Inside a Shopify CRO Audit: 6 Days, 7 Areas, 100+ Stores

The short answer: A Shopify CRO audit is a 6-day diagnostic that examines a store across 7 areas (PDP, collection, cart and checkout, mobile UX, Core Web Vitals, analytics integrity, app and code bloat) and delivers a written report, a prioritized fix list ranked by estimated dollar impact, a Loom walkthrough, and a 30-day implementation plan. The point is not to list every issue. The point is to rank the few fixes that move revenue the most and hand the merchant a plan that survives contact with their developer. This post walks through how I run one, drawing on 100-plus audits over 12 years.


If a prospect asks me what I actually DO inside a CRO audit, this is the post I send them. The two existing guides on this site are the educational pillar (the Shopify CRO audit guide) and the self-serve pillar (the Shopify CRO audit checklist). This one is the process pillar. It is what merchants actually pay for.

The work has not changed much in 12 years. The tooling has. GA4 replaced Universal Analytics. Core Web Vitals replaced PageSpeed. Hotjar lost ground to Microsoft Clarity because Clarity is free. Apps got bigger and slower. The 7-area framework still maps cleanly to where the money leaks.

[Image: Allbirds homepage on Shopify Plus, the kind of large-DTC storefront a CRO audit walks through page by page across PDP, collection, cart, checkout, mobile UX, and Core Web Vitals]

What is a Shopify CRO audit and what does it include?

A Shopify CRO audit is a structured diagnostic of a live store that identifies where conversion is leaking, ranks each leak by estimated dollar impact, and delivers a written remediation plan. It is not a Lighthouse score. It is not a list of design opinions. It is a numbered set of fixes, each one tied to a specific page, a specific user behavior, a specific dollar figure, and a specific implementation path.

A finished audit deliverable on my desk has five components. The audit report runs 25 to 60 pages. The fix list is a separate document or sheet ranked by dollar impact. The Loom walkthrough is 30 to 60 minutes of me on the screen with the merchant’s store open, talking through every finding. The 30-day implementation plan is a week-by-week schedule of which fixes ship in which order. The delivery call is a 60-minute working session at the end where the merchant asks questions and we agree on what happens next.

The merchant’s developer should be able to start work on day one of the implementation plan without ever opening Slack to ask me what I meant. That is the bar. If the audit is not implementation-ready, it is not done.

How long does a Shopify CRO audit take?

Six business days end-to-end is the standard timeline. Three days for diagnosis, two days for documentation, one day for delivery. That assumes access is handed off cleanly on day zero. Roughly one in four audits slips by 24 to 48 hours because the merchant takes time to invite me to GA4 or Search Console.

Here is the day-by-day breakdown:

Day | Phase | What happens
--- | --- | ---
0 | Discovery call | 30-minute Calendly call. Confirm scope, traffic shape, top 3 pain points, KPI baseline.
0 | Access handoff | Staff invite to Shopify admin, Viewer to GA4 and Search Console, read to Clarity or Hotjar, dev theme created.
1 | Analytics diagnostic | GA4 funnel pull, GSC query and CTR pull, Clarity heatmap and rage-click review.
2 | Storefront audit | PDP, collection, cart, checkout walked manually on desktop, mobile, Safari, Chrome, low bandwidth.
3 | Code and theme audit | Theme inspector, app stack inventory, Liquid review, Lighthouse on PDP and collection.
4 | Data triangulation | Cross-check GA4 funnel drop-offs against Clarity sessions and storefront findings.
5 | Report and Loom | Write the report, build the prioritized fix list, record the Loom walkthrough.
6 | Delivery call | 60-minute working session, hand over the plan, confirm next steps.

Rush audits inside 72 hours are possible for stores under 10,000 monthly sessions but cost 40 percent more and skip the data triangulation day. I do not recommend them.

What access do you need from the merchant?

A real audit needs four things: Shopify admin Staff access, GA4 Viewer, Search Console read, and a development theme. Anything less and the audit becomes a guess. I will not take on a paid audit without all four. The number of audits I have done with merchants who only granted Collaborator with the wrong scopes is too high, and I have stopped accepting that arrangement.

