A Comprehensive Salesforce Audit Guide

Being a powerhouse tool handling loads of company data and business operations, Salesforce inherently needs health checks from time to time. Only a full-fledged Salesforce audit gives a holistic picture of the system's current vulnerabilities, bottlenecks, redundancies, and other issues worth fixing.

That's why an audit is the most logical first step before any major Salesforce optimization. Moreover, audits highlight areas for improvement in each and every aspect of your Salesforce org: data, security, performance, UX, scalability, and more.

So, to make the most of Salesforce CRM, you need to review it thoroughly. Based on our experience auditing and optimizing the platform, we've created a guide on when a check-up is necessary, how to conduct it, what tools in Salesforce might help, and more.

1. Why Conduct Salesforce Audits?

Running diagnostics on a Salesforce instance may seem like a rather formal (and quite dull) activity. But when done in a timely and meticulous way, it brings more benefits than it seems at first glance. Auditing your Salesforce system helps to:

  • Assess the current state of the Salesforce environment to know where the situation is more or less stable and where immediate action is required.
  • Detect existing and potential issues in all crucial aspects of Salesforce functioning: data, reporting, security, automation, integrations, code quality, and so forth.
  • Determine areas for improvement, like possible optimizations, upgrades, automation, or AI solutions to boost teams' productivity and speed up business processes.
  • Analyze data processing and technical debt. Years of developing and managing the platform inevitably lead to suboptimal decisions by sales, marketers, admins, and developers, which demands a rigorous examination.
  • Make sure your SF platform is compliant with all current regulations, particularly data security policies.
  • Get a plan for optimizing your CRM. An audit conducted by professionals results in a detailed report with findings and concrete measures worth taking, sorted by urgency.

2. Is It Time for a Salesforce Audit Yet?

So, we've discussed how auditing Salesforce can be helpful. But how often should audits be performed? And when is it necessary to conduct an off-schedule one? Let's consider some cases.

  • You haven't done a Salesforce audit for 1+ year
    In fact, the periodicity of check-ups depends on the size and complexity of your Salesforce ecosystem. For a mid-sized business with a fairly basic Salesforce instance, a once-in-2-3-year audit will suffice. For an enterprise-level organization with a wealth of custom code and third-party integrations, we'd recommend a yearly audit.
  • Bugs slow down the workflows
    Mistakes in reports, inaccurate , faulty automation, and other bugs hinder business processes and decrease teams' effectiveness. These are telltale signs of persistent issues inside your SF system.
  • Staff members aren't happy with Salesforce
    Salespeople, marketers, and customer service agents might say that something in Salesforce is inconvenient, from unclear instructions to dashboards overfilled with irrelevant blocks to a lack of functionality. Also, employees sometimes simply ignore the platform's possibilities and perform tasks manually because they don't know how to automate them or are unaware that something could be automated.
  • You feel there's room for improvement
    While reading articles about capabilities, you may wonder what is applicable to your Salesforce platform and whether something is missing. Then, an audit is the way to holistically evaluate the matter and offer solutions for your business needs.

3. How to Conduct a Salesforce Audit?

The Salesforce audit process we'll describe below isn't the ultimate truth. There are multiple variables impacting its structure and duration: who performs the audit (in-house/outsource team), how often it happens (annually/once every several years/never conducted before), how well-documented previous audits were, and more.

We'll take a comprehensive audit done by an agency as an example here. Firstly, we'll break down the preparation part. Secondly, we'll discuss the audit steps themselves.

3.1 Salesforce Platform Audit Preparation

The pre-audit stage is of huge importance if we want to get valuable insights in the end. At the very start, we need to gather the team, define goals, outline the work scope and deadline, and prepare the needed documents.

The Team

Having Salesforce professionals on board is one of the main prerequisites for the project's success. Basically, there are three paths: assembling an internal, external, or hybrid audit team. We think the best variant is when the two groups work in tandem.

And here is why. The in-house team is the least objective and critical about its decisions and solutions simply because these are the people behind them. On the contrary, an outsourced team can present an unbiased view of the system. However, it needs more time to delve into Salesforce org's intricacies.

The Objectives and Work Scope

The first thing the team does is formulate the audit aims. Here, we're guided by stakeholders' perspectives, opinions, and needs, plus our own expertise. A typical goal is to evaluate the overall state of a Salesforce org.

However, the goal can be narrower, so we'll review isolated parts like the level of security, automation or customization quality, system performance, and so on. Once the goals are determined, we put together a preliminary plan and set milestones.

The Timeline

When it comes to time assessment, a comprehensive check-up takes up to two weeks if auditors aren't familiar with the instance. We at Onilab can combine express Salesforce audits with actual coding tasks.
Let's say you turn to us to create a custom Salesforce app, automate some processes, integrate your org with ERP, etc. We need to explore your SF configuration as we work on the major task anyway. So, it'll take us just a little more time to complete the examination and summarize it in the report. In many cases, we don't even charge extra money.


Things like system architecture diagrams, previous audit reports, and dev docs on customizations and integrations help to move quicker with the steps we'll observe next.

3.2 A Mini Salesforce Audit Process Guide

After you've decided on auditors, goals, and the deadline, it's time for the audit itself. Here is a nine-step Salesforce audit checklist we often follow when our task is a "full-body scan" of a Salesforce instance.

Step One: Business Processes Review

At the very start, we get to know the peculiarities of a company's business logic, i.e., key business processes in sales, customer service, marketing, analytics, and finance departments. We break down the workflows into steps to grasp how they're organized.

Let's take analyzing the sales reps' workflows as an example. We look at how managers handle standard and custom objects (accounts, contacts, leads, opportunities, etc.): how they input data, which automations they use, how their dashboards look, and which inconveniences they encounter.

Step Two: Automation Solutions Review

Then, we assess how efficiently routine automation is implemented and seek blind spots in streamlining workflows. Salesforce provides wide no-code possibilities to automate business processes, so employees without programming knowledge can simplify and accelerate their work via Salesforce's GUI. However, we often notice missed automation opportunities simply because the staff isn't aware of them or is a bit afraid to try.

Also, we take a look at custom automation logic quality and whether a client uses relevant Salesforce or third-party automation software. Finally, we suggest new solutions: no-code, custom-coded, and ready-made software. Plus, we explain how to optimize the routine automation that is already in place to further reduce manual data processing, record handling, calculations, sending notifications, and so forth.

Step Three: Data Handling Review

Salesforce data quality and data hygiene are essential to the success of all operations taking place in the CRM. First off, auditors check for duplicated info, which may adversely impact data storage. Agents enter much of the customer data manually, and if there's no validation by certain parameters (like by a phone number), duplicates might occur. There can also be copies from third-party systems.

Unnecessary, old, or unused data may contribute to reaching data storage limits, too. Some entries can be deleted, others archived, plus we prompt how to prevent adding redundant data in the first place. We also review data validation rules, lost data syncs, data backup, and data security settings.

Step Four: Reports and Dashboards Review

Optimized reports and dashboards equal focused and productive teams that don't get irritated every time they interact with the CRM. Oftentimes, dashboards are suboptimal structure-wise, and users don't see some relevant blocks. The same is true for reports: their configurations don't always catch up with changes in strategy.

We'll suggest how to enhance both dashboard and reporting capabilities via settings and/or custom coding. Displaying all crucial info, hiding excessive blocks, and setting needed alerts greatly improves the day-to-day CRM routine.

Step Five: Security Settings Review

A Salesforce security audit is another considerable chunk of the process. The first place to visit is the Salesforce Health Check tool, which warns about problematic settings, vulnerabilities, and expired certificates. Nevertheless, clients often want neither to make changes blindly nor to delve into the meaning of these Salesforce Health Check insights, so they wait for pros to take a look and give advice.

A security scan continues with investigating basic settings like user authentication (including password policy) and authorization (permissions, access rights, user roles, sharing rules). Auditors will carefully vet the system for compliance with the principle of least privilege, which is about giving users the bare minimum of rights to reduce security risks.

There are a couple more useful security auditing tools in Salesforce to help with these tasks. Security Center monitors all security-related settings and alerts admins when suspicious activities like failed login attempts or changes in critical settings happen. Besides, it aids in overseeing and managing user access and permissions.

View Setup Audit Trail is one of the central monitoring tools in Salesforce. It logs the changes in a Salesforce org over the last 180 days: configuration and security settings, custom fields, profiles, permission sets, and so forth. It shows what was altered, when, and by whom.
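As an added example (not Onilab's or Salesforce's code), here is one way to triage an exported Setup Audit Trail offline: it flags changes in security-relevant sections and delegated actions, and reports how many days remain before each entry ages out of the 180-day window. The column layout, the date format, the section labels, and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumption: section labels this audit treats as security-relevant.
# Replace them with the labels that appear in your own export.
SENSITIVE_SECTIONS = {"Manage Users", "Password Policies", "Sharing Rules"}
RETENTION = timedelta(days=180)  # retention window stated in the text

# Constructed sample rows (not real log output); the header is an assumed layout.
SAMPLE_CSV = """Date,User,Source Namespace Prefix,Action,Section,Delegate User
2024-05-02 09:14:00,admin@example.com,,Changed profile for user j.doe from Standard User to System Administrator,Manage Users,
2024-05-02 09:20:00,admin@example.com,,Created custom field Region on Account,Customize Accounts,
2024-05-03 23:41:00,dev@example.com,,Changed minimum password length from 12 to 8,Password Policies,
2024-05-04 10:05:00,support@example.com,,Granted permission set Export Reports to user j.doe,Manage Users,admin@example.com
"""


def triage(csv_text, now):
    """Return the rows an auditor should review, each with the reasons it was
    flagged and the days left before it ages out of the 180-day window."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["Section"] in SENSITIVE_SECTIONS:
            reasons.append("sensitive section")
        # Assumption: a non-empty Delegate User means the change was made
        # on another user's behalf, which deserves a second look.
        if (row["Delegate User"] or "").strip():
            reasons.append("delegated action")
        if not reasons:
            continue
        when = datetime.strptime(row["Date"], "%Y-%m-%d %H:%M:%S")
        findings.append({
            "when": when,
            "who": row["User"],
            "what": row["Action"],
            "reasons": reasons,
            "days_left": max((when + RETENTION - now).days, 0),
        })
    # Oldest first: those entries disappear from the org soonest.
    return sorted(findings, key=lambda f: f["when"])


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV, now=datetime(2024, 10, 20)):
        print(f["when"], f["who"], f["reasons"], f"{f['days_left']}d left", f["what"])
```

Entries with few days left are the ones to archive outside the org first, since the trail itself will not keep them.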

Step Six: Integration Review

Each Salesforce org utilizes additional software to expand functionality, speed up processes, or for data exchange. When dealing with this part of the system, auditors review installed packages and vet integrations. As a result, we can discover unnecessary apps, inefficiently used ones, and performance issues. Besides, we can recommend more modern, relevant, and/or cheap alternatives to currently used extensions.

One more task in auditing integrations is reviewing the API part. We analyze failed API requests and search for API optimization ways to avoid blocking API calls due to and bulk API limitations.

Step Seven: Custom Code Review

If a Salesforce org has plenty of custom code, this step is obligatory. First and foremost, auditors are on the lookout for legacy Apex code that needs to be updated to perform better and more productively. Also, we check the overall code quality of Apex classes, Lightning components, and Visualforce pages, focusing on excessive/suboptimal logic, errors, and long execution times.

Custom-made applications also come under scrutiny since it might be possible to optimize them. Plus, as Salesforce periodically upgrades its systems, and it can't automatically transfer custom business logic, we take notes on what to move to newer versions or systems.

Salesforce offers handy auditing tools to review various customizations and get recommendations. For instance, Salesforce Optimizer is available by default and aimed at analyzing custom code, fields, page layouts, dashboards, and giving optimization tips.

Another powerful tool is Apex PMD, a source code analyzer detecting mistakes and helping to maintain fine Apex code quality. Salesforce Accelerator, which is available on demand, is a Salesforce tool running profound check-ups, identifying technical issues, and giving advice on tackling them.

Step Eight: Scalability Review

For businesses on the brink of expanding their operation, it's crucial to project whether the capacities of the current Salesforce instance will be enough. If not, are there any opportunities to optimize the platform usage or reconfigure the instance to stay on the current Salesforce edition?

If there's a need to scale considerably and hire more people, auditors can evaluate what resources are needed and which Salesforce edition will be the perfect fit. Since the price gaps between different Salesforce packages are significant, an accurate assessment may help to reduce future expenses.

Step Nine: Preparing a Salesforce Audit Report

At last, the Salesforce audit team compiles a report with all key findings and suggestions. In accordance with Salesforce audit objectives, it highlights issues found in the platform's parts under study.

Besides this, the report contains professional advice about what to customize and automate, which solutions to replace and why, how to monitor performance further, and more. Salesforce audit documentation serves as a comprehensive guide for admins and Salesforce developers who will carry out optimization.

Salesforce Health Check: Final Word

Being complex and ramified, each Salesforce implementation requires an audit once in a while. A comprehensive audit in Salesforce includes checking automation solutions, data quality and data protection, security settings, customizations, integrations, and more.

Salesforce audit reports are, in fact, well-structured plans for subsequent platform optimization. If you're searching for Salesforce auditing and monitoring by an outsourced independent team, we're at your disposal. Contact Onilab to discuss your project and order the express or thorough Salesforce audit.

How to Audit Salesforce: FAQ

What is a Salesforce audit?

An audit in Salesforce means an examination of a company's Salesforce platform. It can be performed by either in-house Salesforce administrators and developers or an outsourced team. Audit findings help in further optimization and scaling tasks.

How to audit a Salesforce org?

A comprehensive audit covers analyzing all parts of the org: custom objects and routine automation; usage limits and permission sets; login history and login attempts; sensitive data protection and active licenses; custom apps and code; etc. Once the audit is completed, a client receives a report with key issues and Salesforce audit recommendations.

What are the Salesforce audit timelines?

The more complex your instance is, and the more users interact with it daily, the more frequently audits should be performed. We'd recommend yearly checks for large companies, while smaller ones can carry out full audits every two to three years.
