IAASB Digital Technology Market Scan: API Access
Jan 20, 2022 | English
Welcome to the second market scan from the IAASB's Disruptive Technology team. Building on our previous work, including the Innovation Report created with Founders Intelligence and discussed at the January 2021 IAASB meeting, we will issue a Market Scan focusing on topics from the report approximately every two months. Market Scans will consist of exciting trends, including new developments, corporate and start-up innovation, noteworthy investments and what it all might mean for the IAASB.
In this Market Scan, we explore API Access to External Data Sources for Enriched Analysis, which falls under Accessing Information & Data, because establishing a method for obtaining relevant and reliable external data that can be used in an audit has the potential to reshape the audit process.
- What an API is and why it is important
- The latest exciting developments on this topic, including Open Banking
- Possible implications for the IAASB
What is an API and why is it important?
An API or Application Programming Interface is a set of defined rules that explain how computers or applications communicate with one another. They enable companies to open their application’s data and functionality to external third-party developers, business partners and internal departments within their companies. APIs use standardized requests that in turn return standardized outputs or responses.
APIs have been around as long as computers; modern day “web APIs” grew in use with the advent of social media platforms, like Facebook and Twitter. However, it was Amazon that created a fundamental shift in how digital resources are accessed with founder and CEO Jeff Bezos’ famous API mandate, issued in 2002. This manifesto requires all Amazon development teams to “expose their data and functionality through service interfaces”.
From “What Is an API: Concept and Architecture Types Explained on Real-Life Examples” at Cleveroad.com. See additional resources at the bottom of this email for more.
From an audit and assurance perspective, there are three key areas where APIs can be leveraged.
- Enabling access to entity data (such as general ledger or sub-ledger data) for the purposes of inquiry or extraction.
- Enabling access to entity-specific third-party data such as bank transactions.
- Enabling access to audit-relevant external information sources, such as macroeconomic or industry-specific data.
1. Access to entity data
In our last Market Scan: Data Standardization, we wrote about the exponential growth in available data that could be used in an audit as well as the challenges of obtaining standardized data and the use of common data models. The initial step in the data acquisition process may involve using an API to request the required data from the entity’s accounting system. Over the last five years, there has been growth in investment in this area both from within accounting firms and from third party vendors of data extraction, transformation and load (ETL) technology such as Engine B, Validis, Inflo, Galvanize and Workiva.
2. Access to entity-specific third-party data
This is the key area of potential disruption to the audit and assurance industry. Being able to directly access entity-specific third-party data, such as bank transactions, by using open banking APIs could revolutionize how audit evidence is obtained, particularly when connected with entity data and other relevant external information sources. Mandates such as the Second Payments and Services Directive in Europe, which required banks to open their payments infrastructure and customer data to third parties, have supported the growth in open banking. It is now a global initiative with 87% of countries having some form of Open Banking API. Below are details of some countries that use open banking, including where driven by government regulation.
From “Trailblazers and latecomers: open banking around the world” at GoCardless.com
3. Access to audit-relevant external information sources
Use of external information sources is commonplace in an audit. By using APIs, information can be obtained in a standardized format, which makes it easier to use, for example, in analytical procedures.
The benefits of APIs may include increased speed and access to data from varied independent reliable sources. Additionally, when coupled with other technology, such as robotic process automation, APIs can facilitate efficiencies in routine audit activities, such as using company registry information to identify related parties. Many audited entities seeking to leverage these benefits are using APIs within their IT environment to support business operations.
Alongside the significant growth in prevalence of APIs come concerns about security and management of data. The UK and Australian governments have both issued API data standards and continued attention from governing bodies is likely.
Recent noteworthy developments in API access
This section is designed to provide examples of recent developments that may signal future disruption in this area. It is not a complete list of all activities in the field of API access. For a reminder of Key Venture Capital and Investment terms please refer to the previous Market Scan.
