The Ultimate Salesforce Health Check Checklist: 50+ Areas Every Enterprise Should Audit
Most Salesforce orgs start clean. You go live with well-defined processes, a tidy data model, and a team that's genuinely excited about the platform. Fast forward 18 months, and the reality looks a little different. There are flows nobody owns, profiles that have accumulated permissions like lint in a dryer, and reports referencing fields that were deleted two releases ago.
This isn't a failure of the platform. It's just how enterprise software evolves in the real world.
The good news? A structured Salesforce health check can surface all of it before it costs you a security incident, a failed integration, or a frustrated sales team that stops trusting the data.
This guide gives you a complete Salesforce health check checklist built around six operational domains. It's not a quick 10-tip post. It's the kind of framework you'd use to walk into any Salesforce org, whether it's two years old or twelve, and come out with a clear picture of where things stand and what needs to change.
What Is a Salesforce Health Check?
Before we get into the checklist, it's worth clarifying something that confuses many teams.
Salesforce has a native feature called the Health Check. It lives under Setup > Security > Health Check and gives you a score based on how well your security settings align with Salesforce's baseline standards. It checks things like session timeout length, password complexity, and login IP restrictions.
That's useful. But it's a narrow slice of org health.
A complete health check examines:
Security and compliance
Data quality and hygiene
Integrations and architecture
Automation efficiency
User adoption and licensing
Governance and documentation
Overall Salesforce performance optimization
Think of the native health check as a blood pressure reading. Helpful, but it doesn't tell you whether the patient is sleeping, exercising, or managing stress well. The full picture requires a proper examination.
How Often Should You Run a Salesforce Health Check?
There's no single right answer, but here's a practical guide based on org size and release cadence:
Who Should Be Involved?
A health check isn't just a Salesforce admin task. For the results to be actionable, you need the right people in the room:
Salesforce Admin — Owns the day-to-day configuration and knows where the skeletons are.
Salesforce Architect or Developer — Reviews automation logic, code, and integration architecture.
Security or IT Team — Validates access controls, compliance requirements, and data handling.
Business Stakeholders — Can speak to whether the platform is actually solving business problems.
Executive Sponsor — Ensures findings get prioritized and resourced.
Without business context, a technical audit can miss the most important issues entirely.
Introducing the SHIELD Framework for Salesforce Maintenance
To make this Salesforce maintenance checklist easy to navigate and repeat, we've organized it around six pillars. Together, they cover every major risk area in a Salesforce org.
SHIELD provides a structured framework for evaluating the overall health of your Salesforce environment.
Let's go through each one.
S — Security Checklist
Security isn't the most exciting part of a Salesforce audit, but it's consistently where the most serious risks hide. Permission creep is real. So is the tendency to grant "System Administrator" access to solve a short-term problem and never revisit it.
Work through these checkpoints:
User & Access Management
Multi-Factor Authentication (MFA) is enabled for all users.
Inactive users (no login in 90+ days) have been deactivated.
The freeze-before-deactivate process is being followed.
Login hours and IP ranges are configured for sensitive profiles.
Single Sign-On (SSO) is implemented where required.
Session timeout settings are configured appropriately.
Profiles & Permission Sets
Number of active profiles has been audited and minimized.
"Modify All Data" and "View All Data" permissions are assigned sparingly.
Permission Sets are being used in place of custom profiles where possible.
Permission Set Groups have been evaluated for role-based access alignment.
No users have permissions they don't actively need.
Sharing
Organization-Wide Defaults (OWDs) are set to the most restrictive appropriate level.
Sharing rules have been reviewed, and none are broader than required.
Manual shares have been audited for stale assignments.
Territory management (if used) is aligned with the current org structure.
Compliance & Monitoring
Field Audit Trail is enabled for regulated data.
Login History and Setup Audit Trail are being monitored.
Named Credentials are in use for external callouts (no hardcoded credentials).
GDPR/CCPA or other data privacy requirements are mapped to Salesforce data.
