As an eCommerce merchant, your website is your most critical digital property. It forms your customer’s first impression of your brand. Any problem—a load delay, difficult navigation, mediocre SEO—can drive your customers straight to your competitors. The importance of ongoing maintenance can’t be overstated.
That’s why we put a high value on regular auditing at Gauge. Audits give you the critical information you need to make better business decisions.
I recently sat down with Gauge Sales Director Joey Hoer to get more insight into site audits. Before he became our Sales Director, Joey was one of our senior developers. His technical background makes him uniquely qualified to explain this topic. In today’s article, we’ll take a deep dive into the importance of site audits, how they’re useful, and when it’s appropriate to complete an audit.
What are Site Audits?
Kali Keesee: What do we mean when we say “site audit”? What exactly is a site audit?
Joey Hoer: There are many different types of audits, so what we mean by “site audit” depends on the context. Usually an audit is used to gather more information on a particular subject or to diagnose a problem. For instance, if you’re concerned about your site’s performance, you’d want to conduct a performance audit.
Basically we’re talking about having an experienced person look over the current status of things and make some recommendations. It’s consulting work. You get a report at the end that provides valuable information about the current state of your site or system, with suggestions for improvements.
Generally the term “site audit” refers to a comprehensive technology audit. At Gauge we commonly refer to these as “transition audits,” because we usually do them when we’re transitioning a new client to our agency.
A site audit is similar to a medical diagnostic, like an MRI or x-ray. If you suddenly developed back pain, you’d go to a doctor and pay for an MRI to figure out what’s wrong with your spine. A site audit gives us a similar level of visibility into your website. During an audit, we’re taking an x-ray of your codebase to try and identify current or potential problems.
Of course, a doctor isn’t going to prescribe an MRI for a stomach bug. And even when you do get an MRI, that doesn’t mean it will give the doctor conclusive results. In the same way, we target audits to focus on specific areas, but we might not always find what we were looking for. We might even notice something unrelated—who knows?
Kali Keesee: Why does Gauge do transition audits?
Joey Hoer: Like any professional agency, we need to know what we’re getting ourselves into before we sign on for long-term support. At the very least, we want to be able to provide our clients with some reasonable recommendations that will actually make a difference for their business.
Whenever we take on new clients we need to perform a comprehensive audit. I call them “transition audits” because we just happen to do those during our transitions. This initial assessment gives us two important things: (1) a sense of the current condition of the codebase and infrastructure, and (2) an opportunity to create or assess the documentation for their systems and processes. Often, clients don’t already have a good understanding of those things.
It’s very difficult for developers to engage with a codebase that has a bunch of lingering issues, so the first step is always to diagnose any problems. During a transition audit, we determine what needs to be done to obtain a reasonable level of performance, security, and general stability. And then, of course, we make recommendations for fixing the issues. Sometimes we uncover problems that need to be fixed before our development team can assume support. Sometimes we simply flag problems to be addressed in the future.
Kali Keesee: Apart from a transition audit, what other types of audits can be done?
Joey Hoer: Great question! I’ve mentioned performance audits and comprehensive technology audits. Security audits are another important type. All of those audits are sort of technology-related, but there are many other types: SEO audits, email audits, user experience audits. In a way, I’d even describe user testing as a type of audit.
Essentially, for any area of your system that you want to dig into more deeply, you can probably conduct an audit. It doesn’t have to be just technology. We conduct different types of audits regularly for our monthly support clients.
When you’re considering an audit, it’s important to determine the scope. A generalized audit won’t provide the same detail as a specialized audit focused on one particular area. For example, a performance audit may also be further segmented into a backend performance audit or a frontend performance audit.
What is Included in a Site Audit?
Kali Keesee: So what’s included in a Gauge “comprehensive technology audit” or “transition audit”? What does our team actually do?
Joey Hoer: Lots of different things. For a comprehensive audit our process depends on the site’s platform.
Let’s use a Magento site as an example. First, we look for unapplied security patches and core code base modifications. Aside from creating risky security holes, those could cause problems when upgrading or applying security patches in the future.
We also take a full inventory of installed extensions and updates needed. We’ve found that extensions aren’t usually kept up to date, but using older versions can negatively impact the site. We make a list of all extensions installed on the site and figure out what version the client is currently using. Then we go to the extension source and determine what the most up-to-date version is. If the client is using an older one, we check out what upgrading would mean. Sometimes there are paid upgrades available and sometimes they’re free.
We’d look at site configurations like the admin URL to make sure best practices are being followed. For instance, is password rotation enabled? Are the admin URLs blacklisted or whitelisted so that only certain IPS can access them?
Another thing we’d do is create a list of people who need to access the site and make sure there are no old user accounts in the database. Those could come from former employees, a previous agency, or somebody who once did an integration. We’ve seen those accounts become a weak spot in site security. To eliminate the risk we delete or disable them.
