Quick answer: A proper GA4 audit looks at six things — property configuration, tracking implementation, events and conversions, consent and privacy, attribution and integrations, and data quality. Below is the 25-point checklist we run on every Snifflytics audit, with a quick test for each item so you can verify it yourself in under an hour.
Most "GA4 audit" articles online stop at 10 generic items ("check your time zone, check your filters") and miss the things that actually move analytics from broken to trustworthy. This checklist is built from the failure modes we see most often on real GA4 properties — and is the same set of checks the free Snifflytics audit runs automatically.
Property & data foundation
If these settings are wrong, every report downstream is wrong with them. Audit these first.
1. Data retention is set to 14 months, not 2
GA4 defaults user-level data retention to two months. That's almost certainly not what you want — any year-over-year comparison or 6-month cohort analysis is impossible at the default.
Test: Admin → Data Settings → Data Retention. Set to 14 months.
2. Time zone and currency match the business
The time zone determines where day boundaries fall in your reports. Currency determines how ecommerce events are aggregated. Mismatches here silently distort revenue and daily comparisons.
Test: Admin → Property Settings. Confirm time zone matches your reporting business and currency matches your store currency. If you operate multiple currencies, you need a conversion strategy (most teams normalize to USD at the tag level before sending value).
3. Reporting identity is set deliberately
"Blended" is the default and uses User-ID, Google signals, device, and modeling in order. "Observed" drops modeling. "Device-only" is the most conservative. Many teams accept the default without realizing it changes how unique-user counts work.
Test: Admin → Reporting Identity. Pick the one that matches your stance on modeled data, and document the choice.
4. Internal traffic is filtered out
If your team and contractors are interacting with the site at the same rate as real users, your engagement metrics are inflated. Worse, internal traffic skews session replay and behavioral modeling.
Test: Admin → Data Streams → Configure Tag Settings → Define Internal Traffic. Add office and VPN IP ranges. Then Admin → Data Filters → Internal Traffic → set to Active.
5. Bounce-rate and engagement thresholds are intentional
GA4's "engaged session" definition (10 seconds, OR a conversion, OR 2+ page_views) is fixed, but the engagement-rate-driving behavior of your site varies. Make sure your team interprets the numbers correctly — and if you're seeing missing data due to thresholding, address it before drawing conclusions.
Test: Explore → Standard report → check Engagement Rate against a known-good baseline. Investigate any sudden shifts.
Tracking implementation
This is where most audits find the biggest fires.
6. GA4 tag fires on every page
The most common audit finding: some templates or campaign landing pages are missing the GTM container or gtag snippet entirely.
Test: Use the Tag Assistant Companion Chrome extension or the GA4 DebugView. Walk through every major template (home, category, product, cart, checkout, confirmation, blog, search). Each should show a page_view event.
7. No duplicate page_view events
The second-most common finding: GTM fires page_view and the GA4 config tag also fires page_view on the same page load. Engagement metrics, session counts, and pages-per-session all inflate.
Test: In DebugView, count page_view events per pageload. Should be exactly one.
8. Enhanced Measurement is configured intentionally
"Enhanced Measurement" auto-collects scrolls, outbound clicks, site search, video engagement, and file downloads. All useful, but if you also fire your own custom events for these (common in GTM-heavy setups), you double-count.
Test: Admin → Data Streams → your stream → Enhanced Measurement. For each enabled toggle, confirm you don't have a competing custom event in GTM.
9. Cross-domain measurement covers every domain in the journey
If users move between marketing site, store, and help center on different domains, GA4 will split that one user into multiple sessions unless cross-domain is configured. The _gl parameter (which carries the client ID across domains) drops silently for a number of reasons.
Test: Admin → Data Streams → your stream → Configure Tag Settings → Configure your domains. List every domain. Then read our cross-domain audit guide for the six ways the _gl parameter can still disappear even when configured.
10. Server-side GTM forwards everything it should
If you use server-side GTM, your client-side container sends events to a server endpoint that then forwards them to GA4. That hop is where client_id, session_id, gclid, and consent state regularly get dropped — silently.
Test: See our server-side GTM audit checklist for the 12 things to verify on a server container.
Events & conversions
11. Custom events follow GA4 naming conventions
GA4 has a list of recommended event names (sign_up, purchase, generate_lead, etc.). Using the recommended names unlocks reports that depend on them. Custom event names should be snake_case — GA4 is case-sensitive and "Purchase" and "purchase" are different events.
Test: Reports → Realtime → Event count by Event name. Look for inconsistencies (Sign_Up vs sign_up, purchase vs Purchase). Standardize.
12. Key events are real conversions, not page_views
GA4 lets you mark any event as a "key event" (formerly "conversion"). Teams sometimes mark page_view on a thank-you page as a conversion — which works until the URL changes, the page is removed, or a bot crawls it. Use a discrete event tied to the actual purchase or signup instead.
Test: Admin → Events → Key Events. Every entry should be a transactional event (purchase, sign_up, generate_lead), not a navigational one.
13. Conversions have a currency and value where applicable
Without currency and value parameters on ecommerce events, you can't compare ROAS across campaigns or run value-based bidding. GA4 will also reject events that send value without currency.
Test: DebugView → expand a purchase event. Check the parameter list includes currency (3-letter code) and value (numeric, no symbol). If you see a conversion mismatch between GA4 and Google Ads, this is one of the first places to look.
14. Ecommerce events include all required parameters
For the ecommerce funnel (view_item → add_to_cart → begin_checkout → purchase) to be useful, every event needs the items array with item_id, item_name, and ideally item_category, price, and quantity. Partial implementations break funnel and product-level reports.
