What do auditors actually expect from your asset inventory?
Every major accreditation and governance framework expects the same core evidence: a complete inventory of in-scope assets, proof each record reflects reality — including physical location — and a trail showing who verified it and when. The frameworks differ in vocabulary and scope, but "can you show me where this device is and prove your record is current?" is the universal audit question.
What does the Joint Commission look for?
Joint Commission surveys evaluate hospitals against the Environment of Care (EC) standards, and medical equipment management is one of the plainest, most concrete parts of that chapter. Surveyors expect an inventory of equipment that falls within the scope of the organization's equipment management plan, and they expect that inventory to connect cleanly to a maintenance program — planned maintenance and inspection (PMI) completion records showing each piece of equipment was serviced on schedule. See how PMI compliance actually breaks down in practice for the mechanics of keeping that program current.
What makes an EC survey different from a paperwork review is that surveyors routinely ask to see specific devices, not just the spreadsheet describing them. A surveyor can point at a unit's equipment roster, pick an infusion pump or a portable monitor, and ask staff to walk them to it. If the answer is a shrug, a phone call to biomed, or a ten-minute hallway search, that's a finding — regardless of how clean the underlying maintenance records look. The inventory has to resolve to a physical, findable location, not just an entry in a database.
What about DNV?
DNV accredits hospitals under the NIAHO (National Integrated Accreditation for Healthcare Organizations) program, which is built on an ISO 9001 quality-management foundation rather than the Joint Commission's EC framework. The vocabulary differs — DNV surveyors talk about process control, corrective action, and continuous improvement rather than "Environment of Care" — but the underlying expectation for equipment is functionally identical: a documented inventory of medical equipment, evidence of a functioning maintenance and inspection process, and the ability to demonstrate that the process actually operates as documented.
Because NIAHO surveys carry an ISO 9001 process-audit flavor, DNV surveyors tend to probe the system behind the inventory as much as the inventory itself — how equipment gets added when it's acquired, how records get updated when equipment moves or is retired, and whether the process has a defined owner. An asset list that's accurate today but has no documented process for staying accurate tomorrow is a weaker answer under NIAHO than the same list paired with a described, repeatable update procedure.
What do CMS Conditions of Participation and OIG audits require?
CMS Conditions of Participation (CoP) for hospitals include equipment maintenance requirements that, in practice, run in parallel with accreditation-body standards — organizations accredited by the Joint Commission or DNV are typically presumed (via "deemed status") to meet the corresponding CMS requirements, but CMS retains independent survey authority and can look at the same equipment records directly.
OIG (Office of Inspector General) audits approach the same territory from a different angle: reconciliation. Rather than asking "is this equipment maintained," an OIG review is more likely to ask "does the equipment your organization purchased, billed for, or reported still physically exist, and is it where your records say it is?" That's a reconciliation exercise between financial/procurement records and physical reality — a gap between the two isn't just an inventory-hygiene problem, it's the kind of finding that turns into a broader audit.
What do SOC 2 and ISO 27001 expect from asset inventory?
Security-focused frameworks frame the same requirement as a control rather than a compliance checklist item, but the logic is identical: you cannot protect, patch, or account for what you cannot locate. SOC 2's Common Criteria include asset identification (commonly discussed under CC6.1) as a precondition for the access and change controls built on top of it — auditors expect organizations to know what hardware and systems exist and where they sit before they can credibly claim to control access to them. ISO 27001's Annex A asset management controls state the same expectation in different words: assets need to be identified, an inventory maintained, and ownership assigned.
What trips organizations up under both frameworks isn't the existence of an asset list — most organizations have one — it's staleness. A SOC 2 or ISO 27001 auditor sampling the inventory against physical reality during fieldwork is functionally running the same test a Joint Commission surveyor runs: pick a record, verify it's still true. An inventory that was accurate at the last audit but hasn't been touched since is a liability, not an asset, under either framework.
What do PCI DSS and CMMC require for hardware inventory?
PCI DSS requires organizations handling card data to maintain an inventory of in-scope hardware, including devices that capture cardholder data directly — point-of-interaction devices at the register or kiosk are a common example. The expectation, stated at the level that matters for asset management, is straightforward: know what devices are in scope, keep a current inventory of them, and be able to detect if one has been tampered with, replaced, or gone missing.
CMMC and its underlying NIST 800-171 controls apply the same logic to organizations handling Controlled Unclassified Information (CUI): maintain an accurate inventory of in-scope hardware so that access, configuration, and physical security controls have something concrete to attach to. As with PCI, the useful framing for asset-management purposes is the plain-language expectation — an accurate, current inventory of in-scope hardware — rather than trying to map every control number to a specific inventory feature. Frameworks revise their control language over time; the underlying requirement to know what hardware exists and where it is does not change.
What evidence actually satisfies a surveyor?
Strip away the framework-specific vocabulary and the evidence that actually holds up under scrutiny — Joint Commission, DNV, CMS, OIG, SOC 2, ISO 27001, PCI, or CMMC — looks remarkably similar across all of them:
- A timestamp. Not just a location field, but a record of when that location was last confirmed to be accurate.
- A named verifier. Who confirmed it — a specific person, not "the system" or "the last inventory."
- A confirmation method. How the location was verified — physically observed, scanned, reconciled during service — rather than assumed to still be correct because nothing flagged otherwise.
- An exportable report. Evidence that can leave the building in the format an auditor or surveyor actually wants — a spreadsheet, a PDF, a structured export — not a live-only dashboard the auditor has to be walked through in person.
The distinction that matters most in practice is between a room-name answer and a floor-plan answer. "It's in Room 4-East" satisfies an internal team that knows the building. It does not satisfy an external auditor or surveyor who doesn't know your floor layout, has limited time on-site, and needs to independently corroborate the claim. A floor-plan pin — a visual, spatial answer that shows exactly where on the map the asset sits — closes that gap in a way a text field can't, because it doesn't depend on the auditor already knowing your building.
Where Forager fits
Forager is built to produce exactly this kind of evidence as a byproduct of normal operations. Every asset confirmation — logged when a technician closes a ticket, services a device, or walks a floor — is timestamped, attributed to the person who made it, and pinned to the building's actual floor plan rather than a room-name text field. That combination is the attestation log a surveyor or auditor is really asking for when they ask "can you show me where this is."
Because the underlying data doesn't stay static between audits, Forager also addresses the staleness problem that undermines so many otherwise-clean inventories — see why CMDB location data goes stale for the mechanics of that decay and why annual reconciliation alone doesn't fix it. When it's time for an audit, the same attestation history exports directly into the format a surveyor, SOC 2 assessor, or OIG reviewer expects, turning "prove it" from a scramble into a report.
Forager doesn't replace the maintenance program, the security control framework, or the underlying compliance process any of these bodies require — it's the location-evidence layer underneath all of them. See how Forager works.
See asset intelligence on your own floor plan
Forager confirms asset locations as a side effect of the work your techs already do — $15/device/yr, no infrastructure changes. How Forager works or talk to us.
