After conducting deep dive portal audits across companies of every size and hub configuration, one thing is consistently true: the surface of a HubSpot portal looks better than it is. Workflows are running. Emails are going out. Deals are moving. But when you look underneath — at the data model, the lifecycle logic, the automation dependencies, the reporting trust — what you usually find is a system that's held together with duct tape and institutional knowledge.
This is the audit framework we use at Hubber Digital. Seventeen sections. Every hub covered. No checkbox skipped. Here's what we look for, why it matters, and — at the end — how to build an audit schedule that keeps your portal healthy between the big annual reviews.
HubSpot is easy to get started in. That's one of its greatest strengths and, eventually, one of its biggest liabilities. Because it's easy to create a workflow, companies end up with 150 of them — 75 running, 93 off, and nobody who can tell you what the off ones were supposed to do. Because it's easy to create properties, portals accumulate hundreds of custom fields, most of which were built for a one-time import and have been sitting empty ever since.
The real damage isn't visible in day-to-day use. It shows up in forecasting meetings where no one trusts the pipeline. In attribution reports that contradict each other. In a sequence with a 6.5% bounce rate that no one caught because no one owns email health. In 33 super admins — nearly 40% of all users — with billing access and no documentation of who approved it.
These aren't edge cases. They're what a portal looks like after two or three years of siloed ownership and no governance structure.
"The real damage isn't visible in day-to-day use. It shows up in forecasting meetings where no one trusts the pipeline."
A deep dive audit isn't a settings checklist. It's an architectural review of every layer of your portal — from how your business model maps to your CRM configuration, to whether the AI features you're paying for are actually being governed. Here's what each section covers and what we consistently find.
This is always the first section because everything else depends on it. If lifecycle stages aren't defined in terms of your actual sales motion, every downstream report, workflow, and lead routing decision is built on a broken foundation.
What we typically find: lifecycle stages that don't reflect business reality, no documented MQL→SQL handoff criteria, and no SLA between marketing and sales. The HubSpot default stages are still in place. Automation is setting lifecycle stages based on deal creation rather than pipeline-specific logic — a shortcut that causes misalignment across multi-pipeline portals.
We look at how objects relate to each other and whether that architecture actually supports your business model. Most portals have never used the data model builder to document their CRM structure — which means object relationships exist implicitly, not intentionally.
Property sprawl is the norm. In one recent audit, we found 520 custom properties — 117 with no data, 291 unused in any asset, and several near-duplicates. That's not a property problem; it's a governance problem that compounds over time.
Data governance is the unglamorous infrastructure that makes everything else reliable. Without it, you're building automation and reporting on top of data you can't trust.
Common findings: data privacy settings are off despite collecting data in multiple countries (a compliance risk, not just a best practice). Duplicate management is unconfigured. Cookie consent text is still the HubSpot system default. And in one portal we audited — 2,854 duplicate issues, 26,100 formatting errors, and no sandbox environment.
Marketing Hub gets five sub-sections because there are five distinct places it can quietly break. Email health looks fine until you realize no one's monitoring bounces. Automation looks active until you count the 93 workflows that are off with no documentation. Lead scoring looks sophisticated until you notice no thresholds have been set and the scores aren't applied to any segment.
Campaigns are a particularly common mess — we regularly see campaigns tied to individual email sends rather than coordinated marketing initiatives, no owners assigned, no revenue attribution, and statuses left on "draft" for months.
Pipelines are where RevOps alignment either shows up or doesn't. If deal stages don't reflect real buying milestones, forecasting is fictional. If required properties aren't enforced, reps skip steps and reporting has gaps. If there are no exit criteria, deals pile up in stages they've outgrown.
In portals with multiple pipelines, governance degrades fast. Enterprise and expansion pipelines often have zero rules enforced, no automation, and no required properties — while the main sales pipeline is reasonably well-configured. That inconsistency is a reporting blindspot waiting to happen.
Sequences deserve special attention: 4,000+ active enrollments with a 45% no-response rate and a 6.5% bounce rate is a data quality emergency masquerading as a sequence problem. Sequence health is a leading indicator of CRM health.
Service Hub is the most under-audited section in most portals — because it's the newest, because it's often owned by a team that isn't fully integrated into the RevOps structure, and because its problems don't show up in revenue dashboards until they've compounded. SLAs, escalation workflows, and help desk routing logic should be documented and tested, not assumed.
CMS & Content Hub — Evaluate whether landing pages and website pages are being used correctly (landing pages are conversion-focused; website pages are informational). Google Search Console integration and blog SEO health are frequently overlooked.
Operations Hub — Review data sync integrations, programmable automation, and field mapping governance. Custom-coded actions should be documented and owned, not running as anonymous scripts.
