Insights / Products
Asset management for startups: know what you own
Moving from spreadsheets to a proper system of record, so you can track, value and control assets before an audit forces the issue.
Most startups begin tracking their assets in a spreadsheet, and most outgrow it before they realise they have. By the time a fast-growing team discovers a missing laptop during an audit, or finds three monitors with no owner on record, the spreadsheet has quietly become a liability rather than a tool. The cost is not only financial: untracked assets create insurance gaps, slow down audits, and leave your security posture with holes that are invisible until something goes wrong.
What asset management actually covers
For a startup, asset management spans more ground than it might first appear. The obvious category is IT equipment: laptops, monitors, mobile phones, peripherals, servers, and networking hardware. Beyond that sit physical assets such as office furniture and vehicles, and, depending on your structure, intangible assets such as software licences, subscriptions with named seats, and prepaid service contracts.
The common thread is lifecycle visibility: knowing what you own, where it is, who is responsible for it, what it cost, and what condition it is in right now. That sounds straightforward. It stops being straightforward the moment you hire your twentieth person, open a second site, or onboard a client's hardware into your environment. Spreadsheets handle the first few dozen items reasonably well. They break down when multiple people need to update the same record simultaneously, when you need version history, when you want to act on a status change automatically, or when an auditor needs to verify the data without a copy-paste exercise.
The real cost of not knowing what you own
Equipment that is not tracked gets misplaced, taken home permanently, or repurchased because nobody knew a spare existed. Whether the trigger is an ISO 27001 gap assessment, a client security questionnaire, or a board review, auditors expect a register with supporting evidence, and a shared spreadsheet with conflicting rows does not qualify. Insurers need accurate replacement values and serial numbers at claim time, so an incomplete register means delayed or reduced payouts when you can least afford them.
There is also a tax dimension. SARS provides wear-and-tear allowances for qualifying assets, and the correct classification and timing of an asset can affect your tax position meaningfully. The specifics are complex enough that you should confirm the treatment with a registered accountant or tax practitioner rather than rely on any general guidance. Every laptop you cannot account for is, at the same time, a potential data-breach vector, an insurance gap, and an audit finding waiting to happen.
What a proper asset register records
A useful register is built around a small set of well-chosen fields. The temptation is to capture everything up front; the practical approach is to start with what you will actually use and extend it from there.
Each record needs a unique identifier so that no two assets can be confused with each other. A human-readable asset tag, such as a short code tied to the year of purchase and a sequence number, makes it possible to reference the asset in conversation and in physical labelling without relying on a database key. The category tells you what kind of asset it is: a laptop, a monitor, a software licence, or a piece of office furniture. Beyond those fields, every record should capture the current owner, meaning the person or team accountable for the asset at this moment; the physical or logical location; the date of acquisition; the original cost excluding VAT; and the current status in its lifecycle. For physical hardware, the manufacturer, model, and serial number round out the picture and become essential at insurance claim time.
Lifecycle states deserve deliberate design. An asset moves from pending, when it has been ordered but not yet received, to active, when it is assigned and in use, to storage, when it is unassigned but still serviceable, and finally to disposed, when it has been sold, recycled, or written off. Treating "lost" as an explicit terminal state, rather than a gap in the record, ensures that the register reflects reality rather than wishful thinking. Recording the date and the person who triggered each transition gives you an audit trail without any extra effort.
A single source of truth, asset tags, and check-in or check-out
The register is only useful if it is authoritative. That means one system of record, not a register alongside a separate IT ticketing list alongside a finance spreadsheet that nobody reconciles. Every other tool should read from or write to the register rather than maintain its own copy.
Physical asset tags close the loop between the item in your hand and the record on screen. A printed label carrying a barcode or QR code makes it practical to do a periodic stocktake: scan the tag, compare with the register, and reconcile the differences. Without tags, reconciliation is a manual and error-prone exercise that most teams quietly stop doing. Check-in and check-out is the operational layer on top of the register. When a laptop moves from one person to another, a check-out event records who took it, when, and under what conditions. When it comes back, a check-in event closes the loop. This creates the chain-of-custody record that auditors and insurers expect, and it surfaces patterns such as assets that are frequently reassigned or items that have been out for longer than your policy allows.
Connecting the register to procurement and to staff movement
An asset register that requires entirely manual updates will drift from reality. The highest-value integrations for a startup are those that capture data at the moment it is generated, rather than requiring someone to remember to update a record later. The four events that matter most are procurement receipts, staff onboarding, staff offboarding, and licence reclamation:
- When a purchase order is raised, a pending asset record can be created at the same time, and when delivery is confirmed, it moves automatically to active, which closes the gap between "ordered" and "registered".
- When a new staff member joins, a bundle of assets is checked out to them as part of onboarding, so that ownership is recorded from day one rather than reconstructed weeks later.
- When someone leaves, an automated task can surface every asset assigned to them and require a check-in before the offboarding is marked complete, which alone prevents a large proportion of lost-equipment incidents.
- Software seat licences belong in the register too, because when someone leaves and their licence seat is not reclaimed, you continue paying for access that may still be active.
If your organisation runs a mobile device management solution, the register and the MDM should agree on which devices exist, who owns them, and what their status is. Discrepancies between the two are a signal worth investigating promptly.
Asset data, POPIA, and access control
Your asset register contains personal information. It links equipment to named individuals, records where they work, and may contain device identifiers that could be used to track a person's location. Under the Protection of Personal Information Act, that data must be handled with appropriate safeguards: collected for a specific purpose, kept accurate, protected from unauthorised access, and not retained longer than necessary.
Access to the register should therefore be scoped by role. A staff member should be able to see the assets assigned to them. A line manager may need visibility across their team. Finance needs cost and depreciation data. IT operations needs full read and write access. Nobody outside the organisation should have access without a clear justification that has been recorded. Audit logs on the register itself, covering who viewed which record and who made which change, are not bureaucratic overhead. They are the evidence layer that demonstrates responsible information handling if you are ever asked to account for it. For broader thinking on security foundations in a South African context, see our post on POPIA and security fundamentals for SA startups.
Build, buy, or adopt a purpose-built product
If you are weighing whether to build your own register, buy a generic tool, or adopt something purpose-built, the decision turns on how much customisation you genuinely need against how quickly you want to be operational. We have written about the build versus buy trade-off in detail. The short version is that undifferentiated infrastructure is rarely worth building from scratch when your engineering effort is better spent on your core product.
Lambdaserve's own Asset Management product, designed specifically for growing South African teams, is on the way and is not yet live. It will allow organisations to register, track, and report on assets across their full lifecycle. If you would like to be notified when it launches, get in touch.
In the meantime, a well-structured spreadsheet with strict column discipline and a clear owner is better than an ad-hoc collection of lists. Getting the foundations right now, before a missing serial number costs you an insurance claim or an auditor flags a gap that could have been closed months earlier, is the kind of work that quietly pays for itself. For cloud engineering patterns that can support this kind of internal tooling at small-team scale, see our post on cloud engineering and SRE practices for small teams.
Written by the Lambdaserve team as general, informational guidance for founders and engineers. It is not legal, financial or tax advice. Third-party product names, programmes and logos belong to their respective owners and are referenced for identification only.