Here's a free, genuinely thorough Salesforce org health-check — an Excel workbook with 41 specific checks across the six areas where orgs actually go wrong, a severity rating on each, and a scorecard that tallies your results as you go. It's built to be worked through and handed to a stakeholder, not skimmed. Download it, and below is how to run an audit that's worth the afternoon.
Most "health check" content you'll find is a list of vague intentions — "review your fields," "check your security." That's not a checklist, it's a reminder to think about checklists. The difference is specificity: what exactly to look at, why it matters, and how bad it is if it's wrong. That's what this is built around.
What a real health check covers
A Salesforce org goes wrong in six places, and they're not equally dangerous. In rough order of how much they'll hurt you:
Permissions and access is where the real risk lives, and it's the section to give the most scrutiny. The checks that matter most: who has Modify All Data or View All Data beyond your core admins, how many full System Administrators you actually have, who can read your sensitive and PII fields once you resolve access across every profile and permission set, and whether your org-wide defaults still match what you intended. Over-privilege accumulates silently — nobody ever gets less access by accident — so this is where a periodic audit pays for itself. If you only do one section, do this one.
Security and compliance sits right next to it. Run Salesforce's native Health Check score, confirm MFA or SSO is actually enforced for everyone, and review your connected apps and their OAuth scopes — third-party app access is a genuine supply-chain exposure that most orgs never revisit after the initial setup. Check that field history or Field Audit Trail is on for sensitive fields, and remember that the Setup Audit Trail only retains 180 days before it permanently deletes, so "we can look it up later" has a hard expiry.
Fields and schema is where clutter turns into confusion. The high-value checks: what share of your custom fields have blank descriptions, which fields are genuinely unused (never populated, not on a layout, not referenced), where you have duplicate fields capturing the same concept, and whether any object is approaching its custom field limit before a build gets blocked. None of these is an emergency on its own; together they're the difference between an org a new admin can understand and one nobody dares touch.
Automation is where things break quietly. Look for legacy Workflow Rules and Process Builders still running (both on Salesforce's retirement path), multiple record-triggered flows firing on the same object with no controlled order, critical flows with no fault paths, and more than one Apex trigger per object. Hardcoded IDs are the sneaky one — they work until you move between sandbox and prod, then they don't.
Data quality is the section everyone agrees matters and nobody schedules. Active duplicate rules on your core objects, records still owned by deactivated users, blank rates on the fields your dashboards depend on, and validation coverage on the objects that carry your most important data.
Technical debt is the cleanup backlog: reports and dashboards nobody has run in a year, empty custom objects, Apex on outdated API versions, and dead metadata left behind by uninstalled managed packages. Low individual severity, real cumulative drag.
The workbook spells out all 41 checks with a "what to look for" note on each, so you're never guessing what a line item means.
Over-privilege accumulates silently — nobody ever gets less access by accident. If you only do one section, do Permissions.
How to run it without wasting the afternoon
Three habits separate a useful audit from a checkbox exercise.
Triage by severity, not by section order. The workbook pre-fills a sensible severity on each item and tallies your high-severity findings, but adjust them to your org — a blank description is genuinely Low, a handful of users with View All Data is genuinely High, and your time should follow that, not the order the rows happen to be in.
Write a real finding, not just a status. "Fail" tells future-you nothing. "Fail — six users have View All Data, only the two admins need it" is something you can act on and something a stakeholder can approve. The Finding column is where the audit's value actually accumulates.
Run it on a cadence. An org drifts continuously, so a once-and-never-again audit ages out fast. Quarterly is realistic for most teams; annually is the floor. Each re-run is mostly confirming what's still fine and catching the handful of things that changed.
The honest limit, and what to do about it
A manual health check is the right tool for understanding your org, and this is a thorough one. Its limit is the limit of any point-in-time review: it's true the day you run it and drifting by the next change. You'll notice that the fastest-drifting sections — fields, permissions, dependencies, data classification — are exactly the ones built from metadata, which means they're the ones that can be watched continuously instead of re-surveyed by hand each quarter. That's the part SchemaForce automates: it keeps the schema, field, access, and reference picture current and flags what changed, so the metadata half of this checklist stops being a quarterly slog and becomes something you glance at.
The boundary is worth stating plainly, because no honest tool covers the whole list. SchemaForce won't check whether your MFA is enforced, review your connected apps, or dedupe your records — the security and data-quality sections stay a human job. What it removes is the manual re-truing of the parts that go stale fastest. Use the checklist to learn where your org stands today; automate the sections that won't stay true on their own.
Start with the two that matter most
Download the workbook, and if you can't do all six sections at once, do Permissions and Security first — that's where the findings with real consequences hide. Set honest severities, write findings you could hand to a stakeholder, and put a re-run on the calendar for next quarter. You'll come out of the first pass with a clear, prioritized picture of your org's health, and a concrete sense of which parts you'll want to stop checking by hand. (Documenting as you go? The free data dictionary template is the companion for the fields section.)