We also assess the permissions for current users and suggest changes that will increase security. We always recommend configuring the permissions on a per-user basis. That way, if somebody’s account does get compromised, that account doesn’t have the ability to compromise the entire system.
This is just the beginning. A Shopify audit would look pretty different. I’m happy to share the full list of what we do with anyone who’s interested.
Kali Keesee: What would other audits entail?
Joey Hoer: That depends on the type of audit.
An SEO audit would focus on current organic status, titles, descriptions, URLs, internal linking, broken links, page speed, structure, etc. An email audit would assess subject lines, body copy, structure, images, send time, and more.
Each audit has a different focus and will provide the specific information you’re looking for.
Kali Keesee: What happens after we’ve done those assessments? How do we share the information we uncover with the client?
Joey Hoer: We provide a “Summary of Findings” document. This executive summary gives the client a convenient way to easily see the entire picture. It essentially packages up all of our findings and actionable recommendations into one convenient document.
With the Summary of Findings we say, “Here are the red flags and problem areas we’ve found, and this is the best way to fix them.” We point out any time-sensitive issues that must be resolved before our team can assume support. We also highlight issues that may not need urgent attention but might require further investigation in the future.
It’s not uncommon for us to provide cost estimates along with our recommendations. We do this so the client has a general idea of what to expect so they can make informed decisions. With any business, balancing needs and expense is a constant reality. We want to make sure that our clients are aware of any possible problems or costs as early as possible, so they can choose how to budget in advance. Because Gauge is focused on building trust, we only make recommendations that will be truly valuable for that specific client.
What are the Greatest Benefits of Site Audits?
Kali Keesee: In your opinion, what’s the greatest benefit an audit offers?
Joey Hoer: The benefit is always to gain more information.
It’s difficult to make educated decisions without adequate information. An audit gives you insight into areas that are normally inaccessible. We’re helping you make decisions by providing you with valuable insight and suggestions.
Often, what we uncover with an audit isn’t information the client can just go and find themselves. If you’re dedicated and you have a high level of technical proficiency, you might be able to gather some of this information yourself. But we can offer a much deeper level of analysis.
As an eCommerce agency, we’ve worked with a huge variety of sites, systems, and technology. Our team has decades of experience in the eCommerce trenches, and much of that experience is in specialized areas. That knowledge and experience is invaluable when auditing.
So the greatest benefit is that it empowers the merchant to make educated decisions. As another bonus, it provides you with written documentation for your system. This, of course, helps our team when we’re getting familiar with a new client’s systems, but that client can also use it whenever they hire new employees too.
Kali Keesee: You mentioned doing regular audits. Why would a merchant want to audit that way, rather than doing them ad-hoc when a problem comes up? What’s the benefit there?
Joey Hoer: Often if you wait until there’s a problem, it’s already too late. Slow load times increase your bounce rate. One security breach can be devastating. Technical debt gets incredibly expensive over time. If you commit yourself to checking your site foundations regularly, you avoid costly mistakes. You know you’re always covered.
Let’s take performance audits as an example again. You could make a case that a performance audit should be done at least once a year. Installing upgrades and making changes will impact your site’s performance. If you’re making frequent changes, it wouldn’t be unreasonable to conduct a performance audit every six months, or even once a quarter.
Ad-hoc audits are valuable, but if you really want to take things to the next level, ask your agency to build in regular audits as part of your support services. We discuss auditing during our sales and onboarding processes, and we explain why it’s important to do this with regularity. We also build several types of checks and balances into our agreements, like performance and downtime monitoring. That way we can keep a baseline on those things in between full audits. It’s an extra layer of security.
When Should You Consider Doing a Site Audit?
Kali Keesee: Let’s say a reader has never had an audit done. When should they consider it?
Joey Hoer: The goal of an audit is to use objective measures to gather hard info so you can make better decisions. So, in that way, it’s always a good time to start an audit. It’s especially appropriate whenever you need more information to make a decision.
Maybe you have a problem on your site, or you’re thinking about moving agencies, or your site has been hacked, or you feel like your site is slower than it used to be. Whenever you need substantive data on a particular subject, an audit can help.
Kali Keesee: You’ve explained why regular audits are important. How would you structure those?
Joey Hoer: One good strategy is to schedule a different type of audit each quarter. For example, during Q1 you’d conduct an email audit; for Q2, an SEO audit; Q3, maybe focus on performance; and Q4 can be dedicated to user experience. All of these elements require regular check-ups, particularly if you’re making changes.
Things change rapidly in eCommerce; even best practices evolve over time. In internet terms, 365 days is a long time. A regular audit schedule keeps you disciplined and focused on those important foundations.
Just find the things that are most important to your organization and get audits on the calendar. That’s a great way to approach it.
