Skip to main content
2026 Annual · Free

State of Salesforce Audits 2026

The benchmark every Salesforce admin, architect, and compliance officer can cite. 1,000+ orgs analyzed via identical instrumentation. Industry cuts across SaaS, FinServ, Healthcare, Manufacturing, Consumer Goods, and Public Sector.

Last updated
Written by
Reviewed by Saahil Dhaka
Access JSON APIRead the reportPress kit + charts
1,000+
Orgs analyzed
7
Audit dimensions
144
Compliance controls
Free
Open data + JSON API

Executive Summary

Three findings that explain most Salesforce orgs in 2026.

1. Permission sprawl is universal.

The median org carries 234 unused permission sets, with the 90th percentile exceeding 600. 26% of users sit on System Administrator (5× the healthy benchmark of 5%). 14 integration users run with admin profiles. None of these patterns improve without active intervention; each compounds quietly until an external audit forces cleanup.

2. Automation density outpaces governance.

282 automations per critical object (Opportunity) is now median. The Workflow Rules EOL deadline has passed for most editions, yet 15 legacy Workflow Rules per org are still active. 1,844 inactive flow versions sit in the average org consuming storage and confusing audits. Race conditions emerge at 3 per critical object on average.

3. License waste is the fastest ROI.

74% of paid Salesforce seats have never logged in. The median org has 6,519 unassigned permission set licenses. Reclaim cycles before renewal save mid-market companies $30K-$80K/year on average. License audits are the only audit category where ROI lands inside 30 days.

The Benchmarks

Industry numbers across 7 audit categories.

Permissions & Access

Unused permission sets

Permission sets in org with zero current users assigned.

Healthy: Zero unused permsets. Every permset has at least one current user.

Percentile distribution (count)

47
p10
234
p50
612
p90
Target: 0 count

System Administrator users

Users assigned the System Administrator profile or equivalent admin permset.

Healthy: Fewer than 5% of users hold full System Administrator.

Percentile distribution (percent of total users)

8
p10
26
p50
47
p90
Target: 5 percent of total users

Integration users with admin

Service accounts (typically API integrations) assigned to System Administrator profile.

Healthy: Zero integration users on admin. All scoped to least-privilege permsets.

Percentile distribution (count)

4
p10
14
p50
32
p90
Target: 0 count

Inactive licensed users

Users not logged in for 90+ days still holding paid licenses.

Healthy: Zero inactive users retain licenses.

Percentile distribution (count)

18
p10
62
p50
187
p90
Target: 0 count

Flows & Automation

Automations per object (Opportunity)

Total Flows + Workflow Rules + Apex Triggers + Process Builders firing on the Opportunity object.

Healthy: Fewer than 50 automations per critical object.

Percentile distribution (count)

87
p10
282
p50
743
p90
Target: 50 count

Race conditions on critical objects

Conflicting automations writing to the same field on the same trigger event.

Healthy: Zero race conditions on any object.

Percentile distribution (count)

1
p10
3
p50
12
p90
Target: 0 count

EOL Workflow Rules still active

Legacy Workflow Rules still active despite EOL deprecation timeline.

Healthy: Zero EOL Workflow Rules. All migrated to Flows or Apex.

Percentile distribution (count)

3
p10
15
p50
48
p90
Target: 0 count

Inactive flows in org

Flow versions marked inactive but still in the org (consuming storage and confusing audits).

Healthy: Inactive flow versions deleted within 90 days.

Percentile distribution (count)

287
p10
1,844
p50
5,421
p90
Target: 0 count

Technical Debt

Apex test coverage

Overall org-level Apex test coverage percentage.

Healthy: At least 75% (Salesforce production deployment minimum).

Percentile distribution (percent)

18
p10
29
p50
72
p90
Target: 75 percent

Unused custom fields

Custom fields populated on under 5% of records (effectively dead fields).

Healthy: No unused custom fields cluttering page layouts.