1. Open Banking experiences rapid growth
I. Fintech start-ups are shaking up the banking industry
There are a number of very active fintech start-ups developing APIs that allow easier sharing of financial data. Prominent examples around the world include:
- Plaid, a San Francisco-based startup building technology platforms to connect applications to users’ bank accounts, has raised US$735m in funding, with a latest US$425m Series D backed by investors such as Andreessen Horowitz and Silver Lake. Acquisition by Visa was blocked by the US Department of Justice on the grounds that it would limit competition in the payments industry. Plaid was one of the first companies to create what is called a unified API—a single API that connects to over 11,000 financial institutions.
- Tink and Truelayer, both based in Europe, offer platforms and products to support open banking integration in applications. Tink was recently acquired by Visa.
- Open banking has also gained traction in Asia with early-stage start-ups like Hong Kong-based Finverse, which has an ambitious goal to enable open banking throughout the Asia-Pacific region.
Additionally, there are start-ups serving the financial services industry with APIs providing access to payroll, insurance and credit data to support targeting of appropriate financial products to businesses. This is an area of significant growth and one to watch for future audit and assurance implications.
II. Recognition grows of the impact of Open Banking on Assurance services
- Confirmation.com (part of Thomson Reuters) has provided audit confirmation services for nearly 20 years and recently completed a three-month pilot to test open banking, which received positive feedback from pilot audit firms.
- Circit is a rapidly growing Dublin-based fintech startup launched in 2017 that provides a platform supporting confirmation requests, transaction verification, PBC client collaboration and document signing. It names banks, “big four” and mid-tier audit firms amongst its clients.
2. External Information Sources Related Activity
I. US PCAOB issues guidance on external information sources
In October 2021, the US Public Company Accounting and Oversight Board (PCAOB) issued staff guidance highlighting the importance of appropriately evaluating the relevance and reliability of information from an external information source that an auditor plans to use as audit evidence. The publication gave a number of examples and factors to consider. It notes that, “Advancements in technology in recent years have improved accessibility and expanded the volume of information available to companies and their auditors from traditional and newer external sources.”
II. Growth in data platform providers to support access to external data sources
- People Data Labs raised US$45m in Series B funding to enable expansion of data products to support fraud detection and risk mitigation. The San Francisco-based company builds APIs that enable their clients to leverage vast datasets to build people profiles and records as well as power predictive modeling, drive artificial intelligence and build new tools. The new funding, announced in November 2021, will enable the company to expand its data products to support fraud detection, risk mitigation and insurance underwriting.
- Demyst raised A$33m and announced plans to issue an IPO. Demyst is an external data deployment company that works with banks, insurers and fintechs providing operationalized access to external data sources through a secure data platform.
What might this mean for the IAASB?
Access to quality data is at the heart of enabling technological transformation within the assurance profession. APIs represent a key route to success. The availability of accessible, standardized data created by APIs builds opportunities to improve finance functions, enhance audit quality, and radically streamline the audit process.
The increasing accessibility of entity-specific third-party data, such as entire populations of bank transactions that have been made possible by Open Banking APIs, may present a need to envision how this will reshape the audit process—particularly in regard to obtaining audit evidence.
The growing use of web APIs within entity core operations, across many industries, from retail to banking, may lead to web APIs becoming relevant to financial statements preparation and, therefore, auditors’ risk assessment procedures. Jurisdiction-specific guidance may help auditors better understand and assess how entities are managing the risks related to using APIs available in their jurisdiction.
Finally, the quantum of external data sources available to auditors presents an additional challenge of assessing the relevance and reliability of these data sources—and perhaps a need to address these matters centrally.
- What is an API and how does it work? (In plain English) - YouTube (7 min video)
- What Is an Application Programming Interface (API) | IBM
- What Is an API and How Does It Work? (cleveroad.com)
Accounting Profession insights
- What Impact Will Open Banking Have on Accounting? | INAA
- How third-party information can enhance data analytics | Deloitte Insights
- Not All API Companies are the Same: the 4 Types | Datamation
- Open banking has evolved — what’s next? And who are the players to watch? | Sifted
Our next Market Scan bulletin will be distributed in February 2022.