GA4 & Google Analytics Audit Tool

Sample report. This is a demonstration audit of a fictional ecommerce store, North Peak Outdoors. Connect your own GA4 and GTM accounts to run a real audit in under two minutes.

PartialGTM ✓Cookie scan ✓GA4 events ✓GA4 conversions ✓

Consent Architecture

Cookie Classification

GTM Tag Governance

GA4 Event Quality

Conversion Integrity

North Peak Outdoors has a functional GA4 and GTM setup with solid foundations — the tracking is live, bot filtering is on, and data retention is correctly configured. However, four Google tags in GTM have no consent type set and no blocking trigger, meaning they fire regardless of what visitors choose on the cookie banner. A duplicate purchase event is inflating reported revenue by around 8%. Together these mean the analytics data — and the decisions built on it — are currently unreliable. None of them are difficult to fix.

In a real audit

Export to Google DocExport to Google Sheet— a client-ready report, generated in one click

4 GTM tags have no consent type set and are firing unconditionally — resolve before relying on this setup for GDPR compliance

Findings are signals to verify, not final verdicts. Some are flagged from naming or configuration patterns and may not apply once you investigate — a field named email_address flagged as personal data, for example, can be fine if it only ever holds a hashed value. Confirm each before acting. Learn more

Critical

(2)

Critical4 tags firing without consent gating (googtag, awct, awct, sp)

Four live GTM tags — the Google Tag (GA4), two Google Ads Conversion tags, and the Remarketing tag — have their consent type set to 'not set' and no blocking trigger. These tags have no mechanism to wait for a visitor's consent decision before firing. They collect data from every visitor regardless of what the cookie banner says.

Fix: In GTM, open each tag and set the Consent Type in Consent Settings to 'analytics_storage' (for the GA4 tag) or 'ad_storage' (for the Google Ads tags). This tells the platform which consent signal to check before the tag fires.

CriticalDuplicate purchase events detected

Your purchase event is firing twice on the order confirmation page — 34 of 412 transactions in the last 30 days were recorded as duplicates. This inflates reported revenue by roughly 8% and corrupts the conversion data that any connected ad platform relies on to optimise spend.

Fix: Add a transaction_id-based deduplication check, or move the purchase tag onto a single trigger that fires once per completed order. Verify in GA4 DebugView that purchase fires exactly once per transaction.

High

(2)

HighConsent Mode v2 not configured

No Consent Mode v2 variables were detected in the GTM container. Without Consent Mode v2, Google's tags cannot adjust their data collection based on visitor consent choices, and you lose access to Google's conversion modelling that recovers consent-declined traffic.

Fix: Implement Consent Mode v2 in GTM with a Consent Initialisation trigger, and confirm your CMP pushes default and update consent states before any tags fire.

HighPayment gateways appearing as referral traffic

PayPal and Stripe appear as traffic sources for 6% of sessions. When customers return from the payment page, GA4 starts a new session credited to the payment provider instead of the original marketing channel — breaking attribution for your highest-value (purchasing) visitors.

Fix: Add paypal.com, stripe.com and your other payment domains to the GA4 referral exclusion list (Admin → Data Streams → Configure tag settings → List unwanted referrals).

Medium

(1)

MediumScroll event firing twice (Enhanced Measurement + GTM)

GA4 Enhanced Measurement and a GTM tag are both sending the scroll event, so every scroll is counted twice. This inflates engagement metrics and any audience or report built on scroll depth.

Fix: Pick one source for the scroll event. The simplest fix is to disable scroll tracking in Enhanced Measurement and let the GTM tag own it, or vice versa.

Low

(3)

Low12 unused triggers in the container

The GTM container has 12 unused triggers not referenced by any tag. They have no data impact but add clutter and make the container harder to audit and maintain.

Fix: Review and delete the unused triggers as part of routine container housekeeping.

LowLegacy Universal Analytics tag present (paused)

A Universal Analytics tag remains in the container in a paused state. UA was shut down in July 2024 — the tag collects no data but should be removed.

Fix: Delete the paused Universal Analytics tag from the container.

LowThird-party platforms detected: Meta Pixel, Hotjar, Klaviyo

Three third-party tracking platforms are active in the GTM container: Meta/Facebook Pixel, Hotjar, and Klaviyo. Each should be listed in your privacy policy and cookie notice, and gated behind the appropriate consent type.

Fix: Verify each platform is disclosed in your privacy policy and cookie notice. Confirm each tag has the correct consent type set in GTM (ad_storage for Meta, analytics_storage for Hotjar, functionality_storage for Klaviyo).

Working Well

✓GA4 Configuration tag installed and firing on all pages

✓Bot filtering enabled — known crawler traffic excluded from reports

✓Data retention set to 14 months (maximum available)

✓Single GA4 web stream — no duplicate property tracking

✓No test or sandbox GA4 properties detected in the production container

✓No development domains in Conversion Linker configuration

✓Consistent tag naming convention across the container

Run this on your own setup

Connect your GA4 and GTM accounts and get a scored audit like this one — with a client-ready export — in under two minutes.

Run your free audit →