Workiva

Supergood | Workiva API

Alex Klarfeld

Alex Klarfeld

6 min read

Programmatically access Workiva connected reporting, SOX controls, audit testing, certifications, ESG metrics, and disclosure workflows with a stable REST API. Supergood builds and operates production-grade, unofficial Workiva integrations so your team can automate GRC and audit processes without heavy custom engineering.

Plain English: Workiva is enterprise software for connected reporting and compliance. It brings together financial reporting (including SEC/XBRL), GRC (risk, controls, audits), certifications, and ESG/sustainability in one cloud platform. An unofficial API lets you programmatically pull control libraries, risks, test plans and results, audit issues, evidence requests, certifications/sign-offs, documents, datasets, and ESG metrics—and push new records or updates back into Workiva.

For a tech company integrating with Workiva, this means you can ingest real-time control and risk data to power dashboards, orchestrate testing workflows from your product, automate PBC/evidence collection, trigger subcertifications and approvals, manage issues and remediation plans, and sync reporting data to your analytics stack (e.g., Snowflake) or ERP (e.g., NetSuite, SAP). You can enrich your platform with disclosure mappings, ESG framework alignment, and filing-readiness signals, while keeping stakeholder systems (compliance, audit, analytics) in lockstep.

What is Workiva?

Workiva (https://www.workiva.com/) is a cloud platform for connected reporting and compliance teams across finance, accounting, risk, internal audit, legal, and sustainability. Organizations use Workiva to manage SOX and internal controls, maintain risk registers, execute audit programs and testing, coordinate certifications and disclosure controls, produce SEC filings with XBRL, and standardize ESG reporting across frameworks—all with role-aware workflows, data-linking, and document traceability.

Core product areas include:

  • Connected Reporting & Documents (linked documents, spreadsheets, presentations, data tables)
  • Financial Reporting & SEC Filing (10-K, 10-Q, 8-K, XBRL tagging, filing packages)
  • GRC: Risk, Controls, SOX, Audit (risk registers, control libraries, test plans, issues, evidence)
  • Certifications & Disclosure Management (subcertifications, sign-offs, approvals, attestations)
  • ESG & Sustainability (framework mapping, metric collection, audit trails)
  • Workflow Automation (tasks, reminders, routing, role-based permissions)

Common data entities:

  • Workspaces, Users, Roles/Permissions
  • Risks, Processes, Controls (metadata, owners, frequency, type)
  • Tests (design/operating effectiveness, methodology, samples, results)
  • Evidence Requests and Attachments (PBC items, artifacts)
  • Issues/Findings (severity, root cause, remediation)
  • Certifications (recipients, statements, due dates, approvals)
  • Documents/Sections and Linked Data (XBRL tags, disclosure mappings)
  • Datasets/Tables (source data, links, refresh state)
  • Filings (form types, status, EDGAR readiness)
  • ESG Metrics & Framework Mappings (GRI, SASB, CSRD, TCFD)

The Workiva Integration Challenge

Compliance and audit teams rely on Workiva daily, but turning portal-first workflows into API-driven automation is non-trivial:

  • Role-aware permissions: Controls, tests, certifications, filings, and ESG data restrict visibility by role and workspace
  • Audit rigor: Linked data, versioning, XBRL tagging, and immutable audit trails require careful handling
  • Document-centric flows: Certifications, evidence uploads, and disclosure controls are optimized for front-end interactions
  • Authentication complexity: SSO/MFA and session lifecycles complicate headless automation
  • Data spread: Key objects span controls, risks, tests, issues, certifications, documents, and datasets with relationships across modules

How Supergood Creates Workiva APIs

Supergood reverse-engineers authenticated browser flows and network interactions to deliver a resilient API endpoint layer for your Workiva tenant.