Test: DebugView → each ecommerce event → expand items. Confirm presence and consistency of the required fields. If you're on Shopify, also check our note on double-counted Shopify purchases.
15. Custom dimensions and metrics are registered
You can send custom parameters with any event, but they don't appear as report dimensions until you register them in the GA4 admin. Common audit finding: events sending a plan_tier or account_id parameter that nobody can break out in reports because it was never registered.
Test: Admin → Custom Definitions. Cross-reference against the parameters your events actually send (see DebugView). Register anything you want to report on.
Consent & privacy
16. Consent Mode v2 is implemented with all 4 parameters
Required for EEA traffic since March 2024. Without it, you lose modeled conversions and risk GDPR breaches.
Test: See the full Consent Mode v2 audit checklist — 12 detailed checks specific to consent signaling.
17. Default consent is "denied" for EEA before any tag fires
The default consent state must be set in a script that runs before gtag.js, before GTM, before anything else. Defaulting to "granted" and then "downgrading" if the user rejects is a GDPR violation.
Test: View source on a page served to an EEA IP. The first script in <head> should be the consent default call with denied values and region: ['EEA', 'GB'].
18. CMP is on Google's certified CMP list
Non-certified CMPs may not correctly transmit consent signals. Certified CMPs include Cookiebot, OneTrust, Usercentrics, TrustArc, and others on Google's official list.
Test: Find your CMP on Google's certified CMP partner list. If it's not there, switch.
19. User data deletion is operable end-to-end
Under GDPR and CCPA, users can request deletion of their data. GA4 supports this via Admin → Data Deletion Requests. You also need a documented process for honoring requests received via email or your help desk.
Test: Submit a deletion request for a test user-ID through Admin → Data Deletion Requests. Confirm the request enters the queue and that you can produce a deletion timeline.
Attribution & integrations
20. Google Ads link is active
Without an active Google Ads link, you can't import GA4 conversions into Google Ads, can't share audiences for remarketing, and can't see Google Ads click data in GA4 acquisition reports.
Test: Admin → Product Links → Google Ads Links. Confirm the link shows "Linked." Conversion import should be enabled on the conversions you want to use for bidding.
21. Search Console is linked for organic landing-page data
Search Console gives you query-level data for organic search; GA4's Search Console integration brings that into the GA4 reporting interface so you can see organic landing-page performance alongside engagement and conversion data.
Test: Admin → Product Links → Search Console Links. Confirm linked and that the Search Console report appears under Reports → Acquisition.
22. BigQuery export is enabled if you want raw event data
GA4's UI applies thresholding, sampling, and 14-month retention. BigQuery export gives you every event as it was sent, indefinitely. Free up to a generous quota.
Test: Admin → BigQuery Links. Confirm there's an active link and that events are landing in the target dataset. Run a one-row query to verify.
23. Channel groupings handle your real traffic mix
GA4's default channel grouping has rules for what counts as "Paid Search" vs. "Organic Search" vs. "Unassigned." If you see a large "Unassigned" bucket, your UTM or referrer setup probably isn't matching the default rules.
Test: Reports → Acquisition → Traffic acquisition. If "Unassigned" is more than a few percent, follow our guide on fixing unassigned traffic in GA4.
Data quality & governance
24. Bot and spam traffic is excluded
GA4 filters known bots automatically, but country-level spam (e.g. China and Singapore data-center traffic) and referrer spam still get through. These inflate sessions and skew geographic reports.
Test: Reports → Tech → check country distribution against expected business mix. If you see suspicious volume from countries you don't serve, see our 3-layer fix for GA4 bot traffic from China and Singapore.
25. Tracking ownership is documented
The most overlooked audit item. Who edits the GTM container? Who's notified when a property setting changes? When the marketer who set up GA4 leaves, what happens? Without documented ownership, every audit finding eventually returns.
Test: Document a tracking ownership matrix: GA4 admin contacts, GTM editors, change-notification email list, on-call for tracking incidents. Store it somewhere your team can find it.
Frequently asked questions
How long does a GA4 audit take?
A manual audit covering the 25 points above takes 4–8 hours for a single mid-sized property if you know what you're looking for. Automated audits run in under five minutes. The Snifflytics audit covers most of this checklist in a single pass.
How often should I audit GA4?
Run a full audit quarterly, plus an event-level audit any time you launch a major site change, deploy a new GTM container version, or change CMPs. Tracking issues introduced by site changes are the most common source of broken analytics.
What's the difference between a GA4 audit and a GA4 health check?
"Health check" usually refers to a lightweight scan focused on tracking integrity — does the tag fire, are conversions counting. A full GA4 audit also covers configuration, governance, attribution, and integrations. Use the term "audit" when you want the comprehensive review.
Do I need to do this if I use a Consent Management Platform?
Yes — a CMP handles the consent collection piece (items 16–19), but everything else (configuration, tracking, events, conversions, attribution, integrations, data quality) is still your responsibility.
Can I get a free GA4 audit?
Yes. Snifflytics runs the audit covered in this checklist for free — connect your GA4 property with Google sign-in and you'll get a scored report in under five minutes.
Run this checklist automatically
The 25-point checklist above takes most teams 4–8 hours per property to work through manually. Run a free Snifflytics audit to cover most of it in five minutes — configuration, tracking integrity, conversion setup, consent signaling, and data-quality red flags, all checked automatically with a prioritized fix list at the end.