Hi James
SU24 is a good starting point but not definitive. Also, some object fields may not be org relevant (e.g. profit centre).
Custom transaction codes - huge reliance on the developer or security person maintaining SU24 with the correct mappings.
Scanning the code, running traces and testing is the most accurate way to perform the analysis. You might be able to get a bit of a head start by checking logs to see which transactions are actually used in the landscape and removing obsolete transactions from design to reduce footprint.
Regards
Colleen