  • Handles username/password, SSO/OAuth, and MFA (SMS, email, TOTP) securely
  • Maintains session continuity with automated refresh and change detection
  • Normalizes responses so you can integrate once and rely on consistent objects across modules
  • Aligns with customer entitlements and role-based permissions to ensure compliant access

Use Cases

Controls, Risks & User Data Sync

  • Mirror control libraries, risk registers, and owners into your internal systems
  • Keep control metadata current for analytics and reporting (frequency, type, assertions)
  • Normalize statuses and relationships (risk → process → control) across multiple workspaces

Testing & Issue Management Automation

  • Create test plans and assign work from your product, then track results back to Workiva
  • Automate PBC/evidence requests and attachments with reminders and SLAs
  • Update issue severity, remediation plans, and target dates programmatically

Certifications & Disclosure Controls

  • Initiate subcertifications and control owner attestations in bulk
  • Monitor recipient completion, escalate past-due items, and archive artifacts
  • Link certifications to controls/disclosures for end-to-end traceability

Reporting & ESG/SEC Sync

  • Pull disclosure mappings and XBRL tag coverage to inform filing readiness
  • Ingest ESG metrics and framework alignment to power sustainability dashboards
  • Push status updates to keep analytics, ERP, and compliance tools synchronized

Available Endpoints

Authentication

POST /sessions: Establish a session using credentials. Supergood manages MFA (SMS, email, TOTP) and SSO/OAuth when enabled. Returns a short-lived auth token maintained by the platform.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/sessions \
  --header 'Authorization: Basic <Base64 encoded token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "username": "[email protected]",
    "password": "<password>",
    "mfa": { "type": "totp", "code": "123456" }
  }'

Example response

{
  "authToken": "eyJhbGciOi...",
  "expiresIn": 3600,
  "user": {
    "id": "u_wkv_7a21d0",
    "name": "Audit Lead",
    "entitlements": ["controls", "risks", "tests", "issues", "certifications", "documents", "datasets"]
  }
}

POST /sessions/refresh: Refresh an existing token to keep sessions uninterrupted.

Controls

GET /workspaces/{workspaceId}/controls: List controls with filters and summary details.

Query parameters

  • framework: sox_404 | coso | iso_27001 | custom
  • status: active | archived
  • type: manual | automated | it_general
  • key: true | false
  • riskId: string
  • ownerId: string
  • processId: string
  • updatedFrom, updatedTo: ISO 8601 timestamps
  • page, pageSize: integers for pagination

Example response

{
  "items": [
    {
      "controlId": "ctl_9f21b3",
      "name": "Revenue Recognition Cutoff",
      "description": "Verify shipments and invoices recognized in correct period.",
      "processId": "proc_rev_001",
      "processName": "Order-to-Cash",
      "riskId": "risk_rev_misstmt",
      "riskName": "Revenue Misstatement",
      "assertions": ["Completeness", "Accuracy"],
      "type": "manual",
      "frequency": "monthly",
      "key": true,
      "status": "active",
      "owner": {"userId": "u_wkv_2c3a10", "name": "Finance Manager"},
      "lastTest": {"date": "2026-01-15", "result": "operating_pass"},
      "tags": ["SOX", "Revenue"]
    }
  ],
  "page": 1,
  "pageSize": 50,
  "total": 1
}

Tests

POST /workspaces/{workspaceId}/tests: Create a control test with methodology, sample size, and evidence requests.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/workspaces/wsp_42dc1a/tests \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "controlId": "ctl_9f21b3",
    "periodStart": "2025-10-01",
    "periodEnd": "2025-12-31",
    "testType": "operating",
    "methodology": "attribute_sampling",
    "sampleSize": 25,
    "attributes": [
      {"name": "Invoice Date vs Ship Date", "criteria": "<= 3 days"},
      {"name": "Authorized Signature Present", "criteria": "required"}
    ],
    "assignedToUserId": "u_wkv_7a21d0",
    "dueDate": "2026-02-10",
    "evidenceRequests": [
      {"description": "Provide 25 sample invoices and BOLs", "requesteeUserId": "u_wkv_88b32e"}
    ],
    "references": [
      {"type": "document", "id": "doc_rev_policy_v3"}
    ],
    "attachments": [
      {"fileName": "test_plan.pdf", "uploadToken": "upl_08ab73"}
    ]
  }'

Example response

{
  "testId": "tst_90e412",
  "status": "open",
  "controlId": "ctl_9f21b3",
  "createdAt": "2026-01-21T10:03:11Z"
}

