DEV Community

hailports
hailports

Posted on

The Salesforce Audit Checklist Every Admin Should Run

The Salesforce Audit Checklist Every Admin Should Run

As a seasoned Salesforce administrator, I have had the opportunity to lead audits for some of the most complex and large-scale organizations in the industry. These audits are not just about ensuring compliance with regulations; they also provide invaluable insights into optimizing performance, enhancing security, and improving user experience.

In this article, we will walk through a comprehensive audit checklist that every Salesforce admin should run. We'll cover essential steps from data validation to configuration management, using real SOQL queries and specific config steps where necessary.

Table of Contents

  1. Data Integrity Check
  2. Object & Field Security Review
  3. Permission Set Management
  4. Profile Role Hierarchy Assessment
  5. Apex Code Quality Inspection
  6. Custom Object Audits
  7. Process Builder and Flow Verification
  8. Email Template Validation
  9. User Activity Monitoring
  10. Report and Dashboard Review

1. Data Integrity Check

Objective

Ensure that all critical data is properly stored, validated, and accessible.

Steps

1.1 Validate Custom Object Fields

SELECT Id, FirstName, LastName FROM Account WHERE FirstName = '' OR LastName = ''
Enter fullscreen mode Exit fullscreen mode

This query checks for accounts where the FirstName or LastName fields are empty, which might indicate data entry issues.

1.2 Check for Duplicate Records

SELECT COUNT(Id) FROM Account WHERE Email = 'test@example.com'
Enter fullscreen mode Exit fullscreen mode

Use this SOQL to count duplicate records based on a common field like email.

Cutover and Validation Steps

  • Implement validation rules to prevent empty or invalid fields.
  • Use process builders to automatically flag or correct potential duplicates.

2. Object & Field Security Review

Objective

Ensure that sensitive data is appropriately restricted from unauthorized access.

Steps

2.1 Assess Custom Object Permissions

SELECT Id, Name, FLSAccess FROM PermissionSet WHERE sObjectType = 'CustomObject__c'
Enter fullscreen mode Exit fullscreen mode

Check the permissions for custom objects to ensure they are properly restricted based on roles and profiles.

2.2 Review Field-Level Security

Navigate to Setup > Object Manager > [Your Custom Object] > Fields & Relationships > Field-Level Security.

  • Ensure that sensitive fields (e.g., SSN, credit card numbers) have proper restrictions.
  • Use sharing rules if necessary for external users.

Cutover and Validation Steps

  • Adjust permissions and field-level security based on the findings.
  • Conduct user testing to ensure no critical data is exposed.

3. Permission Set Management

Objective

Ensure that permission sets are correctly assigned and maintained.

Steps

3.1 List All Permission Sets

SELECT Id, Name FROM PermissionSet WHERE Description = 'Custom'
Enter fullscreen mode Exit fullscreen mode

Identify custom permission sets used in the org.

3.2 Assignments Review

Navigate to Setup > Users > Permission Set Assignments.

  • Verify that each user has the appropriate permissions.
  • Ensure no unnecessary permission sets are assigned.

Cutover and Validation Steps

  • Reassign or remove redundant permission sets.
  • Update documentation for permission set assignments.

4. Profile Role Hierarchy Assessment

Objective

Ensure that profile roles are properly configured to maintain a clear hierarchy.

Steps

4.1 Review Profile Roles

Navigate to Setup > Users > Profiles > [Your Profile].

  • Check the role hierarchy and ensure it aligns with organizational structure.
  • Verify that profiles have the correct permissions assigned.

Cutover and Validation Steps

  • Adjust roles and profile assignments as needed.
  • Document changes for future reference.

5. Apex Code Quality Inspection

Objective

Ensure that Apex code is well-written, tested, and secure.

Steps

5.1 List All Classes and Triggers

SELECT Id, Name FROM ApexClass WHERE Status = 'Active'
Enter fullscreen mode Exit fullscreen mode

Identify all active classes and triggers in the org.

5.2 Code Reviews

  • Use tools like SonarQube to analyze code quality.
  • Ensure that all critical logic is covered by unit tests.

Cutover and Validation Steps

  • Refactor or rewrite poorly performing or insecure code segments.
  • Increase test coverage for new changes.

6. Custom Object Audits

Objective

Ensure that custom objects are well-designed, secure, and utilized effectively.

Steps

6.1 Object Design Review

SELECT Id, Name, RecordTypeCount FROM CustomObject WHERE IsCustom = true
Enter fullscreen mode Exit fullscreen mode

Check the design of custom objects, including record types and fields.

6.2 Field-Level Security Assessment

  • Ensure that sensitive fields are appropriately restricted.
  • Verify that all required fields have proper validation rules.

Cutover and Validation Steps

  • Optimize object designs for better performance and security.
  • Document any changes made during the audit.

7. Process Builder and Flow Verification

Objective

Ensure that process builders and flows are functioning correctly and securely.

Steps

7.1 List All Active Flows and Processes

SELECT Id, Name FROM Flow WHERE Status = 'Active'
Enter fullscreen mode Exit fullscreen mode

Identify all active flows in the org.

7.2 Process Verification

  • Review each flow for security best practices.
  • Ensure that process builders are not being used excessively or insecurely.

Cutover and Validation Steps

  • Optimize flows and processes to reduce complexity and improve performance.
  • Document any changes made during the audit.

8. Email Template Validation

Objective

Ensure that email templates are properly configured and secured.

Steps

8.1 List All Email Templates

SELECT Id, Name FROM EmailTemplate WHERE IsPersonalizationDisabled = false
Enter fullscreen mode Exit fullscreen mode

Identify all personalizable email templates in the org.

8.2 Template Security Check

  • Ensure that sensitive information is not embedded directly into templates.
  • Use merge fields for dynamic content where possible.

Cutover and Validation Steps

  • Update templates to ensure security best practices are followed.
  • Document any changes made during the audit.

9. User Activity Monitoring

Objective

Ensure that user activity is monitored and logged appropriately.

Steps

9.1 Review Audit Logs

Navigate to Setup > Security Controls > Log Management.

  • Ensure that audit logs are enabled for critical objects and actions.
  • Check log volumes to ensure they are manageable.

9.2 User Behavior Analysis

Use analytics tools like Salesforce Analytics Cloud or third-party services to monitor user behavior.

  • Identify anomalies in user activity patterns.

Cutover and Validation Steps

  • Enable necessary logging settings based on findings.
  • Implement monitoring dashboards for real-time alerts.

10. Report and Dashboard Review

Objective

Ensure that reports and dashboards are well-designed, secure, and up-to-date.

Steps

10.1 List All Reports and Dashboards

SELECT Id, Name FROM Report WHERE IsDeleted = false
Enter fullscreen mode Exit fullscreen mode

Identify all active reports in the org.

10.2 Dashboard Security Check

  • Ensure that sensitive information is not exposed in dashboards.
  • Verify that users have appropriate access to relevant reports and dashboards.

Cutover and Validation Steps

  • Update or remove outdated or insecure reports and dashboards.
  • Document any changes made during the audit.

Conclusion

Regularly running through this comprehensive audit checklist will help maintain a secure, efficient, and compliant Salesforce environment. By following these steps, you can ensure that your organization is well-prepared for audits while also continuously improving its operational practices.

Try the Free Scanner

To streamline some of these checks and gain deeper insights into your org's health, try the free scanner at https://orgscanner.dev/?utm_source=devto&utm_medium=content&utm_campaign=content_poster.

By leveraging such tools, you can automate many of these checks and focus on areas that require manual intervention. Happy auditing!

Top comments (0)