B2B Approvals

Audit Trail for B2B Orders in Shopify: What SOC 2 and ISO 27001 Reviewers Want

Renato Mateus · Founder, RMMS.Cloud
·10 min read
  • audit trail
  • SOC 2
  • ISO 27001
  • Shopify B2B
  • GateFlow

Why audits go sideways on wholesale

SOC 2 and ISO 27001 reviewers ask the same question dozens of ways: "How do you ensure financial transactions are authorized?" For B2B, the answer must include sample wholesale orders with proof of the approval chain. If you cannot produce that for a recent quarter in minutes, the audit drags and findings pile up.

The minimum audit record per draft order

  • Order ID, customer, total, currency, payment term.
  • Created-by user, timestamp.
  • Threshold rules triggered: which conditions placed the order in the queue.
  • Approver(s): with timestamps, decisions, reasons.
  • Notifications sent: channel, recipient, timestamp.
  • Final status: approved, rejected, expired.
  • Downstream actions: invoice sent (timestamp), shipment created (timestamp).

Storage that survives compliance review

  1. Immutable log. Append-only structure; no edits or deletes after the fact, and a way to prove it (for example, hash-chained entries or write-once storage), so a reviewer can verify the log rather than take your word for it.
  2. Time-stamped entries. Server time, UTC; document timezone handling.
  3. User attribution. Real user ID, not service accounts; service-account use must be exceptional and logged.
  4. Retention policy. Match your written retention policy (typically 7 years for financial records).
  5. Export ability. CSV or JSON export per quarter for sampling.
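One way to build storage with those five properties, as an added example (not GateFlow's implementation and not a Shopify API): every event in a draft order's life is appended to a hash-chained log with a server-side UTC timestamp, service-account actors are flagged rather than hidden, and a verifier reports the first entry at which any edit, deletion or reordering broke the chain. The event names, the `svc-` actor prefix, the helper names and the sample order are assumptions made for illustration.

```python
"""Append-only, hash-chained audit log for draft-order approval events.

Added example, not GateFlow or Shopify code. Field names follow the
'minimum audit record' list above; the chaining scheme, event names and
the 'svc-' prefix for service accounts are assumptions for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the very first entry


def utc_now() -> str:
    """Server-side UTC timestamp; the log never trusts a client clock."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class AuditLog:
    """Entries can be appended and read, never updated or deleted.

    Each entry carries the SHA-256 of the previous entry, so editing,
    removing or reordering any record breaks the chain from that point on.
    """

    def __init__(self) -> None:
        self._entries: List[dict] = []

    def append(self, order_id: str, event: str, actor: str, **fields) -> dict:
        if actor.startswith("svc-"):
            # Service-account use must be exceptional and visibly marked.
            fields.setdefault("service_account", True)
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries),
            "order_id": order_id,
            "event": event,  # created / queued / notified / approved / rejected / ...
            "actor": actor,
            "ts": utc_now(),
            "prev_hash": prev,
            **fields,
        }
        body["hash"] = self._digest(body)
        self._entries.append(body)
        return body

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        canon = json.dumps({k: v for k, v in body.items() if k != "hash"},
                           sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e["seq"] != i or e["prev_hash"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return None

    def chain_for(self, order_id: str) -> List[dict]:
        """Full approval chain for one draft order, in append order."""
        return [e for e in self._entries if e["order_id"] == order_id]

    def export_jsonl(self, period_start: str, period_end: str) -> str:
        """JSON Lines export for a date range (ISO-8601 strings sort lexically)."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self._entries
                         if period_start <= e["ts"] < period_end)


def sample_order_history() -> AuditLog:
    """Constructed sample: one wholesale draft order through its full lifecycle."""
    log = AuditLog()
    oid = "DO-1001"  # constructed identifier
    log.append(oid, "created", "alice", customer="Acme Wholesale",
               total=32000.00, currency="USD", term="NET30")
    log.append(oid, "queued", "system", rule="total>25000", tier="gold")
    log.append(oid, "notified", "system", channel="email", recipient="bob@example.com")
    log.append(oid, "approved", "bob", reason="PO matches credit limit")
    log.append(oid, "invoice_sent", "svc-billing")
    return log
```

Run `verify()` on every export before handing it to a reviewer; a non-None result means the store was touched outside the append path and the sample cannot be relied on.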

Queries reviewers actually run

  • "Show me 10 random orders above $25K from last quarter and the approval chain."
  • "List all orders approved by user X in Q1."
  • "How many orders were auto-approved vs. required human approval, by month?"
  • "Show all rejected orders from the past 6 months with reason."
  • "What is the median approval time per tier?"
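The five questions above, answered as queries over an exported copy of the approval data loaded into SQLite. This is an added example, not GateFlow's reporting and not a Shopify API; the two-table schema, the order rows, the user names and the `rule:auto-approve` approver label are all constructed for illustration. The median is computed in Python because SQLite has no MEDIAN aggregate.

```python
"""Reviewer queries over exported approval data, run in SQLite.

Added example, not GateFlow or Shopify code. The schema and every row
below are constructed for illustration; timestamps are UTC.
"""
import sqlite3
import statistics
from datetime import datetime
from typing import Dict, List, Tuple

SCHEMA = """
CREATE TABLE orders (order_id TEXT PRIMARY KEY, total REAL, currency TEXT,
                     created_by TEXT, created_at TEXT, tier TEXT, final_status TEXT);
CREATE TABLE decisions (order_id TEXT REFERENCES orders(order_id), approver TEXT,
                        decided_at TEXT, decision TEXT, auto INTEGER, reason TEXT);
"""

ORDERS = [  # constructed sample covering Q1 and the start of Q2 2024
    ("DO-1", 30000, "USD", "alice", "2024-01-10T09:00:00+00:00", "gold", "approved"),
    ("DO-2", 12000, "USD", "alice", "2024-01-15T09:00:00+00:00", "silver", "approved"),
    ("DO-3", 48000, "USD", "carol", "2024-02-01T08:00:00+00:00", "gold", "rejected"),
    ("DO-4", 27500, "EUR", "carol", "2024-02-20T10:00:00+00:00", "gold", "approved"),
    ("DO-5", 9000, "USD", "alice", "2024-03-05T10:00:00+00:00", "silver", "approved"),
    ("DO-6", 31000, "USD", "alice", "2024-03-12T10:00:00+00:00", "silver", "approved"),
    ("DO-7", 52000, "USD", "carol", "2024-04-02T10:00:00+00:00", "gold", "expired"),
]
DECISIONS = [  # auto=1: a threshold rule approved it with no human in the loop
    ("DO-1", "bob", "2024-01-10T11:00:00+00:00", "approved", 0, "PO on file"),
    ("DO-2", "rule:auto-approve", "2024-01-15T09:00:00+00:00", "approved", 1, None),
    ("DO-3", "bob", "2024-02-01T12:00:00+00:00", "rejected", 0, "credit limit exceeded"),
    ("DO-4", "dave", "2024-02-21T10:00:00+00:00", "approved", 0, "verified with AR"),
    ("DO-5", "dave", "2024-03-05T13:00:00+00:00", "approved", 0, "new customer"),
    ("DO-6", "bob", "2024-03-12T16:00:00+00:00", "approved", 0, "repeat customer"),
]


def load() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?,?)", ORDERS)
    con.executemany("INSERT INTO decisions VALUES (?,?,?,?,?,?)", DECISIONS)
    return con


def sample_large_orders(con, start, end, threshold=25000, n=10) -> List[Tuple]:
    """Random sample of high-value orders in a period, each with its approval chain."""
    return con.execute("""
        SELECT o.order_id, o.total, o.currency, o.created_by,
               d.approver, d.decision, d.decided_at
        FROM orders o LEFT JOIN decisions d USING (order_id)
        WHERE o.order_id IN (SELECT order_id FROM orders
                             WHERE total > ? AND created_at >= ? AND created_at < ?
                             ORDER BY RANDOM() LIMIT ?)
        ORDER BY o.order_id, d.decided_at""", (threshold, start, end, n)).fetchall()


def approved_by(con, user, start, end) -> List[str]:
    """Orders a given user approved in a period."""
    return [r[0] for r in con.execute(
        "SELECT order_id FROM decisions WHERE approver=? AND decision='approved' "
        "AND decided_at >= ? AND decided_at < ? ORDER BY order_id", (user, start, end))]


def auto_vs_human_by_month(con) -> List[Tuple[str, int, int]]:
    """(month, auto-approved count, human-decided count)."""
    return con.execute("""
        SELECT substr(decided_at, 1, 7) AS month, SUM(auto), SUM(1 - auto)
        FROM decisions GROUP BY month ORDER BY month""").fetchall()


def rejected_since(con, since) -> List[Tuple]:
    """Rejected orders with approver and recorded reason."""
    return con.execute(
        "SELECT order_id, approver, reason FROM decisions "
        "WHERE decision='rejected' AND decided_at >= ? ORDER BY decided_at", (since,)).fetchall()


def median_approval_hours_by_tier(con) -> Dict[str, float]:
    """Median creation-to-decision time per tier; undecided (expired) orders are excluded."""
    rows = con.execute("""
        SELECT o.tier, o.created_at, d.decided_at
        FROM orders o JOIN decisions d USING (order_id)""").fetchall()
    hours: Dict[str, List[float]] = {}
    for tier, created, decided in rows:
        delta = datetime.fromisoformat(decided) - datetime.fromisoformat(created)
        hours.setdefault(tier, []).append(delta.total_seconds() / 3600)
    return {tier: statistics.median(v) for tier, v in hours.items()}
```

The LEFT JOIN in the sample query matters: an expired order with no decision row must still appear in the sample, since a reviewer will ask why nothing was decided.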

What fails the audit

  • "It's in the Shopify admin somewhere"—not queryable, not exportable, fails.
  • Approval recorded only in email—not immutable, fails.
  • Service accounts approving without human attribution.
  • No record of which threshold triggered the queue placement.
  • Inability to produce a sample within hours of the request.

Segregation of duties (SoD)

Reviewers check that the person who creates an order cannot approve it. Your system must enforce this rule and the audit record must prove enforcement. A self-approved order is an automatic finding even if no fraud occurred.
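An enforcement check of that kind, as an added example (not GateFlow's rule engine): the approval path refuses a decision from the order's creator or from anyone without the approver role, and writes the refusal to the same event list as a `denied` event, so the record proves the control fired instead of relying on the absence of a self-approval. A second function is the reviewer's own test, flagging any decision whose actor equals the creator. The role table, event names and user names are assumptions.

```python
"""Segregation-of-duties check for draft-order approvals.

Added example, not GateFlow code. The role table, the 'denied' event and
the in-memory `events` list are assumptions for illustration.
"""
from datetime import datetime, timezone
from typing import Dict, List

# Constructed role table; in practice this comes from your identity provider.
ROLES = {"bob": "approver", "dave": "approver", "alice": "sales", "carol": "sales"}
DECISIONS = {"approved", "rejected"}


class SoDViolation(PermissionError):
    """Raised when a decision would violate segregation of duties."""


def _record(events: List[dict], **e) -> dict:
    e["ts"] = datetime.now(timezone.utc).isoformat(timespec="seconds")
    events.append(e)
    return e


def approve(events: List[dict], order: Dict, approver: str, decision: str, reason: str) -> dict:
    """Apply a decision, or log the refusal and raise if SoD would be violated."""
    if decision not in DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    if ROLES.get(approver) != "approver":
        _record(events, order_id=order["order_id"], event="denied", actor=approver,
                why="actor lacks the approver role")
        raise SoDViolation(f"{approver} lacks the approver role")
    if approver == order["created_by"]:
        # The denied attempt is written to the same log, so the audit record
        # shows the control fired rather than merely lacking a self-approval.
        _record(events, order_id=order["order_id"], event="denied", actor=approver,
                why="creator cannot approve own order")
        raise SoDViolation(f"{approver} created {order['order_id']} and cannot decide it")
    return _record(events, order_id=order["order_id"], event=decision, actor=approver,
                   created_by=order["created_by"], reason=reason)


def self_approval_count(events: List[dict]) -> int:
    """Reviewer check: any decision whose actor equals the creator is a finding."""
    return sum(1 for e in events
               if e["event"] in DECISIONS and e["actor"] == e.get("created_by"))
```

Keep `created_by` on the decision event itself, as above; a reviewer then runs `self_approval_count` over the export without needing a join back to the order table.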

Periodic access review

  1. Quarterly review of who has approver permissions.
  2. Confirmation that departed employees no longer have access.
  3. Re-justification of permissions held more than 12 months without use.
  4. Documented sign-off by the access reviewer.

Incident response readiness

  • If a wrong approval slipped through, you can reconstruct who, when, what, and why.
  • You can demonstrate the corrective action taken (rule change, training).
  • You preserve evidence for legal even if the immediate operational issue is closed.

Where GateFlow fits

GateFlow writes an immutable audit record per draft order with all the fields above, supports CSV/JSON export per quarter, enforces SoD at the rule level, and exposes queryable reports for compliance review.