Nearly all real servers are behind (a bit) on SW upgrades/patching, both for OS + services (eg Oracle, Apache etc).
Possibly any Apps as well
HW upgrades are different, but you need to check if they can be or not.
The ones that can't are presumably prime candidates for VM-ing eg Solaris zones.
There may well be licensing issues ie running on a VM vs running on metal.
Better make sure they are up to date....
Ditto support ctcs for everything (HW + SW).
Does your (manager's) definition of 'audit' include security?
There are political & legal issues involved in a proper audit ... you're going to have to start thinking in those terms, I'm afraid.