B2B Approvals
Audit Trail for B2B Orders in Shopify: What SOC 2 and ISO 27001 Reviewers Want
- audit trail
- SOC 2
- ISO 27001
- Shopify B2B
- GateFlow
Why audits go sideways on wholesale
SOC 2 and ISO 27001 reviewers ask the same question dozens of ways: "How do you ensure financial transactions are authorized?" For B2B, the answer must include sample wholesale orders with proof of the approval chain. If you cannot produce that for a recent quarter in minutes, the audit drags and findings pile up.
The minimum audit record per draft order
- Order ID, customer, total, currency, term.
- Created-by user, timestamp.
- Threshold rules triggered: which conditions placed the order in the queue.
- Approver(s): with timestamps, decisions, reasons.
- Notifications sent: channel, recipient, timestamp.
- Final status: approved, rejected, expired.
- Downstream actions: invoice sent (timestamp), shipment created (timestamp).
Storage that survives compliance review
- Immutable log. Append-only structure; no edits after the fact.
- Time-stamped entries. Server time, UTC; document timezone handling.
- User attribution. Real user ID, not service accounts; service-account use must be exceptional and logged.
- Retention policy. Match your written retention policy (typically 7 years for financial records).
- Export ability. CSV or JSON export per quarter for sampling.
Queries reviewers actually run
- "Show me 10 random orders above $25K from last quarter and the approval chain."
- "List all orders approved by user X in Q1."
- "How many orders were auto-approved vs. required human approval, by month?"
- "Show all rejected orders from the past 6 months with reason."
- "What is the median approval time per tier?"
What fails the audit
- "It's in the Shopify admin somewhere"—not queryable, not exportable, fails.
- Approval recorded only in email—not immutable, fails.
- Service accounts approving without human attribution.
- No record of which threshold triggered the queue placement.
- Inability to produce a sample within hours of the request.
Segregation of duties (SoD)
Reviewers check that the person who creates an order cannot approve it. Your system must enforce this rule and the audit record must prove enforcement. A self-approved order is an automatic finding even if no fraud occurred.
Periodic access review
- Quarterly review of who has approver permissions.
- Confirmation that departed employees no longer have access.
- Re-justification of permissions held more than 12 months without use.
- Documented sign-off by the access reviewer.
Incident response readiness
- If a wrong approval slipped through, you can reconstruct who, when, what, and why.
- You can demonstrate the corrective action taken (rule change, training).
- You preserve evidence for legal even if the immediate operational issue is closed.
Merchant example: passing a SOC 2 Type II sample in 48 hours
ClearPath Industrial, a Shopify Plus merchant selling safety equipment to 60 B2B accounts, started a SOC 2 Type II audit with a spreadsheet of "approved orders" maintained by RevOps — updated manually from email threads. The auditor requested 15 random orders above $20K from Q2 with full approval chains. RevOps spent six days reconstructing from Gmail and Slack. Two orders had no approver on record. The auditor opened a finding.
ClearPath replaced the spreadsheet with an immutable audit log tied to each draft order in Shopify admin. The next audit cycle, the same request arrived on Tuesday at 10am. RevOps exported a CSV by Wednesday noon — approver, timestamp, rules triggered, decision reason, notification log. Zero findings on authorization controls. The CFO cited the audit trail as the reason they could offer Net-45 to enterprise buyers with confidence.
Audit record completeness checklist
| Field | Required for SOC 2 | Required for ISO 27001 | Common gap |
|---|---|---|---|
| Order ID + customer | Yes | Yes | Usually present |
| Creator + timestamp | Yes | Yes | Missing in email-only flows |
| Rules triggered | Yes | Yes | Rarely logged manually |
| Approver identity | Yes | Yes | Service accounts used instead |
| Decision + reason | Yes | Yes | "Approved via Slack" fails |
| Notification log | Recommended | Yes | Almost never in manual process |
| Export per quarter | Yes | Yes | Spreadsheet drift |
Preparing for the auditor conversation
Auditors do not want a tour of your Shopify admin. They want sample evidence, fast. Prepare three artifacts before the audit window opens: a written authorization policy, a role matrix showing who can create vs approve, and a export procedure documented in your internal wiki.
Questions to rehearse with RevOps and Finance
- "Show me an order that was rejected last month — who rejected it and why?"
- "Can the person who created this order also approve it? Prove they cannot."
- "What happens when an approver is on vacation?"
- "How long do you retain approval records?"
- "Walk me through a Net-60 approval from queue to invoice."
Retention and export: do not wait for the auditor to ask
Set your retention policy before the first wholesale order queues — typically seven years for financial authorization records. Test CSV export quarterly even when no audit is scheduled. If export takes more than an hour or requires a developer, you will fail the "produce a sample in minutes" test every time.
Where GateFlow fits
GateFlow writes an immutable audit record per draft order with all the fields above, supports CSV/JSON export per quarter, enforces SoD at the rule level, and exposes queryable reports for compliance review. Learn more.
Related articles
B2B Approvals
Shopify B2B Draft Order Approval: The Workflow Every Wholesale Brand Needs
Drop-shipping a $50,000 wholesale order to the wrong terms costs more than the discount. The approval workflow that catches it before invoicing or shipping.
B2B Approvals
Wholesale Threshold Rules in Shopify: The Math That Decides What Gets Approved
Set thresholds too low and approvers drown. Too high and risky orders slip through. The model that calibrates USD, discount, term, and customer-tier rules to your real risk profile.
B2B Approvals
Net Terms Approval Before You Invoice B2B: Credit Risk Made Operational
Net-30, Net-60, Net-90 sound like sales courtesies. They are credit decisions. The operational checklist that turns “we'll invoice them” into a defensible risk call.