GA4 Audit: The 30-Point DIY Checklist for 2026

How to use this checklist

Work through all 30 items. Mark each as ✅ Pass, ⚠️ Needs attention, or ❌ Fail. Items marked ❌ Fail in the Critical category require immediate action — they indicate active data loss or measurement failure. Items marked ⚠️ in the Best Practice category are improvements that improve data quality but don't require emergency fixes.

Category 1: Property Configuration (8 items)

1. Data retention set to 14 months

Where to check: Admin → Data Settings → Data Retention → Event data retention

Pass: 14 months selected

Fail: 2 months (default) — Explorations limited to 2 months history; year-on-year analysis impossible

Fix: Change to 14 months immediately. Not retroactive — data before the change date cannot be recovered.

Severity: Critical

2. Timezone matches business operations

Where to check: Admin → Property Settings → Reporting time zone

Pass: Correct timezone for your primary market

Fail: Wrong timezone (e.g., UTC when business is based in London) — day-boundary sessions shift between days; weekly/monthly reports show wrong patterns

Severity: Medium

3. Currency matches platform currency

Where to check: Admin → Property Settings → Currency

Pass: Matches your e-commerce platform/CRM currency (GBP, USD, EUR, etc.)

Fail: Mismatched currency — revenue figures denominated in wrong currency

Severity: High (e-commerce sites)

4. Internal traffic filtered

Where to check: Admin → Data Streams → Web → More tagging settings → Define internal traffic

Pass: At minimum, your office IP range is defined; Data Filter active

Fail: No internal traffic filter — office browsing inflates sessions and distorts conversion metrics

Severity: Medium

5. Referral exclusions configured for payment providers

Where to check: Admin → Data Streams → Web → More tagging settings → Configure your domains

Pass: Payment processor domains listed (PayPal, Stripe, Klarna, etc.)

Fail: Payment providers creating referral sessions — attribution breaks for purchases

Severity: High (e-commerce)

6. Key events correctly configured

Where to check: Admin → Events → check which events have "Key event" toggled

Pass: 2–4 events marked as key events; these are genuine macro conversions (purchase, generate_lead, sign_up)

Fail: page_view, scroll, or session_start marked as key events; or zero key events defined; or >7 key events (inflation)

Severity: Critical

7. Google Ads linked (if running Google Ads)

Where to check: Admin → Google Ads Links → verify status shows "Linked"

Pass: Linked with all features enabled

Fail: Not linked — no conversion import, no audience publishing, no GA4-powered Smart Bidding

Severity: High (Google Ads advertisers)

8. BigQuery export enabled

Where to check: Admin → BigQuery Links

Pass: BigQuery project linked, daily export active

Fail/Not applicable: Not linked — can be enabled retroactively but future data only

Severity: Medium (nice to have for most; essential for high-traffic)

Category 2: Consent and Privacy (6 items)

9. Consent Mode V2 implemented

Where to check: DevTools → Network → filter collect → check for gcd parameter

Pass: gcd parameter present in GA4 hits

Fail: No gcd parameter — Consent Mode not implemented; modelled conversions won't activate; GDPR/Google Ads requirement not met

Severity: Critical (EU/UK, Google Ads advertisers)

10. All four V2 parameters set correctly

Where to check: GTM Preview Mode → Consent State tab on page load

Pass: analytics_storage, ad_storage, ad_user_data, ad_personalization all visible, defaulting to denied

Fail: Only analytics_storage and ad_storage visible (V1 implementation); or parameters defaulting to granted before consent

Severity: High

11. CMP accept → consent state updates correctly

Where to check: GTM Preview Mode → accept cookie banner → check Consent State tab updates to granted

Pass: All four parameters show granted after acceptance

Fail: Parameters remain denied after acceptance — update trigger not firing

Severity: Critical

12. No PII in page URLs

Where to check: GA4 → Reports → Engagement → Pages → change dimension to Page path + query string → scan for @ symbols or phone number patterns

Pass: No email addresses or phone numbers in page URLs

Fail: PII present in tracked URLs — GDPR violation and Google Analytics ToS violation

Severity: Critical

13. Data Processing Terms accepted

Where to check: Admin → Account → Account settings → Data Processing Amendment

Pass: Terms accepted

Fail: Terms not accepted — GDPR Article 28 controller-processor relationship not formalised