Encryption at rest is enabled for sensitive fields where required.
H — Hygiene & Data Quality Checklist
Bad data is expensive. Studies consistently show that poor data quality costs organizations significant time and money through lost productivity from manual cleanup, bad decisions from inaccurate reports, and eroded CRM trust when reps stop believing the data.
Duplicates & Record Quality
Duplicate Rules are enabled for Contacts, Leads, and Accounts at a minimum.
Matching Rules have been reviewed and configured appropriately.
A baseline duplicate rate has been established and is being tracked.
Duplicate records identified in the last audit have been merged or flagged.
Validation & Completeness
Validation Rules are active and not bypassed by admin workarounds.
Required fields are enforced at the page layout and validation rule level.
Data completeness scores are being measured for key objects (Account, Opportunity, Contact).
Picklist values are standardized (no "Other," "TBD," or "Unknown" catch-alls without process).
Phone, Email, and address fields follow consistent formatting.
Field & Object Cleanup
Custom fields with no data (or data in less than 5% of records) have been reviewed.
Deprecated fields are either hidden from layouts or scheduled for deletion.
Field usage reports have been run to identify orphaned fields.
No redundant custom objects exist that duplicate standard object functionality.
Archiving & Storage
Data retention policies have been defined.
Records older than the retention threshold have been archived or deleted.
Storage limits are being monitored (data storage and file storage).
Large files and attachments have been reviewed for migration to Files or external storage.
I — Integrations & Architecture Checklist
Integrations are often where Salesforce orgs accumulate the most invisible technical debt. A middleware tool configured by a contractor two years ago, a direct API connection that nobody documented, and a webhook nobody knows owns are common—and they're risky.
Connected Apps & API Access
All Connected Apps have been audited and unused ones revoked.
OAuth tokens have been reviewed for scope and expiration settings.
API usage is being monitored and remains below 75% of daily limits.
API version usage has been reviewed, with no calls using deprecated API versions.
Middleware & External Systems
All integration touchpoints are documented in a single integration map.
Integration ownership is assigned so someone knows who to contact when issues arise.
Middleware platforms (MuleSoft, Boomi, Zapier, etc.) are running on supported versions.
Failure notifications are routed to active monitoring channels rather than inactive inboxes.
Data Sync & Integrity
Sync frequency aligns with business requirements.
Integration logs are retained and reviewed regularly.
Duplicate creation from integration sources has been addressed.
Sandbox refreshes do not break integrations because credentials and endpoints are environment-specific.
Legacy Integrations
Point-to-point integrations (direct database connections, legacy APIs) have been catalogued.
A retirement plan exists for deprecated integration patterns.
Dependency documentation outlines what breaks if each integration is removed.
E — Efficiency & Automation Checklist
Automation is where most Salesforce orgs carry the most technical debt. The shift from Workflow Rules and Process Builder to Flow is well underway, but plenty of orgs are still running on tools Salesforce has announced it's retiring. Beyond migration, there's the question of whether automations are actually running cleanly or silently failing.
Legacy Automation Migration
All active Workflow Rules have been documented.
Migration roadmap from Workflow Rules to Flow is defined and has an owner.
All active Process Builder processes have been documented.
Process Builder retirement timeline is established.
No new automations are being built in Workflow Rules or Process Builder.
Flow Health
All active Flows are documented with owner, trigger, and business purpose.
Autolaunched Flows are designed and utilized as reusable Subflows to promote consistency, reduce duplication, and simplify maintenance.
Flow error emails are routed to an active team inbox rather than an individual's email address.
Fault paths have been added to all critical Flows.
Flows are tested in the sandbox before promotion to production.
Scheduled Flows have been reviewed for governor limit implications.
Apex & Custom Code
All Apex classes and triggers have documented owners.
Apex test coverage is above 75% (Salesforce minimum); target 85%+.
No SOQL queries inside loops in active Apex code.
Scheduled Apex jobs are monitored, and none are stuck or repeatedly failing.
Code review process exists for new Apex deployments.
