Supergood | AuditBoard API
Programmatically access AuditBoard audit plans, SOX controls, risk registers, test results, issues and remediation, PBC requests, and evidence with a stable REST API. Supergood builds and operates production-grade, unofficial AuditBoard integrations so your team can automate GRC, regtech, and audit workflows without heavy custom engineering.
Plain English: AuditBoard is cloud software for audit, risk, and compliance teams to manage SOX and internal controls, operational audits, enterprise/IT risk, and regulatory frameworks end-to-end. An unofficial API lets you programmatically pull audits, risk registers, controls and control matrices, test results, issues/findings, remediation tasks, requests, and evidence—and push new records or updates back into AuditBoard.
For a tech company integrating with AuditBoard, this means you can ingest real-time control and risk data to power dashboards, sync issues and remediation to ITSM and dev tools (e.g., ServiceNow, Jira), automate evidence requests and uploads from your product, trigger attestations from your identity platform (e.g., Okta), and keep stakeholder systems (data warehouse, analytics, policy, ticketing) aligned with audit status.
What is AuditBoard?
AuditBoard (https://www.auditboard.com/) is a cloud platform for audit, SOX and internal controls, risk, and compliance management used by internal audit, SOX, and InfoSec teams. It centralizes risk and control inventories, audit planning and workpapers, walkthroughs and testing, issues and remediation, compliance frameworks and crosswalks, evidence collection, and reporting.
Core product areas include:
- SOX & Controls Management (Control library, narratives, procedures, testing, certifications)
- Internal Audit Management (Audit planning, workpapers, testing, findings, reporting)
- Risk Management (ERM and IT risk registers, assessments, KRIs, mitigations)
- Compliance & Frameworks (Requirement libraries, mappings/crosswalks, policy attestations)
- Evidence & Requests (PBC request workflows, file/evidence management, approvals)
- Reporting & Dashboards (Control effectiveness, risk heatmaps, audit status, SLA/aging)
Common data entities:
- Organizations, Business Units/Processes, Users, Roles/Permissions
- Audits & Programs (SOX, operational, ITGC, compliance)
- Risks (enterprise, IT, process-level) and KRIs
- Controls (design attributes, owners, frequency, key/ITGC flags) and Control-Requirement mappings
- Tests & Workpapers (procedures, samples, conclusions)
- Issues/Findings, Action Plans, Remediation Tasks
- Requests (PBC/evidence requests), Responses, Evidence/Attachments
- Frameworks & Requirements (e.g., SOX, ISO 27001, NIST CSF, SOC 2) and Crosswalks
The AuditBoard Integration Challenge
AuditBoard is widely adopted for GRC, but turning portal-based workflows into API-driven automation can be tricky:
- Role- and period-aware data: Auditors, control owners, and approvers see different states by period, entity, and assignment
- Evidence and file handling: Large attachments, versioning, and approval trails require resilient upload flows
- Cross-module relationships: Risks link to controls, controls to tests and requirements, findings to remediation and re-testing
- Authentication complexity: SSO/MFA and rotating session tokens complicate headless automation
- Compliance rigor: SOX, ITGC, and regulatory workflows impose strict state transitions and auditability
How Supergood Creates AuditBoard APIs
Supergood reverse-engineers AuditBoard's authenticated browser flows and network interactions to deliver a resilient, unofficial API layer for your tenant.
- Handles username/password sign-in, SSO/OAuth, and MFA challenges (SMS, email, TOTP)
- Maintains session continuity with automated token refresh and change detection
- Normalizes responses so you integrate once and receive consistent objects across modules
- Operates within the entitlements and role-based permissions of the account it signs in with, so the API can never read or write more than that user could in the portal; a dedicated service account granted only the modules you need keeps that boundary tight
Use Cases
Controls & SOX Data Sync
- Mirror control libraries, narratives, and test conclusions to your data warehouse
- Push automated testing results (design/operating effectiveness) and exception details from your monitoring tools
- Keep control owners, frequencies, and mappings to frameworks current for reporting
Issue & Remediation Automation
- Create issues/findings from failed tests with consistent severity and root cause coding
- Sync remediation tasks and SLAs to ServiceNow or Jira; update statuses bi-directionally
- Trigger re-testing workflows automatically upon remediation evidence submission
ERM & IT Risk
- Ingest risk registers and assessments; propagate KRIs/KPIs from telemetry and third-party data
- Update risk scores, likelihood/impact, and mitigation ownership programmatically
- Align risks to business units and processes for executive dashboards
Compliance & Evidence Orchestration
- Generate and assign PBC/evidence requests at scale with due dates and categories
- Upload evidence artifacts from your product and validate completion via webhooks
- Map controls to frameworks/requirements and surface compliance posture in your platform
Available Endpoints
Authentication
POST /sessions: Establish a session using the AuditBoard user's credentials. The Authorization header on this call carries your Supergood integration credential (Basic); the response returns a short-lived authToken, maintained by the platform, that every subsequent call sends as a Bearer token. Supergood manages MFA (SMS, email, TOTP) and SSO/OAuth when enabled.
curl --request POST \
--url https://api.supergood.ai/integrations/<integration_id>/sessions \
--header 'Authorization: Basic <Base64 encoded token>' \
--header 'Content-Type: application/json' \
--data '{
"username": "[email protected]",
"password": "<password>",
"mfa": { "type": "totp", "code": "123456" }
}'
Example response
{
"authToken": "eyJhbGciOi...",
"expiresIn": 3600,
"user": {
"id": "u_ab_7f129a",
"name": "Audit Manager",
"entitlements": ["audits", "controls", "tests", "issues", "requests"]
}
}
POST /sessions/refresh: Refresh an existing token to keep sessions uninterrupted. Schedule the refresh before the expiresIn window from the original response elapses rather than waiting for a rejected call.
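The two-credential flow above (Basic integration credential on POST /sessions, Bearer authToken afterwards, refresh before expiresIn) as a small Python client. This is an added example, not Supergood's client library: it assumes only the request and response shapes shown on this page, and the HTTP transport is injected so it runs offline against a constructed fake tenant. The RFC 6238 TOTP routine is for automations that hold the TOTP seed themselves and fill in mfa.code, as the curl example does; the seed name, token format and fake-tenant behaviour are assumptions.

```python
"""Session lifecycle against the Supergood /sessions endpoints (added example,
not Supergood's client). Assumes only the shapes shown above: POST /sessions
returns authToken/expiresIn/user, POST /sessions/refresh returns the same
token shape. The HTTP transport is injected so this runs offline against the
constructed FakeTenant below; pass a real HTTP function in production."""
import base64, hashlib, hmac, struct, time
from typing import Callable, Optional

BASE = "https://api.supergood.ai/integrations"


def totp(secret_b32: str, at: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for mfa.code when the automation holds the seed.
    The seed is then a second static secret: store it with the password."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SupergoodSession:
    """Basic integration credential for /sessions, Bearer authToken afterwards,
    refreshed REFRESH_MARGIN seconds before expiresIn rather than after a 401."""
    REFRESH_MARGIN = 60

    def __init__(self, integration_id: str, basic_token: str,
                 transport: Callable[[str, str, dict, Optional[dict]], dict],
                 clock: Callable[[], float] = time.time) -> None:
        self.base = f"{BASE}/{integration_id}"
        self._basic = "Basic " + basic_token   # Supergood-issued Base64 token (shape assumed)
        self._send, self._clock = transport, clock
        self.token: Optional[str] = None
        self._expires_at = 0.0

    def login(self, username: str, password: str, totp_secret: Optional[str] = None) -> dict:
        body = {"username": username, "password": password}
        if totp_secret is not None:
            body["mfa"] = {"type": "totp", "code": totp(totp_secret, int(self._clock()))}
        resp = self._send("POST", f"{self.base}/sessions",
                          {"Authorization": self._basic, "Content-Type": "application/json"}, body)
        self._store(resp)
        return resp["user"]

    def request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        """Authenticated call; the password never leaves login()."""
        if self.token is None:
            raise RuntimeError("call login() first")
        if self._clock() >= self._expires_at - self.REFRESH_MARGIN:
            self._store(self._send("POST", f"{self.base}/sessions/refresh",
                                   {"Authorization": "Bearer " + self.token}, None))
        return self._send(method, f"{self.base}{path}",
                          {"Authorization": "Bearer " + self.token,
                           "Content-Type": "application/json"}, body)

    def _store(self, resp: dict) -> None:
        self.token = resp["authToken"]
        self._expires_at = self._clock() + int(resp["expiresIn"])


class FakeTenant:
    """Constructed stand-in for api.supergood.ai (not real behaviour): checks the
    TOTP code on login, issues numbered tokens, counts refreshes."""
    def __init__(self, totp_secret: str, clock: Callable[[], float]) -> None:
        self.secret, self.clock, self.issued, self.refreshes = totp_secret, clock, 0, 0

    def __call__(self, method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
        auth = headers.get("Authorization", "")
        if url.endswith("/sessions"):
            if not auth.startswith("Basic ") or \
               (body or {}).get("mfa", {}).get("code") != totp(self.secret, int(self.clock())):
                raise PermissionError("integration credential and a valid TOTP code are required")
        elif url.endswith("/sessions/refresh"):
            self.refreshes += 1
        elif auth.startswith("Bearer tok-"):
            return {"items": [], "page": 1, "pageSize": 50, "total": 0}
        else:
            raise PermissionError("bearer token required")
        self.issued += 1
        return {"authToken": f"tok-{self.issued}", "expiresIn": 3600,
                "user": {"id": "u_ab_7f129a", "entitlements": ["audits"]}}


def demo() -> dict:
    """Login, one call inside the token lifetime, one inside the refresh margin."""
    now = [1_700_000_000.0]                  # controllable fake clock
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test seed, constructed input
    tenant = FakeTenant(seed, lambda: now[0])
    s = SupergoodSession("int_demo", "ZGVtbzpkZW1v", tenant, lambda: now[0])
    s.login("svc-audit-api", "<password>", seed)
    first = s.token
    s.request("GET", "/audits?type=sox")     # no refresh yet
    now[0] += 3600 - 30                      # within REFRESH_MARGIN of expiry
    s.request("GET", "/audits?type=sox")     # refreshed before any 401
    return {"first": first, "after": s.token, "refreshes": tenant.refreshes}


if __name__ == "__main__":
    print(demo())  # {'first': 'tok-1', 'after': 'tok-2', 'refreshes': 1}
```

Refreshing on a clock rather than on the first rejected call means a long-running sync never has a half-finished page invalidated mid-flight. Note what the fake tenant makes visible: once the TOTP seed sits next to the password in your automation, MFA protects against credential theft only as well as the secrets store that holds both.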
Audits
GET /audits: List audits and programs with filters and summary details.
Query parameters
- type: sox | operational | itgc | compliance
- year: integer (e.g., 2026)
- businessUnitId: string
- status: planning | fieldwork | reporting | closed
- updatedFrom, updatedTo: ISO 8601 timestamps
- page, pageSize: integers for pagination
Example response
{
"items": [
{
"auditId": "aud_9b41c2",
"name": "FY2026 SOX – Revenue Process",
"type": "sox",
"status": "fieldwork",
"period": {
"start": "2026-01-01",
"end": "2026-12-31"
},
"businessUnit": {
"id": "bu_rev_101",
"name": "Revenue Operations"
},
"owner": { "id": "u_ab_1d02", "name": "Jane Patel" },
"controlCount": 18,
"openIssues": 3,
"updatedAt": "2026-01-20T14:30:12Z"
}
],
"page": 1,
"pageSize": 50,
"total": 1
}
Controls
GET /controls: Retrieve controls with risk and framework mappings.
Query parameters
- processId: string
- frameworkId: string (e.g., "iso27001", "sox")
- ownerId: string
- updatedFrom, updatedTo: ISO 8601 timestamps
- page, pageSize: integers for pagination
Example response
{
"items": [
{
"controlId": "ctl_45f9a0",
"name": "Segregation of Duties – Revenue Recognition",
"process": "Revenue",
"objective": "Prevent improper revenue recognition entries",
"type": { "key": true, "preventive": true, "itgc": false },
"frequency": "monthly",
"owners": [ {"id": "u_ab_59a0", "name": "Michael Lin"} ],
"risks": [ {"riskId": "risk_201", "name": "Revenue Misstatement"} ],
"frameworkMappings": [
{ "framework": "sox", "requirementId": "sox_302", "citation": "Management Certifications" },
{ "framework": "nist_csf", "requirementId": "PR.AC-1", "citation": "Identities and credentials" }
],
"designStatus": "effective",
"lastTestedAt": "2026-01-18T09:11:44Z",
"lastTestResult": "pass",
"updatedAt": "2026-01-20T12:02:09Z"
}
],
"page": 1,
"pageSize": 50,
"total": 1
}
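GET /audits and GET /controls share the same page/pageSize envelope and updatedFrom/updatedTo filters, which is what an incremental warehouse sync needs. The following is an added example, not Supergood code: it assumes only the documented parameters and the items/page/pageSize/total response shape, takes the fetch function as a parameter so it runs offline, and uses a constructed list of controls as the fake tenant's data.

```python
"""Incremental, paginated sync for the list endpoints above (GET /audits,
GET /controls). Added example, not Supergood code. Assumes only the documented
parameters (page, pageSize, updatedFrom) and the items/page/pageSize/total
envelope; `fetch(path_with_query) -> dict` is injected so it runs offline."""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


def sync_since(fetch: Callable[[str], dict], path: str, id_field: str,
               watermark: Optional[str], filters: Optional[Dict[str, str]] = None,
               page_size: int = 50) -> Tuple[List[dict], Optional[str]]:
    """Pull every record updated at or after `watermark`; return (records, new_watermark).
    updatedFrom is treated as inclusive, and a record can move between pages while we
    iterate, so results are de-duplicated by id instead of appended blindly."""
    params: Dict[str, str] = dict(filters or {})
    if watermark:
        params["updatedFrom"] = watermark
    params["pageSize"] = str(page_size)
    seen: Dict[str, dict] = {}
    newest, page = watermark, 1
    while True:
        params["page"] = str(page)
        resp = fetch(f"{path}?{urlencode(params)}")
        for item in resp["items"]:
            seen[item[id_field]] = item          # last write wins for a re-paged record
            if newest is None or item["updatedAt"] > newest:
                newest = item["updatedAt"]       # ISO 8601 UTC timestamps sort lexically
        if not resp["items"] or page * resp["pageSize"] >= resp["total"]:
            break
        page += 1
    return list(seen.values()), newest


# Constructed sample rows in the shape of the GET /controls response above.
CONTROLS = [
    {"controlId": f"ctl_{i:04x}", "name": f"Control {i}",
     "updatedAt": f"2026-01-{10 + i:02d}T09:00:00Z"}
    for i in range(1, 8)
]


class FakeList:
    """Constructed stand-in for a list endpoint: honours page, pageSize and
    updatedFrom, and records every query it receives."""
    def __init__(self, rows: List[dict]) -> None:
        self.rows, self.calls = rows, []

    def __call__(self, url: str) -> dict:
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        self.calls.append(q)
        rows = [r for r in self.rows if r["updatedAt"] >= q.get("updatedFrom", "")]
        size, page = int(q["pageSize"]), int(q["page"])
        return {"items": rows[(page - 1) * size: page * size],
                "page": page, "pageSize": size, "total": len(rows)}


def demo() -> dict:
    """Full load, then a delta run after one control changes."""
    fake = FakeList(list(CONTROLS))
    full, wm = sync_since(fake, "/controls", "controlId", None,
                          {"frameworkId": "sox"}, page_size=3)
    pages_full = len(fake.calls)
    fake.rows.append({"controlId": "ctl_0001", "name": "Control 1 (owner changed)",
                      "updatedAt": "2026-01-20T12:00:00Z"})
    delta, wm2 = sync_since(fake, "/controls", "controlId", wm,
                            {"frameworkId": "sox"}, page_size=3)
    return {"full": len(full), "pages_full": pages_full, "wm": wm,
            "delta": [r["controlId"] for r in delta], "wm2": wm2}


if __name__ == "__main__":
    print(demo())
```

The delta run deliberately re-reads the record sitting exactly on the watermark (inclusive updatedFrom) alongside the changed one; persisting the returned watermark and de-duplicating by id is what keeps repeated runs idempotent against the warehouse.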
Control Test Results
POST /controls/{controlId}/tests: Create a control test result (design or operating effectiveness) with procedures, samples, exceptions, and evidence.
curl --request POST \
--url https://api.supergood.ai/integrations/<integration_id>/controls/ctl_45f9a0/tests \
--header 'Authorization: Bearer <authToken>' \
--header 'Content-Type: application/json' \
--data '{
"testType": "operating_effectiveness",
"periodStart": "2026-01-01",
"periodEnd": "2026-03-31",
"sampleSize": 25,
"procedures": [
{"id": "proc_1", "description": "Reperform monthly review of rev JE approvals"},
{"id": "proc_2", "description": "Inspect evidence for 25 sampled entries"}
],
"result": "fail",
"exceptions": [
{
"description": "2/25 entries lacked documented approval",
"severity": "moderate",
"impact": "potential control failure for Feb and Mar"
}
],
"evidence": [
{"fileName": "rev_JE_approvals_Q1.zip", "uploadToken": "upl_872ab1"}
],
"testerId": "u_ab_7f129a",
"reviewerId": "u_ab_1d02",
"testedAt": "2026-04-05T16:22:00Z",
"conclusionNotes": "Repeat exception noted in Feb and Mar; escalate to issue."
}'
Example response
{
"testId": "tst_9012aa",
"controlId": "ctl_45f9a0",
"status": "pending_review",
"result": "fail",
"exceptionCount": 1,
"createdAt": "2026-04-05T16:23:10Z"
}
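Automated testing results are only as consistent as the code that classifies them, so the result, severity and conclusion should be derived from the sample rather than typed by a caller. The following added example (not Supergood or AuditBoard code) builds the request body shown above from a constructed sample of manual revenue journal entries; the tolerable-exception count and severity bands are an assumed policy for illustration, not AuditBoard's.

```python
"""Turn monitoring output into a POST /controls/{controlId}/tests body of the
shape shown above. Added example, not Supergood code; TOLERABLE_EXCEPTIONS and
SEVERITY_BANDS are an assumed policy. The journal-entry sample is constructed."""
from dataclasses import dataclass
from typing import List, Optional

TOLERABLE_EXCEPTIONS = 0   # assumed: a key control tolerates no deviations in the sample
SEVERITY_BANDS = ((0.10, "moderate"), (1.0, "significant"))  # assumed: by exception rate


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    period: str              # e.g. "2026-02"
    approver: Optional[str]  # None means no documented approval


def severity_for(rate: float) -> str:
    for ceiling, label in SEVERITY_BANDS:
        if rate <= ceiling:
            return label
    return SEVERITY_BANDS[-1][1]


def build_test_payload(sample: List[JournalEntry], period_start: str, period_end: str,
                       tester_id: str, reviewer_id: str, tested_at: str) -> dict:
    """Classify the sample and emit the test body. `result` is computed from the
    exception count so every automated run of this control is coded the same way."""
    missing = [e for e in sample if not e.approver]
    n = len(sample)
    result = "pass" if len(missing) <= TOLERABLE_EXCEPTIONS else "fail"
    exceptions = []
    if missing:
        months = sorted({e.period for e in missing})
        exceptions.append({
            "description": f"{len(missing)}/{n} entries lacked documented approval",
            "severity": severity_for(len(missing) / n),
            "impact": "potential control failure for " + ", ".join(months),
        })
    ids = ", ".join(e.entry_id for e in missing)
    return {
        "testType": "operating_effectiveness",
        "periodStart": period_start,
        "periodEnd": period_end,
        "sampleSize": n,
        "procedures": [
            {"id": "proc_1", "description": "Reperform monthly review of revenue JE approvals"},
            {"id": "proc_2", "description": f"Inspect approval evidence for {n} sampled entries"},
        ],
        "result": result,
        "exceptions": exceptions,
        "evidence": [],   # add {"fileName", "uploadToken"} items from your upload step
        "testerId": tester_id,
        "reviewerId": reviewer_id,
        "testedAt": tested_at,
        "conclusionNotes": (f"Exceptions in {ids}; escalate to issue." if result == "fail"
                            else "No exceptions noted in the sample."),
    }


def should_escalate(payload: dict) -> bool:
    """Every failed test becomes an issue/finding so remediation is tracked."""
    return payload["result"] == "fail"


def sample_q1() -> List[JournalEntry]:
    """Constructed Q1 sample: 25 manual revenue JEs, two without approval (Feb, Mar)."""
    rows = [JournalEntry(f"JE-{i:03d}", f"2026-0{1 + (i % 3)}", "controller") for i in range(25)]
    rows[4] = JournalEntry("JE-004", "2026-02", None)
    rows[20] = JournalEntry("JE-020", "2026-03", None)
    return rows


if __name__ == "__main__":
    body = build_test_payload(sample_q1(), "2026-01-01", "2026-03-31",
                              "u_ab_7f129a", "u_ab_1d02", "2026-04-05T16:22:00Z")
    print(body["result"], body["exceptions"], should_escalate(body))
```

Keeping the failing entry identifiers in conclusionNotes gives the reviewer a direct trail from the test record back to the sampled items without inventing fields the endpoint does not document.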
Evidence Requests (PBC)
POST /audits/{auditId}/requests: Create PBC/evidence requests with assignments and due dates.
curl --request POST \
--url https://api.supergood.ai/integrations/<integration_id>/audits/aud_9b41c2/requests \
--header 'Authorization: Bearer <authToken>' \
--header 'Content-Type: application/json' \
--data '{
"title": "Provide February revenue JE approval screenshots",
"description": "Upload approvals for all manual revenue JEs in Feb 2026",
"category": "evidence",
"controlId": "ctl_45f9a0",
"dueDate": "2026-02-28",
"assignees": ["u_ab_59a0"],
"notifyAssignees": true,
"attachments": [
{"fileName": "sample_list.xlsx", "uploadToken": "upl_18acf3"}
],
"tags": ["SOX", "Revenue"]
}'
Example response
{
"requestId": "req_4c19ef",
"status": "open",
"dueDate": "2026-02-28",
"assigneeCount": 1,
"createdAt": "2026-01-22T10:41:02Z"
}
Technical Specifications
- Authentication: Username/password with MFA (SMS, email, TOTP) and SSO/OAuth where enabled; supports service accounts or customer-managed credentials
- Response format: JSON with consistent resource schemas and pagination across modules
- Rate limits: Tuned for enterprise throughput while honoring customer entitlements and usage controls
- Session management: Automatic reauth and cookie/session rotation with health checks
- Data freshness: Near real-time retrieval of audits, controls, tests, issues, requests, and compliance objects
- Security: Encrypted transport, scoped tokens, and audit logging; respects AuditBoard role-based permissions
- Webhooks: Optional asynchronous delivery for long-running workflows (e.g., evidence submissions, issue status changes)
Performance Characteristics
- Latency: Sub-second responses for list/detail queries under normal load
- Throughput: Designed for high-volume control/test ingestion and request/issue processing
- Reliability: Retry logic, backoff, and idempotency keys minimize duplicate actions
- Adaptation: Continuous monitoring for UI/API changes with rapid adapter updates
Getting Started
- Schedule Integration Assessment
Book a 30-minute session to confirm your modules, licensing, and authentication model.
- Supergood Builds and Validates Your API
We deliver a hardened AuditBoard adapter tailored to your workflows and entitlements.
- Deploy with Monitoring
Go live with continuous monitoring and automatic adjustments as AuditBoard evolves.
Frequently Asked Questions
Q: Which AuditBoard modules can this integration cover?
Supergood supports workflows across commonly used modules such as SOX & Controls Management (Control Library, Certifications), Internal Audit (Workpapers, Testing, Issues), Risk Management (ERM, IT Risk), and Compliance (Framework mappings, attestations), subject to your licensing and entitlements. We scope coverage during integration assessment.
Q: How are MFA and SSO handled for automation?
We support username/password + MFA (SMS, email, TOTP) and can operate behind SSO/OAuth when enabled. Sessions are refreshed automatically with secure challenge handling.
Q: Can you sync issues and remediation to our ITSM or dev tools?
Yes. We can normalize issues/findings and action plans to match your ITSM and engineering schemas (e.g., ServiceNow incidents, Jira issues) and deliver updates via webhooks or polling while complying with rate and permission constraints.
Q: Do you support evidence uploads and large files?
Yes. We support signed uploads with checksum validation and time-limited URLs, plus resumable transfers for large evidence packages. Completion and approval states are modeled explicitly in our normalized responses.
Related Integrations
Intralinks API - Programmatically access the Intralinks VDR with Supergood
Ready to automate your AuditBoard workflows?
Supergood can have your AuditBoard integration live in days with no ongoing engineering maintenance.