Certifications

POST /workspaces/{workspaceId}/certifications: Initiate a certification/subcertification request tied to controls or disclosures.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/workspaces/wsp_42dc1a/certifications \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "title": "Q4 Revenue Controls Subcertification",
    "type": "subcertification",
    "periodStart": "2025-10-01",
    "periodEnd": "2025-12-31",
    "statement": "I certify that the controls listed remain effective and were performed as designed during the period.",
    "recipients": [
      {"userId": "u_wkv_2c3a10", "role": "certifier"},
      {"userId": "u_wkv_9ab441", "role": "approver"}
    ],
    "dueDate": "2026-02-05",
    "reminders": {"frequencyDays": 3},
    "relatedObjects": {"controlIds": ["ctl_9f21b3", "ctl_71c0ee"], "riskIds": []},
    "attachments": [
      {"fileName": "control_listing_q4.xlsx", "uploadToken": "upl_7fa223"}
    ],
    "requireMFA": true
  }'

Example response

{
  "certificationId": "cert_51af80",
  "status": "pending",
  "recipientCount": 2,
  "createdAt": "2026-01-21T11:20:44Z"
}

Issues

PATCH /workspaces/{workspaceId}/issues/{issueId}: Update audit issue status, severity, remediation plan, and target date.

curl --request PATCH \
  --url https://api.supergood.ai/integrations/<integration_id>/workspaces/wsp_42dc1a/issues/iss_7c3d21 \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "status": "in_remediation",
    "severity": "high",
    "rootCause": "Manual cutoff checks not consistently performed",
    "remediationPlan": "Implement automated cutoff report and require monthly review sign-off.",
    "targetDate": "2026-03-15",
    "ownerUserId": "u_wkv_9ab441",
    "resolutionNotes": "Automated report development started in Jan.",
    "attachments": [
      {"fileName": "remediation_plan.docx", "uploadToken": "upl_9bc014"}
    ],
    "labels": ["SOX", "Revenue", "Remediation"]
  }'

Example response

{
  "issueId": "iss_7c3d21",
  "status": "in_remediation",
  "severity": "high",
  "updatedAt": "2026-01-22T08:15:12Z"
}

Get full API Specs →

Technical Specifications

  • Authentication: Username/password with MFA (SMS, email, TOTP) and SSO/OAuth where enabled; supports service accounts or customer-managed credentials
  • Response format: JSON with consistent resource schemas and pagination across modules
  • Rate limits: Tuned for enterprise throughput while honoring customer entitlements and usage controls
  • Session management: Automatic reauth and cookie/session rotation with health checks
  • Data freshness: Near real-time retrieval of controls, risks, tests, issues, certifications, documents, and datasets
  • Security: Encrypted transport, scoped tokens, and audit logging; respects Workiva role-based permissions
  • Webhooks: Optional asynchronous delivery for long-running workflows (e.g., certifications, evidence collection)

Performance Characteristics

  • Latency: Sub-second responses for list/detail queries under normal load
  • Throughput: Designed for high-volume control library sync and testing/certification processing
  • Reliability: Retry logic, backoff, and idempotency keys minimize duplicate actions
  • Adaptation: Continuous monitoring for UI/API changes with rapid adapter updates

Getting Started

  1. Schedule Integration Assessment

Book a 30-minute session to confirm your modules, licensing, and authentication model.

  1. Supergood Builds and Validates Your API

We deliver a hardened Workiva adapter tailored to your workflows and entitlements.

  1. Deploy with Monitoring

Go live with continuous monitoring and automatic adjustments as Workiva evolves.

Schedule Integration Call →

Frequently Asked Questions

Q: Which Workiva modules can this integration cover?

Supergood supports workflows across commonly used modules such as GRC (Risks, Controls, Tests, Issues, Evidence), Certifications/Disclosure Controls, Connected Reporting (Documents, Datasets), and ESG, subject to your licensing and entitlements. We scope coverage during integration assessment.

Q: How are MFA and SSO handled for automation?

We support username/password + MFA (SMS, email, TOTP) and can operate behind SSO/OAuth when enabled. Sessions are refreshed automatically with secure challenge handling.

Q: Can you automate certifications and evidence collection?

Yes. We can initiate certifications, manage recipients and reminders, and orchestrate evidence requests/uploads via signed URLs, with checksum validation and time-limited links. Status changes can be delivered via webhooks or polling.

Q: Do you support SEC/XBRL workflows and ESG frameworks?

We can mirror disclosure mappings, XBRL tag coverage, and ESG metrics/framework alignment to your systems, and provide normalized objects to power filing readiness dashboards and sustainability reporting. Scope is tailored to your entitlements.

Ready to automate your Workiva workflows?

Supergood can have your Workiva integration live in days with no ongoing engineering maintenance.

Get Started →

Read more