Most Salesforce "health checks" scan your metadata, flag some outdated API versions, and hand you a dashboard. They treat a $2M nonprofit the same way they treat a $500M enterprise. They don't check whether your donors are linked to their donations. They don't know what NPSP is. They've never heard of a GAU.
We built something different.
The Problem with Generic Audits
Tools like Hubbl Diagnostics do useful work. They'll find your outdated Apex classes, flag unused licenses, and score your org's metadata health. For a for-profit Salesforce org, that's a reasonable starting point.
But if you're a nonprofit running NPSP, a generic audit misses the things that actually matter to your mission:
- Are your donations linked to your donors? If Opportunity Contact Roles are missing, NPSP rollups break silently. Your "Top Donors" report shows the wrong numbers. Your year-end tax receipts go to the wrong people. A generic auditor doesn't check this.
- Is your tracked revenue anywhere close to your actual revenue? If your 990 says $2M and Salesforce says $300K, 85% of your fundraising is invisible. A generic auditor doesn't cross-reference your financials.
- Are departed staff still holding the keys? Nonprofits have high turnover. When your development director leaves, does their System Administrator access leave with them? Usually not.
- Is your online donation platform actually working? If your donation platform stops syncing, gifts still come in but they stop hitting Salesforce. A generic auditor doesn't check integration heartbeats.
- Are your lapsed major donors visible? A $350K donor who hasn't given in 18 months is a re-engagement opportunity worth more than every metadata issue combined. No generic tool surfaces this.
What We Built
148 audit checks across 15 domains, purpose-built for nonprofit Salesforce orgs running NPSP. The engine runs as a bash script using the Salesforce CLI, executes 120+ SOQL queries, computes a weighted health score, and outputs structured JSON plus a branded HTML report.
The 15 domains:
- Organization identity and licensing
- User access and identity (active, inactive, admin count, login history)
- Security configuration (certificates, connected apps, MFA, audit trail)
- Installed packages and NPSP health
- Nonprofit configuration (account model, GAUs, donation stages, recurring donations)
- Data quality and hygiene (missing fields, duplicates, orphaned records, ownership)
- Fundraising and donor analysis (pipeline, segmentation, lapsed donors, revenue matching)
- Automation (flows, scheduled jobs, legacy workflow rules, custom code)
- Data model and schema (custom objects, fields, record types)
- Reports and dashboards
- Email and communications
- Integrations (with dedicated analysis for donation platforms)
- Storage and org limits
- Compliance and audit trail
- UI and user experience
Health Scoring
Every org gets a score from 0 to 100, weighted across five dimensions:
| Dimension | Points | What it measures |
|---|---|---|
| Security & Access | 25 | Admin count, MFA, departed staff access |
| Data Quality | 25 | Missing emails, orphaned contacts, duplicates |
| Data Completeness | 20 | Revenue tracking vs actuals, record volumes |
| Configuration | 15 | NPSP installed + current, proper profiles |
| Utilization | 15 | Active users vs licenses, login frequency |
| Total | 100 | |
The scoring is opinionated. An org with six or more System Administrators loses 15 points immediately, regardless of how clean the data is. An org where 25%+ of donations are missing Contact Roles loses 10 points. An org with zero NPSP errors and clean donor segmentation gets full marks even if there's some metadata debt — because metadata debt doesn't lose donors.
What We Found in Production
We ran the audit against a real nonprofit — a youth and community services organization on the East Coast with ~$2.1M in annual revenue, 15 employees, and a multi-year capital campaign. All numbers below are representative of the findings but have been adjusted to protect the client's identity. The patterns are real.
Score: 71 / 100 — Fair
Security: 9/25 (critical) · Data Quality: 18/25 (good) · Completeness: 20/20 (full marks) · Configuration: 12/15 (good) · Utilization: 12/15 (good)
The org scored a 71 — dragged down almost entirely by a single domain: security. The data quality and completeness scored well. This is a pattern we see often: a well-intentioned org with decent data infrastructure and a serious access control problem that nobody knows about.
Finding 1: Six System Administrators (Should Be Two)
The org had six users with System Administrator profiles. Two were active employees. Four were departed staff whose accounts were inactive but still carried admin-level profiles.
This is the most common finding we see in nonprofit orgs. Staff turnover is high. When someone leaves, their account gets deactivated — but nobody changes the profile. The account sits there with full admin permissions, owning hundreds of records, and if anyone ever re-enables it (or if the password was shared), they have unrestricted access to every donor record, every dollar amount, every contact in the system.
The fix is 15 minutes of work: demote the profiles, transfer record ownership, verify MFA. The risk of not doing it is unlimited.
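The departed-admin check from this finding, reimplemented as an added Python example (it is not the bash engine described on this page). It assumes the records come from `sf data query --json` for a User query and that the profile to flag is the stock `System Administrator`; the sample payload is constructed.

```python
import json

# Constructed sample in the shape `sf data query --json` returns for
#   SELECT Id, Name, IsActive, Profile.Name FROM User
# (two active admins, four deactivated accounts still on the admin profile).
SAMPLE_USERS_JSON = """{"status": 0, "result": {"totalSize": 7, "done": true, "records": [
{"Id": "005A1", "Name": "Dana Ortiz", "IsActive": true, "Profile": {"Name": "System Administrator"}},
{"Id": "005A2", "Name": "Lee Park", "IsActive": true, "Profile": {"Name": "System Administrator"}},
{"Id": "005A3", "Name": "Departed Staff 1", "IsActive": false, "Profile": {"Name": "System Administrator"}},
{"Id": "005A4", "Name": "Departed Staff 2", "IsActive": false, "Profile": {"Name": "System Administrator"}},
{"Id": "005A5", "Name": "Departed Staff 3", "IsActive": false, "Profile": {"Name": "System Administrator"}},
{"Id": "005A6", "Name": "Departed Staff 4", "IsActive": false, "Profile": {"Name": "System Administrator"}},
{"Id": "005A7", "Name": "Grants Manager", "IsActive": true, "Profile": {"Name": "Standard User"}}
]}}"""

ADMIN_PROFILE = "System Administrator"
ADMIN_LIMIT = 6      # six or more admin profiles costs 15 points (scoring section above)
ADMIN_PENALTY = 15

def load_records(cli_json):
    """Unwrap the records array; a non-zero status means the CLI query failed."""
    payload = json.loads(cli_json)
    if payload.get("status") != 0:
        raise RuntimeError("sf data query failed: %r" % payload)
    return payload["result"]["records"]

def admin_findings(users):
    """Count admin profiles, active or not, and list deactivated accounts that still hold one.
    Deactivation alone does not change the profile, so inactive admins count toward the limit."""
    admins = [u for u in users if (u.get("Profile") or {}).get("Name") == ADMIN_PROFILE]
    inactive = [u["Name"] for u in admins if not u.get("IsActive")]
    return {
        "admin_total": len(admins),
        "admin_active": len(admins) - len(inactive),
        "inactive_admins": inactive,
        "penalty": ADMIN_PENALTY if len(admins) >= ADMIN_LIMIT else 0,
    }

if __name__ == "__main__":
    print(json.dumps(admin_findings(load_records(SAMPLE_USERS_JSON)), indent=2))
```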
Finding 2: Online Donation Platform Running Perfectly
The org uses a cloud donation platform that syncs to Salesforce via API. Our audit detected over 380 API authentications in the last 90 days — one every few hours, around the clock. The integration is healthy, recent donations are flowing in, and the sync is reliable.
But here's the thing: the integration was configured by a former consultant whose contact email is still on the Connected App. If that consultant's email bounces and the platform sends a renewal notice or security alert, nobody at the org sees it. We flagged this for immediate remediation.
A generic audit tool would have flagged the Connected App as "exists." We flagged it as "working correctly but misconfigured for continuity."
Finding 3: $7.8M in Tracked Revenue — and It Matches the 990s
The org's Salesforce contains $7.8 million in tracked donations across roughly 2,900 Opportunities. When we cross-referenced against their publicly available 990 filings:
| Year | SF Revenue | 990 Revenue | Match |
|---|---|---|---|
| 2021 | $247,300 | $253,100 | 98% |
| 2022 | $1,836,400 | $1,912,700 | 96% |
| 2024 | $2,184,500 | $2,091,200 | 104% |
Within 2-5% for most years. The data is trustworthy. This is rare — most nonprofit orgs we've seen have significant gaps between what's tracked and what's real. Someone at this org did serious work building the donation infrastructure.
No generic audit tool makes this comparison. They can't — they don't know what your 990 says.
Finding 4: Donor Segmentation Reveals the Real Story
Our audit segments all won Opportunities by gift size:
| Gift Range | Donations | Revenue |
|---|---|---|
| $1 – $99 | 1,418 | $48,200 |
| $100 – $499 | 783 | $121,600 |
| $500 – $999 | 164 | $104,300 |
| $1,000 – $4,999 | 197 | $378,900 |
| $5,000 – $24,999 | 94 | $892,700 |
| $25,000+ | 42 | $6,284,300 |
42 gifts above $25,000 account for 80% of all revenue. This is a major-gift-dependent organization. The grassroots base (1,418 gifts under $100) generates less than 1% of revenue. This isn't a data quality finding — it's a strategic finding. It tells the executive director exactly where to focus: stewarding the top 40 donors is existentially more important than growing the email list.
Hubbl doesn't generate donor segmentation. It doesn't know what an Opportunity Amount means in a nonprofit context. It sees metadata. We see fundraising strategy.
Finding 5: $2.6M in Lapsed Major Donors
The audit surfaced 15 donors with $2.6 million in cumulative lifetime giving whose last gift was more than 12 months ago. Several are six-figure donors who last gave in late 2024 — they simply haven't been asked again.
This is the single highest-ROI finding in the entire audit. Re-engaging even a fraction of these lapsed major donors could recover $75K-$300K in gifts. No amount of metadata cleanup comes close to that impact.
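An added example, not part of the audit engine on this page, covering the Contact Role gap described in the opening list and this lapsed-donor finding: it attributes each won Opportunity to its primary Contact Role, scores the missing-role share with the 10-point rule from the scoring section, and lists donors over a lifetime threshold whose last gift is older than a year. The payload shape (subquery rows nested as their own `records` array, `null` when empty) and the sample gifts are assumptions.

```python
import json
from datetime import date

# Constructed sample shaped like the `sf data query --json` result for
#   SELECT Id, Amount, CloseDate, (SELECT ContactId FROM OpportunityContactRoles
#   WHERE IsPrimary = true) FROM Opportunity WHERE IsWon = true
SAMPLE_OPPS_JSON = """{"status": 0, "result": {"totalSize": 6, "done": true, "records": [
{"Id": "006A1", "Amount": 120000.0, "CloseDate": "2023-08-01", "OpportunityContactRoles": {"records": [{"ContactId": "003C1"}]}},
{"Id": "006A2", "Amount": 30000.0, "CloseDate": "2023-12-15", "OpportunityContactRoles": {"records": [{"ContactId": "003C1"}]}},
{"Id": "006A3", "Amount": 50000.0, "CloseDate": "2024-12-01", "OpportunityContactRoles": {"records": [{"ContactId": "003C2"}]}},
{"Id": "006A4", "Amount": 5000.0, "CloseDate": "2023-10-01", "OpportunityContactRoles": {"records": [{"ContactId": "003C3"}]}},
{"Id": "006A5", "Amount": 75.0, "CloseDate": "2024-11-02", "OpportunityContactRoles": null},
{"Id": "006A6", "Amount": 450.0, "CloseDate": "2024-03-20", "OpportunityContactRoles": null}
]}}"""

def load_records(cli_json):
    """Unwrap the records array from a successful (status 0) CLI payload."""
    payload = json.loads(cli_json)
    assert payload.get("status") == 0, "sf data query failed"
    return payload["result"]["records"]

def primary_contact(opp):
    """ContactId of the primary Contact Role, or None when the gift is orphaned."""
    recs = (opp.get("OpportunityContactRoles") or {}).get("records") or []
    return recs[0]["ContactId"] if recs else None

def contact_role_gap(opps):
    """Share of won gifts with no primary Contact Role; 25%+ costs 10 points."""
    missing = sum(1 for o in opps if primary_contact(o) is None)
    pct = round(100.0 * missing / len(opps), 1) if opps else 0.0
    return {"missing": missing, "pct": pct, "penalty": 10 if pct >= 25 else 0}

def lapsed_major_donors(opps, as_of_iso, min_lifetime=25000.0, lapse_days=365):
    """Attributed donors at or above min_lifetime whose last gift closed more than
    lapse_days before as_of_iso; rows are (ContactId, lifetime, last gift), largest first."""
    as_of = date.fromisoformat(as_of_iso)
    lifetime, last_gift = {}, {}
    for o in opps:
        cid = primary_contact(o)
        if cid is None:
            continue  # orphaned gift: counted by contact_role_gap, not attributable here
        closed = date.fromisoformat(o["CloseDate"])
        lifetime[cid] = lifetime.get(cid, 0.0) + (o["Amount"] or 0.0)
        last_gift[cid] = max(last_gift.get(cid, closed), closed)
    lapsed = [(cid, tot, last_gift[cid].isoformat()) for cid, tot in lifetime.items()
              if tot >= min_lifetime and (as_of - last_gift[cid]).days > lapse_days]
    return sorted(lapsed, key=lambda row: -row[1])
```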
Finding 6: Certificate Expiring in 47 Days
The org's X.509 certificate was approaching expiration. The executive director had received an email about "something expiring" but didn't know what it meant. Our audit found it in 90 seconds. The fix was a 15-minute certificate rotation.
If the certificate had expired without intervention, any integration depending on it would have failed silently. Donations might have stopped syncing. The org might not have noticed for weeks.
The Output: A Report You Can Actually Use
The audit generates three artifacts:
- Structured JSON — Every query result, every computed metric, every risk finding. Machine-readable. Feeds the HTML generator and supports programmatic analysis.
- Markdown report — Human-readable, version-controllable, diffable. The working document for the consultant.
- Branded HTML report — Self-contained single file. Dark theme. SVG health score ring. Collapsible sections. Donor segmentation bar chart. Navigation bar. Print-friendly CSS. Glossary of terms. Confidentiality banner. The thing the client opens in their browser.
The HTML report is designed for two audiences simultaneously: the executive director who needs plain-language explanations of what each finding means, and the technical consultant who needs the raw data to act on it. Every section opens with contextual guidance, followed by the data tables, followed by specific recommendations.
What This Means for Nonprofit Orgs
If you're a nonprofit running Salesforce with NPSP, the generic tools aren't built for you. They don't check the things that matter for your mission. They don't know that a missing Contact Role means a donor's giving history is invisible. They don't know that your recurring giving program has collapsed from $4,200/month to $89/month. They don't know that your biggest lapsed donor hasn't been asked in over a year.
We built this because we've been in the nonprofit ecosystem for over 20 years and we're tired of watching organizations fly blind. Your Salesforce contains the answers to your most important fundraising questions. You just need someone to ask the right questions.
148 of them, to be exact.
Want an audit of your nonprofit Salesforce org?
148 checks. Health score. Branded report. No sales pitch.