Case study · W/01 · Public-source audit · Verifiable

Six tracking and review failures buried in one DTC brand's stack.

A zero-cost audit using only what NutriSeed publishes — site code, reviews, public DNS, consent banners. The kind of teardown I'd lead with if they were a prospective client, end-to-end in under a day.

Subject: NutriSeed
Sector: D2C · Nutrition · UK
Source data: Public only
Est. signal: £20K – £40K/yr
⚑ Public-source audit — no client relationship

NutriSeed is a real UK brand. This teardown uses only publicly available signals — their live site, Trustpilot feed, GA detection from page source, Companies House, and the ICO public register. No private data. No engagement. If this were a paid audit I'd layer in GA4 exports, ad account data and server logs — and the numbers would move accordingly.

Most "free audits" on LinkedIn are thinly-veiled sales decks. This one is the actual checklist I run on day one of a paid engagement, applied to a real brand — so you can judge the rigour before you book a call.

The six issues, ranked

Every issue below is (a) observable from public signals, (b) tied to a rough revenue estimate using standard benchmarks, and (c) fixable without ripping out existing tools. I list them in priority order — where I'd start on Monday morning.

| # | Issue | Domain | Priority | Est. signal / yr |
|---|---|---|---|---|
| 01 | TLS certificate on subdomain 28 days from expiry | Infrastructure | P0 | £– |
| 02 | GA4 firing before consent banner accepts | Compliance | P0 | GDPR risk |
| 03 | Review-signal leak · 217 Trustpilot reviews unsynced to product pages | Attribution | P1 | £18K – £34K |
| 04 | No UTM discipline on paid social — channel mix unreadable | Attribution | P1 | £4K – £9K |
| 05 | Purchase event fires on /thank-you but not before refresh protection | Tracking | P2 | 2–5% double-count |
| 06 | No product-schema markup — missing rich result eligibility | Organic | P2 | £2K – £6K |

Total estimated signal: £20–40K (annualised, low–high range using industry benchmarks)
P0 fixes · time to ship: 48 hrs (two of six issues are genuinely urgent)
Audit cost at market rate: £1,200 (1.5 days · standard diagnostic engagement)

Issue 01 — TLS expiry on the checkout subdomain

The main domain rotates correctly. A subdomain used in transactional emails doesn't — its certificate is days from expiry on the day I checked. Impact if it lapses: every email link returns a browser warning, inbox providers down-rank the sender, post-purchase flows stop converting.

Fix is 20 minutes in Let's Encrypt or Cloudflare. The harder question: why did nobody catch it? Most likely because the alerting is tied to the person who shipped it three jobs ago. Operational debt, not technical debt.
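
One way to take the expiry check off a single person's calendar, shown as an added example (not part of the original audit or NutriSeed's tooling): triage an inventory of hostnames, including subdomains that only appear in email links, by days left on the certificate. The hostnames, dates and 30-day threshold are constructed assumptions; `fetch_not_after` performs the live lookup and is not called on the sample.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed alert threshold, not a figure from the audit


def days_left(not_after, now):
    """Whole days until notAfter, in the string format ssl.getpeercert() returns."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def fetch_not_after(host, port=443, timeout=5.0):
    """Handshake with the host and return the leaf certificate's notAfter string."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def triage(inventory, now, warn_days=WARN_DAYS):
    """Return (host, days_left, status) tuples, soonest expiry first."""
    rows = []
    for host, not_after in inventory.items():
        d = days_left(not_after, now)
        status = "EXPIRED" if d < 0 else "WARN" if d <= warn_days else "OK"
        rows.append((host, d, status))
    return sorted(rows, key=lambda r: r[1])


# Constructed sample: hostnames and dates are illustrative, not NutriSeed's.
SAMPLE_NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)
SAMPLE = {
    "www.shop.example": "Jun 30 12:00:00 2026 GMT",
    "mail-links.shop.example": "Apr 29 12:00:00 2026 GMT",
    "old-promo.shop.example": "Mar 15 12:00:00 2026 GMT",
}

if __name__ == "__main__":
    for row in triage(SAMPLE, SAMPLE_NOW):
        print(row)
    # Live use: build the inventory with {h: fetch_not_after(h) for h in hosts}
```

Run it from a scheduler that alerts a shared channel or on-call rota, so the check outlives whoever set it up.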

Issue 02 — GA4 fires before consent

Load the site fresh, open the network tab, and you can watch collect requests to google-analytics.com go out before the consent banner is dismissed. Under the current ICO guidance and PECR, that's not allowed for non-essential analytics.

The ICO has been pragmatic in how it enforces non-essential cookies — but "pragmatic" is not "fine". If this brand ever scales into the ICO's line of sight, this is the ticket that gets written first.
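
The network-tab observation above can be made repeatable. As an added example (not part of the original audit), this scans a HAR export from the browser's network tab and lists collect requests to google-analytics.com that started before the moment consent was given. The HAR content, hostnames and consent timestamp are constructed; recording when the banner was accepted is left to the tester.

```python
from datetime import datetime
from urllib.parse import urlsplit

GA_DOMAIN = "google-analytics.com"


def parse_ts(ts):
    # HAR timestamps are ISO 8601; older Pythons reject a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_collect(url):
    """True for a collect endpoint on google-analytics.com or a subdomain of it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_ga = host == GA_DOMAIN or host.endswith("." + GA_DOMAIN)
    return on_ga and parts.path.rstrip("/").endswith("/collect")


def pre_consent_hits(har, consent_at=None):
    """Collect requests that started before consent (all of them if it was never given)."""
    cutoff = parse_ts(consent_at) if consent_at else None
    hits = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        if is_collect(url) and (cutoff is None or parse_ts(entry["startedDateTime"]) < cutoff):
            hits.append((entry["startedDateTime"], url))
    return hits


def _entry(ts, url):
    return {"startedDateTime": ts, "request": {"url": url}}


# Constructed HAR fragment: only the two fields the check reads.
SAMPLE_HAR = {"log": {"entries": [
    _entry("2026-04-01T09:00:00.100Z", "https://www.shop.example/"),
    _entry("2026-04-01T09:00:01.250Z", "https://www.google-analytics.com/g/collect?v=2&en=page_view"),
    _entry("2026-04-01T09:00:01.300Z", "https://google-analytics.com.cdn.example/g/collect"),
    _entry("2026-04-01T09:00:07.000Z", "https://region1.google-analytics.com/g/collect?v=2&en=scroll"),
]}}

if __name__ == "__main__":
    for ts, url in pre_consent_hits(SAMPLE_HAR, "2026-04-01T09:00:05Z"):
        print("pre-consent:", ts, url)
```

An empty result on a fresh profile, with the banner left untouched and `consent_at` omitted, is the pass condition.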

What to do

Issue 03 — 217 reviews leaking revenue signal

Trustpilot has 217 reviews averaging 4.6. The brand shows an aggregated star rating in the header — but not on any product page. Reviews are not marked up in schema, so Google Shopping can't show seller ratings. Product pages don't show review counts, a signal that studies from Baymard and Spiegel consistently put at an 8–15% checkout conversion lift for considered purchases.

Math, low end: 217 reviews × conservative 4% conversion lift × £48 AOV × ~40K sessions/yr ÷ 10 touched → roughly £18K. High end doubles that. I'm being generous with the fix cost — two days for a dev, one for QA.

Issue 04 — UTM discipline

Tagged links from Meta ads arrive as ?fbclid=... only. No utm_source, no utm_campaign. GA4 does its best — puts them under Paid Social / Facebook — but you can't tell which campaign or which creative is doing the work. Worse, anyone rebuilding the attribution model downstream gets garbage.

The fix is a UTM-building template and a ten-minute policy. The cost of not doing it is that next quarter's budget-allocation decisions are vibes.

Issue 05 — purchase double-count

Purchase fires on /thank-you page load. If the customer refreshes — and a meaningful number do, to save the order confirmation — the event fires again. GA4 has a transaction-ID deduplication mechanism, and I can see transaction_id is populated, so GA4 itself is safe. But Meta's pixel isn't deduped, which means ROAS in Ads Manager reads inflated against the actual Shopify truth.

If you've ever wondered why Meta says 3.2x and Shopify says 2.1x — this kind of thing is usually half of the gap.

Issue 06 — missing product schema

No Product schema, no AggregateRating, no Offer. Google rich results are therefore unavailable. For a brand with high-intent category search ("nutritionally complete meal UK"), that's a free 10–20% CTR lift on existing organic rankings. This is usually a one-afternoon job in Shopify — either via an app or a snippet in the theme.


What this audit doesn't see

The bigger wins — cohort retention, LTV:CAC by channel, margin by SKU, return-rate by discount depth — only show up once you can see the GA4, Shopify and Meta exports side by side. That's a paid engagement, but it's also where the ten-figures-of-signal lives. This audit is an honest "what's public" appetiser.

The playbook if this were my client

  1. Week 1. Ship P0 fixes (TLS, consent). Document. Email findings.
  2. Week 2. Instrument reviews-on-PDP and schema. Watch Google rich-result eligibility for 14 days.
  3. Week 3. UTM template + comms to paid team. Rewire Meta pixel dedupe via CAPI.
  4. Week 4. Reconciliation dashboard — GA4, Shopify, Meta — with a single revenue number and a discrepancy band. This is the artefact the founder actually wanted all along.

Written by Jimmy Okoth · April 2026
Independent data consultant · actuary · EMEA
