A website audit can be done in two ways. Bear in mind that these two ways are complementary to each other, not alternatives.
Most third-party tools are used for monitoring performance, query load time, profiling, number of function calls, JS load time, HTML best practices and mobile usability. Below are the third-party tools which I prefer for auditing Drupal websites.
New Relic provides deep insights for Drupal websites, including database performance, modules monitoring, Apdex, function performance and front-end performance. It also provides Real User Monitoring (RUM), which gathers time information and shows you which hotspot in DOM (Document Object Model) rendering time may be causing your page to take several seconds to load.
XHProfiling measures the relative performance of your application at the code level. It captures things like CPU usage, memory usage, time and number of calls per function, a call graph, etc. The act of profiling impacts performance.
YSlow analyzes the webpage and suggests ways to improve page performance based on rules (Minimize HTTP Requests, Use a Content Delivery Network, Cache-Control Header, Gzip Components, Put Stylesheets at the Top, Put Scripts at the Bottom, Avoid CSS Expressions, Make JavaScript and CSS External, Minify JavaScript and CSS, Avoid Redirects and Remove Duplicate Scripts, etc). It also supports Smush.it and JSLint. YSlow can be configured in the system directly and is available for Firefox, Chrome, Mobile/Bookmarklet, Opera, Safari, Command Line (HAR), PhantomJS, Node.js Server and Source Code.
Third-party websites monitor your site based on specified URLs and report which parts of the site can be improved. These parts can be JS, third-party URLs, service URLs, or HTML markup for desktop users and mobile usability. Generally, third-party sites check the page load time.
Below is a list of a few tools which can be used.
Because Drupal is open source, there are many modules available that also help in auditing Drupal sites. These modules can be independent or use third-party services. Examples are coder, xhprof, Dcq, Hacked, Security_Review and Drupalgeddon.
The Hacked module scans your site’s core and contrib modules/themes for files that have been modified from the original and creates a patch. It also tells users exactly what has been changed. It is integrated with Drush as well.
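The kind of check described for the Hacked module can be illustrated outside Drupal. This is an added example, not the module's own code: it assumes you have a pristine copy of the same release unpacked locally, compares it with the installed tree by SHA-256, and emits a unified diff for changed files. The directory names and file contents in `demo()` are constructed.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def file_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_trees(pristine, installed):
    """Classify files as modified, added or missing relative to the pristine copy."""
    clean, live = file_hashes(pristine), file_hashes(installed)
    return {
        "modified": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }

def make_patch(pristine, installed, modified):
    """Build a unified diff showing exactly what changed in each modified file."""
    chunks = []
    for rel in modified:
        old = (Path(pristine) / rel).read_text(errors="replace").splitlines(keepends=True)
        new = (Path(installed) / rel).read_text(errors="replace").splitlines(keepends=True)
        chunks.extend(difflib.unified_diff(old, new, f"a/{rel}", f"b/{rel}"))
    return "".join(chunks)

def demo():
    """Run the comparison on two small constructed trees (not real Drupal code)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "pristine"), Path(tmp, "installed")
        for d in (clean, live):
            (d / "includes").mkdir(parents=True)
            (d / "includes/example.inc").write_text("<?php\nfunction example_check() {\n  return TRUE;\n}\n")
            (d / "example.info").write_text("name = Example\ncore = 7.x\n")
        # Constructed changes: one edited file, one unexpected file, one deleted file.
        (live / "includes/example.inc").write_text("<?php\nfunction example_check() {\n  return FALSE;\n}\n")
        (live / "includes/extra.php").write_text("<?php // not in the release\n")
        (live / "example.info").unlink()
        report = compare_trees(clean, live)
        return report, make_patch(clean, live, report["modified"])

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Files reported as added deserve as much attention as modified ones, since a diff against the release only covers files the release already contained.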
Coder checks your Drupal code against coding standards and other best practices. It also supports Code_Sniffer and can be used on the command line.
The xhprof module integrates Drupal with xhprof and helps report function-level call counts and inclusive and exclusive metrics such as wall (elapsed) time in Drupal.
The Security Review module automates testing for many of the easy-to-make mistakes that render your site insecure.
Dcq is used to check code quality through Git. It can be used with Drush. It will help you get into the habit of following good practices while writing code.
Drupalgeddon (with an "L") checks for backdoors and other traces of known Drupal exploits of "Drupageddon" (no "L"), aka SA-CORE-2014-005 SQL injection. Drupalgeddon is not a module; it's a Drush command.
This is a Drupal static site, which is an analysis platform that generates reports with the best actionable recommendations.
That's a quick look at some of the tools that can be used for a Drupal audit. You could get a team of professionals to carry out the audit, or you could do a DIY Drupal Audit to identify major issues and vulnerabilities that need professional help.