TLDR
- A Salesforce health check is a systematic audit of your org's security, data quality, automations, integrations, performance, and license utilization.
- The native Security Health Check tool (Setup > Health Check) only covers security settings. A full org assessment covers all six areas.
- Traditional consulting health checks cost $5,000 to $25,000.
- Clientell runs a free health check with results in 24 hours.
Someone opens their Salesforce org on a Monday morning and something is off. Reports that matched last Friday now show different numbers. A record-triggered flow that processed renewals for two years is suddenly failing silently, with no errors visible unless you know exactly where to look. The rep in Dallas can't see the accounts she owns because a permission set got overwritten during a bulk data import three months ago. Nobody noticed until she lost a deal.
This is what an uninspected Salesforce org looks like. Not broken in one dramatic way. Broken in forty quiet ways that compound until someone loses revenue, leaks data, or quits. Technical debt in Salesforce doesn't send you a notification. It doesn't flag itself in a dashboard. It accumulates in permission sets nobody audits, flows nobody owns, duplicate records nobody merges, and integrations nobody monitors. By the time the symptoms surface, the root cause is buried under months of unchecked drift.
The problem gets worse because there are two completely different things both called a "Salesforce health check." The first is the native Salesforce Security Health Check tool, found at Setup > Health Check. It gives you a score from 0 to 100 based on your security settings. It's useful, but it only covers security. The second is a full Salesforce org health assessment: a comprehensive audit covering security, data quality, flows, permissions, integrations, performance, and license utilization. This blog covers both, but the one that actually matters for most teams is the second one, because security settings alone won't tell you that 30 flows are firing on dead logic or that you're paying for 40 licenses nobody uses.
If you want to skip the reading and just get your org audited, Clientell runs a free Salesforce health check with results in 24 hours. Otherwise, here's everything you need to know.
What Is the Salesforce Security Health Check Tool?
Salesforce ships a native security auditing tool called Health Check. You can find it at Setup > Health Check in any Salesforce org. It's been around since 2016, and it does one thing well: it compares your org's security settings against a baseline and gives you a score.
The score runs from 0 to 100. Higher is better. The tool evaluates your settings across four risk categories:
- High Risk (0-33%): These are settings that create immediate exposure: password policies with no complexity requirements, sessions that never expire, unrestricted network access. Anything in this range needs attention today.
- Medium Risk (34-66%): Settings that fall short of the baseline but aren't creating an immediate breach vector. Still worth fixing, just not a fire drill.
- Low Risk (67-100%): Minor gaps. Your settings are close to the baseline but not perfectly aligned.
- Informational: Settings the tool flags for awareness but doesn't score against. Certificate expiration dates, for example.
The baseline is Salesforce's recommended configuration. By default, the tool uses the Salesforce Standard baseline. Organizations in regulated industries (financial services, healthcare, government) can upload a custom baseline with stricter thresholds. More on that in the step-by-step section below.
What the Security Health Check tool actually evaluates: password policies, session settings, network access ranges, certificate and key management, and remote site settings. These are the security knobs that Salesforce admins configure in Setup, and the tool tells you which ones are set below the recommended standard.
What the Security Health Check tool does NOT evaluate: data quality, flow health, automation conflicts, license utilization, integration errors, storage consumption, or performance. It has no opinion on whether your flows are broken, your data is full of duplicates, or your API limits are being eaten by a rogue integration. It is purely a security settings audit.
When to use it: before a compliance audit (SOC 2, HIPAA, GDPR), after a security incident, during quarterly security reviews, and any time you want a quick pulse on how your org's security settings compare to Salesforce's recommendations. It takes five minutes to run and gives you immediately actionable output. Just know that it's one slice of a much bigger picture.
What Is a Full Salesforce Org Health Check?
A full Salesforce org health check is the comprehensive version. It goes beyond security settings to audit everything that affects whether your org actually works for the people using it. This is what most teams need when they say "our Salesforce is a mess" or "we need someone to look at our org."
A full org health assessment covers six areas:
- Security and permissions: Everything the native tool covers, plus profiles, permission sets, sharing rules, field-level security, and guest user exposure.
- Data quality and structure: Duplicate records, stale data, incomplete fields, inconsistent picklist values, and orphaned records.
- Flows, automation, and configuration: Dead flows, silent errors, conflicting automations, untested Apex, unused custom objects and fields.
- Integration health: Connected apps, API consumption, sync failures, credential management, and third-party connection status.
- Performance and technical debt: Governor limit proximity, page load times, storage utilization, and code quality.
- License utilization: Assigned vs. active licenses, unused feature licenses, and users holding seats they haven't touched in months.
This is different from a consulting project, which is ongoing work with deliverables stretched over weeks or months. It's different from staff augmentation, which is paying for people rather than outputs. And it's different from Agentforce, which is Salesforce's customer-facing AI platform. A health check is a point-in-time diagnostic. It tells you what's broken, what's at risk, and what to fix first.
The 6 Core Areas of a Full Salesforce Health Check
Let's go deep on each area. For each one: what typically goes wrong, what to look for, and what "good" looks like.
1. Security and Permissions
This is where most orgs have the scariest gaps, because permission changes happen constantly and rarely get audited.
What goes wrong: Organizations that lean heavily on profiles instead of permission sets end up with 30+ profiles, each a slightly different mutation of the last. Nobody knows which profile grants what. A new hire gets the "Senior AE" profile that was cloned from "VP Sales" two years ago and still has export-all and Modify All Data enabled. Meanwhile, sharing rules accumulate like barnacles. Someone set Account sharing to Public Read/Write in 2021 because a VP needed quick access to a deal, and it never got reverted.
What to look for:
- Profiles vs. permission sets: Are you using permission sets for granular access, or is every change baked into profiles?
- Sharing rules: Who can see what, and is it intentional or inherited from decisions nobody remembers?
- MFA enforcement status: Is multi-factor authentication enabled for all users, or just admins?
- IP restrictions and login hours: Are they configured for sensitive profiles?
- Field-level security gaps: Can users see fields (SSNs, salary data, deal terms) that they shouldn't?
- Guest user profile settings: This is the one that bites hardest. Guest user profiles on communities and sites often have object-level read access that was enabled during setup and never locked down.
What "good" looks like: Principle of least privilege applied everywhere. No single profile grants broad access. Permission sets are used for incremental access. MFA enforced for all users. Guest user profiles have the minimum possible access. Sharing rules are documented and reviewed quarterly.
2. Data Quality
Dirty data is the most common complaint about Salesforce, and it's almost always a governance problem, not a Salesforce problem.
What goes wrong: Duplicate accounts multiply every time a rep creates a record without checking if it exists. Required fields get bypassed by integrations, data imports, or admin overrides. Leads sit untouched for 18 months but still appear in reports. Opportunities reach Closed Won with no close date because a workflow skipped the validation. Picklist values drift: "New York" in one record, "NY" in another, "new york" in a third. Roll-up reports become meaningless.
What to look for:
- Duplicate accounts, contacts, and leads: Run Duplicate Record Reports or check the Potential Duplicates component. Anything above 10% duplication on Accounts is a red flag.
- Blank required fields: Build a report filtering for blank values on fields that should never be empty (Close Date, Stage, Amount on Opportunities).
- Stale data: Filter leads by Last Activity Date older than 12 months. Filter Opportunities by Close Date in the past with Stage still "Open."
- Inconsistent picklist values: Export a field's value set and check for variations. The State/Province field is almost always a disaster.
What "good" looks like: Duplicate rules active and enforced (not just reporting). Validation rules in place for critical fields. Data completeness above 90% on key objects (Account, Contact, Opportunity). Picklist values standardized and restricted where possible.
3. Flows, Automation, and Configuration
This is where orgs accumulate the most invisible debt. Flows break silently. Automations conflict. Custom objects get created for a project and never cleaned up.
What goes wrong: A record-triggered flow fires on every Account update, but its logic references a field that was deleted six months ago. The flow errors, but the error email goes to the inbox of an admin who left the company. Nobody sees it. Meanwhile, a workflow rule from 2019 and a new record-triggered flow both fire on Opportunity Stage changes, creating duplicate tasks and conflicting field updates. Apex triggers exist with zero test coverage, which means they'll block any deployment but nobody wants to touch them.
What to look for:
- Flow errors: Go to Setup > Flows, then check Setup > Process Automation > Flow Error Emails. Are errors being routed to an active inbox?
- Dead flows: Setup > Flows. Filter by Active status. Review the Last Modified Date column. Flows that haven't been modified in over 12 months and have no documented owner need investigation.
- Automation conflicts: Look for records where both a workflow rule and a record-triggered flow act on the same object and trigger event. These cause unpredictable behavior.
- Apex test coverage: Setup > Apex Test Execution. Overall org coverage below 75% is a deployment risk.
- Unused custom objects and fields: Use the Field Trip app (free on AppExchange) to identify fields with less than 5% population. For objects, check record counts: anything with zero records for 12+ months is a candidate for cleanup.
- Orphaned page layouts: Setup > Object Manager > [Object] > Page Layouts. Layouts not assigned to any record type are dead weight.
What "good" looks like: Every active flow has a documented owner. Flow error emails route to an active admin. No conflicting automations on the same object. Apex test coverage above 75%. Unused fields and objects are documented and scheduled for deprecation.
4. Integration Health
Integrations are the connective tissue between Salesforce and the rest of your stack. When they break, data stops flowing and nobody notices until a pipeline report looks wrong.
What goes wrong: Someone hardcodes API credentials in an Apex class instead of using Named Credentials. The credentials expire, and the integration fails silently for weeks. Marketing automation syncs create duplicate contacts because the matching rules weren't configured. API call limits get consumed by a chatty integration that polls every minute instead of using platform events. Connected Apps get granted broad OAuth scopes during initial setup and never get scoped down.
What to look for:
- Named Credentials vs. hardcoded credentials: Search your Apex code for hardcoded URLs and credentials. Hardcoded credentials are a security and maintenance liability.
- API call consumption: Setup > Company Information. Check "API Requests, Last 24 Hours" against your limit. If you're using more than 50% of your daily API allocation, one bad deploy or integration spike could hit the wall.
- Failed sync logs: Check the integration platforms themselves (HubSpot Sync Health, MuleSoft dashboards, Workato activity logs). Also check Salesforce debug logs for integration user errors.
- Connected App permissions: Setup > Connected Apps > Manage Connected Apps. Review OAuth scopes. Any app with "Full Access" scope that doesn't need it should be rescoped.
What "good" looks like: All integrations use Named Credentials. API consumption stays below 50% of daily limits. No failed syncs in the last 30 days. Every Connected App has a documented owner and the minimum required OAuth scope. All integrations are listed in a central document with their purpose, owner, and credentials rotation schedule.
5. Performance and Technical Debt
Performance problems in Salesforce are almost always code or configuration problems, not platform problems. And they directly kill user adoption.
What goes wrong: A developer writes a SOQL query inside a for loop. It works fine in sandbox with 100 records, then hits governor limits in production with 50,000. Page load times creep above 3 seconds because a Lightning page has 15 components, half of which load data on render. Data storage fills up because attachments and files were never archived, and suddenly record creation starts failing. Unused Lightning components from abandoned projects clutter the org.
What to look for:
- SOQL queries in loops: Review Apex code for any query inside a loop. This is the single most common governor limit violation.
- Page load time: Use the Lightning Usage App (Setup > Lightning Usage) to check page performance. Anything consistently above 3 seconds on key pages (Account, Opportunity, Case) is a user experience problem.
- Storage utilization: Setup > Storage Usage. Check both data storage and file storage. If either is above 80%, you're approaching the point where record creation or file uploads will fail.
- Unused Lightning components: Check your Lightning App Builder pages for components that were added and never removed. Also check for custom Lightning Web Components in the codebase that aren't referenced anywhere.
What "good" looks like: No SOQL queries in loops. Key pages load in under 2 seconds. Storage stays below 80% of capacity. Governor limit exceptions are rare (check debug logs and exception email alerts). Code is reviewed before deployment with static analysis.
6. License Utilization
This is the one that saves money immediately. Most orgs are paying for licenses that nobody uses.
What goes wrong: Forty users have full Salesforce licenses. Fifteen of them haven't logged in for 90+ days. Ten of those left the company. Feature licenses for Knowledge, Live Agent, or CPQ were purchased for a project that got canceled, but nobody deallocated them. At $150+ per user per month for enterprise licenses, unused seats add up fast. And Salesforce's renewal team will use your current license count as the baseline for your next contract.
What to look for:
- Assigned vs. purchased licenses: Setup > Company Information > User Licenses. Compare the "Licenses Purchased" column against "Licenses Used."
- Inactive users holding licenses: Run a report on Users where Last Login Date is blank or older than 90 days. Cross-reference against your HR system or Active Directory.
- Feature licenses: Setup > Company Information > Feature Licenses. Check which ones are assigned and whether the features they unlock are actively used.
- Permission Set Licenses: Same location. These often get assigned during implementation and never reclaimed.
What "good" looks like: Every license is assigned to a user who logged in within the last 30 days. Feature licenses match actual feature usage. License count is reviewed before every renewal. Departing employees have their licenses reclaimed as part of the offboarding process.
How to Run a Salesforce Security Health Check (Step by Step)
The native Security Health Check takes five minutes. Here's exactly how to run it.
Step 1: Navigate to Setup > Health Check. Type "Health Check" in the Quick Find box. Click the Health Check option under Security.
Step 2: Choose your baseline. By default, the tool uses the Salesforce Standard baseline. This works for most organizations. If you're in a regulated industry, click "Custom Baselines" to upload a stricter set of thresholds. Financial services organizations should align their custom baseline with their compliance framework (PCI-DSS, SOX). Healthcare organizations should align with HIPAA. The custom baseline is an XML file that defines minimum thresholds for each security setting category.
Step 3: Read your score. The overall score appears at the top as a percentage. In practice: 80-100 means your security settings are well-configured with minor gaps. 50-79 means you have medium-risk settings that need attention within the quarter. Below 50 means you have high-risk settings that could enable unauthorized access, and they need attention this week.
Step 4: Start with the High risks. Expand the High Risk section first. These are the settings furthest from the baseline and most likely to cause a security incident. Common culprits: password policies that don't require complexity, session timeouts set to "never," and network access ranges that allow login from any IP.
Step 5: Use "Fix Risks" for bulk changes. For password policies and session settings, Salesforce provides a "Fix Risks" button that bulk-updates settings to match the baseline. Use it for the straightforward fixes. For more nuanced settings (network access, remote site settings), make changes individually after understanding the impact.
Step 6: Document everything. Before and after. Create a document listing every setting you changed, the old value, the new value, and the date. This becomes your audit trail. When compliance asks "when did you enable MFA?" you'll have the answer.
Step 7: Schedule a re-check. Put a 30-day calendar reminder to rerun the Health Check. Settings drift. Someone disables a restriction for a vendor demo and forgets to re-enable it. Regular re-checks catch this drift early.
A note on custom baselines: The standard baseline is Salesforce's general recommendation. It's reasonable for most companies. But if you're subject to specific regulatory requirements, the standard baseline may not be strict enough. Custom baselines let you define tighter thresholds, for instance requiring 15-character passwords instead of 8, or limiting session duration to 2 hours instead of 12. You can create and upload custom baselines as XML files, and the Health Check tool will score your org against them instead.
How to Run a Full Org Health Check (Practical Checklist)
This is the comprehensive version. Organized by the six areas, with specific checks and where to find them.
Security and Permissions
- Profile audit: Setup > Profiles. Click each profile and review Object Permissions and System Permissions. Flag any non-admin profile with "Modify All Data" or "View All Data" enabled.
- Permission set review: Setup > Permission Sets. Check which users are assigned to each. Look for permission sets that grant broad access (API Enabled + Modify All Data) to users who don't need it.
- MFA status: Setup > Identity > Multi-Factor Authentication. Confirm it's set to "Required" for all users, not just admins.
- Sharing rules: Setup > Sharing Settings. Review org-wide defaults. Accounts, Contacts, and Opportunities should be Private unless there's a documented business reason for Public Read or Public Read/Write.
- Guest user check: Setup > Sites or Setup > Digital Experiences > All Sites. Click into each site's Guest User profile. Verify object permissions are minimal.
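The profile audit, permission set review, and guest user check above can be run against retrieved metadata instead of clicking through each profile. This is an added example, not Clientell's or Salesforce's code: it parses Profile and PermissionSet documents in the Metadata API format and reports the findings the checklist asks for. The admin profile name, the "guest" naming convention, and the sample org contents are assumptions built into the script.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
BROAD_PERMS = {"ModifyAllData", "ViewAllData"}   # broad system permissions: admins only
ADMIN_NAMES = {"System Administrator"}            # assumption: names of the org's admin profiles
SENSITIVE_OBJECTS = {"Account", "Contact", "Opportunity", "Case"}  # never readable by guest users

# Constructed sample in the Profile format the Metadata API retrieves. This is the
# "Senior AE cloned from VP Sales" case: a non-admin profile with Modify All Data.
SENIOR_AE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Account</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ModifyAllData</name>
    </userPermissions>
    <userLicense>Salesforce</userLicense>
</Profile>
"""


def sample(kind, user_perms, readable):
    """Build a minimal constructed Profile/PermissionSet document for the other samples."""
    ups = "".join(f"<userPermissions><enabled>true</enabled><name>{p}</name></userPermissions>"
                  for p in user_perms)
    ops = "".join(f"<objectPermissions><allowRead>true</allowRead><object>{o}</object></objectPermissions>"
                  for o in readable)
    return f'<{kind} xmlns="http://soap.sforce.com/2006/04/metadata">{ups}{ops}</{kind}>'


# Constructed sample org: one admin profile, one over-privileged rep profile,
# one guest user profile that can read Accounts, and one broad permission set.
SAMPLE_ORG = {
    "Senior AE": SENIOR_AE_PROFILE,
    "System Administrator": sample("Profile", ["ModifyAllData", "ViewAllData", "ApiEnabled"], ["Account"]),
    "Site Guest User": sample("Profile", [], ["Account", "Case"]),
    "Data Export": sample("PermissionSet", ["ViewAllData"], []),
}


def parse_permissions(name, xml_text):
    """Return the enabled user permissions and the objects readable under one Profile/PermissionSet."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    user_perms = {up.findtext("m:name", namespaces=NS)
                  for up in root.findall("m:userPermissions", NS)
                  if up.findtext("m:enabled", namespaces=NS) == "true"}
    readable = {op.findtext("m:object", namespaces=NS)
                for op in root.findall("m:objectPermissions", NS)
                if op.findtext("m:allowRead", namespaces=NS) == "true"}
    return {"name": name, "kind": root.tag.rsplit("}", 1)[-1],
            "user_perms": user_perms, "readable": readable}


def audit(metadata):
    """Return sorted (severity, name, finding) tuples for the checklist's permission checks."""
    findings = []
    for name, xml_text in metadata.items():
        p = parse_permissions(name, xml_text)
        is_admin = name in ADMIN_NAMES
        is_guest = "guest" in name.lower()   # assumption: guest profiles carry "Guest" in their name
        if not is_admin:
            # Modify All Data / View All Data outside admin profiles is the "five-alarm" finding.
            for perm in sorted(p["user_perms"] & BROAD_PERMS):
                findings.append(("critical", name, f"{perm} enabled on non-admin {p['kind']}"))
            # Broad data access plus API access lets that data leave the org by script.
            if "ApiEnabled" in p["user_perms"] and p["user_perms"] & BROAD_PERMS:
                findings.append(("high", name, "ApiEnabled combined with broad data access"))
        if is_guest:
            # Unauthenticated site visitors must not be able to read business objects.
            for obj in sorted(p["readable"] & SENSITIVE_OBJECTS):
                findings.append(("critical", name, f"guest user can read {obj}"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, name, finding in audit(SAMPLE_ORG):
        print(f"[{severity}] {name}: {finding}")
```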
Data Quality
- Duplicate check: Reports > New Report > Accounts with Duplicate Record Items. If this report returns more than 10% of total Account records, you have a duplication problem.
- Field completeness: Reports > New Report > Opportunities. Add filters for blank Close Date, blank Amount, or blank Stage. Any records matching these filters indicate validation rule gaps.
- Stale leads: Reports > New Report > Leads. Filter by Last Activity Date older than 12 months and Status not equal to Converted or Disqualified. These are dead weight.
- Picklist consistency: Setup > Object Manager > [Object] > Fields > [Field]. Click on any picklist field and review the values. Export the field values and check for duplicates, misspellings, and casing inconsistencies.
Flows, Automation, and Configuration
- Active flow inventory: Setup > Flows. Filter by Status = Active. Review the Last Modified Date column. Any flow not modified in over 12 months with no named owner in the description should be investigated.
- Flow error routing: Setup > Process Automation Settings. Check the "Send Flow Error Email To" field. If it's blank or points to a deactivated user, fix it immediately.
- Automation conflicts: For each object with a record-triggered flow, check whether a workflow rule also fires on the same object and event. Setup > Workflow Rules, then compare against Setup > Flows filtered by the same object.
- Apex test coverage: Setup > Apex Test Execution > View Code Coverage. Overall coverage below 75% blocks deployments and signals untested code paths.
- Unused fields: Install the Field Trip app from AppExchange. Run it on your key objects (Account, Contact, Opportunity, Lead, Case). Fields with less than 5% population are candidates for removal.
Integration Health
- Connected Apps audit: Setup > Connected Apps > Manage Connected Apps. Review each app's OAuth scopes. Document the purpose and owner of each.
- API consumption: Setup > Company Information. Check "API Requests, Last 24 Hours" and compare to your limit. If utilization exceeds 50%, identify which integrations are consuming the most calls.
- Named Credentials check: Setup > Named Credentials. Verify that all external integrations use Named Credentials rather than hardcoded endpoints. Search your Apex codebase for hardcoded URLs as a cross-check.
- Integration error logs: Check the sync status in each integrated platform (marketing automation, ERP, support). Look for failed records in the last 30 days.
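The "Named Credentials check" above, and the hardcoded-credentials failure described in section 4, as an added example that is not Clientell's or Salesforce's code: a scan over Apex source that flags literal endpoints, literal Authorization headers, and secret-looking string constants, while passing callout: endpoints and Named Credential merge fields. The Apex classes are constructed sample input, the Named Credential name ERP is assumed, and the regexes cover common callout idioms rather than the full Apex grammar.

```python
import re

# Patterns for common Apex callout idioms (assumptions about coding style, not a complete grammar).
ENDPOINT_RE = re.compile(r"setEndpoint\(\s*'([^']*)'")
AUTH_HEADER_RE = re.compile(r"setHeader\(\s*'Authorization'\s*,\s*'([^']*)'", re.IGNORECASE)
SECRET_ASSIGN_RE = re.compile(
    r"\b(\w*(?:password|secret|token|apikey|api_key)\w*)\s*=\s*'([^']{8,})'", re.IGNORECASE)
LITERAL_URL_RE = re.compile(r"'(https?://[^']+)'")
SCHEME_ONLY_RE = re.compile(r"(?:Bearer|Basic)\s*", re.IGNORECASE)

# Constructed Apex samples. LEGACY and SUPPORT are the anti-patterns from the section above;
# CLEAN uses a Named Credential (assumed to be named ERP), so no URL or secret lives in code.
LEGACY = """public class LegacyErpSync {
    private static final String BASE_URL = 'https://erp.example.com/api/v2';
    private static final String API_TOKEN = 'sk_live_0123456789abcdef';
    public static HttpResponse push(String body) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(BASE_URL + '/orders');
        req.setMethod('POST');
        req.setHeader('Authorization', 'Bearer ' + API_TOKEN);
        req.setBody(body);
        return new Http().send(req);
    }
}"""
SUPPORT = """public class SupportInbox {
    public static void poll() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://mail.example.com/v1/messages');
        req.setHeader('Authorization', 'Basic c3VwcG9ydDpodW50ZXIy');
        new Http().send(req);
    }
}"""
CLEAN = """public class ErpSync {
    public static HttpResponse push(String body) {
        HttpRequest req = new HttpRequest();
        // Named Credential ERP holds the base URL and the secret; only the path lives in code
        req.setEndpoint('callout:ERP/api/v2/orders');
        req.setMethod('POST');
        req.setBody(body);
        return new Http().send(req);
    }
}"""


def redact(value):
    """Findings reports get copied around; never echo the secret itself."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_apex(class_name, source):
    """Return one finding dict per hardcoded endpoint, Authorization header or secret literal."""
    findings = []

    def add(lineno, severity, issue, value):
        findings.append({"class": class_name, "line": lineno, "severity": severity,
                         "issue": issue, "value": value})

    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("//"):
            continue
        endpoints = ENDPOINT_RE.findall(line)
        for target in endpoints:
            if target.startswith("callout:"):
                continue   # Named Credential: URL and auth are managed in Setup, nothing in code
            if target.startswith("http"):
                add(lineno, "medium", "hardcoded endpoint", target)
        if not endpoints:   # URL constants assigned here and concatenated into an endpoint later
            for url in LITERAL_URL_RE.findall(line):
                add(lineno, "medium", "hardcoded URL", url)
        for header in AUTH_HEADER_RE.findall(line):
            if "{!$Credential" in header or SCHEME_ONLY_RE.fullmatch(header):
                continue   # Named Credential merge field, or just 'Bearer ' + a variable
            add(lineno, "critical", "hardcoded Authorization header", redact(header))
        for var, value in SECRET_ASSIGN_RE.findall(line):
            add(lineno, "critical", f"hardcoded secret in {var}", redact(value))
    return findings


def scan_org(sources):
    """Scan every class and order findings critical first, then by class and line."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    found = [f for name, src in sources.items() for f in scan_apex(name, src)]
    return sorted(found, key=lambda f: (rank[f["severity"]], f["class"], f["line"]))


if __name__ == "__main__":
    for f in scan_org({"LegacyErpSync": LEGACY, "SupportInbox": SUPPORT, "ErpSync": CLEAN}):
        print(f"[{f['severity']}] {f['class']}:{f['line']} {f['issue']} ({f['value']})")
```

Each critical finding here is a credential that should move into a Named Credential and be rotated, since anyone with read access to the codebase or a metadata retrieve already has it.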
Performance and Technical Debt
- Storage check: Setup > Storage Usage. Review data storage and file storage. Flag if either exceeds 80% of the allocated limit.
- Page performance: Setup > Lightning Usage. Review Experience Page Time for your most-used pages. Anything above 3 seconds needs investigation.
- Governor limit errors: Setup > Debug Logs. Filter for errors related to SOQL limits, DML limits, or CPU time. Recurring governor limit exceptions indicate code that needs refactoring.
- Code quality: Run Salesforce Code Analyzer (sfdx scanner) against your Apex codebase. Flag any critical or high-severity issues.
License Utilization
- License inventory: Setup > Company Information > User Licenses. Compare "Licenses Purchased" against "Licenses Used" for each license type.
- Inactive user check: Reports > New Report > Users. Filter by Last Login older than 90 days. These users are holding licenses they may not need.
- Feature license review: Setup > Company Information > Feature Licenses. Cross-reference assigned feature licenses against actual feature usage.
- Permission Set License check: Setup > Company Information > Permission Set Licenses. Identify any that are fully allocated but assigned to inactive users.
When to Run a Salesforce Health Check
Don't run health checks "regularly." Run them at specific triggers where the risk of undiscovered problems is highest.
1. Before contract renewal. Your Salesforce AE will use your current license count as the starting point for renewal pricing. A health check before renewal finds unused licenses you can drop, saving tens of thousands of dollars. Run it 90 days before your renewal date.
2. After admin turnover. When your Salesforce admin leaves, they take institutional knowledge with them. The new admin inherits an undocumented org. A health check immediately after transition creates the documentation that should have existed and reveals the shortcuts the previous admin took.
3. Before a new product implementation. Adding Service Cloud, CPQ, or Marketing Cloud to a broken org gives you two broken things instead of one. Run a health check before any major implementation to ensure the foundation is solid.
4. After a data migration. Migrations introduce duplicates, break field mappings, and create records that bypass validation rules. A health check within 30 days of any migration catches these problems before they spread.
5. When adoption is dropping. If reps stop logging activities, updating Opportunities, or using dashboards, the problem is almost always broken flows, slow page loads, or permissions that prevent them from doing their work. A health check reveals the root cause.
6. Before a compliance audit. GDPR, HIPAA, SOX, SOC 2. All of these require you to demonstrate access controls, data handling, and security settings. Running a health check before the audit gives you time to fix issues rather than explaining them to the auditor.
7. After an acquisition or merger. Two orgs combining is a health check emergency. Duplicate records, conflicting automations, mismatched permission models, and incompatible integrations all surface during mergers. Run a health check on both orgs before any merge activity.
8. Annually as a baseline. At minimum, once a year, aligned with one of Salesforce's three annual releases (Spring, Summer, Winter). New releases change features, deprecate functionality, and introduce settings that need review.
What Does a Health Check Cost?
Three tiers, with real numbers.
DIY with Salesforce's native tools: Free. You can run the Security Health Check, Salesforce Optimizer, and manual audits using the checklist above without spending a dollar. The cost is time. Expect 1 to 3 weeks of an admin's time for a thorough assessment of a mid-size org, depending on complexity. That's 40 to 120 hours of admin work that isn't spent on the ticket backlog.
Traditional consulting health check: $5,000 to $25,000 depending on org size, number of business units, and scope. A typical engagement involves a consulting partner spending 2 to 4 weeks reviewing your org, producing a findings document, and delivering a remediation roadmap. The output is a PDF and a meeting. Implementation of the fixes is a separate engagement, usually billed hourly.
Clientell free health check: Free, with results in 24 hours. Covers all six areas: security, data quality, flows, integrations, performance, and license utilization. Includes a health score, prioritized issue log, and remediation roadmap. No engagement letter, no SOW, no invoice. Run your free health check here.
What You Get in a Clientell Health Check
Not "we look at your org and tell you stuff." Here's exactly what the output includes.
- Health score across all 6 areas: A numeric score for security, data quality, flows, integrations, performance, and license utilization. Not a single number that averages everything into meaninglessness, but six distinct scores so you can see where the real problems live.
- Prioritized issue log: Every finding categorized as critical, high, medium, or low severity. Critical means it can cause a breach or data loss today. Low means it's technical debt that should be cleaned up but won't break anything tomorrow.
- Flow audit: Every active flow reviewed for errors, conflicts, dead logic, and missing owners. If a flow is firing on every record update but doing nothing useful, it'll show up here.
- Permission review: Profiles, permission sets, sharing rules, and field-level security gaps. If a non-admin user has Modify All Data, you'll know.
- Data quality report: Duplicate rate on key objects, field completeness scores, stale record counts, and picklist consistency analysis.
- Integration status: Connected apps, API usage trends, sync error logs, and credential health. If an integration is using hardcoded credentials that expire next month, the report flags it.
- Remediation roadmap: What to fix first and why, organized by impact and effort. Not a generic "improve your data quality" recommendation. Specific actions like "Deactivate these 12 flows" or "Revoke Modify All Data from these 3 permission sets."
Free. Results in 24 hours. Get your health check or book a demo if you want to walk through it with someone.
Common Health Check Findings (What Teams Actually Discover)
These are the problems that show up in nearly every org we audit. If you're a Salesforce admin, you'll recognize at least five of these.
1. MFA not enforced for all users. Salesforce has required MFA since February 2022, but many orgs still have users logging in without it. This is a compliance gap and a breach vector. One phished password away from unauthorized access.
2. Guest user profile with read access to Accounts. Community and Experience Cloud sites create guest user profiles during setup. Those profiles often retain object-level read access that was enabled for testing and never revoked. This means unauthenticated visitors can potentially access your Account data.
3. 30+ inactive flows still active and firing on records. Every one of those flows consumes governor limits and adds processing time to record saves. Some of them throw errors that nobody sees because the error email goes to a deactivated inbox. They slow down the org and mask real problems.
4. Duplicate accounts exceeding 15% of total Account records. That means one in seven Account records is a duplicate. Reps waste time working records that already have an owner. Reports overcount pipeline. Territory assignments break. Marketing sends duplicate emails.
5. Three integrations using hardcoded credentials that expired. The integration silently stopped syncing. Marketing wonders why leads aren't flowing from the website. Support wonders why cases aren't creating from email. Nobody connects the dots for weeks.
6. License waste: 40+ users assigned licenses with last login 180+ days ago. At $150 per user per month, 40 unused licenses cost $72,000 per year. That's money you could reclaim before your next renewal.
7. Flow error emails going to a deactivated admin's inbox. Flows have been throwing errors for months. Nobody knows because the notification goes to an employee who left. Problems compound invisibly until a user escalates.
8. Permission sets granting Modify All Data to non-sysadmin users. This is a security audit failure. Modify All Data lets a user read, edit, and delete any record in the org. It should be restricted to system administrators. Finding it on a sales rep's profile is a five-alarm finding.
How to Fix the Most Critical Issues
Three categories, specific steps.
Security Fixes
- Enable MFA: Setup > Identity > Multi-Factor Authentication. Set "Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org" to enabled. Communicate to users before enforcement. Give them a one-week window to set up their authenticator apps.
- Fix guest user profiles: Setup > Digital Experiences > All Sites. Click the site name, then click the Guest User profile link. Under Object Permissions, remove read access for every object that external visitors don't need. Accounts, Contacts, Opportunities, Cases, and custom objects should almost never be accessible to guest users.
- Review sharing settings: Setup > Sharing Settings. Set org-wide defaults to Private for Accounts, Contacts, Opportunities, and Cases. Use sharing rules to grant access to specific groups who need it. Document each sharing rule with its business justification.
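After working through the guest-profile and sharing-settings steps, it helps to verify the result from data rather than by clicking back through Setup. The Anonymous Apex below is an added example, not code from this article or from Clientell. It assumes the documented encoding of org-wide defaults on the Organization object ('None' is Private, 'Read' is Public Read Only, 'Edit' is Public Read/Write, and Contact may be 'ControlledByParent') and that site guest profiles carry UserType 'Guest'.

```apex
// Added example (not from the article): two read-only checks that confirm
// the sharing fixes above took effect. Run as Anonymous Apex.

// 1. Org-wide defaults for the objects the article says should be Private.
//    Organization exposes them as Default<Object>Access. Assumption: 'None'
//    is Private; 'ControlledByParent' (Contact) inherits the Account default.
Organization orgDefaults = [
    SELECT DefaultAccountAccess, DefaultContactAccess,
           DefaultOpportunityAccess, DefaultCaseAccess
    FROM Organization
    LIMIT 1
];
Map<String, String> owd = new Map<String, String>{
    'Account'     => orgDefaults.DefaultAccountAccess,
    'Contact'     => orgDefaults.DefaultContactAccess,
    'Opportunity' => orgDefaults.DefaultOpportunityAccess,
    'Case'        => orgDefaults.DefaultCaseAccess
};
for (String obj : owd.keySet()) {
    String level = owd.get(obj);
    Boolean isPrivate = level == 'None' || level == 'ControlledByParent';
    System.debug((isPrivate ? 'OK   ' : 'OPEN ') + obj + ' org-wide default = ' + level);
}

// 2. Guest user profiles: every object an unauthenticated site visitor can
//    read. The objects the article calls out, plus any custom object, are
//    flagged for review. Assumption: guest profiles have UserType = 'Guest'.
Set<String> sensitive = new Set<String>{ 'Account', 'Contact', 'Opportunity', 'Case' };
List<ObjectPermissions> guestReads = [
    SELECT Parent.Profile.Name, SobjectType,
           PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete
    FROM ObjectPermissions
    WHERE Parent.Profile.UserType = 'Guest'
      AND PermissionsRead = true
    ORDER BY Parent.Profile.Name, SobjectType
];
System.debug('Objects readable by guest profiles: ' + guestReads.size());
for (ObjectPermissions op : guestReads) {
    Boolean isCustom = op.SobjectType.endsWith('__c');
    String flag = (sensitive.contains(op.SobjectType) || isCustom) ? 'REVIEW ' : '       ';
    System.debug(flag + op.Parent.Profile.Name + ' can read ' + op.SobjectType
        + (op.PermissionsCreate ? ' +create' : '')
        + (op.PermissionsEdit   ? ' +edit'   : '')
        + (op.PermissionsDelete ? ' +delete' : ''));
}
```

Object permissions are only half of guest exposure: a guest profile with no object access can still reach records through guest sharing rules, so review Setup > Sharing Settings for rules whose "Share with" is a guest user after this comes back clean.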
Data Quality Fixes
- Enable duplicate rules: Setup > Duplicate Rules. Activate the standard Account and Contact duplicate rules. Set the action to "Alert" first (so reps see a warning), then move to "Block" once you've confirmed the matching rules aren't too aggressive.
- Run a deduplication job: For small volumes (under 500 duplicates), use Salesforce's native Merge Accounts and Merge Contacts features. For bulk deduplication, use a dedicated tool like Cloudingo or DupeCatcher from the AppExchange. Always merge into the record with the most recent activity and the most complete data.
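Before choosing between native merge and a bulk tool, it is worth sizing the problem with the same 15% threshold the findings list uses. The Anonymous Apex below is an added example, not code from this article or from Clientell. It treats exact name matches as duplicates, which undercounts (trailing spaces, "Inc." vs "Inc", and so on) but gives a defensible floor; it assumes the org is small enough for an aggregate query, and very large orgs should run the equivalent grouping on a Data Loader export instead.

```apex
// Added example (not from the article): size the Account duplicate problem
// by exact-name match and compare it to the 15% threshold. Read-only.

Integer totalAccounts = [SELECT COUNT() FROM Account];

// One row per name that appears more than once. LIMIT keeps a very large
// org inside query limits; raise it or move to an export if it is hit.
List<AggregateResult> groups = [
    SELECT Name, COUNT(Id) cnt
    FROM Account
    GROUP BY Name
    HAVING COUNT(Id) > 1
    ORDER BY COUNT(Id) DESC
    LIMIT 2000
];

// Every group keeps one survivor, so the redundant count is (cnt - 1) per group.
Integer redundant = 0;
for (AggregateResult ar : groups) {
    Integer cnt = (Integer) ar.get('cnt');
    redundant += cnt - 1;
}

Decimal pct = 0;
if (totalAccounts > 0) {
    pct = Decimal.valueOf(redundant) * 100 / totalAccounts;
}
System.debug('Accounts: ' + totalAccounts + ' | duplicate name groups: ' + groups.size()
    + ' | redundant records: ' + redundant + ' (' + pct.setScale(1) + '%)');

// Route to the remediation path the article describes.
String advice;
if (pct > 15) {
    advice = 'Above the 15% threshold: plan a bulk deduplication tool.';
} else if (redundant < 500) {
    advice = 'Under 500 redundant records: native Merge Accounts is enough.';
} else {
    advice = 'Below 15% but over 500 records: a bulk tool will save time.';
}
System.debug(advice);

// The worst offenders, to sanity-check the matching before any merge.
for (Integer i = 0; i < Math.min(10, groups.size()); i++) {
    System.debug('  ' + groups[i].get('Name') + ' x' + groups[i].get('cnt'));
}
```

Run the same grouping on Website or on a normalised email domain for Contacts to see how much the exact-name count misses; if the two numbers diverge widely, the matching rule behind your duplicate rule needs the same tuning before you switch it from Alert to Block.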
Flow Cleanup
- Deactivate dead flows: Setup > Flows. Sort by Last Modified Date. Any flow not modified in over 12 months, with no documented business purpose, and no recent run history is a candidate for deactivation. Don't delete immediately. Deactivate first, wait 30 days, and delete only if nobody reports an issue.
- Fix flow error routing: Setup > Process Automation Settings. Update the "Send Flow Error Email To" address to an active admin's email or a shared admin inbox. Never point to a specific person's inbox, because when they leave, errors go to a black hole.
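The "Sort by Last Modified Date" step scales poorly once an org has a few hundred flows. The Anonymous Apex below is an added example, not code from this article or from Clientell: it lists active flows that meet the first two deactivation criteria (unchanged for 12 months, no documented purpose) from FlowDefinitionView. Run history for record-triggered flows is not exposed to SOQL, so the third criterion still has to be checked by hand, and the flow error address in Process Automation Settings is not queryable here either.

```apex
// Added example (not from the article): candidate flows for deactivation,
// per the criteria above. Read-only; deactivation itself stays a manual step.

Datetime cutoff = Datetime.now().addMonths(-12);

// ActiveVersionId != null means the flow has an active version and is
// still firing. TriggerType is null for screen and autolaunched flows.
List<FlowDefinitionView> candidates = [
    SELECT ApiName, Label, ProcessType, TriggerType, LastModifiedDate, Description
    FROM FlowDefinitionView
    WHERE ActiveVersionId != null
      AND LastModifiedDate < :cutoff
    ORDER BY TriggerType NULLS LAST, LastModifiedDate
];

Integer undocumented = 0;
for (FlowDefinitionView f : candidates) {
    // A blank Description is the "no documented business purpose" signal;
    // treat it as the strongest hint that nobody owns the flow.
    Boolean noPurpose = String.isBlank(f.Description);
    if (noPurpose) {
        undocumented++;
    }
    String kind = f.TriggerType == null ? f.ProcessType : f.ProcessType + '/' + f.TriggerType;
    System.debug((noPurpose ? 'REVIEW ' : '       ') + f.ApiName
        + ' [' + kind + '] last modified ' + f.LastModifiedDate.date().format()
        + (noPurpose ? '' : ' | ' + f.Description));
}
System.debug(candidates.size() + ' active flows untouched for 12+ months, '
    + undocumented + ' with no description. Deactivate, wait 30 days, then delete.');
```

Record-triggered flows (TriggerType RecordBeforeSave or RecordAfterSave) come out first in the listing on purpose: those are the ones consuming governor limits on every save, so they are the ones to deactivate first once an owner confirms they are dead.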
Salesforce Health Check Tools Worth Knowing
These are real, verified tools. Each serves a different purpose in the health check process.
- Salesforce native Health Check (Setup > Health Check): Security settings only. Free, built into every org. Good for a quick security pulse. Limited to password policies, session settings, and network access.
- Salesforce Optimizer: Free from the AppExchange. Broader than the native Health Check. Reviews performance, configuration, and feature adoption. Generates a report with recommendations for improving your org's setup. Worth running quarterly.
- Field Trip: Free on the AppExchange. Shows field-level usage across your org. Identifies fields that are never populated, helping you clean up unused fields and simplify page layouts.
- Apex PMD: Open-source static analysis tool for Apex code quality. Catches common code smells, unused variables, overly complex methods, and potential governor limit violations. Run it in your CI/CD pipeline.
- Salesforce Code Analyzer: Free CLI tool from Salesforce (sfdx scanner). Performs static analysis on Apex, Visualforce, and Lightning components. Catches security vulnerabilities, performance issues, and best practice violations. Different from Apex PMD in that it includes Salesforce-specific rules.
- Clientell: AI-powered continuous org health monitoring. Not a one-time audit, but ongoing automated analysis of your org's security, data, flows, integrations, and performance. Flags issues as they appear rather than waiting for a quarterly review. Learn more.
FAQ
What is a Salesforce health check?
A Salesforce health check is a systematic review of your Salesforce org to identify security risks, data quality problems, broken automations, integration failures, performance issues, and license waste. The term covers two things: the native Salesforce Security Health Check tool (which only audits security settings) and a full org health assessment (which covers all six areas). Most teams need the full version.
How do I access the Salesforce Security Health Check?
Go to Setup, type "Health Check" in the Quick Find box, and click Health Check under the Security section. You need System Administrator permissions to access it. The tool is available in all Salesforce editions.
What does a good Salesforce health check score mean?
The native Security Health Check scores from 0 to 100. A score above 80 means your security settings are well-aligned with Salesforce's baseline. Between 50 and 79 means you have medium-risk gaps. Below 50 means you have high-risk settings that need immediate attention. For a full org health check, "good" means all six areas (security, data, flows, integrations, performance, licenses) are within acceptable thresholds, not just security.
How long does a Salesforce health check take?
The native Security Health Check takes 5 minutes to run. A full org health check done manually takes 1 to 3 weeks depending on org complexity. A Clientell health check delivers results in 24 hours because the analysis is automated.
How much does a Salesforce org health check cost?
DIY using native tools: free, but costs 1 to 3 weeks of admin time. Traditional consulting health check: $5,000 to $25,000 depending on org size and scope. Clientell: free, with results in 24 hours. Get started here.
What is the difference between a health check and a full audit?
A health check is a point-in-time diagnostic that identifies problems and recommends fixes. A full audit is a deeper engagement that often includes remediation, documentation, and organizational process changes. Think of a health check as the diagnosis and an audit as the diagnosis plus treatment plan plus follow-up appointments. Health checks are faster and cheaper. Audits are more comprehensive but take longer and cost more.
How often should I run a Salesforce health check?
At minimum, annually. Ideally, run one at each of the eight trigger points: before renewal, after admin turnover, before a new implementation, after a data migration, when adoption drops, before a compliance audit, after an acquisition, and annually as a baseline. The native Security Health Check should run quarterly.
Can I run a Salesforce health check myself?
Yes. You can run the native Security Health Check (Setup > Health Check) in five minutes. For a full org health check, use the checklist in this article. You'll need admin access, familiarity with flows and permission models, and 1 to 3 weeks of dedicated time. Alternatively, you can use Clientell's free automated health check to get the same coverage in 24 hours without the manual work.
What is the Salesforce health check baseline?
The baseline is the set of security thresholds that the native Health Check tool scores your org against. The Salesforce Standard baseline is the default, representing Salesforce's general security recommendations. Custom baselines are XML files that define stricter thresholds for regulated industries. You can upload and manage custom baselines in Setup > Health Check > Custom Baselines.
Does Clientell offer a free Salesforce health check?
Yes. Clientell provides a free Salesforce org health check that covers all six areas: security, data quality, flows, integrations, performance, and license utilization. Results are delivered within 24 hours. The output includes health scores, a prioritized issue log, and a remediation roadmap. No contract, no credit card. Start your free health check or book a demo to walk through it with the team.
What to Do Next
Two options.
Option 1: Run it yourself. Use the checklist in this post. Start with the native Security Health Check (Setup > Health Check) for a quick security score. Then work through the full org checklist section by section. Budget 1 to 3 weeks for a thorough review. Prioritize security and flow cleanup first, because those are the areas most likely to cause an incident.
Option 2: Get Clientell to run it free. Connect your org, and we'll deliver a complete health check across all six areas within 24 hours. You get health scores, a prioritized issue log, and a remediation roadmap. No cost, no commitment. Run your free health check or book a demo to see how it works.
Either way, the worst option is doing nothing. Technical debt in Salesforce doesn't fix itself. It gets worse every quarter until it costs you a deal, a security incident, or an admin who burns out and quits. Pick a path and start.
Ready to see what's hiding in your Salesforce org?
- Run a free health check: clientell.io/salesforce-health-check
- Talk to us: book a demo
- Explore managed services: Salesforce managed services
- See pricing: pricing
