9-Point Tracking Audit
Find every broken event, double count, and silent attribution loss in 90 minutes.
Why this exists
Across 14 SaaS performance audits Xpand ran in Q1 2026, 11 had at least one critical tracking error inflating reported CPL by 30% or more. The fix is a 4-hour engagement for a competent operator. The lift is permanent. Run the audit before you blame creative, audience targeting, or budget.
Most paid-marketing waste comes from broken tracking, not bad creative or wrong audiences. This is the same 9-point audit Xpand runs in week one of every performance engagement.
1. GA4 conversion event integrity
- ✓ Each conversion event fires once per qualifying user action
  Use the DebugView to confirm. Common issue: form_submit firing on every step of a multi-step form.
- ✓ Conversion events have a value parameter where applicable
- ✓ Cross-domain tracking is configured if traffic flows across multiple domains
  Set up the linker in GA4 Admin → Data Streams.
- ✓ Internal traffic is excluded via IP filter or internal_traffic dimension
2. Google Tag Manager firing rules
- ✓ No tag fires on All Pages without a clear reason
- ✓ Triggers use specific URL patterns, not 'contains' broad matches
- ✓ Form submission tags fire on success only, not on click
  Use the form's success state event or a thank-you page URL match.
- ✓ DataLayer pushes are documented in a single source-of-truth doc
3. Meta CAPI (Conversions API)
- ✓ Server-side events are sent for Lead, Purchase, and InitiateCheckout at minimum
- ✓ Event Match Quality is 7.0+ for primary events
  Send email, phone, and external_id where available. EMQ under 6 means iOS attribution is leaking.
- ✓ Pixel + CAPI are deduplicated using event_id
  Otherwise Meta double-counts and inflates reported conversions.
- ✓ Test events show up in Meta Events Manager Test Events tab
4. LinkedIn CAPI (B2B only)
- ✓ Conversions API is enabled in LinkedIn Campaign Manager
- ✓ Server events match LinkedIn's required event names exactly
  Lead, Purchase, AddToCart, etc. Names are case-sensitive.
- ✓ Hashed email is sent on every event for B2B match rates
- ✓ Insight Tag is also installed for retargeting (CAPI replaces some signals but not all)
5. Consent Mode v2
- ✓ ad_storage, ad_user_data, ad_personalization, analytics_storage all map to your CMP
- ✓ Default consent is set to 'denied' before the CMP loads
- ✓ Consent updates trigger gtag('consent', 'update', ...) calls
- ✓ EU traffic respects consent; non-EU traffic uses the right region defaults
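The three Consent Mode v2 steps above, plus a check that flags the "default set to granted" failure, as an added example (not Xpand's code). The CMP category names `marketing` and `analytics`, the helper names, and the 500 ms `wait_for_update` value are assumptions; the audit only inspects defaults that carry no `region` key.

```javascript
// Added example: Consent Mode v2 defaults, CMP mapping, and a dataLayer check.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

const SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Step 1: runs before the CMP script and before any Google tag loads.
function setDefaults() {
  const denied = Object.fromEntries(SIGNALS.map((k) => [k, 'denied']));
  gtag('consent', 'default', { ...denied, wait_for_update: 500 });
}

// Step 2: map CMP categories (hypothetical names) to the four signals.
function mapCmpChoices(choices) {
  const flag = (ok) => (ok ? 'granted' : 'denied');
  return {
    ad_storage: flag(choices.marketing),
    ad_user_data: flag(choices.marketing),
    ad_personalization: flag(choices.marketing),
    analytics_storage: flag(choices.analytics),
  };
}

// Step 3: call this from the CMP's consent-changed callback.
function onCmpChange(choices) {
  gtag('consent', 'update', mapCmpChoices(choices));
}

// Audit helper: list Consent Mode problems found in a dataLayer array.
function auditConsent(layer) {
  const calls = Array.from(layer, (e) => Array.from(e)).filter((c) => c[0] === 'consent');
  const problems = [];
  const firstDefault = calls.findIndex((c) => c[1] === 'default');
  const firstUpdate = calls.findIndex((c) => c[1] === 'update');
  if (firstDefault === -1) problems.push('no default consent set');
  const early = firstUpdate !== -1 && (firstDefault === -1 || firstUpdate < firstDefault);
  if (early) problems.push('update before default');
  for (const c of calls) {
    // Region-scoped defaults are skipped: they may legitimately differ.
    if (c[1] !== 'default' || (c[2] || {}).region) continue;
    for (const k of SIGNALS) {
      if ((c[2] || {})[k] !== 'denied') problems.push(`default ${k} is not denied`);
    }
  }
  return problems;
}

setDefaults();
onCmpChange({ marketing: false, analytics: true }); // constructed CMP choice
console.log(auditConsent(dataLayer));
```

In a browser, paste `auditConsent` into the console and pass it `window.dataLayer` to check a live page.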
6. Server-side GTM container (when applicable)
- ✓ Server container is deployed on a custom subdomain (e.g. server.yourdomain.com)
- ✓ First-party cookies are extending session lifetimes for iOS users
- ✓ Server tags forward to GA4, Meta, LinkedIn, TikTok with proper signal mapping
7. UTM hygiene
- ✓ UTM convention is documented and consistent across paid platforms
  lowercase, hyphens, no spaces, source = ad platform, medium = paid-search/paid-social/etc.
- ✓ Auto-tagging is enabled for Google Ads (gclid)
- ✓ Email links carry utm_source=email and utm_medium=newsletter or transactional
8. Internal referral exclusions
- ✓ Payment domains (Stripe, PayPal) are excluded as referrers
- ✓ Auth domains (Google OAuth, Microsoft) are excluded
- ✓ Subdomains of your own site are not creating fake referrer sessions
9. CRM closed-loop reporting
- ✓ GCLID and FBC/FBP are stored on the lead record in HubSpot or Salesforce
- ✓ Closed-won deals push back to Google Ads via Enhanced Conversions for Leads
- ✓ Meta receives Purchase events with the actual deal value, not the estimated value
If you only fix one item: Meta CAPI deduplication. Double-counted conversions inflate ROAS by 30-80% on most accounts and lead to over-investment in failing campaigns.
How to use it well
Treat the 9 points as a strict ordered checklist, not a menu. Skip GA4 hygiene and the rest of the audit produces unreliable data. The most common single broken item is Meta CAPI deduplication. Send event_id with both Pixel and CAPI for the same user action, otherwise Meta double-counts and inflates reported ROAS by 30 to 80%.
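The deduplication rule above and the hashed identifiers from section 3, as an added Node.js example (not Xpand's code): one event_id is generated per user action and handed to both the Pixel call and the CAPI event, and email, phone and external_id are normalized and SHA-256 hashed before they leave the server. The sample user, URL and helper names are constructed for illustration.

```javascript
// Added example: one event_id shared by Pixel and CAPI, identifiers hashed server-side.
const nodeCrypto = require('crypto');

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Normalize before hashing so the same person always yields the same digest.
const hashEmail = (email) => sha256(email.trim().toLowerCase());
// Phone: digits only, country code included (the caller supplies it).
const hashPhone = (phone) => sha256(phone.replace(/\D/g, ''));

// Generate the ID once per user action, then pass it to BOTH senders.
const newEventId = () => nodeCrypto.randomUUID();

// Arguments for the browser call: fbq('track', name, params, { eventID }).
function pixelArgs(eventName, eventId, params = {}) {
  return ['track', eventName, params, { eventID: eventId }];
}

// One server-side event for the Conversions API "data" array.
function capiEvent(eventName, eventId, user, sourceUrl, nowMs = Date.now()) {
  const userData = {};
  if (user.email) userData.em = [hashEmail(user.email)];
  if (user.phone) userData.ph = [hashPhone(user.phone)];
  if (user.externalId) userData.external_id = [sha256(String(user.externalId))];
  if (user.userAgent) userData.client_user_agent = user.userAgent; // sent unhashed
  return {
    event_name: eventName, // must match the Pixel event name exactly
    event_id: eventId,     // must match the Pixel eventID exactly
    event_time: Math.floor(nowMs / 1000),
    action_source: 'website',
    event_source_url: sourceUrl,
    user_data: userData,
  };
}

// Constructed sample input (not real data).
const sampleUser = {
  email: '  Jane.Doe@Example.com ',
  phone: '+1 (555) 010-0199',
  externalId: 'crm-1042',
  userAgent: 'Mozilla/5.0 (sample)',
};
const sharedId = newEventId();
const browserCall = pixelArgs('Lead', sharedId);
const serverEvent = capiEvent('Lead', sharedId, sampleUser, 'https://example.com/demo');
console.log(browserCall, JSON.stringify(serverEvent, null, 2));
```

Log the serialized server event in staging and confirm no raw email or phone number appears in it before enabling the tag in production.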
What good looks like
Real audit output for a Series A SaaS account spending $24K per month on Meta plus Google.
[FAIL] 1. GA4 firing once per page. 2 config calls detected, duplicating sessions
[PASS] 2. Server-side GTM container. analytics.client.com, ITP-safe
[FAIL] 3. Meta CAPI EMQ 7+. currently 5.2, need hashed phone + city + country
[FAIL] 4. LinkedIn CAPI active. disabled, 30% of B2B spend losing signal
[PASS] 5. Google Ads Enhanced Conversions enabled
[FAIL] 6. Consent Mode v2. default consent set to granted, should be denied
[PASS] 7. Cross-domain tracking. Calendly chain intact
[FAIL] 8. UTM hygiene. 18 unique source values from free-text drift
[PASS] 9. Internal referral exclusions. clean
5 of 9 broken. Fixes shipped over 7 days. Reported CPL dropped 34% inside 14 days.
FAQ
How do I know if my Meta CAPI is double-counting?
In Meta Events Manager, open the Lead or Purchase event and check the 'Event Coverage' tab. If both Browser and Server show counts but the Deduplication column is below 70%, you are double-counting. Fix it by sending event_id with both Pixel and CAPI events that represent the same user action.
What is a healthy Event Match Quality score?
8.0 or above. 7.0-7.9 is acceptable. Below 7.0 means iOS attribution is leaking. Improve EMQ by sending email, phone, first name, last name, city, country, and external_id with every event.
Do I need server-side tracking?
If you spend 10K USD a month or more on Meta or TikTok, yes. The lift on Event Match Quality alone justifies the cost. Below that volume, focus on getting browser-side Pixel and CAPI clean before adding server-side.
How long does a tracking audit take to complete?
90 minutes for the audit using this checklist. 1-3 days to implement fixes depending on what is broken. Xpand sees CPL drops of 20-40% within 14 days of completing a tracking audit and fixing the top 3 issues.