B2B Approvals

Audit Trail for B2B Orders in Shopify: What SOC 2 and ISO 27001 Reviewers Want

Renato Mateus · Founder, RMMS.Cloud
·10 min read
  • audit trail
  • SOC 2
  • ISO 27001
  • Shopify B2B
  • GateFlow

Why audits go sideways on wholesale

SOC 2 and ISO 27001 reviewers ask the same question dozens of ways: "How do you ensure financial transactions are authorized?" For B2B, the answer must include sample wholesale orders with proof of the approval chain. If you cannot produce that for a recent quarter in minutes, the audit drags and findings pile up.

The minimum audit record per draft order

  • Order ID, customer, total, currency, term.
  • Created-by user, timestamp.
  • Threshold rules triggered: which conditions placed the order in the queue.
  • Approver(s): with timestamps, decisions, reasons.
  • Notifications sent: channel, recipient, timestamp.
  • Final status: approved, rejected, expired.
  • Downstream actions: invoice sent (timestamp), shipment created (timestamp).

Storage that survives compliance review

  1. Immutable log. Append-only structure; no edits after the fact.
  2. Time-stamped entries. Server time, UTC; document timezone handling.
  3. User attribution. Real user ID, not service accounts; service-account use must be exceptional and logged.
  4. Retention policy. Match your written retention policy (typically 7 years for financial records).
  5. Export ability. CSV or JSON export per quarter for sampling.

Queries reviewers actually run

  • "Show me 10 random orders above $25K from last quarter and the approval chain."
  • "List all orders approved by user X in Q1."
  • "How many orders were auto-approved vs. required human approval, by month?"
  • "Show all rejected orders from the past 6 months with reason."
  • "What is the median approval time per tier?"

What fails the audit

  • "It's in the Shopify admin somewhere"—not queryable, not exportable, fails.
  • Approval recorded only in email—not immutable, fails.
  • Service accounts approving without human attribution.
  • No record of which threshold triggered the queue placement.
  • Inability to produce a sample within hours of the request.

Segregation of duties (SoD)

Reviewers check that the person who creates an order cannot approve it. Your system must enforce this rule and the audit record must prove enforcement. A self-approved order is an automatic finding even if no fraud occurred.

Periodic access review

  1. Quarterly review of who has approver permissions.
  2. Confirmation that departed employees no longer have access.
  3. Re-justification of permissions held more than 12 months without use.
  4. Documented sign-off by the access reviewer.

Incident response readiness

  • If a wrong approval slipped through, you can reconstruct who, when, what, and why.
  • You can demonstrate the corrective action taken (rule change, training).
  • You preserve evidence for legal even if the immediate operational issue is closed.

Merchant example: passing a SOC 2 Type II sample in 48 hours

ClearPath Industrial, a Shopify Plus merchant selling safety equipment to 60 B2B accounts, started a SOC 2 Type II audit with a spreadsheet of "approved orders" maintained by RevOps — updated manually from email threads. The auditor requested 15 random orders above $20K from Q2 with full approval chains. RevOps spent six days reconstructing from Gmail and Slack. Two orders had no approver on record. The auditor opened a finding.

ClearPath replaced the spreadsheet with an immutable audit log tied to each draft order in Shopify admin. The next audit cycle, the same request arrived on Tuesday at 10am. RevOps exported a CSV by Wednesday noon — approver, timestamp, rules triggered, decision reason, notification log. Zero findings on authorization controls. The CFO cited the audit trail as the reason they could offer Net-45 to enterprise buyers with confidence.

Audit record completeness checklist

FieldRequired for SOC 2Required for ISO 27001Common gap
Order ID + customerYesYesUsually present
Creator + timestampYesYesMissing in email-only flows
Rules triggeredYesYesRarely logged manually
Approver identityYesYesService accounts used instead
Decision + reasonYesYes"Approved via Slack" fails
Notification logRecommendedYesAlmost never in manual process
Export per quarterYesYesSpreadsheet drift

Preparing for the auditor conversation

Auditors do not want a tour of your Shopify admin. They want sample evidence, fast. Prepare three artifacts before the audit window opens: a written authorization policy, a role matrix showing who can create vs approve, and a export procedure documented in your internal wiki.

Questions to rehearse with RevOps and Finance

  • "Show me an order that was rejected last month — who rejected it and why?"
  • "Can the person who created this order also approve it? Prove they cannot."
  • "What happens when an approver is on vacation?"
  • "How long do you retain approval records?"
  • "Walk me through a Net-60 approval from queue to invoice."

Retention and export: do not wait for the auditor to ask

Set your retention policy before the first wholesale order queues — typically seven years for financial authorization records. Test CSV export quarterly even when no audit is scheduled. If export takes more than an hour or requires a developer, you will fail the "produce a sample in minutes" test every time.

Where GateFlow fits

GateFlow writes an immutable audit record per draft order with all the fields above, supports CSV/JSON export per quarter, enforces SoD at the rule level, and exposes queryable reports for compliance review. Learn more.