The full access checklist I send before kickoff:

  • Shopify admin: Staff access with theme editing, app management, analytics, and customer data scopes. Collaborator access works on Plus if scopes match.
  • Theme: a duplicate of the live theme published as a development theme, named “CRO Audit YYYY-MM-DD”, that I can preview and inspect without touching the live store.
  • Google Analytics 4: Viewer role on the property the storefront reports to. Editor is not required.
  • Google Search Console: Restricted user role on the verified property. Required for the query and CTR pull on day 1.
  • Microsoft Clarity or Hotjar: read access if either is installed. If neither is installed I add Clarity on the dev theme on day 1 because Clarity is free and rage-click data is non-negotiable.
  • Email and SMS platform: read access on Klaviyo, Postscript, or Attentive. Required to validate event firing and abandoned-cart flow integrity.
  • Apps: a list of installed apps with login access where automation can be inspected (review apps, bundle apps, post-purchase apps, popups).

I never request Owner access. I never request payment processor or bank access. I never request anything I do not need to deliver the report.

What does day 1 of the audit look like?

Day 1 is data first, storefront second. I open GA4, pull the funnel for the last 30 and 90 days, and write down the four numbers that frame the entire audit: sessions, add-to-cart rate, checkout-initiation rate, and purchase rate. Those four numbers map directly to the GA4 ecommerce events spec and tell me whether the bleeding is at discovery, consideration, intent, or checkout. The report’s structure follows from there.

After GA4 I open Search Console and pull the top 50 landing pages by impressions, the top 50 queries by impressions, and the average CTR on each. SEO leakage is a CRO problem too. A page ranking position 3 with a 0.4 percent CTR is leaving traffic on the table that costs nothing to recover.

After GSC I open Microsoft Clarity. Two filters: rage clicks and dead clicks. If a PDP shows 8 percent dead-click rate on the variant selector, I do not need to guess what is broken. The user told me. I screenshot the session and add it to the report verbatim.

[Image: Microsoft Clarity dashboard landing page showing the free heatmaps and session-recordings tool I install on every Shopify store on Day 1 of the audit]

By the end of day 1 I have a one-page diagnostic written in plain English: where the funnel is leaking, what the SEO data corroborates, and which storefront pages the rage-click data points at. Day 2 starts with that page open.

What gets audited: the 7-area framework

The 7-area framework is the structural backbone of every audit I run. It maps to where conversion actually leaks on a Shopify store, in roughly the order users encounter friction. I run it the same way every time so nothing slips. Across 100-plus audits the relative weights shift but the seven areas stay constant.

Area | What I audit | Common leaks
--- | --- | ---
1. Product detail page | Above-fold layout, gallery, variant selector, price, ATC, trust signals, schema | Variant pickers that hide price, gallery that breaks on Safari mobile, missing schema
2. Collection and listing | Filter UX, sort defaults, card density, product card data, pagination | Slow filter rerenders, missing prices on cards, infinite scroll killing back-button state
3. Cart and checkout | Cart drawer, cart page, accelerated payments, checkout extensions, post-purchase | Cart drawer that requires a click to see the total, Shop Pay button below the fold
4. Mobile UX | Sticky ATC, tap targets, gallery swipe, form auto-zoom, viewport handling | Sticky ATC over the price, 44px tap-target failures, iOS form zoom
5. Core Web Vitals | LCP, INP, CLS, TBT, on the four highest-traffic templates | Hero images without priority hint, third-party scripts blocking main thread, layout shift from late-loading prices
6. Analytics integrity | GA4 events, ecommerce object, Klaviyo events, Meta CAPI, GSC verification | Missing add_to_cart, double-firing purchase, broken Meta Pixel after checkout extensibility migration
7. App and code bloat | Installed app count, app block scripts, theme JS bundle, render-blocking CSS | Five review apps when one is enough, hardcoded prices breaking multi-currency, jQuery loaded twice

Each area has a tool or deeper guide on this site. Core Web Vitals run through the Shopify CrUX Grader for the field-data baseline against the web.dev Core Web Vitals thresholds. App bloat runs through the Shopify App Bloat Detector, which scans 192 known apps and ranks them by Total Blocking Time. Multi-currency price audits run through the Shopify Hardcoded Price Detector so the merchant has a concrete list of files to fix. PDP and mobile sit in the Shopify mobile CRO guide. Cart sits in the cart abandonment hidden causes breakdown, anchored against Baymard’s cart abandonment benchmark of 69.99 percent. Checkout sits in the Shopify checkout optimization guide, where Shop Pay’s 1.72x conversion uplift is one of the few accelerated-checkout numbers worth quoting. Popups, which sit at the intersection of mobile UX and conversion-leak math, get their own treatment in popups killing conversions.

