Editor's note: The numbers in this post are median patterns from roughly 1,000 production Salesforce org audits Clientell has run across mid-market and enterprise. Nothing is theoretical. Every percentage, count, and dollar figure has appeared in a real audit deliverable.
TLDR (Key Takeaways)
- Nine audit dimensions in ten minutes. Permissions, flows, technical debt, data quality, licenses, compliance, Agentforce readiness, change intelligence, and deployments, all via read-only OAuth. No install, no new credentials.
- Every finding has a Fix in Chat button. The agent drafts the change, tests it in your sandbox, and ships on your approval. The audit closes itself.
- The numbers are real. Median findings from 1,000+ production org audits: 234 unused permission sets, 282 automations on a single Opportunity object, 29% Apex coverage, 74% of licensed users who never log in.
- Compliance included. 144 controls mapped across SOC 2, ISO 27001, GDPR, HIPAA, and NIST CSF. Every finding attributed to who touched what, down to the second.
- Included with Clientell. Run your first audit, no credit card required.
Audits don't fix orgs. Ours does.
Most Salesforce audits are paperwork. Salesforce Optimizer flags 47 issues nobody triages. A consulting engagement produces a 60-slide deck six weeks after the kickoff call. A spreadsheet from your last SOC 2 prep sits in a Drive folder until next year's auditor asks for it again.
The findings are real. The remediation never happens. By the time anyone gets around to the spreadsheet, the org has drifted further, the admin who understood the old config has left, and you are paying for the next audit before you closed the last one.
We built Org Audit to break that loop. It scans your org. It tells you what is wrong. And then, and this is the part that matters, it offers to fix it. Every finding has a Fix in Chat button. The agent drafts the change, tests it in your sandbox, and ships on your approval. The audit closes itself.
What Org Audit actually does
In plain English, with no architecture diagram required:
You connect your Salesforce org via read-only OAuth. No new credentials. No installation. No package. The connection is revocable from your Setup screen at any time. We do not write to your org during the scan.
The scan runs in about ten minutes. It reads metadata, code, configuration, user activity, change history, and adoption signals. By the time you finish your coffee, you have findings.
Every finding is attributed. Who created the flow. Who edited the Apex class last. Which admin granted the permission set in 2022 and never revisited it. Salesforce's own SetupAuditTrail tells the story; Org Audit just makes it legible, and ties each entry to the configuration it produced.
That is the diagnostic. The bigger idea is what happens next.
The nine audits, in one connection
Org Audit is a suite. One scan produces findings across nine dimensions, each with its own page on this site if you want to go deep. The table below is the full inventory.
| Audit | What it scans | Typical finding | Page |
|---|---|---|---|
| Permissions Audit | Profiles, permission sets, sharing rules, Integration Users | 234 unused permission sets in a 4-year-old org | salesforce-permissions-audit |
| Flow Audit | Flows, Process Builder, Workflow Rules, race conditions | 282 automations on a single Opportunity object | salesforce-flow-audit |
| Technical Debt Audit | Apex, triggers, LWC, governor risks, test coverage | 29% average Apex coverage (deploys require 75%) | salesforce-technical-debt-audit |
| Data Quality Audit | Per-object grades, field completeness, duplicate density | 23.9% median field completeness | salesforce-data-quality-audit |
| License Audit | Seat utilization, idle users, unassigned licenses | 74% of licensed users have never logged in | salesforce-license-audit |
| Compliance Audit | SOC 2, ISO 27001, GDPR, HIPAA, NIST CSF (144 controls) | 58% median pre-audit SOC 2 pass rate | salesforce-compliance-audit |
| Agentforce Readiness | Data quality, process clarity, permission hygiene, automation overlap | 70% of orgs are not Agentforce-ready | agentforce-readiness-audit |
| Change Intelligence | SetupAuditTrail decoded into git-style diffs | 20,692 setup changes in a typical 30-day window | salesforce-change-intelligence |
| Deployments | Source → target diff, dependency surfacing, sandbox validation | Replaces change sets, Copado, Gearset workflows | salesforce-change-sets-alternative |
Org Audit covers nine dimensions of org health. One OAuth connection. One scan.
You do not pick one. The scan runs them all. Where you start reading depends on what you do for a living.
If you are a Salesforce admin
Open the Permissions Audit and the Flow Audit first. These are the two surfaces where drift hurts you most directly: over-permissioned users that fail an access review, and overlapping automation that causes the weird "this field updates twice on save" tickets nobody can reproduce. The findings here are concrete, named, and (this is the point) fixable from chat. A finding like "Permission Set 'Legacy_FieldService_Tier2' has not been assigned to any user in 14 months" becomes a one-line conversation: "clean it up." The agent drafts the deletion, tests in sandbox, asks for sign-off, and ships.
If you are a RevOps leader or exec
Open the License Audit and the Compliance Audit. The License Audit is the document you bring to your renewal call: how many seats you bought, how many are actually in use, where the unassigned licenses are sitting, and what the median annual waste looks like across orgs at your stage. The Compliance Audit is the one you bring to the security team: 144 controls, mapped to SOC 2 CC6.x, ISO 27001 A.9.x, GDPR Article 32, HIPAA 164.312, and NIST CSF. Each finding is exportable as auditor evidence, which is the format your assessor actually wants.
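The two findings above (a permission set with no live assignee, a licensed seat that nobody uses) come down to joining three standard objects. The script below is an added example, not Clientell's scanner: the SOQL strings use the real User, PermissionSet and PermissionSetAssignment objects and fields, but the rows are constructed to look like what those queries return, and the 90-day idleness threshold is an assumption, not a number from this page.

```python
"""Unused permission sets and idle licensed seats, evaluated offline.

Added example, not Clientell's code. The SOQL below targets real Salesforce
objects; the record dictionaries are constructed sample rows, not data from
any real org. The clock is pinned so the numbers are reproducible.
"""
from datetime import datetime, timedelta, timezone

# Queries a practitioner would run through the REST API, Workbench or Data Loader.
SOQL_USERS = (
    "SELECT Id, Username, IsActive, LastLoginDate, Profile.Name "
    "FROM User WHERE UserType = 'Standard'"
)
SOQL_PERMISSION_SETS = (
    "SELECT Id, Name, CreatedDate FROM PermissionSet "
    "WHERE IsOwnedByProfile = false"  # profile-backed sets are not assignable on their own
)
SOQL_ASSIGNMENTS = "SELECT PermissionSetId, AssigneeId FROM PermissionSetAssignment"

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducible ages

# Constructed sample rows (IDs shortened; not from a real org).
USERS = [
    {"Id": "005A", "Username": "alex@example.com", "IsActive": True,  "LastLoginDate": "2025-05-30T08:00:00.000+0000"},
    {"Id": "005B", "Username": "bo@example.com",   "IsActive": True,  "LastLoginDate": None},
    {"Id": "005C", "Username": "cy@example.com",   "IsActive": True,  "LastLoginDate": "2024-01-15T08:00:00.000+0000"},
    {"Id": "005D", "Username": "di@example.com",   "IsActive": False, "LastLoginDate": "2025-05-01T08:00:00.000+0000"},
]
PERMISSION_SETS = [
    {"Id": "0PSA", "Name": "Pipeline_Reporting",        "CreatedDate": "2024-09-01T00:00:00.000+0000"},
    {"Id": "0PSB", "Name": "Legacy_FieldService_Tier2", "CreatedDate": "2022-03-01T00:00:00.000+0000"},
    {"Id": "0PSC", "Name": "Integration_ReadOnly",      "CreatedDate": "2023-03-01T00:00:00.000+0000"},
]
ASSIGNMENTS = [
    {"PermissionSetId": "0PSA", "AssigneeId": "005A"},
    {"PermissionSetId": "0PSC", "AssigneeId": "005D"},  # the only assignee is deactivated
]


def _parse(ts):
    """Parse the Salesforce API timestamp format; None stays None."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z") if ts else None


def unused_permission_sets(perm_sets, assignments, users, now=NOW):
    """Permission sets with no assignment to an *active* user.

    An assignment to a deactivated user keeps the row in PermissionSetAssignment
    but grants nothing, so it does not count. Returns [(name, age_in_days)],
    oldest first, which is the order an access review wants to work through.
    """
    active_ids = {u["Id"] for u in users if u["IsActive"]}
    live = {a["PermissionSetId"] for a in assignments if a["AssigneeId"] in active_ids}
    out = []
    for ps in perm_sets:
        if ps["Id"] not in live:
            out.append((ps["Name"], (now - _parse(ps["CreatedDate"])).days))
    return sorted(out, key=lambda t: -t[1])


def idle_seats(users, idle_after_days=90, now=NOW):
    """Active users who never logged in, or have not logged in for idle_after_days.

    Returns (never_logged_in, stale, idle_pct); idle_pct is the share of active
    seats in either bucket. The 90-day default is an assumed threshold.
    """
    active = [u for u in users if u["IsActive"]]
    cutoff = now - timedelta(days=idle_after_days)
    never = [u["Username"] for u in active if not u["LastLoginDate"]]
    stale = [u["Username"] for u in active
             if u["LastLoginDate"] and _parse(u["LastLoginDate"]) < cutoff]
    idle_pct = round(100 * (len(never) + len(stale)) / len(active), 1) if active else 0.0
    return never, stale, idle_pct


if __name__ == "__main__":
    for name, age in unused_permission_sets(PERMISSION_SETS, ASSIGNMENTS, USERS):
        print(f"unused permission set {name!r}, created {age} days ago")
    never, stale, pct = idle_seats(USERS)
    print(f"never logged in: {never}; stale: {stale}; idle seats: {pct}%")
```

The point of the active-user join is the caveat that trips up spreadsheet audits: a permission set can show assignments and still be dead weight if every assignee was deactivated, and a deactivated user still shows a recent LastLoginDate without consuming a seat.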
If you are a Salesforce developer or architect
Open the Technical Debt Audit and Change Intelligence. The Technical Debt Audit grades Apex, triggers, LWC, Flows, and remaining Workflow Rules A through F, with specific governor-risk patterns called out: SOQL in loops, DML in loops, hardcoded IDs, missing null guards, the things that pass review and then page someone at 3 AM. Change Intelligence decodes SetupAuditTrail into git-style diffs so you can answer "what changed in this org over the last 30 days" without writing a SOQL query against a 90-day rolling window every time.
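The governor-risk patterns named above are the kind a brace-aware line scanner can catch before review does. The following is an added example, not Clientell's grader: it tracks brace depth to decide whether a statement sits inside a loop body, flags SOQL and DML there, and flags 15- or 18-character record IDs in string literals. It is a heuristic rather than an Apex parser (an unbraced single-statement loop body is not tracked, and the key-prefix table is a small subset), and the sample class it scans is constructed for the demonstration.

```python
"""Heuristic scanner for three Apex governor-risk patterns.

Added example, not Clientell's Technical Debt grader. Flags SOQL inside
loops, DML inside loops and hardcoded record IDs by tracking brace depth.
"""
import re
from collections import Counter

LOOP_RE = re.compile(r"\b(?:for|while|do)\b\s*[\(\{]")
SOQL_RE = re.compile(r"\[\s*SELECT\b|\bDatabase\.query\s*\(", re.IGNORECASE)
DML_RE = re.compile(
    r"^\s*(?:insert|update|upsert|delete|undelete|merge)\s+\w"
    r"|\bDatabase\.(?:insert|update|upsert|delete|undelete|merge)\s*\(",
    re.IGNORECASE,
)
# A 15- or 18-character Salesforce record ID inside an Apex string literal.
ID_LITERAL_RE = re.compile(r"'([0-9A-Za-z]{15}(?:[0-9A-Za-z]{3})?)'")
# Subset of key prefixes (Account, Contact, User, Opportunity, Lead, Profile, PermissionSet).
KNOWN_PREFIXES = {"001", "003", "005", "006", "00Q", "00e", "0PS"}
STRING_RE = re.compile(r"'(?:\\.|[^'\\])*'")

# Constructed sample class with deliberate governor risks (not real project code).
APEX_SAMPLE = """\
public with sharing class OpportunityRollup {
    // Constructed sample with deliberate governor risks
    public static void rollUp(List<Opportunity> opps) {
        Id sysAdminProfile = '00e5g000000XyZ1AAA';
        for (Opportunity o : opps) {
            Account a = [SELECT Id, AnnualRevenue FROM Account WHERE Id = :o.AccountId];
            a.AnnualRevenue = o.Amount;
            update a;
        }
        // SOQL for-loop: the query feeds the loop, so it is not flagged
        for (Account acc : [SELECT Id FROM Account WHERE Name LIKE 'Test%']) {
            System.debug(acc.Id);
        }
    }
}
"""


def _code_only(line):
    """Drop string literals and // comments so keywords inside them do not match."""
    return STRING_RE.sub("''", line).split("//", 1)[0]


def _looks_like_record_id(token):
    """Known standard prefix, or the a?? prefix family used by custom objects."""
    prefix = token[:3]
    return prefix in KNOWN_PREFIXES or re.fullmatch(r"a[0-9A-Za-z]{2}", prefix) is not None


def scan_apex(source):
    """Return [(line_number, finding)] in source order."""
    findings = []
    depth = 0          # current brace depth
    loop_depths = []   # brace depth of each enclosing loop body
    for lineno, raw in enumerate(source.splitlines(), 1):
        # Hardcoded IDs live inside string literals, so check the raw line.
        for token in ID_LITERAL_RE.findall(raw):
            if _looks_like_record_id(token):
                findings.append((lineno, "hardcoded-id"))
        code = _code_only(raw)
        if loop_depths:  # this statement executes inside a loop body
            if SOQL_RE.search(code):
                findings.append((lineno, "soql-in-loop"))
            if DML_RE.search(code):
                findings.append((lineno, "dml-in-loop"))
        # A loop opened on this line is checked only from the next line on,
        # so a SOQL for-loop's own query is not reported as SOQL-in-loop.
        if LOOP_RE.search(code) and "{" in code:
            loop_depths.append(depth + 1)
        depth += code.count("{") - code.count("}")
        while loop_depths and depth < loop_depths[-1]:
            loop_depths.pop()
    return findings


def summarize(findings):
    """Counts per finding kind, the shape a per-class grade would be built from."""
    return dict(Counter(kind for _, kind in findings))


if __name__ == "__main__":
    for lineno, kind in scan_apex(APEX_SAMPLE):
        print(f"line {lineno}: {kind}")
    print(summarize(scan_apex(APEX_SAMPLE)))
```

Run against the sample, the scanner reports the hardcoded profile ID on line 4, the query on line 6 and the `update` on line 8, and stays quiet on the SOQL for-loop at line 11, which is the bulkified form the other two should be rewritten into.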
What a typical org looks like before its first audit
These numbers are the median patterns across the 1,000+ production orgs we have audited. They are not the worst orgs we have seen. They are the average ones.
If you recognise your org in this list, you are not behind. You are typical. Salesforce orgs degrade. The question is whether you find the degradation on a Tuesday morning or during your next external audit.
From finding to fix
This is the part that makes Org Audit different from a report.
You read a finding. Let us say it is from the Permissions Audit: "User 'Alex Chen' holds System Administrator profile and has not used Modify All Data permissions in 184 days. Suggested remediation: reassign to the 'Sales Manager' profile with the 'Pipeline_Reporting' permission set."
You click Fix in Chat.
The agent opens a conversation with the proposed change written out. It shows you the diff: which profile is being unassigned, which one is being assigned, which permission set is being granted, which sharing rules and Apex sharing recalcs will be triggered, and which records the user currently owns (and what happens to them).
You ask questions. "What breaks if I do this?" The agent answers with specific references to Apex classes, validation rules, and reports that depend on the current configuration. "Run it in sandbox first." It does. It returns the test results, the change set bundle, and the validation output.
You say ship. The change goes to production. The audit log captures the deployment with full attribution.
Repeat for 233 more permission sets, 282 automations, or 6,519 unassigned licenses. The audit does not just say what is wrong. It closes the loop.
For the deployment side of that loop, the same engine powers our Change Sets alternative: source → target → diff → ship, with every dependency surfaced before you push instead of at minute four of a failing deploy.
The dirty secret of Salesforce auditing is that the report is the easy part. Generating a finding takes minutes. Closing one, through change management, sandbox testing, dependency analysis, and deployment, takes weeks. Org Audit was built so that the second half stops being the bottleneck.
Compliance and attribution, without the spreadsheet
Compliance auditing in Salesforce has historically been a manual export job. You pull profiles. You pull permission sets. You join them in a spreadsheet. You map them to SOC 2 CC6.1, CC6.2, CC6.3. You hand it to your assessor. Six months later you do it again.
Org Audit ships the export. 144 controls are mapped out of the box:
- SOC 2: 64 controls across CC6.x (access), CC7.x (system operations), and CC8.x (change management).
- ISO 27001: 47 controls across Annex A.5, A.8, A.9.
- GDPR: 18 articles, with Article 32 (security of processing) as the spine.
- HIPAA Security Rule: 9 controls across §164.308 and §164.312.
- NIST CSF: 6 functions (Identify, Protect, Detect, Respond, Recover, Govern).
Every finding inside those controls is attributed to a real user and a real timestamp. That is the SetupAuditTrail piece. If you have ever sat through an audit where the assessor asks "who granted this permission" and the answer was "we don't know," you understand why this matters. The Compliance Audit page has the full control inventory.
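The attribution described here, and the 30-day "what changed" question from the Change Intelligence section, both rest on the same object: SetupAuditTrail. As an added example (not Clientell's Change Intelligence), the script below holds the SOQL a practitioner would run against that object and renders rows from it as an attributed, git-style change log grouped by Setup section, with delegate (login-as) activity surfaced next to the user it was performed as. The SetupAuditTrail object and fields are real; the rows are constructed, and the Action values follow the platform's naming style but are not taken from a real org.

```python
"""SetupAuditTrail rows rendered as an attributed, git-style change log.

Added example, not Clientell's code. The query targets the real
SetupAuditTrail object; ROWS are constructed sample rows.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducible windows


def soql_for_window(days=30):
    """SOQL for the last N days of setup changes, newest first."""
    return (
        "SELECT Id, CreatedDate, CreatedBy.Name, DelegateUser, Section, Action, Display "
        f"FROM SetupAuditTrail WHERE CreatedDate = LAST_N_DAYS:{days} "
        "ORDER BY CreatedDate DESC"
    )


# Constructed sample rows shaped like the query result (not from a real org).
ROWS = [
    {"CreatedDate": "2025-05-28T14:03:11.000+0000", "CreatedBy": {"Name": "Priya Nair"}, "DelegateUser": None,
     "Section": "Manage Users", "Action": "PermSetCreate",
     "Display": "Created permission set Pipeline_Reporting"},
    {"CreatedDate": "2025-05-28T14:05:40.000+0000", "CreatedBy": {"Name": "Priya Nair"}, "DelegateUser": None,
     "Section": "Manage Users", "Action": "PermSetAssign",
     "Display": "Assigned permission set Pipeline_Reporting to user Alex Chen"},
    {"CreatedDate": "2025-05-20T09:12:00.000+0000", "CreatedBy": {"Name": "Sam Okafor"},
     "DelegateUser": "support@vendor.example", "Section": "Flows", "Action": "changedFlow",
     "Display": "Changed flow Opportunity_Stage_Sync version 7"},
    {"CreatedDate": "2025-05-19T17:45:02.000+0000", "CreatedBy": {"Name": "Sam Okafor"}, "DelegateUser": None,
     "Section": "Apex Class", "Action": "deletedApexClass",
     "Display": "Deleted Apex class LegacyRollupHelper"},
    {"CreatedDate": "2025-04-10T08:00:00.000+0000", "CreatedBy": {"Name": "Priya Nair"}, "DelegateUser": None,
     "Section": "Manage Users", "Action": "changedProfile",
     "Display": "Changed profile Sales Manager"},  # outside a 30-day window
]


def _parse(ts):
    """Parse the Salesforce API timestamp format."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def _sign(action):
    """Map an Action value onto a diff-style marker: + added, - removed, ~ changed."""
    a = action.lower()
    if a.startswith(("created", "activated")) or a.endswith(("create", "assign")):
        return "+"
    if a.startswith(("deleted", "deactivated")) or a.endswith(("delete", "unassign")):
        return "-"
    return "~"


def _in_window(row, days, now):
    return _parse(row["CreatedDate"]) >= now - timedelta(days=days)


def change_log(rows, days=30, now=NOW):
    """Group in-window rows by Setup section as git-style lines.

    Each line carries the second-resolution timestamp and the user who made
    the change; when DelegateUser is set, the change was made through
    login-as, so the delegate is shown alongside the account it acted as.
    """
    by_section = defaultdict(list)
    for r in rows:
        if not _in_window(r, days, now):
            continue
        when = _parse(r["CreatedDate"])
        who = r["CreatedBy"]["Name"]
        if r.get("DelegateUser"):
            who += f" (via {r['DelegateUser']})"
        by_section[r["Section"]].append(
            f"{_sign(r['Action'])} {when:%Y-%m-%d %H:%M:%S} {who}: {r['Display']}"
        )
    return dict(by_section)


def attribution_counts(rows, days=30, now=NOW):
    """How many in-window setup changes each person made."""
    counts = defaultdict(int)
    for r in rows:
        if _in_window(r, days, now):
            counts[r["CreatedBy"]["Name"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(soql_for_window())
    for section, lines in change_log(ROWS).items():
        print(f"## {section}")
        print("\n".join(lines))
    print(attribution_counts(ROWS))
```

The DelegateUser column is the detail an assessor asks about: when a vendor or support engineer used login-as, the row's CreatedBy is the impersonated user, and only DelegateUser records who was actually at the keyboard.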
How to run your first audit
Three steps.
- Sign in to Clientell. If you already have an account, the audit has already been shipped to it. If you do not, sign up at app.clientell.ai.
- Connect your Salesforce org via read-only OAuth. The flow is the standard Salesforce OAuth consent screen. Zero new credentials. The token is revocable from your Setup screen at any time.
- Wait about ten minutes. Findings start arriving in chat as the scan completes. The full deliverable, every audit, every finding, every Fix in Chat button, is in your account before the end of the hour.
That is the whole onboarding. If you want a single umbrella surface that shows all nine audits in one place, the Salesforce Health Check is the front door.
Common questions
Is the audit really read-only? Yes. The OAuth scope requests only read permissions during the scan. We do not have the ability to modify your org through the audit connection. When you accept a Fix in Chat remediation, that change is deployed through the standard sandbox-to-production path you control, not through the audit token.
How long does the scan actually take? About ten minutes for the scan itself. Some larger enterprise orgs (50,000+ users, deep Apex codebases) take longer, but the first findings begin arriving within the first few minutes regardless.
Is Org Audit a separate product I need to buy? No. It is included with the Clientell plan. There is no additional license, no per-audit charge, no "enterprise add-on" tier gating the compliance frameworks. If you are paying for Clientell, you have Org Audit.
Will the agent change anything in my org without my approval? No. Fix in Chat is approval-gated. The agent drafts, the agent tests in sandbox, the agent shows you the diff. You approve. Nothing ships otherwise.
How is this different from Salesforce Optimizer? Optimizer reports. Org Audit closes. Optimizer also covers a narrower surface: it does not grade Apex, it does not decode SetupAuditTrail, it does not map findings to SOC 2 or ISO 27001 controls, and it does not offer remediation. The two are not in the same category; the closest comparison is to a Salesforce SI engagement, except faster and recurring.
What happens if I disconnect mid-audit? The scan halts and any partial data is purged on the next cycle. Re-running the audit after reconnection starts from the current state of the org, not the partial state.
Does it cover orgs with Experience Cloud or Communities? Yes. External user permission models, sharing sets, and license consumption are scanned alongside internal users. The Permissions Audit reports them as separate surfaces.
Audits don't fix orgs. Ours does.