Kali Keesee: When the Gauge team does audits, how often do we actually find things like bad code, missing security updates, or outdated extensions?
Joey Hoer: Let me put it this way: We’ve never conducted an audit where we haven’t been able to make a recommendation. And again, we only make recommendations that would actually be valuable.
The reality is—just like anything else in life—there’s always room for improvement. Knowledge isn’t static; it evolves and changes over time. Last year’s standard might not be a best practice today. That’s why regular audits are necessary.
Literally every time we perform an audit, we find useful information. It’s never not a worthwhile investment.
Kali Keesee: What should a merchant expect from an audit?
Joey Hoer: That really depends on their operations, their history, and why they want an audit.
If a merchant comes to us for an audit because they have a problem, they’re already expecting us to find something. They wouldn’t be asking otherwise. In those scenarios, we’re probably going to find something.
If a client has never had an audit done, we do tend to find more issues. Those organizations usually haven’t had a focus on maintenance. Maybe their business grew quickly, or they have a smaller team, or they just didn’t realize the importance of it. For whatever reason, they haven’t been maintaining documentation or keeping their systems up to date. When we perform a transition audit for those clients, we’ve got some extra work to do.
Kali Keesee: So to sum up what you’re saying… it’s never a bad time to do an audit, and it’s important to do regular audits to proactively prevent issues. Merchants should be regularly auditing not just their technology, but any system or element that’s important to their business.
I don’t think enough people do that. In my Account Management and Marketing roles I’ve seen this play out so many times. A merchant works hard to get to a launch. But afterward, they consider the site or campaign or whatever to be finished. They get complacent or distracted by the next thing. Then something goes wrong and they wonder, “How did this happen? I thought everything was fine.”
Had they been conducting regular audits and monitoring their systems, they probably would have seen the issue emerging before it actually happened.
Joey Hoer: Exactly.
Going Beyond the Site Audit
Kali Keesee: It sounds like the audits we provide are really valuable for our clients. They’re also valuable for our Gauge team, because we get intimately familiar with their site. That prepares us to work with them. Would you agree with that?
Joey Hoer: No doubt. There are lots of other benefits too.
Kali Keesee: You touched on documentation as a benefit. Can you explain that?
Joey Hoer: Sure. Generally, the better documentation you have, the more smoothly things will run. Yet a lot of organizations don’t have their systems documented. It’s tribal knowledge scattered among individual brains.
You’ve probably heard of the “bus factor:” If somebody gets hit by a bus, what do you do? That’s a grim idea, but other things happen. People leave jobs—they relocate or have kids or change careers. Merchants switch agencies and those agencies hire new people. When key information isn’t centralized and documented, it’s really difficult to bring new people up to speed quickly. Training takes longer than necessary and information falls through the cracks. But documentation takes time, and many merchants don’t realize its importance or simply can’t get to it.
During our comprehensive transition audits, we document the critical elements of your business. Our Summary of Findings document includes things like an infrastructure map. Third-party services, integrations with Order Management Systems, email service providers, analytics tools, PIM systems—whatever you use, we map it all out. Who are your shipping providers, your payment gateways? What automated processes are running and sending data back and forth? Where are backups hosted? Who is responsible for security certificates and domain name renewal? Where are your design assets stored? Your brand guidelines or pattern libraries? How exactly does your business operate?
This is just part of the information your agency needs to know to support you. As we learn about your systems, we document it for you. It’s another practical, tangible benefit to your organization. We look at all of these things. We go very deep.
Kali Keesee: It sounds like this documentation is a great tool for any team. It’s also convenient for the merchant to have this built in as part of their project. Is this documentation a one-time thing, or does Gauge update it over time?
Joey Hoer: It’s definitely valuable. Documentation should always be a priority. Any organization that doesn’t have it should think about how to create it.
It’s not a one-shot deal—it’s a living thing. As we’ve said, this industry changes fast, so by sheer necessity, most eCommerce operations do too. If you don’t update your documentation as these changes happen, it will quickly become irrelevant and worthless. Somebody has to be responsible for keeping it updated, and your agency should be sharing that responsibility with you.
Just like site audits, updating documentation should be done regularly. At Gauge, we incorporate both into our service agreements. Our clients know that these critical basics are covered. The peace of mind you get from a trusted partner is invaluable.
Here are our key takeaways:
- Site audits are essential for both your business and your agency.
- Be proactive. Audit before you recognize an issue.
- Identify the areas of your business that would most benefit from an audit and then complete audits regularly.
- Make sure your agency is taking audits seriously. Performing regular audits can save you and your agency precious time and money.
- Go beyond the audit. Use audits as an opportunity to create and maintain proper documentation.
At Gauge, we take partnership seriously. If you find yourself in need of a site audit, please contact us.