Don’t sell IT assets to staff

Selling end-of-life laptops and desktops to employees can look like a simple cost recovery move, but in 2026 it is often the highest-risk route in corporate IT asset disposal. The hidden costs show up later, in data exposure, audit findings, tax queries, and reputational damage.

This article helps CFOs and risk owners decide when employee sales should be prohibited, and when they can be allowed only as a tightly controlled exception. By the end, you will have a decision tree, minimum controls, and a short checklist you can drop into an ITAD policy and approval pack.

Note for South Africa:

  • Assume devices can contain personal information under POPIA, including staff and customer data, and plan disposal controls accordingly.
  • Governance matters: pricing, approvals, and documentation must stand up to internal audit, external audit, and incident response.
  • Prioritise a documented sanitisation programme and chain of custody over informal staff sales, especially for remote work endpoints.

At a glance:

  • Employee sales are rarely the lowest-risk ITAD option once you account for POPIA, data remanence, and evidence requirements.
  • Use a disposal decision tree based on data sensitivity, sanitisation evidence, chain of custody, connected-person risk, and licensing readiness.
  • If you allow staff sales, enforce audit-grade sanitisation (not a simple factory reset), valuation controls, and sign-offs from IT security, legal, and finance.
  • Safer defaults are vendor-managed ITAD with certificates, controlled redeployment, donations with safeguards, or certified recycling.

Key takeaways:

  • Convenience is not a control; you need proof of sanitisation and proof of custody.
  • Staff sales can trigger fairness issues and related party disclosure considerations, particularly for key management.
  • Set a default policy of no staff sales for higher-sensitivity devices, with a documented exception path.

Executive summary, why employee sales are rarely the lowest-risk ITAD route in 2026

Employee buybacks feel efficient because the buyer is known, the device leaves quickly, and the company gets some proceeds. In practice, the organisation inherits most of the risk, because the buyer becomes the new data breach scenario.

For a CFO, the question is not only "did we wipe the laptop?" The real question is: can we prove, to a reasonable standard, that we removed corporate and personal information, that we transferred ownership cleanly, and that the transaction was fair and properly approved?

In 2026, policies should be updated to reference current sanitisation guidance and programme-level controls. NIST published SP 800-88 Rev. 2 in September 2025, which emphasises an organisational sanitisation programme and validation, not just ad hoc wiping actions, see the NIST SP 800-88 Rev. 2 media sanitisation guidance.

If you’re new

  • Start with a written ITAD policy that covers classification, approvals, and evidence retention.
  • Assume every endpoint can contain both corporate data and personal information.
  • Pick a sanitisation standard to reference, then define who validates sanitisation and how evidence is stored.
  • Use an approved ITAD route by default, and treat staff sales as an exception, not a benefit.

If you have done this before

  • Re-check whether your policy references an older sanitisation standard, and update it to a current revision where appropriate.
  • Test your chain of custody end-to-end, including collection from remote workers.
  • Review whether finance can reconcile the asset register, approvals, proceeds, and certificates for each device batch.
  • Revisit staff sale pricing and eligibility rules, and document why the approach is fair and defensible.

The main risk categories, data, compliance, financial reporting and reputational risk

Employee sales combine three difficult realities. First, modern storage makes it easy to think data is gone when it is only inaccessible through the normal user interface. Second, accountability is on the company, not the employee, if data leaks after disposal.

Third, staff sales are a governance lightning rod. Even a well-intended programme can look like preferential treatment, weak controls, or a quiet write-off of assets that should have been handled through a formal ITAD process.

  • Data risk: residual data, encryption key handling, and incomplete account removal.
  • Privacy and compliance risk: POPIA safeguarding and secure disposal expectations for personal information.
  • Audit risk: weak evidence, missing certificates, and unclear chain of custody.
  • Financial reporting and tax risk: derecognition errors, mispricing, and documentation gaps.
  • Reputational and ESG risk: devices entering informal resale and e-waste streams.

| Disposal choice | Best fit when | Main CFO concerns | Evidence you should expect |
|---|---|---|---|
| Approved ITAD vendor | Most corporate endpoints, mixed data risk | Cost vs risk, vendor oversight | Certificate of sanitisation, chain of custody, recycling report |
| Redeploy internally | Device still meets performance needs | Lifecycle cost, support load | MDM re-enrolment logs, refreshed build record |
| Donation (controlled) | Low sensitivity, strong controls possible | Brand risk, privacy risk | Sanitisation certificate, donation agreement, recipient acknowledgement |
| Sell to staff (exception) | Low sensitivity, controls pass | Fairness, related party optics, data proof | Sanitisation evidence, valuation support, signed transfer documents |
| Certified recycling | Failed media, high sensitivity, damaged stock | ESG and legal expectations | Destruction or recycling certificate, downstream audit info |

Data remanence, encryption keys, and why "factory reset" is not an audit-ready control

Staff will often say they can do a reset themselves, and vendor guides make it look straightforward. For example, Microsoft publishes end-user steps for preparing a Windows PC for resale, see Microsoft guidance on resetting a Windows PC before resale.

That is not the same as an organisational control that is validated and documented. A reset might remove files from the user view, but it does not automatically prove that data is unrecoverable at your confidentiality requirement, and it does not address corporate identities, encryption key custody, MDM enrolment, or cached tokens.

For a corporate programme, what matters is the sanitisation method selected for the media type and confidentiality impact, and whether you can validate it. NIST SP 800-88 Rev. 2 positions sanitisation as a programme decision, with governance and validation, see the SP 800-88r2 changes overview.

  • Define when clear, purge, cryptographic erase, or destroy is required in your policy.
  • Separate user convenience steps from evidence-based sanitisation steps.
  • Make encryption key handling explicit: key escrow, key destruction, and the proof points for each.
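The difference between a user-level "reset", a clear (overwrite), and a cryptographic erase is easiest to see on a toy storage model. The following is an added illustration, not code from the article or from any vendor: it builds a small constructed disk image with a file index, then shows that dropping the index entry leaves the personal data carvable from the raw media, that an overwrite removes it, and that a cryptographic erase only holds if every copy of the key (including an escrowed one) is destroyed. The XOR keystream cipher is a stand-in for real disk encryption and is not suitable for any real use.

```python
"""Toy model of data remanence on a storage image (added illustration)."""
import hashlib
import os

DISK_SIZE = 4096  # constructed image size in bytes


class ToyDisk:
    """Raw media plus a file index, like a minimal filesystem."""

    def __init__(self):
        self.media = bytearray(DISK_SIZE)   # the bytes a forensic tool would read
        self.index = {}                     # name -> (offset, length)
        self.next_free = 0

    def write(self, name, data):
        off = self.next_free
        self.media[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free += len(data)

    def user_delete(self, name):
        """What a simple reset does: forget the file, leave the bytes in place."""
        del self.index[name]

    def clear(self):
        """NIST-style 'clear': overwrite every addressable location, then reset the index."""
        self.media[:] = bytes(DISK_SIZE)
        self.index.clear()
        self.next_free = 0


def keystream(key, length):
    """Hash-based keystream (toy only, never use as real encryption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_stream(key, data):
    """Encrypt or decrypt by XOR with the keystream (symmetric)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def raw_search(disk, needle):
    """Forensic-style carve: inspect the media directly, ignoring the index."""
    return bytes(disk.media).find(needle) != -1


SECRET = b"ID-NUMBER 8001015009087"  # constructed sample personal data


def reset_leaves_data():
    """Logical delete only: the record is still on the media."""
    d = ToyDisk()
    d.write("hr_export.csv", SECRET)
    d.user_delete("hr_export.csv")
    return raw_search(d, SECRET)  # True


def clear_removes_data():
    """Overwrite: the record is gone from the media."""
    d = ToyDisk()
    d.write("hr_export.csv", SECRET)
    d.clear()
    return raw_search(d, SECRET)  # False


def crypto_erase_removes_data():
    """Data written under a key, then every copy of the key destroyed."""
    key = os.urandom(32)
    d = ToyDisk()
    d.write("hr_export.csv", xor_stream(key, SECRET))
    key = None  # key destroyed; no escrow copy kept
    return raw_search(d, SECRET)  # False: only ciphertext remains


def recoverable_with_escrowed_key():
    """Same as above, but an escrow copy of the key survives the 'erase'."""
    key = os.urandom(32)
    escrow = key  # the copy the policy forgot about
    d = ToyDisk()
    d.write("hr_export.csv", xor_stream(key, SECRET))
    d.user_delete("hr_export.csv")
    key = None
    # The ciphertext is still on the media; with the escrowed key it decrypts.
    off, length = 0, len(SECRET)
    return xor_stream(escrow, bytes(d.media[off:off + length])) == SECRET  # True
```

The last function is the one to keep in mind when the policy says "cryptographic erase": the control is only as strong as the proof that no key copy survives, which is why the bullet above asks for explicit key escrow and destruction evidence.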

Chain of custody and evidence, what auditors and incident response teams will ask for

Chain of custody is the story of the device from the moment it is designated for disposal to the moment it is sanitised and leaves the organisation. If you cannot tell that story with records, your programme is hard to defend when a laptop resurfaces with data or corporate tooling still on it.

Auditors typically look for consistency, completeness, and segregation of duties. Incident responders look for timing, who handled the asset, what controls were performed, and whether a gap exists between intention and execution.

  • Unique asset identifiers tied to the asset register, not handwritten labels.
  • Collection records, including remote worker collection and courier handover details.
  • Secure storage logs, including access control to the holding area.
  • Sanitisation records, method used, operator, date, and validation result.
  • Transfer documents, proof of sale, donation, or recycling, with sign-offs.

If you want a vendor-managed chain of custody with documented outputs, start with the service overview at Corporate IT asset disposal services.

POPIA and privacy governance implications when devices may contain personal information

Under POPIA, responsible parties must secure the integrity and confidentiality of personal information in their possession or under their control. For IT assets, that obligation does not end when a laptop is old; it ends when the personal information has been securely disposed of or irreversibly de-identified, and you can support that with reasonable evidence.

Devices frequently contain HR data, customer contact details, email archives, cached documents, and authentication artefacts. Remote work and hybrid use increase the chance that personal and corporate data co-exist on the same endpoint.

Your policy should link disposal decisions to POPIA safeguards, and it should define what "secure disposal" means in practical terms. For readers who want the underlying legislation in a navigable format, see the Protection of Personal Information Act (South Africa).

  • Classify devices and data, and set a default sanitisation requirement for each class.
  • Retain sanitisation evidence and chain of custody as part of privacy governance records.
  • Limit staff sales for devices used by functions with higher exposure: HR, finance, legal, sales, customer support, or executives.
  • Define breach response triggers if disposed assets are found with data remnants.

If you need an operational translation of POPIA Condition 7 into disposal controls, review a practical interpretation like POPIA Condition 7 secure disposal guidance, then align it to your own risk framework and legal advice.

Finance and tax implications, value, write-offs, proceeds, and documentation requirements

From a finance view, staff sales are not just a cash-in event. They are an asset disposal event that needs consistent approval, pricing rationale, and accurate asset register updates, including derecognition and any gain or loss treatment under your accounting policy.

Tax is often where informal programmes become expensive. Disposals below tax value, connected-person considerations, and poor supporting documentation can create avoidable queries or adjustments.

  • Agree the valuation approach, and document it per batch, not per conversation.
  • Separate the roles: IT proposes, finance approves, and a designated operator executes sanitisation and handover.
  • Keep a complete disposal pack: approval, valuation support, asset register update, proof of payment, and sanitisation evidence.

Asset register, derecognition and approval controls, including edge cases like "greater part of assets"

Asset register integrity is the CFO’s safety net. If the asset register and the ITAD log cannot be reconciled, you risk misstated balances and a weak control narrative.

Governance edge cases exist. In unusual circumstances, a disposal programme could be large enough to raise Companies Act considerations around disposing of all or the greater part of assets or undertaking, see Companies Act section 112 disposal of assets.

  • Define an approval matrix by device class and aggregate disposal value.
  • Track disposals in aggregate, not only as individual small transactions.
  • Document who can approve staff sales, and explicitly prohibit self-approval for managers over their own device pools.
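The reconciliation finance is asked to perform here (asset register against ITAD log, aggregate batch value against an approval matrix, and the self-approval prohibition) can be written down as a few checks. The following is an added example, not the article's or any vendor's code; the register and log rows are constructed samples and the field names (`nbv` for net book value, `decision_makers`, and so on) are hypothetical.

```python
"""Reconciliation checks for one ITAD batch (added illustration)."""
from collections import defaultdict

# Constructed sample asset register rows: asset_id, status, net book value, batch.
ASSET_REGISTER = [
    {"asset_id": "LT-1001", "status": "disposed", "nbv": 1500.0, "batch": "B-07"},
    {"asset_id": "LT-1002", "status": "disposed", "nbv": 2200.0, "batch": "B-07"},
    {"asset_id": "LT-1003", "status": "in_use",   "nbv": 900.0,  "batch": "B-07"},  # left custody, never derecognised
    {"asset_id": "LT-1004", "status": "disposed", "nbv": 400.0,  "batch": "B-07"},  # no ITAD record at all
]

# Constructed sample ITAD log rows for the same batch.
ITAD_LOG = [
    {"asset_id": "LT-1001", "batch": "B-07", "route": "staff_sale", "certificate": "CERT-A1",
     "proceeds": 1200.0, "approved_by": "fin.lead", "buyer": "alice", "decision_makers": ["it.mgr"]},
    {"asset_id": "LT-1002", "batch": "B-07", "route": "staff_sale", "certificate": "CERT-A2",
     "proceeds": 2000.0, "approved_by": "it.mgr", "buyer": "it.mgr", "decision_makers": ["it.mgr"]},
    {"asset_id": "LT-1003", "batch": "B-07", "route": "vendor", "certificate": "",
     "proceeds": 300.0, "approved_by": "fin.lead", "buyer": None, "decision_makers": ["it.mgr"]},
]

# Hypothetical approval matrix: aggregate batch NBV threshold -> approver role required.
APPROVAL_MATRIX = [(0.0, "finance_manager"), (5000.0, "cfo"), (50000.0, "board")]


def reconcile(register, log):
    """Cross-check register and log; return findings keyed by issue type."""
    reg = {r["asset_id"]: r for r in register}
    logged = {e["asset_id"]: e for e in log}
    findings = defaultdict(list)
    for aid, r in reg.items():
        if r["status"] == "disposed" and aid not in logged:
            findings["disposed_without_itad_record"].append(aid)
    for aid, e in logged.items():
        if aid not in reg:
            findings["itad_record_unknown_asset"].append(aid)
        elif reg[aid]["status"] != "disposed":
            findings["left_custody_not_derecognised"].append(aid)
        if not e["certificate"]:
            findings["missing_sanitisation_certificate"].append(aid)
    return dict(findings)


def required_approver(batch_value, matrix=APPROVAL_MATRIX):
    """Highest matrix tier whose threshold the aggregate batch value reaches."""
    level = matrix[0][1]
    for threshold, role in matrix:
        if batch_value >= threshold:
            level = role
    return level


def batch_summary(register, log):
    """Aggregate NBV and proceeds per batch, with the approver tier and gain/loss."""
    totals = defaultdict(lambda: {"nbv": 0.0, "proceeds": 0.0})
    for r in register:
        totals[r["batch"]]["nbv"] += r["nbv"]
    for e in log:
        totals[e["batch"]]["proceeds"] += e["proceeds"]
    return {
        b: {**v, "approver": required_approver(v["nbv"]), "gain_loss": v["proceeds"] - v["nbv"]}
        for b, v in totals.items()
    }


def self_approval_conflicts(log):
    """Staff sales where the buyer approved the sale or decided the batch."""
    conflicts = []
    for e in log:
        if e["route"] != "staff_sale":
            continue
        if e["buyer"] == e["approved_by"]:
            conflicts.append((e["asset_id"], "buyer approved own purchase"))
        elif e["buyer"] in e["decision_makers"]:
            conflicts.append((e["asset_id"], "buyer is a decision-maker for the batch"))
    return conflicts


if __name__ == "__main__":
    print(reconcile(ASSET_REGISTER, ITAD_LOG))
    print(batch_summary(ASSET_REGISTER, ITAD_LOG))
    print(self_approval_conflicts(ITAD_LOG))
```

Two design points: the approval tier is computed on the batch aggregate, not on each device, so a programme cannot slip under the matrix by splitting a large disposal into many small sales; and the self-approval check treats "approved own purchase" and "decision-maker for the batch" as separate findings, because the second is easy to miss when the approver field looks clean.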

Related party optics can matter if key management personnel or their close family are eligible. IAS 24 is the anchor standard for related party disclosures, see IAS 24 related party disclosures.

For tax framing, do not rely on informal advice, and avoid hard-coding assumptions into policy. Where scrapping allowance concepts come up, refer to an authoritative SARS explanation such as the SARS section 11(o) scrapping allowance reference, and involve your tax team for company-specific application.

Security and IT operations implications, licensing, MDM, endpoint identity, and support expectations

Employee sales create operational failure modes that approved ITAD routes usually avoid. If a device leaves with MDM enrolment, remote management, or corporate accounts still present, the company may retain an unintended control surface over a privately owned endpoint.

Licensing and entitlement also require care. OEM licences, enterprise licences, and management tooling may not be transferable in the way staff assume, and your IT team should define what is removed, what is reinstalled, and what is explicitly not supported after sale.

  • Identity and access: remove corporate accounts, tokens, and certificates, then verify sign-in is not possible.
  • Encryption: confirm encryption state and ensure key handling supports your sanitisation method.
  • MDM and remote tooling: remove enrolment, profiles, and management agents, and retain proof of removal.
  • Support boundary: publish a clear rule of no warranty, no helpdesk support, and no returns unless legally required.

If your organisation is dealing with power resilience constraints that affect secure wiping processes and secure storage, consider operational hardening in adjacent areas, and use a service partner where needed, see Professional services.

Ethical and HR considerations, fairness, conflict of interest, and pricing governance

Staff sales are rarely neutral. Employees talk, and perceived unfairness travels faster than a policy memo.

Even if the amounts are small, the perception risk can be large, especially if certain teams get better devices, better prices, or earlier access. This risk increases when management can influence allocation, or when sales include key management personnel.

  • Set eligibility criteria, and publish them internally before devices are offered.
  • Use a consistent pricing method and record it; avoid ad hoc discounts.
  • Run allocations through a transparent mechanism, for example a documented queue, lottery, or role-based eligibility.
  • Prohibit purchases by the disposal decision-makers for that batch, or require independent approval.

Common mistakes

  • Treating a factory reset as sanitisation evidence, without validation or records.
  • Letting devices leave before finance has approved valuation and derecognition.
  • Skipping chain of custody for remote worker collections and courier handovers.
  • Forgetting to remove MDM enrolment or remote tools, leaving corporate control artefacts behind.
  • Allowing managers to approve or allocate devices within their own reporting line.

Safer alternatives to employee sales, approved ITAD vendors, donations with controls, redeployment, or certified recycling

You do not need to choose between value recovery and risk management. You need an option set where controls are realistic, repeatable, and provable.

In many cases, the best CFO outcome is fewer exceptions. That means a default route that produces evidence and reduces decision fatigue, even if per-device proceeds are lower than an informal staff sale.

  • Approved ITAD vendor route: build a standard pack, chain of custody, sanitisation certificate, and downstream recycling evidence.
  • Redeployment: extend lifecycle for lower-demand roles, but keep MDM and baseline builds consistent.
  • Donation with controls: restrict to low sensitivity classes, sanitise with evidence, and use a donation agreement.
  • Certified recycling: default for failed drives, high-sensitivity endpoints, or damaged assets that cannot be trusted.

If you want to formalise a corporate programme rather than running ad hoc sales, start with an ITAD programme review via Contact us.

Decision framework and minimum controls if staff sales are allowed (exception process)

Use this decision tree to route the disposal option. The goal is not to make staff sales impossible; it is to ensure they are permitted only when all controls pass, and that exceptions are explicit, signed, and rare.

Decision tree, CFO-facing

  1. Step 1, data sensitivity: Is the device used by functions likely to store sensitive corporate or personal information, or does it have privileged access? If yes, route to an approved ITAD vendor or certified recycling.
  2. Step 2, encryption state and keys: Can IT confirm encryption status and manage keys so that the sanitisation method selection is defensible? If no, route to vendor or destruction.
  3. Step 3, sanitisation evidence: Can the organisation produce sanitisation records and validation aligned to a recognised standard, and retain the evidence? If no, staff sale is not permitted.
  4. Step 4, chain of custody: Can you document the full custody path from user to storage to sanitisation to handover? If no, staff sale is not permitted.
  5. Step 5, connected person and KMP risk: Is the buyer key management personnel, close family, or otherwise a connected person? If yes, require enhanced governance and an independent pricing review, and consider excluding them entirely.
  6. Step 6, licensing and MDM: Can IT remove MDM enrolment, corporate identities, and non-transferable licensing, and record that removal? If no, do not sell to staff.
  7. Step 7, valuation and tax pack: Can finance support the pricing as fair and consistent, and file the disposal pack for audit and tax? If no, do not sell to staff.
  8. Step 8, ESG and e-waste path: Is there a credible end-of-life path if the device fails soon after sale, and does the organisation avoid reputational association with informal e-waste? If no, route to certified recycling.
  9. Outcome: Permit an employee sale only if all steps pass. Otherwise use a safer route.
  10. Exception path: If the business insists, require written sign-off from legal or privacy, IT security, and finance, plus a documented rationale, and store it with the disposal evidence.

Minimum controls checklist for an approved staff sale

  • Written eligibility rules, pricing method, and an approval matrix.
  • Sanitisation standard referenced in policy, with method selection and validation steps.
  • Per-device evidence pack: asset ID, sanitisation record, validation, and handover record.
  • Proof of MDM removal, account removal, and support boundary acceptance signed by employee.
  • Asset register update and derecognition completed before the device leaves custody.
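The decision tree and the minimum controls checklist above have an ordering that matters: steps 1 and 2 route the device away before any staff-sale control is even considered, steps 3, 4, 6 and 7 each block a sale on their own, step 5 attaches conditions rather than blocking, step 8 sends the device to recycling, and the exception path only applies with all three sign-offs and a written rationale. The following is an added example that encodes that precedence; it is not the article's or any vendor's tooling, the `DeviceCase` field names are hypothetical, and the sample cases are constructed.

```python
"""Routing a device through the CFO-facing decision tree (added illustration)."""
from dataclasses import dataclass, field

# Step 10: all three functions must sign, and a rationale must be recorded.
REQUIRED_EXCEPTION_SIGNOFFS = {"legal_or_privacy", "it_security", "finance"}


@dataclass
class DeviceCase:
    """Yes/no answers to the eight steps, plus exception-path evidence."""
    asset_id: str
    sensitive_or_privileged: bool          # step 1
    encryption_keys_confirmed: bool        # step 2
    sanitisation_evidence: bool            # step 3
    chain_of_custody_complete: bool        # step 4
    buyer_connected_person: bool           # step 5
    mdm_identity_licensing_removed: bool   # step 6
    valuation_tax_pack: bool               # step 7
    credible_eol_path: bool                # step 8
    exception_signoffs: set = field(default_factory=set)
    exception_rationale: str = ""


def exception_allowed(c):
    """Step 10: sign-offs complete and a documented rationale present."""
    return (c.exception_signoffs >= REQUIRED_EXCEPTION_SIGNOFFS
            and bool(c.exception_rationale.strip()))


def route(c):
    """Return (route, reasons). Steps apply in order; the first failing
    hard step decides. Step 5 never blocks on its own, it adds conditions."""
    if c.sensitive_or_privileged:
        return "approved_itad_vendor_or_certified_recycling", ["step 1: sensitive data or privileged access"]
    if not c.encryption_keys_confirmed:
        return "vendor_or_destruction", ["step 2: encryption state or key custody not confirmed"]
    blocking = [
        (c.sanitisation_evidence, "step 3: no sanitisation evidence or validation"),
        (c.chain_of_custody_complete, "step 4: chain of custody not documented"),
        (c.mdm_identity_licensing_removed, "step 6: MDM, identities or licensing not removable"),
        (c.valuation_tax_pack, "step 7: valuation or tax pack not supportable"),
    ]
    for ok, reason in blocking:
        if not ok:
            if exception_allowed(c):
                return "staff_sale_by_documented_exception", [reason, "signed by legal/privacy, IT security, finance"]
            return "staff_sale_not_permitted", [reason]
    if not c.credible_eol_path:
        return "certified_recycling", ["step 8: no credible end-of-life path"]
    if c.buyer_connected_person:
        return "staff_sale_permitted_with_enhanced_governance", [
            "step 5: enhanced governance", "independent pricing review", "consider excluding buyer"]
    return "staff_sale_permitted", []


# Constructed sample cases covering each branch of the tree.
SAMPLE_CASES = [
    DeviceCase("LT-2001", False, True, True, True, False, True, True, True),
    DeviceCase("LT-2002", True, True, True, True, False, True, True, True),
    DeviceCase("LT-2003", False, True, False, True, False, True, True, True),
    DeviceCase("LT-2004", False, True, False, True, False, True, True, True,
               {"legal_or_privacy", "it_security", "finance"}, "board-approved pilot"),
    DeviceCase("LT-2005", False, True, True, True, True, True, True, True),
    DeviceCase("LT-2006", False, True, True, True, False, True, True, False),
]


def route_batch(cases=SAMPLE_CASES):
    """Map asset_id -> route name for a whole batch."""
    return {c.asset_id: route(c)[0] for c in cases}


if __name__ == "__main__":
    for c in SAMPLE_CASES:
        print(c.asset_id, *route(c))
```

Note that LT-2003 and LT-2004 have identical control answers; the only difference is the sign-off set and rationale, which is exactly what turns "not permitted" into a documented exception, and what should therefore be stored with the disposal evidence.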

If you need a place to route non-staff disposals in a controlled way, use the options in Sell your items or review the organisation-level route in Corporate IT asset disposal services.

Frequently asked questions

Can we rely on a Windows reset as proof of secure sanitisation

Not by itself, because it is typically an end-user action and may not meet your confidentiality requirements or evidence expectations. Treat it as a convenience step, then apply a policy-defined sanitisation method with validation and records aligned to your programme standard.

What evidence should we retain for POPIA and audit purposes

Retain a disposal pack that links asset ID to chain of custody, sanitisation method, validation result, and transfer documentation. Also retain the policy basis for your method selection and the retention period for those records.

Does selling to staff create related party disclosure issues

It can, especially where key management personnel or close family are involved, or where terms could be viewed as not at arm’s length. Use IAS 24 as the reference point and involve your finance reporting team to decide what must be disclosed and how.

How do we avoid fairness complaints and conflict of interest

Publish eligibility and allocation rules upfront, enforce consistent pricing, and separate decision-making from allocation and approval. Where a manager can influence allocation, require independent approval or exclude that person from buying in that batch.

What is the simplest low-risk default policy position

Prohibit staff sales for higher-sensitivity devices and for privileged users, and route those assets to an approved ITAD vendor or certified recycling. Allow staff sales only as an exception when sanitisation evidence, chain of custody, and finance approvals are all in place.

Summary

  • Staff sales concentrate risk exactly where you want certainty: data sanitisation, privacy, and audit evidence.
  • A CFO-ready ITAD route is one you can prove, not one that feels easy.
  • Use programme-level sanitisation guidance and keep validation evidence per device.
  • If staff sales exist, treat them as rare exceptions with enhanced governance.

This is educational content, not financial advice.

Dr Jan van Niekerk Chief Executive Officer
I'm a seasoned executive leader with a deep background in Data Science and AI, and a passion for all things blockchain and crypto. I proudly hold 5 degrees to my name (Ph.D. in Computer Science (AI) and an Executive MBA) which I leverage to do things differently. I have been involved in the crypto-mining space for 15+ years, where at one point, I owned the largest individually owned crypto mining operation in Africa (bragging point). I have turned the mining operation into a commercial engine where my team and I now help people and businesses in the crypto mining space (offering a full value chain service).