# administration
d
Wondering if anyone has ever engaged a 3rd-party to do a roles/permissions audit. We recently met with Fastpath and learned about their software solution, but I think the scale is too large for what we're needing. I'm envisioning a firm getting access to our instance, performing an audit and delivering a list of potential issues. I think it's something that I've got a good handle on as is, but another pair of eyes doesn't seem like a bad idea given the expansive nature of NS's roles and permissions list.
e
You should be able to perform the initial analysis by going into Setup->Users/Roles->Show Role Differences. Use the admin role as the base role and select all the roles in the multi-select box to compare to. Uncheck the "only show differences" box. From that you can download a pseudo Excel-formatted file.
If you're using the standard NS roles for CEO and CFO, etc., those would be the first you'd need to customize, since the roles permit more than what should be allowed for C-suite level people. They should be read-only for most permissions, especially as it relates to master records and transactions.
The next level would be to make sure that those responsible for creating and updating master records do not have permissions to create and update transaction records and vice versa.
Finally, you should make sure that no role has Full permissions unless that's the only permission level that can be granted. Full allows record deletions.
d
I think I'm pretty well set with the first 3 comments; the last one, not so much. I could definitely move several permissions from Full to Edit.
👍 1
s
Use the role difference option (just uncheck the checkbox) and create a dump of the permission table for all the active/used roles. Then use your organization's SOD (segregation of duties) rules to analyze the role permissions based on the SOD and controls. I have done that so many times as part of the ITGC and for auditors for multiple publicly traded companies that I have literally lost count. Passed all the SOX and ISO 27001 SOD controls (COBIT 5) with flying colors. One secret, though: I did reverse engineer some of FastPath's features. Check out my SuiteWorld session from a few years back on GRC and ITGC for some tricks and tips on getting audit ready: https://static.rainfocus.com/oracle/sw19/sess/1546631310573001gv1X/FIN1526SES_THURS_1553185241855001B1fO.pdf
❤️ 1
🙌 1
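The two replies above describe the same workflow: dump the role/permission table from Show Role Differences, then check it against SOD rules (executives read-only on master records and transactions, no one creating both master records and transactions, no Full level unless it is the only level offered). The script below is an added example, not code from this thread or from NetSuite/Fastpath. It runs over a constructed CSV in the shape of such a dump; the classification of which permissions are "master records" and which are "transactions", the set of executive roles, and the Full-only list are hypothetical and must be replaced with your own lists.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a role/permission dump: one row per
# (role, permission, level). Not a real NetSuite export.
SAMPLE_DUMP = """role,permission,level
CEO,Customers,Full
CEO,Sales Order,Edit
CEO,Vendors,View
AP Clerk,Vendors,Create
AP Clerk,Vendor Bills,Create
AR Clerk,Customers,View
AR Clerk,Invoice,Create
Auditor,Customers,View
Auditor,Invoice,View
"""

# Any of these levels lets the holder change data; View does not.
WRITE_LEVELS = {"Create", "Edit", "Full"}
# Hypothetical classification of permissions; adapt to your own permission list.
MASTER_RECORDS = {"Customers", "Vendors", "Items", "Employees"}
TRANSACTIONS = {"Sales Order", "Invoice", "Vendor Bills", "Purchase Order"}
# Roles that should be read-only on master records and transactions.
EXEC_ROLES = {"CEO", "CFO"}
# Hypothetical set of permissions where Full is the only grantable level.
FULL_ONLY = {"Set Up Company"}


def parse_dump(text):
    """Return {role: {permission: level}} from the CSV text of a dump."""
    roles = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        roles[row["role"].strip()][row["permission"].strip()] = row["level"].strip()
    return dict(roles)


def check_roles(roles):
    """Apply the three SOD checks; return sorted (role, rule, detail) tuples."""
    findings = []
    for role, perms in roles.items():
        master_w = sorted(p for p, lvl in perms.items()
                          if p in MASTER_RECORDS and lvl in WRITE_LEVELS)
        txn_w = sorted(p for p, lvl in perms.items()
                       if p in TRANSACTIONS and lvl in WRITE_LEVELS)
        # Rule 1: executive roles must not hold a write level on either class.
        if role in EXEC_ROLES:
            for p in master_w + txn_w:
                findings.append((role, "exec_write", f"{p}={perms[p]}"))
        # Rule 2: one role must not write both master records and transactions.
        if master_w and txn_w:
            findings.append((role, "sod_master_vs_txn",
                             f"{','.join(master_w)} | {','.join(txn_w)}"))
        # Rule 3: Full (which permits deletion) only where no lower level exists.
        for p, lvl in sorted(perms.items()):
            if lvl == "Full" and p not in FULL_ONLY:
                findings.append((role, "full_level", p))
    return sorted(findings)


if __name__ == "__main__":
    for role, rule, detail in check_roles(parse_dump(SAMPLE_DUMP)):
        print(f"{role:10} {rule:20} {detail}")
```

On the sample the CEO role trips all three rules and AP Clerk trips the master-versus-transaction rule, while AR Clerk (View on Customers, Create on Invoice) and Auditor (View only) produce nothing. To use it on a real dump, point `parse_dump` at the downloaded file's text after mapping its columns to `role`, `permission` and `level`, and keep the finding tuples as the working list for the review rather than treating them as a verdict on their own.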