QuantumNest
Delivery · Audit

The health check that actually finds problems

Most audits produce a hundred-page report that gets filed and forgotten. A useful one is short, ranked, and exits with three things leadership will fund.

QuantumNest Engineering24 June 20258 min read
A clinician reviewing a diagnostic chart, standing in for a system audit
// a health check is only useful if the output is a decision. the framework is built around that single constraint.

A Salesforce health check produced by most consulting firms is a hundred-page report. It lists every observation, ranks none of them, recommends everything at once, and ends up in a shared drive nobody reopens. The team reads the executive summary, agrees the org has problems, and goes back to the work that created those problems. Nothing changes, and the audit becomes a line item rather than an intervention.

A useful health check is shorter and ranked. It answers twelve specific questions, plots each finding on a severity-by-ease grid, and exits with three recommendations the chief financial officer will actually fund. The structure matters more than the depth, because the structure is what forces the report toward a decision instead of a description.

The twelve questions

These are the questions we work through, in order, in every audit. Each one is a query you can run and a conversation you can have, not a vague theme.

01
AccessWho can see and edit what, really
02
Dead weightInactive users, unused objects and rules
03
Automation overlapTriggers, Flows, and processes that collide
04
Code healthCoverage, deprecated patterns, dead classes
05
Sharing modelDoes actual access match the documented one
06
IntegrationsCallout failure and inbound error rates
07
Data qualityDuplicates, blanks, obviously wrong dates
08
Reporting truthDashboards built on retired fields
09
Technical debtHard-coded IDs, framework violations
10
Licensing fitRight editions, seats matched to roles
11
User experienceLoad times, fields above the fold, mobile
12
Change disciplineSandbox cadence, time from request to prod

Severity first, then ease of fix

Each finding earns two ratings. Severity is the cost of leaving it alone, expressed in business terms rather than technical ones. Ease of fix is the effort to address it. Plotted against each other, the findings fall into four quadrants, and the quadrant decides the order of attack.

SEVERITY EASE OF FIX CRITICAL · DEEP Architectural debt Sharing model, code debt, integration sprawl. → phased programme CRITICAL · QUICK Do this first Failing automations, stale licences, security holes. → this sprint LOW · DEEP Park for later Cosmetic issues, niche automations, rare paths. → note in backlog LOW · QUICK Hygiene Layout tweaks, picklist cleanup, naming. → batch into one push
// the grid we draw on every audit. attack order is fixed: critical-quick, then critical-deep, then low-quick, then ignore.

The order of attack never changes. Top-right first, the critical issues with a quick fix. Then top-left, the critical issues that need a planned programme. Then bottom-right, the low-severity easy wins batched into a single push. Bottom-left gets a paragraph in the report and otherwise nothing, because spending effort there is how audits turn into busywork.

The point of the grid is not to be clever. It is to drag the conversation away from "what is wrong" and toward "what do we do this quarter".

The report shape

The deliverable is short. Twelve pages plus an appendix. One page of executive summary carrying the three top recommendations, one page per question with the finding, its severity, and the recommended action, one page of roadmap sequencing the next two quarters, and an appendix with the raw data, the queries used, and screenshots where they help. The team reads the twelve pages. The appendix exists for whoever needs to verify the method, and most readers never open it, which is exactly as it should be.

The three-recommendation rule

Leadership will fund three things. Not seven, not fifteen. Three. The audit must rank itself ruthlessly enough that the top three are obviously the right ones. If it cannot do that, the audit has failed at its only real job.

What good looks like

A good health check produces three months of action, the team finishes those three things, and the next audit six months later shows a different top three because the original problems are gone. The org is measurably healthier, not on paper but in the operational numbers: fewer support tickets, faster releases, less time lost to workarounds. A bad health check produces three months of meetings about the health check. The difference lives entirely in the deliverable. Keep it to twelve pages, rank it honestly, and let the grid pick the priorities for you.

Time for an honest audit?

We run focused two-week Salesforce health checks scoped to produce an action plan, not a doorstop. Tell us where you suspect the trouble is and we will show you whether you are right.

Book a health check