
The anatomy of an audit that actually finds things

July 3, 2026·11 min read

TL;DR

  • A real finding names the element and the measurement: a pricing-page button at 1.9:1 contrast against the 4.5:1 that WCAG 2.2 AA requires, screenshot attached.
  • Visitors rarely leave over one big failure; they leave over accumulated small wrongness like mismatched button labels and a copyright line that still says 2024.
  • A complete audit runs six passes: accessibility, felt performance (INP under 200ms), real form submissions, copy and trust signals, SEO structure, and mobile at 375px.
  • Prioritise by what a problem costs the business this week; the reader should know their first three fixes within thirty seconds of opening the report.

There are two ways a website audit usually fails. It’s either a 90-page wall of automated warnings that nobody reads past page six, or a breezy two-page summary that could describe any site on the internet. If you want to know how to audit a website so the audit actually changes what gets shipped next week, the answer is not a longer checklist. It’s a hierarchy: evidence first, sensitivity to small things, the right mix of measurement and judgment, and prioritisation firm enough to tell people what to ignore.

We’ve written a couple hundred audits by hand at our agency, and eventually built Audaitly to carry the mechanical parts of the job. This post is about the craft itself: what we check, in what order, and why. Steal any of it.

Evidence, or it didn’t happen

“Improve your CTA” is not a finding. It’s a vibe. A finding points at something real: the exact element, the measured value, the screenshot, the line of copy. “The primary button on the pricing page renders light grey text on a lighter grey background at a 1.9:1 contrast ratio, against the 4.5:1 that WCAG 2.2 AA requires” is a finding. Someone can fix it this afternoon and verify the fix tomorrow.

Evidence does three jobs at once. It makes the finding checkable, so nobody has to trust the auditor’s taste. It makes it fixable, because the developer knows exactly where to go. And it makes it survivable in the client meeting, where “the audit says our button is bad” invites an argument and a screenshot with a measured ratio does not. We learned that second part the hard way, on a call where a client’s developer disputed a finding for ten straight minutes until we shared the screenshot with the computed values on it. Ten minutes of friction that one image would have prevented.

This is a hard rule inside Audaitly too: every claim ships with its evidence attached, and anything the engine can’t verify doesn’t ship at all. If you’re auditing by hand, the discipline is the same. Screenshot as you go. Record the numbers, not your impression of the numbers. Your future self, writing the report at hour five, will thank you.

Why do the small things matter so much in an audit?

Small details decide whether a visitor trusts a site, because visitors almost never leave over one big failure. They leave over an accumulation of small wrongness they couldn’t articulate if you asked: a quotation mark that opens and never closes, “Get started” in the nav and “Get Started” in the hero, a copyright line that still says 2024. This is the layer that rarely makes it onto a website audit checklist.

Add five impressive logos with no case study, no link, no story behind any of them. Each one is trivial. Together they whisper: nobody careful lives here. And a visitor who has decided nobody careful lives here does not enter their card details.

This is also where AI-written copy quietly hurts sites now. The tells are recognisable: the same three adjectives cycling through every section, punctuation flourishes on every line, statistics with no source, that faintly weightless tone that says a great deal and asserts nothing. Readers are getting better at spotting it, faster than most site owners realise. An audit that doesn’t actually read the copy isn’t an audit. It’s an inventory.

What does a good website audit actually contain?

A good website audit contains six passes: accessibility and contrast, performance where users feel it, real form submissions including failure states, copy and trust-signal review, an unfancy SEO and structure check, and a full mobile pass at 375px. Every finding carries evidence and a priority.

What follows is the spine of our own process, the part that fits in a blog post. Two ground rules first. Crawl the whole site before judging any page of it, because half the serious problems (orphaned pages, inconsistent CTAs, broken internal paths) only show up in the aggregate. And then work page by page, not site-wide, because averages hide problems. A site with 59 fine pages and a broken checkout is not 98% fine.

Accessibility and contrast

Start here because failures are objective and everywhere. Body text contrast at 4.5:1 minimum, 3:1 for large type, and check states, not just resting buttons: hover, focus, disabled. Tab through the entire page with a keyboard; if the focus indicator vanishes on the third element, you’ve found a real bug that real people live with. Then images. Every meaningful image needs alt text that carries the meaning, and decorative ones need empty alt attributes so screen readers skip them. A team photo whose alt text is the export filename fails both ways. Heading order matters more than people think: one h1, no skipped levels, because assistive tech navigates by that outline even when the visual design hides it.
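The contrast thresholds above can be measured rather than eyeballed. The following is an added example, not Audaitly's code: it computes the WCAG contrast ratio for each state of an element and returns only the failing states with their evidence. The selector and colours are constructed sample data.

```javascript
// WCAG 2.x contrast check that emits evidence-bearing findings.
// Selector and colours below are constructed sample data.

// Linearise one 8-bit sRGB channel (WCAG relative-luminance definition).
function channel(v) {
  const c = v / 255;
  return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

// Relative luminance of a "#rrggbb" colour.
function luminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex);
  if (!m) throw new Error(`expected #rrggbb, got ${hex}`);
  const n = parseInt(m[1], 16);
  return 0.2126 * channel(n >> 16) +
         0.7152 * channel((n >> 8) & 0xff) +
         0.0722 * channel(n & 0xff);
}

// Contrast ratio (lighter + 0.05) / (darker + 0.05), from 1 to 21.
function contrastRatio(fg, bg) {
  const [hi, lo] = [luminance(fg), luminance(bg)].sort((a, b) => b - a);
  return (hi + 0.05) / (lo + 0.05);
}

// One finding per failing state, carrying the element, state, colours,
// measured ratio and the threshold it missed.
function auditContrast(samples) {
  return samples.flatMap(({ selector, largeText, states }) => {
    const required = largeText ? 3 : 4.5;
    return Object.entries(states)
      .map(([state, { fg, bg }]) => ({
        selector, state, fg, bg, required,
        measured: Math.round(contrastRatio(fg, bg) * 100) / 100,
      }))
      // Compare the unrounded value so 4.499 never rounds up to a pass.
      .filter((f) => contrastRatio(f.fg, f.bg) < required);
  });
}

// Constructed sample: a CTA that passes at rest but not on hover or focus.
const samples = [
  { selector: "#pricing .cta", largeText: false, states: {
      rest:  { fg: "#ffffff", bg: "#767676" },
      hover: { fg: "#ffffff", bg: "#777777" },
      focus: { fg: "#cccccc", bg: "#e6e6e6" } } },
];

console.log(auditContrast(samples));
```

The resting state passes, so a check that only samples the default button would report nothing here.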

Performance where users feel it

Skip the vanity score and check the feel. The hero image is the usual crime scene; we still find 2.4 MB PNGs where a 140 KB WebP would look identical. Watch for fonts that swap visibly two seconds in, and for layout shift when the cookie banner loads. Then interaction: INP, the gap between a tap and the page visibly reacting, should stay under 200ms, because a menu that takes half a second to open reads as broken even when it isn’t. Test on a throttled connection at least once per audit. Your users are not on office fibre.

Forms, where money goes to die

Submit every form. Actually submit it. Then submit it wrong: a malformed email, an empty required field, and if you can simulate one, a failing endpoint. What you’re hunting is the failure state. Does the user get told what went wrong, or does the page swallow the submission and smile? We once watched a client lose three weeks of leads to a form that spun forever on error, and it permanently changed how we treat this section. Check the success path’s honesty too: if the thank-you page promises a reply within one business day, ask who owns that promise.

Copy, consistency, and trust signals

Read every page, ideally aloud. You’re listening for claims without support (“trusted by hundreds” with nothing behind it), tone that lurches between pages, button labels that disagree about the same action, prices and dates that contradict each other, and dead ends: social icons that 404, a blog last touched fourteen months ago sitting proudly in the main nav. Each of these is a two-minute fix. Finding them is the actual job.

SEO and structure, without the theatre

We keep this pass deliberately unfancy. Each page should target one intent; a services page trying to rank for nine things usually ranks for none of them. Titles and descriptions should be written for a human scanning results, not stuffed until they read like a ransom note. Check canonicals, check for orphan pages the crawl found but no menu links to, and check that the sitemap reflects the site that exists today rather than the one that existed in March. None of this is clever. All of it compounds.
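The orphan and sitemap checks reduce to set comparisons once the crawl is complete. This added example (not part of the original post or of Audaitly) assumes a crawl result shaped as URL to status and outbound internal links, and treats a page as orphaned when no other live page links to it, which is broader than "no menu links to". All URLs are constructed.

```javascript
// Structure check over a finished crawl: orphans, stale sitemap entries,
// and live pages the sitemap omits. All URLs are constructed sample data.

function auditStructure(crawl, sitemap, home = "/") {
  const live = new Set(
    Object.keys(crawl).filter((url) => crawl[url].status === 200));

  // Count inbound internal links, ignoring self-links and dead sources.
  const inbound = new Map([...live].map((url) => [url, 0]));
  for (const from of live) {
    for (const to of new Set(crawl[from].links)) {
      if (to !== from && inbound.has(to)) inbound.set(to, inbound.get(to) + 1);
    }
  }

  const inSitemap = new Set(sitemap);
  return {
    // Live, but nothing on the site links to it (home page excepted).
    orphans: [...live].filter((u) => u !== home && inbound.get(u) === 0).sort(),
    // Listed in the sitemap but missing from the crawl or not returning 200.
    staleSitemap: sitemap.filter((u) => !live.has(u)).sort(),
    // Live, yet absent from the sitemap.
    missingFromSitemap: [...live].filter((u) => !inSitemap.has(u)).sort(),
  };
}

// Constructed crawl: status plus outbound internal links per URL.
const crawl = {
  "/":               { status: 200, links: ["/pricing", "/blog", "/"] },
  "/pricing":        { status: 200, links: ["/", "/checkout"] },
  "/blog":           { status: 200, links: ["/", "/blog/launch"] },
  "/blog/launch":    { status: 200, links: ["/blog"] },
  "/checkout":       { status: 200, links: [] },
  "/landing/spring": { status: 200, links: ["/pricing"] }, // found via sitemap only
  "/old-offer":      { status: 404, links: [] },
};
const sitemap = ["/", "/pricing", "/blog", "/landing/spring", "/old-offer"];

console.log(auditStructure(crawl, sitemap));
```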

The pass most people skip: mobile, for real

Not the responsive-mode spot check. The full pass, at 375px, with your thumb. Cookie banners that bury the CTA, tap targets that overlap, tables that force horizontal scrolling, sticky headers that eat a third of the viewport. On most of the sites we audit, mobile is the majority of traffic and the minority of the team’s attention. That gap is where conversions quietly go missing.

Deterministic checks and judgment need each other

Half of auditing is measurement. Contrast, image weight, response codes, heading structure, link integrity. Machines should do this half, exactly, every single time, because humans doing arithmetic at hour five make mistakes and machines don’t get bored.

The other half is judgment. Whether the hero says anything a stranger would understand in five seconds. Whether the pricing page answers the questions buyers actually have or the questions the founder wishes they’d ask. Whether the copy sounds like a person. No regex catches any of that. This is where we put a frontier model to work in Audaitly, and where you should put your most senior reviewer when working by hand. The trick is keeping the two halves honest against each other. Judgment proposes, measurement verifies. A model saying “this button is hard to read” is a guess. The same claim with a computed 1.9:1 ratio behind it is a finding.

Prioritise like the fixes cost money

Because they do. A hundred findings in no particular order is a to-do list nobody starts. We grade by one blunt question: what does this cost the business this week? A checkout form eating submissions outranks everything on the page. A contrast failure on the primary CTA outranks the same failure in the footer. An awkward sentence on the About page might rank nowhere at all, and that’s fine. Part of a good audit is granting explicit permission to ignore things.

One rule we hold ourselves to: if everything is critical, nothing is. In Audaitly’s reports the criticals surface first, page by page, and the long tail stays visible but out of the way (the features overview shows how findings are structured). Whatever tool or document you use, do the same. The reader should know their first three fixes within thirty seconds of opening the report.

Ship the findings as work, not literature

The final failure mode is the beautiful PDF. Findings die in PDFs. Whatever you find has to become tickets someone owns, with the evidence attached, so the person fixing it never has to re-derive the problem from a paragraph. This is why Audaitly turns every finding into an assignable task rather than prose (the docs walk through that flow). If you audit by hand, budget a final hour just for converting findings into tickets. It’s the most valuable hour in the entire process, and the one most often skipped.

A good audit is a strange product. Done right, it’s mostly a list of small, boring, checkable things, held together by judgment about which ones matter. It doesn’t flatter the site or the auditor. And it ends not with a grade but with next week’s work, in priority order. That’s the bar. We miss it sometimes too. But it’s the right bar.
