BA Checklists

The document provides comprehensive checklists for Salesforce Org audits, impact analysis, technical debt management, and compliance with regulations. It outlines various audit areas, detection methods, risks, and remediation actions, emphasizing the importance of regular audits and automated monitoring tools. Additionally, it highlights key compliance requirements for regulations such as GDPR, HIPAA, and PCI-DSS, along with recommendations for addressing technical debt.

Uploaded by

Iran

A BA’s Checklists for Salesforce Org Audit, Impact Analysis, Technical Debt, and Compliance

Salesforce Org Audit Checklist


| Audit Area | Description | Detection Method | Risk if Non-Compliant | Remediation Action |
|---|---|---|---|---|
| User Access & Permissions | Review inactive users, excessive permissions, and role hierarchy gaps. | Login history, permission set assignments. | High (security breaches, data leaks). | Deactivate unused users, enforce least privilege, review role hierarchy. |
| Data Security & Sharing | Check OWD, sharing rules, and field-level security for overexposed data. | "Sharing Settings" review, FLS audits. | Critical (compliance violations). | Tighten OWD, restrict public sharing, enforce field-level security (FLS). |
| Audit Trail & Logging | Ensure Setup Audit Trail and event monitoring are enabled and retained. | Review "Setup Audit Trail" retention. | Medium (lack of accountability). | Extend log retention, enable event monitoring, archive logs externally. |
| Integration Security | Validate OAuth scopes, API access, and connected app permissions. | "Connected Apps" and "Remote Site Settings." | High (unauthorized data access). | Limit OAuth scopes, IP restrictions, review API usage. |
| Custom Code & Automation | Audit Apex/Flow vulnerabilities (SOQL injection, hardcoding secrets). | Code scans (PMD, Checkmarx), manual review. | High (exploitable code flaws). | Fix insecure code, use named credentials, bulkify triggers. |
| Data Integrity | Identify duplicate records, unused fields, or broken validation rules. | Duplicate rules, "Unused Fields" reports. | Medium (reporting inaccuracies). | Merge duplicates, archive unused fields, enforce validation rules. |
| Compliance (GDPR, SOX) | Verify compliance with regulations (e.g., PII masking, audit requirements). | Compliance Hub, manual checks. | Critical (legal/financial penalties). | Implement data masking, document controls, enable encryption. |
| Backup & Recovery | Confirm backups are scheduled and tested for critical data. | Backup tool logs (OwnBackup, Salesforce). | High (irrecoverable data loss). | Schedule automated backups, test restore processes. |
| Change Management | Review deployment history for unauthorized/unapproved changes. | "Setup Audit Trail," change request logs. | Medium (unstable org). | Enforce change control, require sandbox testing, document deployments. |
| Governor Limit Usage | Monitor proximity to limits (API calls, storage, Apex limits). | "Limits" page, Salesforce Health Check. | High (org disruptions). | Optimize code, archive data, request limit increases if needed. |
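The "Custom Code & Automation" row names SOQL injection and hard-coded secrets as the flaws a code scan should catch. As an added illustration (not part of the checklist), the Apex class below places each insecure pattern next to its remediation; `Account`, the `Payment_API` named credential and the endpoint path are assumed names for the example.

```apex
// Added example, not from the checklist. Each insecure method is the pattern
// a scanner such as PMD flags; the method after it is the remediation.
public with sharing class AccountSearchExamples {

    // INSECURE: input is concatenated into dynamic SOQL. A single quote in the
    // input ends the string literal and the remainder is parsed as SOQL.
    public static List<Account> findInsecure(String userInput) {
        String q = 'SELECT Id, Name FROM Account WHERE Name = \'' + userInput + '\'';
        return Database.query(q);
    }

    // SAFER: a bind variable is never parsed as SOQL, so the input cannot change
    // the query. WITH USER_MODE also enforces the caller's FLS and sharing,
    // which covers the "Data Security & Sharing" row at the same time.
    public static List<Account> findWithStaticBind(String userInput) {
        return [SELECT Id, Name FROM Account WHERE Name = :userInput WITH USER_MODE];
    }

    // SAFER when the query must stay dynamic: binds are passed as a map and
    // AccessLevel.USER_MODE applies the running user's permissions.
    public static List<Account> findWithDynamicBind(String userInput) {
        String q = 'SELECT Id, Name FROM Account WHERE Name = :name';
        return Database.queryWithBinds(q, new Map<String, Object>{ 'name' => userInput },
                                       AccessLevel.USER_MODE);
    }

    // INSECURE: the secret lives in source, so every sandbox copy, repository
    // clone and debug log carries it. The token is a constructed placeholder.
    public static HttpRequest chargeInsecure() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://payments.example.com/v1/charge');
        req.setHeader('Authorization', 'Bearer <HARD-CODED-TOKEN-PLACEHOLDER>');
        req.setMethod('POST');
        return req;
    }

    // SAFER: the Named Credential "Payment_API" (assumed name) holds endpoint and
    // secret in Setup; the platform adds the Authorization header at callout
    // time, so the secret never appears in code, metadata exports or logs.
    public static HttpRequest chargeWithNamedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Payment_API/v1/charge');
        req.setMethod('POST');
        return req;
    }
}
```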

Key Notes:

● Detection Tools: Use Salesforce’s Health Check, Setup Audit Trail, Event Monitoring, and third-party tools like OwnBackup or Checkmarx.
● Risk Levels: Align with business impact (e.g., compliance risks are Critical).
● Remediation: Prioritize fixes based on risk, document actions, and retest.

Additional Recommendations:

1. Automate Audits: Use tools like Salesforce Shield or Third-Party GRC Solutions.
2. Schedule Regular Audits: Quarterly for compliance, monthly for security.
3. Stakeholder Reporting: Share findings with IT, legal, and business teams.

Salesforce Impact Analysis Checklist

| Impact Type | Description | Detection of Impact | Risk of Impact | Reduction of Impact |
|---|---|---|---|---|
| Data Loss | Accidental deletion or corruption of records, fields, or files. | Audit logs, backup checks, user reports. | High (business-critical data at risk). | Regular backups, validation rules, recycle bin retention, "undelete" permissions. |
| Integration Failure | APIs, middleware (e.g., MuleSoft), or scheduled jobs fail due to changes. | Monitoring alerts, integration error logs. | High (disrupts business processes). | Sandbox testing, version control, error-handling workflows, fallback mechanisms. |
| Performance Degradation | Slow page loads, timeouts due to inefficient code/triggers or volume. | User complaints, Salesforce Health Check. | Medium (reduces productivity). | Optimize SOQL queries, bulkify triggers, use async processes, index critical fields. |
| Security & Access Issues | Broken sharing rules, permission gaps, or exposure of sensitive data. | Security review tools, login history audits. | Critical (compliance/legal risks). | Least-privilege access, regular permission audits, encryption, session timeout policies. |
| Validation Rule Conflicts | New validation rules block valid data entry or updates. | User error logs, testing in sandbox. | Medium (blocks operations). | Test in UAT, phase deployments, temporary rule deactivation with communication. |
| Dependency Breakage | Changes to custom objects/fields break reports, flows, or connected apps. | Test failures, dependency analysis tools. | High (downstream system failures). | Impact assessment tools (e.g., Salesforce Impact Analyzer), regression testing. |
| UI/UX Disruption | Layout changes confuse users or hide critical fields. | User feedback, adoption metrics. | Low-Medium (training overhead). | User acceptance testing (UAT), change communication, rollback plans. |
| Governor Limit Hits | Apex/Flow hits limits due to increased data volume or inefficient logic. | Debug logs, limit usage emails. | High (process failures). | Batch processes, query optimization, asynchronous execution. |
| License/Storage Limits | Org runs out of storage or user licenses. | Salesforce storage reports, admin alerts. | Medium (blocks growth). | Archive old data, enforce data hygiene, purchase additional capacity. |
| Metadata Deployment Failures | Deployment errors due to conflicts or missing dependencies. | Deployment logs, sandbox validation errors. | High (blocks releases). | Validate in sandbox, use CI/CD tools (e.g., Copado), incremental deployments. |

Key Notes:

● Detection: Use Salesforce’s Setup Audit Trail, Event Monitoring, and Health Check for proactive monitoring.
● Risk Assessment: Classify as Low/Medium/High/Critical based on business impact.
● Reduction: Always test in a sandbox, document dependencies, and train users before rollout.

Salesforce Technical Debt Checklist

| # | Technical Debt Type | Description | Steps to Discover | Steps to Address |
|---|---|---|---|---|
| 1 | Complex Object Structures | Objects with excessive page layouts, record types, and custom fields. | Install Org Check package; run Setup > Optimizer; use SF Explorer browser extension; query objects with a high number of fields. | Consolidate redundant fields; simplify page layouts; archive unused record types. |
| 2 | Unpopulated or Inconsistent Data Fields | Custom fields that are mostly blank or inconsistently used. | Use Field Trip, Field Footprint, or Cuneiform Field & Data Management; run field population queries; check Hubbl.com or HappySoup.io for impact analysis. | Remove truly unused fields (after validation); standardize data entry for critical fields. |
| 3 | Process Builder & Workflow Rules Still in Use | Legacy automation tools that need migration to Flow. | Run Setup > Optimizer; use Org Check to identify outdated workflows. | Migrate workflows to Flow Builder; deactivate redundant rules. |
| 4 | Outdated or Stale Code | Unreferenced Visualforce pages, Apex classes, or low test coverage. | Run System Overview report; use Org Check or HappySoup.io for dependency checks; query metadata dependencies. | Remove unused code; improve test coverage; refactor inefficient logic. |
| 5 | Outdated Flows | Flows with deprecated API versions or no active versions. | Query FlowDefinitionView for outdated flows; use Org Check for analysis. | Update API versions; consolidate redundant flows; document flow purposes. |
| 6 | Outdated/Inefficient Apex Code | Dead methods, SOQL/DML anti-patterns. | Use Scale Center > Performance Analysis; run ApexGuru Insights. | Refactor inefficient queries; remove dead code; optimize bulk operations. |
| 7 | Excessive Profiles & Permission Sets | Redundant or unassigned permissions. | Query profiles/permission sets with no users; use Org Check. | Consolidate overlapping permissions; remove unused sets. |
| 8 | External Access Misconfiguration | Overly permissive sharing settings exposing sensitive data. | Run Org Health Check; review Guest User permissions. | Restrict public access; apply least-privilege sharing. |
| 9 | Untracked or Unused Custom Labels | Labels with no references in the org. | Use Org Check to identify unused labels. | Remove obsolete labels; document critical ones. |
| 10 | Overloaded Storage | Org nearing/exceeding storage limits due to unused data. | Check Setup > Data > Storage Usage; analyze EmailMessage/Task trends. | Archive old records; implement data retention policies. |
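An added Apex example (not from the checklist) that turns three detection steps into runnable queries: the audit checklist's "User Access & Permissions" row (inactive users, excessive permissions), row 7 above (permission sets with no users) and row 8 above (guest user permissions). The 90-day inactivity threshold is an assumption; the objects and fields are standard `User`, `PermissionSet` and `PermissionSetAssignment` fields.

```apex
// Added example, not from the checklist. Save as a class and call
// AccessAuditReport.run() from Anonymous Apex; findings go to the debug log.
public class AccessAuditReport {
    static final Integer STALE_DAYS = 90;   // assumed inactivity threshold

    // Active human users with no login in STALE_DAYS (or ever): candidates
    // for deactivation ("User Access & Permissions" audit row).
    public static List<User> staleUsers() {
        Datetime cutoff = Datetime.now().addDays(-STALE_DAYS);
        return [SELECT Id, Username, LastLoginDate, Profile.Name
                FROM User
                WHERE IsActive = true AND UserType = 'Standard'
                  AND (LastLoginDate = null OR LastLoginDate < :cutoff)
                ORDER BY LastLoginDate NULLS FIRST];
    }

    // "Modify All Data" granted through a permission set or a profile
    // (IsOwnedByProfile = true): each grant needs a documented justification.
    public static List<PermissionSetAssignment> modifyAllDataGrants() {
        return [SELECT Assignee.Username, PermissionSet.Label, PermissionSet.IsOwnedByProfile
                FROM PermissionSetAssignment
                WHERE PermissionSet.PermissionsModifyAllData = true
                  AND Assignee.IsActive = true];
    }

    // Permission sets with no assignees (technical debt row 7).
    public static List<PermissionSet> unassignedPermissionSets() {
        return [SELECT Id, Label
                FROM PermissionSet
                WHERE IsOwnedByProfile = false
                  AND Id NOT IN (SELECT PermissionSetId FROM PermissionSetAssignment)];
    }

    // Guest (unauthenticated site) users and the permission sets they carry
    // (technical debt row 8): everything listed is reachable without a login.
    public static List<PermissionSetAssignment> guestUserGrants() {
        return [SELECT Assignee.Username, PermissionSet.Label
                FROM PermissionSetAssignment
                WHERE Assignee.UserType = 'Guest' AND Assignee.IsActive = true];
    }

    public static void run() {
        for (User u : staleUsers())
            System.debug('STALE USER: ' + u.Username + ' last login ' + u.LastLoginDate);
        for (PermissionSetAssignment a : modifyAllDataGrants())
            System.debug('MODIFY ALL DATA: ' + a.Assignee.Username + ' via ' + a.PermissionSet.Label);
        for (PermissionSet p : unassignedPermissionSets())
            System.debug('UNASSIGNED PERMISSION SET: ' + p.Label);
        for (PermissionSetAssignment a : guestUserGrants())
            System.debug('GUEST GRANT: ' + a.Assignee.Username + ' has ' + a.PermissionSet.Label);
    }
}
```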

Key Actions for Addressing Tech Debt

1. Prioritize by impact (e.g., security risks, performance bottlenecks).
2. Document cleanup efforts to prevent recurrence.
3. Automate monitoring (e.g., Org Check, HappySoup.io).
4. Assign ownership for ongoing maintenance.

Salesforce Org Compliance Checklist

| Compliance Area | Description | Detection Method | Risk if Non-Compliant | Remediation Action |
|---|---|---|---|---|
| PCI-DSS (Credit Card Data) | Ensure no raw credit card numbers are stored; validate encryption/masking. | Field audit (e.g., CreditCardNumber fields), transaction logs. | Critical (fines, revoked processing). | Use tokenization (e.g., Stripe), enable Masking and Encryption, restrict access via FLS. |
| HIPAA (Protected Health Info - PHI) | PHI (e.g., SSN, diagnoses) must be encrypted and access-controlled. | Review object/field-level security (e.g., Patient__c). | Critical (legal penalties, lawsuits). | Enable Platform Encryption, audit sharing rules, sign BAAs with vendors. |
| GDPR (Personal Data) | Ensure EU citizen data is collected consensually and can be erased. | Data inventory (e.g., Contact/Lead fields storing PII). | Critical (4% global revenue fines). | Implement Data Retention Policies, anonymization tools, and consent tracking. |
| SOX (Financial Controls) | Validate financial data integrity (e.g., audits, change controls). | Review Financial__c objects, approval processes. | High (investor/federal scrutiny). | Enforce MFA, document change approvals, log all financial data edits. |
| FERPA (Student Records) | Protect student education records from unauthorized access. | Check Education__c objects and sharing settings. | High (loss of funding). | Enable Role Hierarchies, encrypt sensitive fields, restrict report access. |
| CCPA (California Consumers) | Allow users to opt out of data sales and request deletion. | Audit OptOut__c fields and data flows. | High ($7.5k/violation). | Build Data Subject Request (DSR) workflows, update privacy policies. |
| PII Masking | Personally Identifiable Information (PII) must not be visible to all users. | Scan for unmasked Email, Phone, SSN fields. | Medium-High (privacy breaches). | Use Dynamic Masking (e.g., Salesforce Shield) or custom Lightning components. |
| Audit Trail Retention | Compliance often requires logs retained for 7+ years. | Check "Setup Audit Trail" retention settings. | Medium (failed audits). | Export logs to SIEM (e.g., Splunk), use Event Monitoring. |
| Third-Party App Compliance | Ensure apps (e.g., DocuSign) meet compliance standards. | Review AppExchange security certifications. | High (supply chain risks). | Only install HIPAA/PCI-certified apps, review BAAs. |
| Backup & Data Recovery | Compliant orgs must have immutable backups. | Validate backup frequency and encryption. | Critical (data loss). | Use OwnBackup or Salesforce Backup, test restores quarterly. |
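As an added example (not from the checklist) of the GDPR row's erasure and retention requirement, this batch Apex class anonymizes expired Contacts instead of deleting them, so related Cases, Opportunities and audit history keep resolving while the personal data is gone. `Retention_Expiry__c`, `Erasure_Requested__c` and `Anonymized_On__c` are assumed custom fields.

```apex
// Added example, not from the checklist. Retention_Expiry__c (Date),
// Erasure_Requested__c (Checkbox) and Anonymized_On__c (Date/Time) are assumed
// custom fields; the last one stops a record from being processed twice.
public with sharing class AnonymizeExpiredContactsBatch
        implements Database.Batchable<SObject>, Schedulable {

    public Database.QueryLocator start(Database.BatchableContext bc) {
        return Database.getQueryLocator(
            'SELECT Id FROM Contact ' +
            'WHERE Anonymized_On__c = null ' +
            'AND (Erasure_Requested__c = true OR Retention_Expiry__c < TODAY)');
    }

    public void execute(Database.BatchableContext bc, List<Contact> scope) {
        for (Contact c : scope) {
            // Overwrite every identifying field with a neutral value; the Id is
            // kept so lookups from other objects do not break.
            c.FirstName = 'Redacted';
            c.LastName = 'Contact-' + c.Id;
            c.Email = null;
            c.Phone = null;
            c.MobilePhone = null;
            c.Birthdate = null;
            c.MailingStreet = null;
            c.MailingCity = null;
            c.MailingPostalCode = null;
            c.Description = null;
            c.Anonymized_On__c = Datetime.now();
        }
        // allOrNone = false: one record failing a validation rule must not
        // block the rest; failures are logged so the compliance record is complete.
        List<Database.SaveResult> results = Database.update(scope, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (!results[i].isSuccess()) {
                System.debug(LoggingLevel.ERROR, 'Anonymization failed for ' + scope[i].Id
                             + ': ' + results[i].getErrors()[0].getMessage());
            }
        }
    }

    public void finish(Database.BatchableContext bc) { }

    // Nightly run, e.g. System.schedule('GDPR anonymization', '0 0 2 * * ?',
    //                                    new AnonymizeExpiredContactsBatch());
    public void execute(SchedulableContext sc) {
        Database.executeBatch(new AnonymizeExpiredContactsBatch(), 200);
    }
}
```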

Key Notes:

1. Tools to Use:
   ○ Salesforce Shield (Encryption, Event Monitoring).
   ○ Health Check (Baseline compliance scoring).
   ○ AppExchange Solutions (e.g., Vault Platform for HIPAA).
2. Automation:
   ○ Flow or Apex to auto-delete/anonymize expired data (GDPR).
   ○ Validation Rules to block PCI data entry in free text fields.
3. Documentation:
   ○ Maintain Records of Processing Activities (ROPA) for GDPR.
   ○ Sign Business Associate Agreements (BAAs) for HIPAA vendors.
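Key Note 2 recommends a validation rule to keep card numbers out of free-text fields. As an added example (not from the checklist) the same control is implemented in Apex so that a Luhn check can filter out ordinary digit runs such as order numbers, which a formula REGEX alone cannot do; `Case.Description` is the assumed free-text field.

```apex
// Added example, not from the checklist. Blocks saves when a free-text field
// contains a digit run that both looks like a card number and passes Luhn.
public with sharing class CardDataGuard {
    // 13 to 19 digits, optionally separated by single spaces or dashes.
    static final Pattern CANDIDATE = Pattern.compile('(?:\\d[ -]?){12,18}\\d');

    // Luhn mod-10 check shared by all major card brands.
    public static Boolean passesLuhn(String digits) {
        Integer sum = 0;
        Boolean doubleIt = false;
        for (Integer i = digits.length() - 1; i >= 0; i--) {
            Integer d = Integer.valueOf(digits.substring(i, i + 1));
            if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            doubleIt = !doubleIt;
        }
        return Math.mod(sum, 10) == 0;
    }

    // True when the text holds a card-length digit run that also passes Luhn.
    // The test vector 4111 1111 1111 1111 is caught; a 16-digit order number
    // such as 1234 5678 9012 3456 fails Luhn and is let through.
    public static Boolean containsCardNumber(String text) {
        if (String.isBlank(text)) return false;
        Matcher m = CANDIDATE.matcher(text);
        while (m.find()) {
            if (passesLuhn(m.group().replaceAll('[^0-9]', ''))) return true;
        }
        return false;
    }

    // Wire it up with:
    //   trigger CaseCardGuard on Case (before insert, before update) {
    //       CardDataGuard.block(Trigger.new);
    //   }
    public static void block(List<Case> records) {
        for (Case c : records) {
            if (containsCardNumber(c.Description)) {
                c.addError('Card numbers must not be entered in free-text fields (PCI-DSS).');
            }
        }
    }
}
```

The same `containsCardNumber` check can be reused on any other long-text field (Task comments, email bodies) by adding a trigger for that object.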