Integrations & API — Every private app, OAuth connection, and legacy integration should be documented and audited for necessity. Legacy apps approaching sunset should be flagged and migrated. In one audit, we found a legacy Zoho integration generating 177 4XX errors per week with access to sensitive data — running unmonitored.
Reporting & Analytics — In portals with reporting sprawl, we often find 600+ reports, dozens of dashboards that haven't been viewed in a year, and 23+ reports with no identifiable name. The signal that reporting governance has broken down: leadership is still making decisions from spreadsheets. Fix: limit report creation, establish naming conventions, and build a source-of-truth dashboard pack.
Security & Permissions — Super admin count is the most commonly ignored security issue in HubSpot portals. We regularly see 30%+ of users holding super admin access — including external contractors. Best practice: four to six super admins maximum, with a "super admin lite" role for everyone else. Every user enrolled in 2FA. Deprovisioning process documented and enforced.
Multi-Brand — Multi-brand portals fail quietly. Two brands sharing one portal with no brand field enforcement means deal leakage between orgs, misrouted contacts, and lifecycle stage ambiguity. Every multi-brand portal needs a mandatory brand field on contacts, companies, and deals — enforced at record creation, not retrofitted.
Commerce Hub — The most common gap: subscriptions and invoices exist in the portal with no reconciliation to deal records. Thousands of invoices with no overdue automation, subscription types with null values, and renewal opportunities that are never created. If Commerce Hub is live, revenue operations need to own it end-to-end.
Breeze / AI — Predictive lead scoring and AI features are increasingly present in portals — but almost never fully activated. Scores are built but not applied to routing logic. Visitor intent data is configured but not triggering automation. Brand identity is partially complete. The AI features are on; the governance isn't. Establish who can build agents, document the knowledge base being used, and connect intent signals to actual workflows.
Every audit ends with a prioritized risk list and a set of quick wins — actions that can be completed in 48 hours to two weeks and have disproportionate impact. These aren't afterthoughts; they're the deliverables that make an audit actionable rather than just descriptive.
The most common key risks we identify across audits:
Hard bounces, unsubscribed contacts, and formatting errors accumulating without suppression automation. Deliverability and compliance deteriorate before anyone notices.
50%+ of workflows inactive, active workflows undocumented, and enrollment conflicts creating unpredictable data changes at scale. The system is doing things no one approved.
Deals missing close dates or amounts. Subscriptions unreconciled to deal records. Forecast categories not assigned. The pipeline number doesn't connect to the revenue number.
Too many super admins — including former employees and external contractors — with no deprovisioning process and no audit log review. This is a billing risk, a data risk, and a compliance risk.
The underlying risk beneath every other finding. Without a named portal steward, a change management process, and documented standards, everything else drifts back to the way it was within six months.
An audit without a roadmap is a report. A roadmap tells you what to do, in what order, with measurable success criteria at each phase. The sequence matters — you cannot build reliable automation on top of unclean data, and you cannot build trusted reporting on top of unreliable automation.
Phase 4 and beyond is ongoing optimization — lead scoring enhancements, A/B testing programs, enrichment strategies, and quarterly governance reviews. The first 90 days are about stabilizing. Everything after that is about scaling what works.
A deep dive audit is a moment-in-time diagnosis. But portals aren't static — they accumulate decisions, configurations, and technical debt constantly. The only way to avoid another full-scale remediation in two years is to build a recurring audit schedule that catches problems before they compound.
Here's how to think about audit cadence across different layers of the portal:
A few principles worth anchoring to:
Clean data before new automation. This applies to both your initial remediation and your ongoing governance. Every time you're tempted to build a new workflow or launch a new nurture sequence, ask whether the data it depends on is clean enough to trust. If not, fix the data first.
One lifecycle rulebook. Lifecycle stage definitions drift because multiple people interpret them differently over time. The fix is documentation — a single, linked rulebook that defines every stage, every transition criterion, and every automation that fires on stage change. Review it quarterly and enforce it structurally.
The portal steward is not optional. Without a named owner — someone accountable for governance, approvals, and the integrity of the data model — every audit finding will return within 18 months. It doesn't have to be a full-time role. But it has to be someone's actual responsibility.
Quarterly reviews beat annual scrambles. The cost of a quarterly 2-hour governance review is a fraction of the cost of a full remediation. The portals we've seen that hold up over time all have one thing in common: someone is looking at them on a schedule, not just when something breaks.
Your HubSpot portal is the infrastructure layer your revenue motion runs on. Treat it like infrastructure — with documentation, governance, and a maintenance schedule — and it performs like infrastructure. Leave it ungoverned, and it becomes the thing your team works around instead of the thing they work from.
We conduct deep dive HubSpot portal audits covering all 17 sections — from data architecture to AI governance — and deliver a prioritized remediation roadmap with a phased implementation plan. If you're not confident your portal reflects your business accurately, the audit will tell you exactly why.