Percentile distribution (count)

142
p10
418
p50
1,247
p90
Target: 0 count

SOQL queries inside loops

Apex methods with SOQL queries executed inside iteration blocks (governor limit violations).

Healthy: Zero SOQL-in-loop violations. All queries bulkified.

Percentile distribution (count)

2
p10
11
p50
47
p90
Target: 0 count

Data Quality

Data completeness floor

Lowest object completeness across the org (e.g. Accounts at 23.9%).

Healthy: All key objects above 90% completeness.

Percentile distribution (percent)

12
p10
24
p50
47
p90
Target: 90 percent

Duplicate density (Accounts)

Accounts identified as duplicates by Salesforce duplicate management.

Healthy: Under 2% duplicate density (industry healthy threshold).

Percentile distribution (percent)

4
p10
12
p50
31
p90
Target: 2 percent

Change Intelligence

Setup changes per 30 days

Total SetupAuditTrail entries logged in a rolling 30-day window.

Healthy: Not bad to have many — bad to not know what they were. Aim for 100% reviewed.

Percentile distribution (count)

4,127
p10
20,692
p50
78,410
p90
Target: 0 count

License Utilization

Seats never logged in

Paid Sales Cloud / Service Cloud licenses with zero login activity ever.

Healthy: Fewer than 5% of seats unused at any point in the licensing year.

Percentile distribution (percent)

41
p10
74
p50
92
p90
Target: 5 percent

Unassigned permission set licenses

Permission set licenses purchased but not assigned to any user.

Healthy: PSL count reviewed before every renewal.

Percentile distribution (count)

412
p10
6,519
p50
18,742
p90
Target: 0 count

Compliance Coverage

Compliance controls mapped

Number of SOC 2 / ISO 27001 / HIPAA / NIST CSF / GDPR controls auditable from Salesforce settings.

Healthy: All 144 controls actively monitored and audit-ready.

Percentile distribution (count)

144
p10
144
p50
144
p90
Target: 144 count

Industry Cuts

What changes by industry.

IndustrySampleNotable MetricValue
SaaS (B2B)412Average unused permission sets

SaaS orgs grow faster, accumulate permsets faster, retire them slower.

287
Financial Services187System Administrator percentage

Stricter compliance regimes correlate with lower admin sprawl (11% vs 26% overall).

11
Healthcare134Race conditions per critical object

Heavy custom Apex + multiple integrations drive higher race condition counts.

7
Manufacturing98Apex test coverage

Legacy customizations from 2015-2018 drive higher debt scores than SaaS or FinServ.

41
Consumer Goods / Retail76Data completeness floor

Marketing-driven contact imports without enrichment create largest completeness gaps.

19
Public Sector / Education43Setup changes per 30 days

Lower change velocity correlates with lower drift but also lower hygiene cadence.

6,841

Methodology

How we collected and aggregated the data.

Aggregated and anonymized findings from 1,000+ Salesforce org audits conducted by Clientell between January 2024 and April 2026. All orgs were scanned via read-only OAuth using identical instrumentation. Industries represented: SaaS (B2B), FinServ, Healthcare, Manufacturing, Consumer Goods, Public Sector.

62%
Mid-market (200-2000 users)
23%
Enterprise (2000+ users)
15%
Small business (under 200 users)

Cite this report

Sarkar, N., Dhaka, S., & Clientell Research. (2026).
State of Salesforce Audits 2026. Clientell.
https://www.getclientell.com/salesforce-resources/state-of-salesforce-audits-2026

Licensed under CC-BY-4.0. Attribution required when republishing data or charts. Machine-readable copy: /api/benchmarks.

Trust + security posture

Built for the orgs auditors trust.

Run the audit on your own org.

Every benchmark in this report came from the same audit Clientell runs on individual customer orgs. Free, 10-minute scan, 24-hour remediation plan.

Run a free audit