated, some hard drives have as many as 3 different serial numbers listed on the side (see photo example below). It’s important to identify which serial number is the correct one to capture and record in the company’s records. It’s also important to coordinate with your vendor to make sure they’re doing the same thing.
- Don’t forget about embedded media! Although most companies adequately address the issue of hard drive erasure and destruction, over 95% of the companies we speak with do not have a policy for eliminating embedded media. In addition to lacking a process to erase embedded media, they lack the ability to identify where it is located. These two photos show what embedded media looks like 1) in a simple server and 2) close up:
- It’s critically important to have a consistent chain of custody. In addition to adhering to best practices, the same format should be used for chain of custody for all IT assets. Some companies end up using multiple strategies, such as trading some items back to Cisco, sending PCs to a recycler, sending gear to a different company, and returning other equipment to a leasing company. Unfortunately, this results in reporting inconsistencies, which indicate that there may be gaps in the process and paperwork. This is the kind of thing that catches an auditor’s attention and makes him dig deeper. To avoid this, it’s best to make sure there are no differences among your ITAD reports.
To find out more about how to develop a best-in-class chain of custody enterprise-wide, contact us.