How are findings prioritized?

Findings are ranked by estimated dollar impact, not by severity, not by ease, not by how interesting the issue is to me. Dollar impact is the only ranking that survives a CFO conversation. Every finding in the fix list has four columns: the issue, the page or template, the estimated annualized dollar impact, and the implementation effort in hours.

The dollar-impact math is straightforward and is documented in detail in the Shopify conversion leaks dollar impact breakdown. The short version: I take the affected sessions per month, multiply by the conservative conversion-rate lift I expect from the fix (usually 0.1 to 0.5 percentage points), multiply by the average order value, and annualize. A fix that affects 60,000 mobile sessions per month with an estimated 0.3-point lift on a $90 AOV is worth $194,400 per year. A fix that affects 800 desktop sessions on a 0.1-point lift is worth $864 per year. Both go in the report. Only one goes near the top.

In Liquid examples I always show prices through the money filter so the math is correct in every currency:

<span class="price">{{ product.price | money }}</span>

The fix list is not a wishlist. It is the order I would ship the work in if I were the one shipping it.

What deliverables does the merchant receive?

Five artifacts: report, fix list, Loom walkthrough, 30-day plan, delivery call. The PDF report runs 25 to 60 pages, structured by the 7-area framework, every finding logged with screenshot, file path, broken code, corrected code, and testing steps.

The fix list ships as a Google Sheet or Linear board sorted by dollar impact: ID, area, page, issue, dollar impact, hours, priority, owner, status. The Loom is 30 to 60 minutes of me on screen with the merchant’s storefront open. Most teams tell me the Loom is the deliverable they actually use. The 30-day plan is week-by-week: week 1 analytics integrity, week 2 highest-value PDP and checkout fixes, week 3 mobile UX and Core Web Vitals, week 4 app cleanup. The delivery call is a 60-minute Zoom working session.

What happens after the audit?

Three options: DIY, retainer, or fixed-scope project. I do not pressure either way. About 60 percent of audit clients hire me to implement, 40 percent take the report to an internal developer or another agency. Both outcomes are designed for from day one.

DIY clients use the report and the fix list to brief their own developer. The fix list is written so any competent Shopify Liquid developer can ship from it. I usually offer a 30-day Slack channel for free clarification questions, capped at one hour of my time, because answering “what did you mean on row 14” is faster than rewriting row 14 in more detail.

Retainer clients book a recurring weekly or biweekly block, usually 8 to 16 hours per week, and I work through the fix list in priority order. This is how the Factory Direct Blinds and WD Electronics engagements run. Retainers are billed monthly, and scope is reviewed every 30 days.

Fixed-scope clients pick a defined slice of the fix list, usually the top 5 to 10 items, and I quote a fixed price for shipping that slice. This is how Everly and the Casa Amar engagements started. The advantage is budget certainty. The trade-off is that anything outside the slice waits for the next sprint.

Real examples: 3 audits and the lift afterward

Three recent audits, three different problems, same framework. Each ranked the priority leak by dollar impact and shipped the implementation plan from there.

  • Enea Studio: luxury jewelry, Lighthouse mobile 23 with Core Web Vitals failing. Render-blocking jQuery, missing hero preloads, Slick gallery on mobile. Post-sprint: all three CWV passed on field data, Lighthouse recovered into the 70s.
  • Everly: Shopify Markets store with FOUC. 38 hardcoded prices and 90 lines of bespoke JS fighting Markets currency. CLS 0.11 on mobile dropped to 0.00 after a four-hour fix using the money_with_currency filter.
  • Casa Amar: Focal 10.1.3, 0.01 percent CVR on 37,000 monthly sessions. 11 active apps, 4 review apps stacked on the PDP, and a checkout extension double-firing the GA4 purchase event. That double-fire reframed every other dollar estimate. Full case study lands once the 90-day data is in.

The pattern is the same across all three. The audit is not what moves revenue. The audit is the document that gives the team permission to ship the right fix in the right order. That is what merchants pay for.