Severity: High

14. Data sharing settings reviewed

Where to check: Admin → Account → Account settings → Data Sharing Settings

Pass: Settings reviewed and disabled if not needed ("Google products and services", "Benchmarking")

Fail/Needs review: Default settings active without deliberate review

Severity: Low-Medium

Category 3: Event Tracking Quality (8 items)

15. Purchase event firing correctly (e-commerce)

Where to check: GA4 DebugView → complete a test purchase → verify purchase event fires with transaction_id, value, currency, items

Pass: All required parameters present and populated (no (not set))

Fail: Missing parameters, zero value, empty items array

Severity: Critical (e-commerce)

16. No duplicate transactions

Where to check: GA4 → Reports → Monetisation → E-commerce Purchases → check if any transaction IDs appear multiple times in BigQuery

Pass: Each transaction ID appears once

Fail: Duplicate transaction IDs — revenue over-reported; Smart Bidding corrupted

Severity: Critical

17. Revenue within ±10% of platform revenue

Where to check: Compare GA4 revenue to Shopify/WooCommerce/platform revenue for last full month

Pass: Variance ≤ 10%

Fail: Variance > 10% — significant over- or under-tracking

Severity: High

18. Lead form events firing correctly (lead gen)

Where to check: Submit a test form → verify generate_lead event in DebugView with form_id parameter

Pass: Event fires once on form success; form_id populated

Fail: Event fires on click (before validation), fires twice, or form_id is (not set)

Severity: Critical (lead gen)

19. No enhanced measurement duplicates

Where to check: GA4 → Reports → Events → check form_submit, scroll, outbound_click counts against expected volumes

Pass: No unexpectedly high event counts suggesting double-firing

Fail: Form events firing from both enhanced measurement and custom GTM tags — count is 2x actual

Severity: Medium

20. Custom dimensions registered

Where to check: Admin → Custom Definitions → review registered dimensions vs parameters being sent

Pass: All important custom parameters registered as custom dimensions

Fail: Custom parameters being tracked but not registered — can't use in standard reports

Severity: Medium

21. Cardinality check — no significant (other) in key dimensions

Where to check: Reports → Pages and screens (Page title dimension) → look for (other) row > 5%

Pass: (other) < 5% of page views in any standard report dimension

Fail: (other) > 5% — cardinality limit hit; analysis unreliable for that dimension

Severity: Medium

22. DataLayer integrity (for GTM implementations)

Where to check: Browser console → type dataLayer → check the array on key pages

Pass: dataLayer defined and populated with event pushes; no undefined values

Fail: dataLayer undefined, or events pushed before GA4 tag fires

Severity: High

Category 4: Attribution Quality (5 items)

23. Auto-tagging enabled (Google Ads)

Where to check: Google Ads → Settings → Account settings → Auto-tagging ON; verify google / cpc in GA4 Traffic Acquisition

Pass: google / cpc sessions present in GA4 when campaigns are active

Fail: All Google Ads traffic showing as Direct — auto-tagging broken

Severity: Critical (Google Ads advertisers)

24. (Other) / Unassigned < 5% of sessions

Where to check: GA4 → Reports → Acquisition → Session default channel group — check (Other) and Unassigned share

Pass: (Other) + Unassigned < 5% of total sessions

Fail: > 5% — UTM misconfiguration causing attribution loss

Severity: High

25. Direct traffic within expected range

Where to check: Traffic Acquisition → Direct channel share

Pass: < 30% for paid-media-heavy sites; < 40% for organic-focused sites

Fail: > 40% — potential attribution loss (broken UTMs, consent mode issues, cross-domain tracking failure)

Severity: Medium

Category 5: Reporting Quality (3 items)

26. Looker Studio dashboard functional

Where to check: Open any GA4-connected Looker Studio reports → verify data loading correctly

Pass: All charts loading with data matching GA4 report values

Fail: Broken connections, (not set) everywhere, or data not refreshing

Severity: Medium

27. Annotations maintained

Where to check: Any GA4 standard report → annotation icon → review recent annotations

Pass: Major tracking changes and site changes annotated within 48 hours of occurrence

Fail: No annotations in the last 90 days despite known changes

Severity: Low

28. Access management reviewed

Where to check: Admin → Account → Access Management → review all users

Pass: No stale users (former employees, former agencies), correct access levels

Fail: Former users still have access; or users with unnecessarily high access levels

Severity: High

Scoring