Security audits don't have to cost $20K and take 6 weeks. Here's what I check in the first 30 minutes of any engagement, and you can do it yourself.
SELECT COUNT() FROM User WHERE Profile.Name = 'System Administrator' AND IsActive = true
If this number is higher than 5, you have a problem. Every System Admin has full access to everything — data, configuration, metadata. Most orgs have 8-15 because "it was easier than creating a custom profile." That's a compliance risk.
SELECT CreatedDate, CreatedBy.Name, Action, Section FROM SetupAuditTrail ORDER BY CreatedDate DESC LIMIT 50
Look for changes made by people who shouldn't be making them. Look for changes made outside business hours. Look for permission changes you didn't authorize.
SELECT AssigneeId, COUNT(Id) FROM PermissionSetAssignment GROUP BY AssigneeId HAVING COUNT(Id) >= 10
Anyone with 10+ permission sets is over-permissioned. Period. Consolidate or remove.
Are sensitive fields (SSN, salary, commission amounts) visible to users who don't need them? Check this per profile and per permission set. This is the #1 thing SOC 2 auditors flag.
Are your profiles restricted to company IP ranges? If not, anyone with stolen credentials can log in from anywhere.
I built a free scanner that runs steps 1-3 automatically and flags the issues. Takes 60 seconds instead of 30 minutes. The full audit (steps 1-5 plus 15 more checks) is available as a paid service.