Governance documentation describes the intended state. A governance audit reveals the actual state. The gap between them is usually instructive.
Environment audit
- How many environments exist? Are all documented with a named owner and purpose?
- What is the Default environment being used for? Are there production workloads in it?
- Are environments named consistently with your convention?
- Are there environments with no recent activity?
DLP policy audit
- What DLP policies are active and which environments do they cover?
- Are all environments covered by at least one policy?
- When were policies last reviewed? Are new connectors classified?
- Are custom connectors classified appropriately?
Solution and app audit
- Are production solutions managed or unmanaged?
- What apps have no owner contact information?
- What apps have not been used in more than ninety days?
Security audit
- Who has System Administrator in each environment? Is this list minimal and justified?
- Are service accounts in use for production flows, or personal accounts?
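The checklist above can be turned into a repeatable script. The following is an added example, not part of the original page: it runs the environment, DLP-coverage, app-ownership, stale-app and managed-solution checks over a constructed inventory (the records, names and dates are made up; in a real tenant they would be pulled from the Power Platform admin cmdlets or admin API, and the DLP scope values follow the three policy shapes the platform exposes).

```python
from datetime import datetime, timedelta

# Constructed inventory (not real tenant data), standing in for admin API output.
NOW = datetime(2024, 6, 1)
ENVIRONMENTS = [
    {"name": "Default-tenant", "type": "Default", "owner": "", "purpose": "", "last_activity": "2024-05-30"},
    {"name": "prod-finance", "type": "Production", "owner": "fin-platform@example.test", "purpose": "Finance apps", "last_activity": "2024-05-28"},
    {"name": "sandbox-old", "type": "Sandbox", "owner": "alice@example.test", "purpose": "Trial", "last_activity": "2023-11-02"},
]
# "managed" records whether the app ships inside a managed solution.
APPS = [
    {"name": "Invoice Approvals", "env": "Default-tenant", "owner": "", "last_used": "2024-05-29", "managed": False},
    {"name": "Expense Tracker", "env": "prod-finance", "owner": "bob@example.test", "last_used": "2024-01-10", "managed": True},
]
# DLP scope: AllEnvironments, OnlyEnvironments (listed), or ExceptEnvironments (all but listed).
DLP_POLICIES = [
    {"name": "Baseline", "scope": "ExceptEnvironments", "environments": ["Default-tenant"]},
    {"name": "Finance strict", "scope": "OnlyEnvironments", "environments": ["prod-finance"]},
]

def policy_covers(policy, env_name):
    # True when the policy's scope includes the environment.
    scope, listed = policy["scope"], policy["environments"]
    if scope == "AllEnvironments":
        return True
    if scope == "OnlyEnvironments":
        return env_name in listed
    if scope == "ExceptEnvironments":
        return env_name not in listed
    raise ValueError(f"unknown DLP scope {scope!r}")

def audit(envs=ENVIRONMENTS, apps=APPS, policies=DLP_POLICIES, now=NOW, stale_days=90):
    # Returns (finding_code, object_name) pairs, one per checklist item that fails.
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for env in envs:
        if not env["owner"] or not env["purpose"]:
            findings.append(("ENV_NO_OWNER_OR_PURPOSE", env["name"]))
        if datetime.fromisoformat(env["last_activity"]) < cutoff:
            findings.append(("ENV_INACTIVE", env["name"]))
        if not any(policy_covers(p, env["name"]) for p in policies):
            findings.append(("ENV_NO_DLP", env["name"]))  # no policy reaches this env
    for app in apps:
        if not app["owner"]:
            findings.append(("APP_NO_OWNER", app["name"]))
        if datetime.fromisoformat(app["last_used"]) < cutoff:
            findings.append(("APP_STALE", app["name"]))
        env_type = next(e["type"] for e in envs if e["name"] == app["env"])
        if env_type == "Default":
            findings.append(("APP_IN_DEFAULT_ENV", app["name"]))  # workload in Default
        elif env_type == "Production" and not app["managed"]:
            findings.append(("PROD_UNMANAGED", app["name"]))
    return findings
```

Note that an "except" policy that lists the Default environment leaves it with no DLP coverage at all unless another policy reaches it, which the coverage check surfaces directly.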
The audit is not a blame exercise. It is a diagnosis. The findings tell you where to invest remediation effort.
Run a governance audit on a new tenant before building anything substantial. Run it on an existing tenant before starting a major new initiative.