Governor Limits
API limit utilization is below 75%.
SOQL query limits are monitored in production.
Email sending limits are being tracked for orgs with heavy email automation.
L — License & Adoption Checklist
License costs are one of the largest line items in any Salesforce budget. Yet many organizations pay for licenses that go largely unused, while power users lack access to the capabilities they need. Adoption metrics also reveal whether Salesforce optimization efforts are truly delivering value.
License Management
The total licensed users versus active users gap has been measured.
Unused licenses have been reviewed for reallocation or reduction.
License types are matched to actual user needs (full CRM vs. platform vs. community).
Renewal date and license count are documented and owned by a business stakeholder.
Login & Engagement
Monthly Active User (MAU) rate is above 80% for your user base.
Login trends by team or department have been analyzed.
Users with zero logins in the last 30 days have been flagged for review.
Adoption reporting is included in the quarterly business review.
Feature Utilization
Reports and dashboards are being actively used rather than created and abandoned.
Einstein features (if licensed) are configured and in use.
Chatter or Slack integration usage has been measured where enabled.
Installed AppExchange applications have been audited for active use.
Training & Enablement
New user onboarding includes Salesforce training.
The department has identified training gaps.
A feedback mechanism exists for users to report friction or confusion.
Release notes are communicated to users after each major deployment.
D — Documentation & Governance Checklist
This is the area that separates Salesforce orgs that age well from those that accumulate chaos. When documentation is solid and governance is real, every admin who touches the org now or years from now can work confidently. When it isn't, every change becomes a calculated risk.
Release Management
A release calendar exists and is shared with business stakeholders.
Change management processes are documented (request → review → approval → deploy).
Sandbox strategy is defined, including the purpose of each environment.
A deployment tool is in use (Change Sets, SFDX, or a CI/CD pipeline).
Source control (e.g., Git) is used to track metadata changes, enable collaboration, and maintain version history.
Backup and rollback procedures are documented and regularly reviewed to support recovery from failed deployments or unintended changes.
Post-deployment checklists are followed for all production releases.
Technical Documentation
Data dictionaries exist for custom objects and key standard objects.
All integrations are documented in the current integration map.
Automations are documented with a business purpose and designated owner.
A technical debt register is being maintained.
Architecture decisions have been recorded.
Ownership & Accountability
Each major functional area has an assigned Salesforce owner.
An escalation path exists for urgent production issues.
A Salesforce Center of Excellence (CoE) or steering group exists at enterprise scale.
Business stakeholders are included in quarterly org review meetings.
Ongoing Review Cadence
A quarterly health check is scheduled and has an owner.
An annual full org assessment is planned.
A post-major-release review is built into the release process.
Security reviews are conducted at a minimum annually.
Salesforce Health Maturity Model: Where Does Your Org Sit?
One of the most useful things you can do after running through this checklist is to assess your org's overall maturity level. This gives you a realistic baseline and helps you prioritize what to fix first.
Level 1 — Reactive
The org works, but only just. Issues are fixed when users complain. Nobody knows exactly what's broken until it causes a problem. Documentation is minimal. Governance is informal or nonexistent.
Signs:
High volume of ad-hoc requests from users
Recurring data quality complaints
Frequent "who built this and why?" conversations
Level 2 — Managed
Basic processes are in place. Reviews happen, but irregularly. Some documentation exists. The team knows what the major pain points are but hasn't systematically addressed them.
Signs:
Quarterly reviews happen but lack structure
Some automation debt is understood but deprioritized
Adoption is tracked informally
Level 3 — Optimized
Proactive monitoring is standard. Governance frameworks are defined and followed. Adoption is measured by department. Technical debt is tracked and regularly addressed through planned releases.
Signs:
Clean automation architecture
Regular user feedback loops
Data quality scores improving over time
Level 4 — Intelligent
The org is a strategic asset. AI-driven insights inform business decisions. Continuous improvement is embedded in the culture. Salesforce maintenance services are proactive rather than reactive, and the platform evolves in lockstep with business needs.
