Software Audit Checklist: Assessing Code Quality and Risk
A practical checklist for auditing software projects. Assess code quality, security risks, technical debt, and maintainability before acquisition or investment.
Strategic Systems Architect & Enterprise Software Developer
When and Why You Need a Software Audit
Software audits happen at inflection points. You're acquiring a company and need to know what the codebase actually looks like beneath the demo. You're inheriting a project from a previous developer and need to understand what you're walking into. You're six months into development and starting to feel the friction that suggests deeper problems. Or you're a non-technical founder trying to determine whether your development team built something solid or something fragile.
In every case, the goal is the same: develop an honest, structured assessment of the current state of a software system. Not "is this code beautiful?" but "what are the real risks, and what will it cost to address them?"
I've conducted audits on projects ranging from early-stage MVPs to enterprise systems with hundreds of thousands of lines of code. The patterns that signal trouble are remarkably consistent, and a systematic approach catches issues that gut-feel evaluations miss entirely.
The Audit Framework: Five Dimensions
A thorough software audit evaluates five dimensions, each revealing different types of risk.
Structural health examines the architecture and organization of the codebase. Are there clear boundaries between modules? Is there a consistent pattern for how data flows through the system? Or is the codebase a tangled graph where changing one feature risks breaking three others? I look for separation of concerns, consistent file organization, and whether the architecture matches the actual complexity of the problem being solved. Over-engineered architectures are just as concerning as under-engineered ones.
Dependency risk is one of the most underestimated dimensions. How many third-party dependencies does the project have? Are they actively maintained? Are there known vulnerabilities? I've seen projects with hundreds of transitive dependencies where a single abandoned library created a cascading security risk. Run npm audit or equivalent, check the maintenance status of critical dependencies, and evaluate whether any dependency could be replaced with a simpler solution.
Test coverage and quality goes beyond the coverage percentage. A project with 90% test coverage where every test is a snapshot test has different risk characteristics than a project with 40% coverage where those tests cover critical business logic with meaningful assertions. I evaluate whether tests actually verify behavior, whether they're maintainable, and whether the testing strategy matches the project's risk profile. The integration testing patterns matter more than the raw numbers.
Security posture requires examining authentication, authorization, data handling, and input validation. Are secrets hardcoded or properly externalized? Is user input validated and sanitized? Are there SQL injection vectors? Is authentication handled by a well-tested library or a hand-rolled implementation? Security issues found during an audit are dramatically cheaper to fix than security issues found after a breach.
Operational readiness evaluates whether the software can be reliably deployed, monitored, and maintained. Is there a CI/CD pipeline? Are there health checks? Can you deploy without downtime? Is there logging sufficient to diagnose production issues? A codebase that works on a developer's laptop but has no deployment story is an incomplete product.
Running the Audit: Practical Steps
Start with the automated tools. Static analysis, linting, type checking, dependency scanning — these catch a large volume of issues quickly and establish a baseline. Run tsc --noEmit for TypeScript projects, execute the full test suite, and review the build pipeline output. If the project can't build cleanly from a fresh clone with documented steps, that's your first finding.
Then move to manual review. Automated tools can't evaluate architecture decisions, naming clarity, or whether the code communicates its intent effectively. I typically review 15-20 representative files across different layers of the application, focusing on the most business-critical paths. Reading code is a skill, and it reveals things that tooling cannot — like whether the team had a coherent approach to error handling or was making it up as they went.
Interview the team if possible. The codebase tells you what was built, but the team tells you why. Understanding the constraints, timeline pressures, and trade-offs that shaped the code prevents you from misjudging intentional shortcuts as incompetence.
Presenting Findings Effectively
The output of an audit should be actionable, not just critical. Every finding should be categorized by severity (critical, high, medium, low) and effort to remediate (hours, days, weeks). This gives stakeholders the information they need to make decisions.
Critical findings are things that must be fixed before any other work: security vulnerabilities, data loss risks, compliance violations. High findings affect development velocity or reliability. Medium and low findings are improvements that should be scheduled into regular development work.
Resist the temptation to deliver a list of everything that's wrong without context. A codebase built under time pressure by a small team will always have rough edges. The audit's value comes from distinguishing between acceptable trade-offs and genuine risks — and giving the team a clear path forward. When I deliver audit results, I include specific recommendations that map to the project's actual priorities, much like the prioritization frameworks I use for my own technical debt decisions.