GA4 Property Audits at Agency Scale: A Repeatable 90-Minute Process (2026)

How do agencies run GA4 audits efficiently across multiple clients?

The repeatable 90-minute agency GA4 audit covers five domains in sequence: (1) property configuration (15 min — data retention, timezone, reporting identity, internal filters), (2) tag and consent (25 min — DevTools verification, Consent Mode status, CMP integration), (3) attribution integrity (15 min — channel group gaps, UTM consistency, auto-tagging), (4) data quality (20 min — event volumes, cardinality issues, duplicate transactions), (5) report writing (15 min — severity scoring, remediation roadmap).

Running this process across 10+ clients monthly requires two efficiency tools: a standardised checklist (so no domain is forgotten) and a report template (so findings are formatted consistently without re-writing each time). Both are described in detail below.

The 90-minute audit process

Domain 1 — Property configuration (15 minutes)

Access: GA4 Admin → Property Settings

Check in order:

Data retention (2 min)

• Event data retention: should be 14 months (default is 2 months — flag if not extended)
• Impact of default: Explorations only go back 2 months, breaking year-on-year analysis

Timezone (1 min)

• Does the timezone match the client's business operations timezone?
• Mismatch causes day-boundary attribution errors (sessions split across two days incorrectly)

Reporting identity (2 min)

• Which reporting identity is active? (Blended / Observed / Device-based)
• Is it appropriate for the client's use case?
• Device-based is closest to UA behaviour; Blended is the default and uses modelling

Currency (1 min)

• Does the currency match the client's reporting currency?
• Mismatch causes revenue figures in the wrong currency (e.g., USD reported for a GBP business)

Data streams (5 min)

• Are all expected streams present (web, iOS app, Android app)?
• Is enhanced measurement enabled on the web stream? Are the right events enabled?
• Are any unexpected streams present (test properties, old domains)?

Internal traffic filters (2 min)

• Is there an internal traffic filter excluding agency/client office IPs?
• If not, internal sessions inflate session counts and distort engagement metrics

Conversion events / Key events (2 min)

• Are the right events marked as key events?
• Are any events marked as key events that shouldn't be (e.g., page_view marked as a conversion — this inflates key event counts enormously)

Domain 2 — Tag and consent (25 minutes)

Access: Chrome DevTools on the client's live site

Consent Mode status (5 min)

• Open DevTools → Network → filter collect
• Check gcd parameter: 11t (all granted), 11l (denied/Advanced mode), absent (Consent Mode not implemented)
• Check all four V2 parameters in GTM Preview Mode Consent State tab
• Flag: missing gcd, wrong default state, V1-only parameters

GA4 tag firing on key templates (10 min)

• Homepage, category page, product page, checkout, thank you/confirmation page
• Verify GA4 configuration tag fires on each
• Verify purchase event fires on confirmation page (check transaction_id present)
• Check for duplicate firing (same event firing twice in the same page load)

PII detection (5 min)

• Search DevTools network request payloads for email patterns, phone numbers in page URLs
• Check dl (document location) parameter in GA4 hits for query strings containing user data

dataLayer inspection (5 min)

• Open browser console, type dataLayer — review the array
• Check for uninitialised dataLayer
• Check for ecommerce pushes (if e-commerce client) — verify items array structure

Domain 3 — Attribution integrity (15 minutes)

Access: GA4 → Reports → Acquisition

Channel group completeness (5 min)

• Are there significant sessions in Unassigned or (Other)? (more than 5% = flag)
• Is Direct traffic suspiciously high? (more than 30% for a paid-media-heavy client = likely attribution loss)
• Do all expected channels appear? (if client runs LinkedIn ads but no Paid Social sessions exist, UTMs are misconfigured or missing)

UTM consistency check (5 min)

• Reports → Acquisition → Traffic Acquisition → Secondary dimension: Session medium
• Look for inconsistent medium values: cpc, CPC, paid, paid_social all for the same channel = UTM naming convention problem

Auto-tagging verification (5 min)

• Reports → Acquisition → check for google / cpc sessions (auto-tagged Google Ads traffic)
• If Google Ads campaigns are running but no google / cpc sessions appear, auto-tagging is broken or final URLs are stripping gclid

Domain 4 — Data quality (20 minutes)

Access: GA4 → Reports + BigQuery (if available)

Anomaly scan (5 min)

• Check sessions trend over the last 90 days for unexplained spikes or drops
• Sudden 5x session spike from a single country = bot traffic
• Sudden 50% drop = tag removed or GA4 property disconnected from data stream

Event volume sanity check (5 min)

• Reports → Engagement → Events
• page_view should be the highest-volume event for content sites
• If scroll or click events are 10x higher than page_view, event deduplication issue
• If purchase count significantly exceeds GA4 transaction IDs in e-commerce backend data, duplicate transaction issue

Cardinality check (5 min)

• Reports → Engagement → Pages and screens
• If Page title = (other) represents more than 5% of page views, cardinality limit reached on that dimension
• Common cause: appending user-specific data to page titles

E-commerce reconciliation (5 min — for e-commerce clients only)

• Compare GA4 revenue vs Shopify/WooCommerce/platform revenue for the same period
• Acceptable variance: ±5–10%
• Variance above 10% = under-tracking (missing purchase events) or over-tracking (duplicate events)

Domain 5 — Report writing (15 minutes)

Use a severity scoring framework:

Minimum findings report structure:

• Executive summary: 3-line summary of most important finding + estimated impact
• Findings table: severity, domain, description, recommended fix, effort estimate
• Prioritised next steps: top 3 actions, with specific acceptance criteria for "done"

Template fields to populate per finding:

• Severity (Critical / High / Medium / Low)
• Domain (Property Configuration / Tag & Consent / Attribution / Data Quality / E-commerce)
• Description (what's wrong)
• Evidence (screenshot, DevTools output, or GA4 report screenshot)
• Business impact (what this costs in data quality or business terms)
• Recommended fix (specific steps)
• Effort estimate (engineer hours or analyst hours)

The three automated checks that save the most time

1. GA4 Audits automated scan (ga4audits.com) Runs 229 automated checks against property configuration in 8–12 minutes. Surfaces configuration findings (data retention, key events, streams, filters) without manual admin review. Use as the starting point for Domain 1 — eliminates the manual admin walkthrough for standard properties.

2. DataLayer Inspector+ (Chrome extension) Real-time dataLayer monitoring without opening DevTools manually for every page. Particularly useful for e-commerce event audit — shows ecommerce pushes as they fire with formatted item array display.

3. Screaming Frog for UTM coverage Crawl the client's ad landing pages to check UTM parameters are present in tracked URLs. Screaming Frog can export all unique query parameter combinations from crawled pages — cross-reference against expected UTM patterns to find missing or malformed campaign tags.