# Auditing a Salesforce Org

## Functional Audit

One workshop mid-audit to discuss their process  
One workshop after the audit to discuss findings, step forwards

## General stuff to check

Administrator presence - Number of admins, experience, etc. (https://help.salesforce.com/HTViewSolution?id=000007548)  
Organization Security - Check the automated health check in Setup &gt; Health Check  
User-Friendliness - custom app ? limited number of tabs ? how many fields per page layout ? is LEX-enabled ? Page layouts make somewhat sense ?  
Maintainability - using best practices, nomenclatures, not using old notes or old attachments, low-ish number of automations per object, good structure in automations if many, avoid multiple sources of automation on one object.  
Usage - have users logged in in the past 30 days ?

## Limits

Data limit - Setup &gt; Data Storage  
Storage Limit - Setup &gt; File Storage  
Object limits - Run Optimizer if possible or check each object limit.  
APEX limits - API calls per 24h, errors when tracking a user, etc.

## Security

OWD &amp; role reviews  
Review of Profiles &amp; Permission sets, flag any VAD or MAD access  
Review Permission Set Groups &amp; Muting Permission Sets  
Review of any external access  
Review Sharing Rules

## Data Model

Review of limits and object usage  
Review of field usage  
Review of general architecture  
Solution design of Refactoring if needed

## Data

Duplicates ?  
Reportable ?  
Owners make sense ?  
Old records ?  
Quality ?

## Automation

Number of Processes/Workflows per object  
Process Builder best practice audit  
Flow best practice audit

\- How many flows are there ?  
&gt; few: not used, flag it as admin probably doesn't know about them, check how the flow looks internally to check  
&gt; medium: can be anything, but OK  
&gt; A lot: are they well named ? If yes yay, that's generally an admin that knows their shit. If not I'm in for a world of hurt straight out the bat.

\- how big are the flows ?  
&gt; small : don't care  
&gt; medium: don't care  
&gt; big: see if there's squares in the same order a few times, that means they should be using subflows. you'll notice it  
&gt; huge: should be using subflows anyway

\- variables  
&gt; no input variables : they're using it as a script, train admin, but at least it's easy shit  
&gt; only input variables : they have no idea wtf input vars do, train them and check the flow for other bullcrap  
&gt; normal usage: yay

\- elements  
&gt; are the elements named consistently ?  
&gt;&gt; Yes: yay  
&gt;&gt; No: fuck

&gt; are all elements present used ?  
&gt;&gt; yes: YAY:  
&gt;&gt; no: fuck

&gt; are all elements that could be reused reused, or are there a ton of throwaway elements ?  
&gt;&gt; tons of shit that gets used once because they don't know how to use assignments and vars: fuck  
&gt;&gt; reusable stuff: yay

  
\- structure  
&gt; are the DMLs outside of the flow main structure ?  
&gt;&gt; yes: YAY  
&gt;&gt; no: fuck

&gt; Are there elements in loops other than assignments or decisions ?  
&gt;&gt; yes: fuck  
&gt;&gt; no: YAY

\- maintainability  
&gt; can the flows be read ?  
&gt;&gt; yes: phew  
&gt;&gt; no: fuck

&gt; do you know wtf they're here for in less than 30 minuets ?  
&gt;&gt;yes: somebody did their job right  
&gt;&gt;no: fuck

&gt; are the structures of the flow consistent and make it easy t maintain (subjective)?  
&gt;&gt; yay  
&gt;&gt; fuck

&gt; are there flows that should be APEX or other shit ?  
&gt;&gt; yes: list them, explain why they shouldn't be that way  
&gt;&gt; no: cool beans

Validation Rules best practice review  
Workflows review

## APEX

High-level APEX review: naming, basic structure  
Code audit: standard best practices, optimization  
Architecture audit  
Solution design of refactoring if needed

## Generation of the Audit report