The audit is the artifact.

Most paid audits are a Loom recorded over a screen-share. A consultant scrolls through the store for an hour, narrates what they notice, and ships a video. The output is opinion at the speed of speech.

The Fortis Scan is built the opposite way. Every finding ties to a number. Every number ties to a window of time. Every claim about the live store ties to a screenshot.

48 to 72h  delivery 300+ checks  per scan 7 phases  in order
01The checklist

The Scan is a checklist we keep updating.

When we audit a store and surface a finding we had not documented before, we add a check for it. When a check we have been running stops surfacing anything useful, we drop it. The Scan you receive is the current version of that checklist, not a finished product.

The order matters. The data tells us what to look for before we open the live store.

02The seven phases

In order, from access granted to PDF shipped.

Data phases run first. The live store walkthrough runs after, because the data points us at what to verify. Synthesis runs last, never before a blocker is resolved or explicitly skipped.

00
15 min  Access & scope

Map every access, flag every blocker.

We list every credential we asked for against what was granted. Anything missing is documented before we start, not discovered halfway through. Audit period defaults to 90 days.

01
1 hour  Shopify foundation

Pull the store's own numbers, no interpretation yet.

Twelve baseline queries followed by seven deep queries against the Admin API. Orders, revenue, AOV, checkout completion, geography, repeat rate, top SKUs, sources, gateways for the trailing 90 days. The floor we build on.

02
45 min  Inventory & catalog

Sales velocity crossed with stock.

Four buckets fall out. Out-of-stock bestsellers losing weekly revenue. Low stock at high velocity needing urgent replenishment. Slow movers with capital locked up. Dead stock with zero sales in 90 days. Pricing distribution and collection zombies on top.

03
45 min  Compliance & risk

Policy pages, tax fields, discount loss vectors.

We scan policy page bodies for the keywords each jurisdiction requires. We flag unrendered Liquid placeholders inside policies, which signal a broken page nobody noticed. We list discount codes with unlimited usage and high absolute value, the kind that get screenshotted on Reddit.

04
30 min  Marketing stack

Total Cost of Ownership, beyond the Stripe bill.

Every paid tool gets a TCO: licence plus founder time at internal rate plus hidden integration cost. A $49 app that eats four hours of founder time a month is not a $49 app. It is the number that goes in the report.

05
1h30  Live UX walkthrough

The buying flow, as a customer.

Homepage, collection page, top product detail page, cart drawer, checkout up to but not through payment, footer, full mobile flow at 375 pixel viewport. Page speed on three page types. Every finding that points at the live store ships with a dated screenshot, URL visible in the address bar.

06
1 hour  Marketing performance

Where the accesses exist.

Meta Ads Manager for ROAS, CPM, CPC, creative fatigue. GA4 for funnel conversion. Google Search Console for queries and ranking. Klaviyo flows for welcome conversion, abandoned cart recovery, deliverability. We document what we have. We flag what we do not.

07
1 hour  Synthesis

Six files become one ranked document.

Every finding gets a severity tag. P0 risk requiring action this week. P1 retainer angle worth months of work. P2 quick win. P3 test. Every finding gets a sample size check. Below 20 events is directional. Below 10 events is removed from the report before delivery.

Total focused work, access complete, lands between 6 and 7 hours. The 48 to 72 hour delivery window absorbs scheduling, a second pass, and screenshot annotation.

A finding with no dollar impact, no window, no sample, or no screenshot does not survive synthesis.

03The three hard gates

What every finding has to clear before it ships.

These are not stylistic preferences. They are the gates that decide whether a finding survives to the PDF.

Gate 01  ·  Window

Every finding has a window of time.

Lifetime, last 90 days, last 30 days, or live. The window sits next to the number. A finding without a window is a finding that cannot be checked, and we treat it as invalid.

Gate 02  ·  Sample

Every finding has a sample size.

A pattern observed across fewer than 20 events is labelled directional. Fewer than 10 events and the finding is removed, even if the founder specifically asked about it. The bar is the bar.

Gate 03  ·  Visual proof

Every live-store finding has a screenshot.

Taken during the audit, URL visible in the address bar, saved to a dated folder we keep on file. If the screenshot does not exist, the finding does not appear in the report. No exceptions.

04How the dollars get computed

Four estimation modes. Each finding declares which one it used.

There is no proprietary engine. No black box. The mode used for each finding is stated next to the amount inside the report, so the reader can audit the math. The full framework lives on the methodology page.

MODE A

From the store's own data

The formula is written in plain language inside the report. Example: weighted average shipping margin gap per order in the under $80 bracket, multiplied by orders in that bracket over 90 days, annualized.

MODE B

From industry deltas

The gap between the store's observed rate and a published median for the vertical, applied to the relevant 12-month base. Source cited inline.

MODE C

From baseline benchmarks

A published industry benchmark applied to the store's own observed volume. Conservative end of the range used. Benchmark source named.

MODE D

Observed gap, no projection

Some findings have no defensible number. A privacy policy untouched since the GDPR deadline gets flagged with the risk written out and no recovery amount attached. We do not invent dollars we cannot defend.

05What the Loom is for

The Loom is the tour. The PDF is the destination.

Eight to twelve minutes, recorded after the PDF is finalized. The founder watches it once before reading the report, and the order of the findings, the severity tags, and the math conventions become immediately legible. After that, the PDF stands on its own.

We do not record the Loom during the audit. The PDF leads. The voice follows.

06What is deliberately not included

The scope is narrow on purpose.

The Scan is the diagnostic. It is priced to stand alone and credited at 100% against a Seal if the upgrade happens within 14 days.

07Where AI fits

The AI handles the parts where a human would be slower.

Reading policy page text, grouping discount codes by risk profile, comparing the store's metrics against patterns we have already documented. The AI does the first pass on those. A human reads what comes out, throws away what does not hold up against the hard gates, and writes the finding.

We use off-the-shelf models. We did not train our own. What we wrote is the prompts, the detection rules, and the scoring that make a generic model useful for auditing a Shopify store.

08Why we built it this way

Founders who have run a store for two years have already paid for several audits.

They are unimpressed by Looms and skeptical of decks. What persuades them is a document they can hand to an operator, an agency, or a freelancer, and have that person execute against without asking a follow-up question.

The Fortis Scan is built to be that document. Every finding ships with a number, a window, a sample, and a screenshot, because that is the format that survives the handoff.

The audit is the artifact. The artifact is the price.

Want one built for your store?

The Fortis Scan covers everything described on this page in 48 to 72 hours after read-only access is granted.

See pricing  → Read the methodology
Speed