
Schellman’s Open APIs Explained

News

In the world of compliance, Application Programming Interfaces (APIs) have historically proven to be invaluable tools that enable innovation and collaboration while also helping meet evolving demands. Now, as a widely trusted tech-enabled partner for global compliance, Schellman is taking advantage—we’ve now introduced new open APIs for our renowned AuditSource platform.

At Schellman, our commitment to technology investment has always been a driving force behind our success, and these APIs are just the latest step forward. Though our clients will already be familiar with AuditSource—our comprehensive tool that empowers our team of 500+ professionals to efficiently request information, execute testing, attach evidence, and generate thousands of reports annually—these APIs are about to further improve the audit experience for our partners.

Yes, we anticipate that these open APIs will create a major enhancement to our workflows with our clients on their compliance projects, but we also understand that change can create confusion.

In this article, we’ll alleviate that by answering questions about how our new open APIs were developed, why we went in this direction in the first place, and the benefits our clients can expect, as well as what the early returns are telling us.

How Were Schellman APIs Developed?

It may come as no surprise given the line of work we’re in, but Schellman is committed to a security-by-design mindset across the board—that means that when developing these new open APIs, we prioritized maintaining a secure and trustworthy environment for our users and stakeholders, including the continued safeguarding of systems, data, and the interactions that are now facilitated through our APIs.

To ensure the integrity and confidentiality of our systems, we implemented robust security measures, including:

AWS Managed Services / API Gateway Secure Hosting

  • AWS API Gateway is industry-leading infrastructure that provides strong security controls.
  • AWS Managed Services are used to manage, monitor, and protect the API endpoints with the highest levels of security.

Stringent Authentication and Authorization

  • Bearer tokens are required to pass through our authentication endpoints, ensuring secure and controlled access.
  • Secret API keys, securely managed in a vault, provide an extra layer of security. These keys uniquely identify API clients, and exchanging them through a secure keeper ensures that only authorized individuals or systems can interact with our APIs.

Rate-Limiting

These controls prevent abuse and protect against malicious activities, as they restrict the number of API requests that can be made within a given period.

Regular Vulnerability Testing

Proactive and ongoing evaluations help us:

  • Identify and address any potential security weaknesses or vulnerabilities promptly.
  • Maintain the resilience and robustness of our APIs against emerging threats.

Why APIs at Schellman

So why did we turn in this direction in the first place? The same reason we do most things—because quality and consistency are at the core of our services.

But delivering unfailing excellence means staying cognizant of how important it is to tailor our solutions to our clients' unique environments, operating models, and technologies—that includes accommodating various Governance, Risk, and Compliance (GRC) systems. For our part, we’ve always stayed “GRC agnostic”—we don’t impose any specific GRC technology on our clients, nor do we promote or sell any proprietary solutions. We’ve always been able to deftly collaborate with any of the leading GRC platforms in use, and, when our clients have utilized their own GRC platforms, we’ve seamlessly integrated with those systems as well.

It may appear to be somewhat of a complicated juggle, but our newly launched open APIs will make it less so—they will enable effortless integration between AuditSource and any client GRC platform, fostering seamless collaboration between our technologies that will permit us to deliver more streamlined and consolidated workflows.

Because our open APIs will allow you to continue leveraging your investments in your workflow and GRC systems to run your compliance programs, you’ll be able to navigate your initiatives with increased ease and efficiency; no matter your preferred GRC platform, our open APIs will support it.

The Benefits of Schellman’s Open APIs

And when we say they’ll enhance our collaboration on your compliance projects, this is what you can expect from our new open APIs:

  • Improved flexibility and scalability
  • Streamlined workflow
  • Increased transparency
  • Real-time updates
  • Opportunities for automation

In fact, we’re in the middle of the beta release of our API offerings, and the early results are promising, particularly regarding upgraded project management, progress monitoring, and collaboration.

Here are the key enhanced capabilities provided by our APIs that we have gleaned so far:

1. Retrieval of Request Lists Associated with Accounts & Projects: Information about existing projects, their associated request lists, and project status overviews can now be obtained more easily.

2. Creation and Retrieval of Comments, Replies, and Requests for Clarification: Communication regarding the evidence exchanged during the assessment process has been made easier.

3. Request Submission: Client users can now submit assessment requests to Schellman directly, which simplifies the initiation of new assessment requests for different projects or systems.

4. Artifact/Evidence Submission: Submitting artifacts or evidence relevant to the assessment—including necessary documents, files, or any supporting materials—has become more convenient.

As part of this release, one of our client pilots also actively leveraged Schellman's assessment API to automate their JIRA and GitHub flow-based request handling process and subsequently found significant efficiencies in handling and managing their compliance programs.

Overall, the early returns from our new APIs are positive, and while we look forward to learning more about how they can help our clients, we know already that they provide flexibility and allow our partners to determine how they want to automate processes, integrate with internal tools, or consume data.

Next Steps for Schellman and Our Clients

Here at Schellman, our mission has always been to cultivate a superior partner ecosystem where our clients, their technology providers, and assessment partners can work collaboratively and more easily—these new open APIs are our latest endeavor to further reduce the friction of compliance, and the work doesn’t stop here.

If you’re a client of ours and are already working within major GRC platforms, rest assured that we are actively collaborating with several of these platforms so that you’ll be able to continue working within your preferred platforms while also leveraging Schellman's AuditSource APIs. We’re also in the middle of working with several GRC vendors to connect to our clients’ compliance management platforms, having already provided integrations with client instances of JIRA.

For those clients interested in piloting our APIs to experience their transformative potential, please reach out to your engagement manager or principal. Detailed documentation is available to help you get started seamlessly. Thank you for your continued partnership and trust in Schellman.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.