Adobe Commerce Audit Checklist
Summary
Most Adobe Commerce audits are superficial: version numbers, extension counts, a few performance screenshots. That's not an audit. A real assessment uncovers how the implementation has drifted, where technical debt compounds, and whether the architecture can actually support what the business needs next.
This checklist covers the questions that separate useful audits from checkbox exercises.
The Cost of a Shallow Audit
A rushed audit leads to bad recommendations. You'll either overscope (proposing a replatform when optimization would work) or underscope (promising an upgrade when the codebase is too compromised to salvage).
Use this checklist to structure your technical discovery. Not every question applies to every engagement, but skipping categories entirely is how audits miss critical issues.
Codebase & Customization
How Compromised Is the Core?
- Have any core Magento files been modified directly, or are all changes implemented via plugins, preferences, and observers?
- How many custom modules exist, and how many are actively maintained versus abandoned mid-development?
- Are there modules that override the same classes or methods, creating conflict risks during upgrades?
- What percentage of custom code has automated test coverage?
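An added example (not part of the original checklist or of any project tooling) for the override-conflict question above: it parses each module's `di.xml` and reports classes that several modules replace via `<preference>`, or that one module replaces while other modules attach plugins to it. The module names and XML bodies are constructed samples; a real run would read the `etc/di.xml` files under `app/code` and `vendor`.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed di.xml bodies keyed by hypothetical module names (not from a real project).
SAMPLE_DI = {
    "Acme_Checkout": r"""<config>
  <preference for="Magento\Quote\Model\QuoteManagement" type="Acme\Checkout\Model\QuoteManagement"/>
  <type name="Magento\Catalog\Model\Product">
    <plugin name="acme_price" type="Acme\Checkout\Plugin\ProductPrice"/>
  </type>
</config>""",
    "Vendor_Erp": r"""<config>
  <preference for="\Magento\Quote\Model\QuoteManagement" type="Vendor\Erp\Model\QuoteManagement"/>
  <type name="Magento\Catalog\Model\Product">
    <plugin name="erp_price" type="Vendor\Erp\Plugin\PriceSync"/>
  </type>
</config>""",
    "Acme_Seo": r"""<config>
  <preference for="Magento\Catalog\Model\Product" type="Acme\Seo\Model\Product"/>
</config>""",
}


def find_override_conflicts(di_by_module):
    """Map each contested class to the reasons it needs review before an upgrade."""
    prefs, plugins = defaultdict(set), defaultdict(set)
    for module, xml_text in di_by_module.items():
        root = ET.fromstring(xml_text)
        for pref in root.iter("preference"):
            # Normalise the optional leading backslash so both spellings match.
            prefs[pref.get("for", "").lstrip("\\")].add(module)
        for type_node in root.iter("type"):
            if type_node.find("plugin") is not None:
                plugins[type_node.get("name", "").lstrip("\\")].add(module)
    report = {}
    for target in sorted(set(prefs) | set(plugins)):
        issues = []
        if len(prefs[target]) > 1:
            issues.append("competing preferences: " + ", ".join(sorted(prefs[target])))
        others = plugins[target] - prefs[target]
        if prefs[target] and others:
            issues.append("preference plus plugins from: " + ", ".join(sorted(others)))
        if issues:
            report[target] = issues
    return report


if __name__ == "__main__":
    for cls, issues in find_override_conflicts(SAMPLE_DI).items():
        print(cls, "->", "; ".join(issues))
```

With competing preferences only one module's class is actually used, so each hit marks custom logic that may be silently inactive.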
Extension Ecosystem Health
- How many third-party extensions are installed, and how many are still actively supported by their vendors?
- Are there extensions that duplicate functionality or conflict with each other?
- Which extensions have been modified post-installation, and are those modifications documented?
- Are there extensions that haven't been updated in more than 18 months?
Code Quality Signals
- Does the codebase follow PSR standards and Magento's coding guidelines?
- How much of the custom code uses deprecated methods or classes?
- Are there hardcoded values (URLs, store IDs, API keys) scattered through the codebase?
- What does static analysis (PHPStan, Psalm) reveal at strictness level 5+?
Database & Data Integrity
Schema Drift and Damage
- Have any core database tables been modified directly?
- Are there orphaned custom tables from removed extensions?
- How fragmented are the EAV attribute tables, and when were they last optimized?
- Are foreign key constraints intact, or have they been disabled for "performance"?
Data Quality Problems
- How many products have incomplete or inconsistent attribute data?
- Are there duplicate customer records from integration failures?
- How much historical order data exists, and is it actively queried or just stored?
- What's the actual size of the catalog versus active SKUs?
Indexer Reliability
- How long does a full reindex take for each indexer?
- Are indexers running on schedule, or are they frequently stuck or failing?
- Is the indexer mode set appropriately (schedule vs. save) for the business volume?
Performance & Infrastructure
Actual Performance Under Load
- What are actual response times for category pages, product pages, and checkout under normal load?
- What does New Relic (or equivalent) show for the slowest transactions?
- How much of the traffic hits Varnish/CDN versus origin?
- What's the cache hit ratio, and what's causing misses?
Infrastructure Fit
- Is the environment running on Adobe Commerce Cloud, or self-hosted?
- If Cloud, which tier, and are resource limits being hit?
- If self-hosted, when was the infrastructure last right-sized to current traffic?
- Is Elasticsearch/OpenSearch properly tuned for the catalog size?
Breaking Points
- What happens to performance during peak traffic (sales, campaigns)?
- Are there known bottlenecks that require manual intervention during high load?
- How quickly can the environment scale, and is it automated?
Integration Architecture
Integration Inventory
- What systems are integrated (ERP, PIM, OMS, CRM, marketing platforms)?
- For each integration, is it real-time, scheduled batch, or manual?
- Which integrations are built custom versus using vendor-supported connectors?
- What happens when an integration fails: is there retry logic, alerting, manual fallback?
Data Flow Mapping
- Where is product data mastered, and how does it flow into Commerce?
- How are inventory levels synchronized, and what's the latency?
- Are order and customer data flowing out reliably, or are there known sync gaps?
- How are price and promotion rules managed: in Commerce or upstream?
API Readiness
- Are REST and GraphQL APIs performing adequately for headless or mobile use cases?
- Are there rate limiting issues with third-party API calls?
- How much custom API development exists, and is it documented?
Security & Compliance
Patch Debt
- What's the current Adobe Commerce version, and how many versions behind is it?
- Are all security patches applied, including isolated security patches?
- When was the last security patch applied, and what's the patching cadence?
Access Control Reality
- How many admin users exist, and when was access last audited?
- Is two-factor authentication enforced for all admin accounts?
- Are there shared admin accounts or generic logins still in use?
- How are API credentials managed and rotated?
PCI Exposure
- If processing payments on-site, is PCI-DSS compliance current?
- Are there data handling practices that create compliance exposure?
- How is sensitive customer data encrypted at rest and in transit?
Business & Functional State
Feature Utilization
- Which native Commerce features are actively used versus ignored or worked around?
- Are there B2B features (company accounts, requisition lists, quotes) in use?
- How is the promotions engine being used, and are there performance concerns with complex rules?
- Is the staging and preview functionality being used for content and catalog changes?
Content & Catalog Workflow
- How are content updates made: Page Builder, direct database, external CMS?
- What's the workflow for product launches and catalog updates?
- Are there content or catalog management pain points that affect time-to-market?
Checkout Complexity
- Which payment methods are configured, and are they all actively used?
- Has checkout been customized, and how does that affect upgrade complexity?
- What's the cart abandonment rate, and are there known UX issues?
Operational Readiness
Deployment Maturity
- What's the current deployment process: automated CI/CD or manual?
- How long does a typical deployment take, and what's the rollback process?
- How frequently are deployments happening, and what's the failure rate?
Monitoring Coverage
- What monitoring is in place for uptime, performance, and errors?
- Are alerts actionable, or is there alert fatigue?
- How quickly are production issues typically detected and resolved?
Knowledge Continuity
- Is there current documentation for custom functionality and integrations?
- How much institutional knowledge exists only in people's heads?
- If the current team disappeared, could a new team operate the platform?
Turning Findings Into Recommendations
The goal isn't to check boxes; it's to build a clear picture of technical debt, operational risk, and feasibility for different paths forward.
Group your findings into:
- Blockers: Issues that must be resolved regardless of strategic direction
- Upgrade risks: Factors that complicate a version upgrade
- Replatform drivers: Problems that won't be solved by staying on Adobe Commerce
- Quick wins: Improvements achievable with modest effort
Your recommendation should trace back to specific findings. "We recommend replatforming" means nothing without the evidence trail showing why optimization or upgrade won't work.
How DigitalStack Supports This
DigitalStack provides a structured environment for platform audits where findings connect to recommendations instead of scattering across spreadsheets and slide decks:
- Audit findings link directly to stakeholder concerns and business objectives
- Technical debt items carry risk ratings and effort estimates
- Recommendations trace to specific evidence
- Deliverables generate from structured data rather than manual assembly
This turns a static audit into an engagement artifact that stays useful through decision-making and into implementation, not a PDF that gets emailed once and forgotten.
Next Step
If you're running Adobe Commerce audits with disconnected tools and manually assembled deliverables, request early access to see how DigitalStack structures technical discovery and advisory work.