Signs:
Einstein analytics in active use
Org architecture reviewed against business strategy quarterly
CoE functioning as a center of innovation, not just governance
Most mid-market orgs sit somewhere between Level 1 and Level 2. Getting to Level 3 is a realistic 12–18 month goal with the right investment in Salesforce maintenance and governance.
Healthy Salesforce Benchmarks: How Does Your Org Compare?
These benchmarks give you concrete targets to work toward as part of ongoing Salesforce performance optimization.
Salesforce Health Check Metrics & Benchmarks
| Metric | Target Benchmark |
|---|---|
| Monthly Active User Rate | > 80% |
| Duplicate Record Rate | < 2% |
| Flow Failure Rate | < 1% per week |
| Inactive Users (90+ days) | 0 active licenses |
| Profile Count | Permission sets preferred |
| Apex Test Coverage | ≥ 85% |
| API Limit Utilization | < 75% |
| Data Completeness | > 90% |
| Integration Failure Rate | < 0.5% of daily transactions |
| Release Documentation | 100% of production changes |
Not sure where your org stands?
MV Clouds offers a complimentary Get a Free Salesforce Health Check
No strings, no pitch deck, just a clear picture of what's working and what needs attention. Book your free session today and walk away with a prioritized action list.
Making Salesforce Health Checks a Habit, Not a Project
One of the most common patterns in Salesforce environments is the "big cleanup" cycle. The org deteriorates over time, somebody raises the alarm, a significant project is kicked off to fix everything, and the cycle repeats. It's expensive, disruptive, and avoidable. The goal of a mature Salesforce maintenance practice is to make health checks routine. A standard part of how you manage the platform, not a reactive response to accumulated pain.
A Few Practical Steps to Get There
Assign Ownership
Every domain in the SHIELD Framework should have a named owner. who's accountable for its health. Without accountability, checklists are interesting documents that nobody acts on.
Schedule It
Add a quarterly health review to your Salesforce governance calendar. Treat it like a sprint retrospective structured, time-boxed, and tied to action items.
Measure Over Time
Track your benchmark scores quarter over quarter. Progress matters more than perfection, and trends will tell you whether your Salesforce optimization efforts are actually working.
Involve the Business
The most important measure of org health isn't a technical score; it's whether Salesforce is helping people do their jobs better. Business stakeholder input is essential.
Adapt the Framework
Use this checklist as a starting point, not a ceiling. Your org has specific needs, specific risks, and specific opportunities. Adapt the framework to fit your context.
Why Choose MV Clouds for Salesforce Support and Maintenance
At MV Clouds, we understand that Salesforce success doesn't end after implementation. Our team works as an extension of your business to ensure your
Salesforce environment remains secure, efficient, and aligned with evolving goals.
Our Salesforce experts help organizations:
Conduct comprehensive Salesforce health assessments.
Deliver proactive Salesforce maintenance.
Optimize workflows and automations.
Improve data quality.
Strengthen governance practices.
Enhance user adoption.
Support ongoing innovation.
Whether you need periodic reviews or fully managed Salesforce maintenance services, we help you maximize the value of your Salesforce investment.
Final Thoughts
Developing a healthy Salesforce organization doesn't happen by accident. Maintaining Salesforce consistently, reviewing it regularly, clearly defining ownership, establishing strong governance, and treating it as a strategic asset rather than a utility to be ignored until it breaks are the keys to its success.
The 50+ checkpoints in this guide give you a practical foundation for that kind of assessment. Whether you're an admin doing your first full org review, an architect walking into a new engagement, or a business leader trying to understand why your CRM isn't delivering the value you expected, this framework gives you somewhere concrete to start.
Run the checklist. Find the gaps. Build the roadmap. And then build the habit.
If you'd like support running a structured Salesforce org assessment or implementing a governance framework, explore our Salesforce maintenance services. We help organizations move from reactive to optimized, without the chaos of a big-bang cleanup project.