Want a free 30-minute mini-audit?

Want to see what a free 30-minute mini-audit looks like? Book here. I will walk through your store live, identify the top 3 conversion leaks, and send you a Loom recap. No pitch, no commitment.

If a full paid audit is the right fit, I send a fixed-price proposal within 24 hours of the call. If it is not, you keep the Loom and ship the fixes in-house. Either outcome is a good outcome.

For deeper background before you book, the Shopify CRO audit guide is the educational walkthrough, the Shopify CRO audit checklist is the 80-point self-serve list, and the Scandinavian furniture marketplace case study is the longest-running engagement on the site at the time of writing.

The takeaway

  • Day 0 is access handoff. Without Staff admin, GA4 Viewer, GSC Viewer, and a duplicate theme, the audit cannot start.
  • Days 1 to 4 are diagnosis: analytics integrity, live storefront, code, and dollar-impact ranking via Traffic times Gap divided by Effort.
  • Days 5 to 6 are documentation and delivery. Written report, Loom, 30-day plan, working session.
  • Every fix in the report ships with the file path, broken code, corrected code, and verification steps. Implementation-ready or it is not done.
  • Audit the data before the design. Most stores leak revenue from analytics integrity issues that double-count or under-count, not from button colours.

Frequently Asked Questions

How much does a Shopify CRO audit cost?

A full Shopify CRO audit from a senior consultant runs between 1,500 and 4,500 USD depending on store size, traffic, app stack complexity, and whether B2B or multi-currency is in scope. A single-storefront DTC audit on a Dawn-based theme sits at the low end. A Shopify Plus store with 50 apps, three locales, and a custom checkout extension stack sits at the top. I quote a fixed price after the discovery call, never hourly, so the merchant knows the deliverable cost before the audit starts.

How long does a Shopify CRO audit take?

Six business days from access handoff to final delivery is my standard timeline. Day 1 is analytics and access setup, days 2 and 3 are the live storefront and code audit, day 4 is the data pull from GA4 and GSC, day 5 is writing the report and recording the Loom walkthrough, day 6 is the delivery call. Rush turnaround inside 72 hours is possible for stores under 10,000 monthly sessions but adds 40 percent to the fee.

What is included in a Shopify CRO audit?

A written audit report covering 7 areas (PDP, collection, cart and checkout, mobile UX, Core Web Vitals, analytics integrity, app and code bloat), a prioritized fix list ranked by estimated dollar impact, a 30 to 60 minute Loom walkthrough of the findings, a 30-day implementation plan, and a delivery call to answer questions. I also include the raw data exports from GA4 and Search Console so the merchant can verify every number I cite.

Do you need backend access to audit a Shopify store?

Yes. A storefront-only audit catches roughly 40 percent of what a paid audit should find. To do the job properly I need Staff access to the Shopify admin (not Collaborator unless the store is Plus and Collaborator has equivalent scopes), Viewer access to GA4 and Google Search Console, read access to Hotjar or Microsoft Clarity if installed, and the live theme files via a duplicate or development theme. I never touch the published theme during an audit.

Do you implement the fixes after the audit?

Optional. Roughly 60 percent of audit clients hire me on a retainer or fixed-scope project to implement the priority fixes after delivery. The other 40 percent take the report to an internal developer or another agency, which is why every fix in the report includes the exact file path, the broken code, the corrected code, and the testing steps. The audit deliverable is designed to be implementation-ready by anyone competent in Shopify Liquid.

Can I run a CRO audit on my own Shopify store?

Yes, and you should at least once a quarter. The Shopify CRO audit checklist on this site walks through the 80 checkpoints I run on every paid audit. The bottleneck is rarely the checklist itself; it is interpreting what the data means and ranking fixes by dollar impact. A merchant running their own audit will usually find the technical issues but underweight the conversion-leak issues that cost the most revenue. That is what a paid audit is buying.

How do I book a Shopify CRO audit?

Start with the free 30-minute mini-audit on Calendly. I walk through your live store on a screen share, identify the top 3 conversion leaks, and send you a Loom recap with the action items. There is no pitch and no commitment. If we are a fit for a full audit I send a fixed-price proposal within 24 hours. Roughly half of the mini-audit calls convert into a full engagement; the other half take the free recap and ship the fixes in-house.
