XMission's Company Journal

XMission Completes SSAE 16 Type 2 Audit

As VP of Operations, I oversaw XMission’s recent SSAE 16, type 2 audit certification. Since this was our first such audit, we decided to limit the scope to the two products where customers would benefit the most: colocation and our Stackable cloud hosting product.

In recent years, XMission has greatly expanded our focus on business products, including colocation, advanced web hosting (with our Stackable cloud product), hosted email (with Zimbra), and business telephony. As those products matured, it was only a matter of time before we saw the need to perform this audit, especially as enterprise clients started to look more seriously at XMission as a vendor. While we are a privately held company, and therefore have no Sarbanes Oxley compliancy concerns ourselves, we recognized that compliance sensitive companies often require SSAE 16 certification, which include publicly-traded enterprises, financial firms, and healthcare organizations.

Ultimately, I think that all of the work we did in preparation for the audit brought about many positive changes. While we have done many things related to IT security for years not only due to our own commitment to best practices but also to maintain PCI compliancy, we took this opportunity to review and refine our policies and procedures. We performed a new risk assessment and found better ways to mitigate, if not outright prevent, a few more potential issues. We had some productive conversations and better organized our documentation. All in all, the process brought renewed rigor and focus to things that warrant close scrutiny on an annual basis.

In order to complete the audit, XMission management developed rigorous internal control objectives to support first-class data center, hosting and networking management services. You can think of internal controls as the processes by which an organization manages its people and systems. It is how a business conducts business, day to day. These controls should be closely aligned with an entity’s goals and objectives. When an outside auditor comes in, they first review the organization’s control objectives to determine if they appear to be reasonable and then secondly test their processes and see if the entity reliably meets those objectives. Professing best practices isn’t enough; the proof is in the pudding. And since we chose a type 2 audit, we were required to prove the operating effectiveness of our internal controls throughout the audit period. Abiding by new requirements under SSAE 16, the report also contains a written assertion from management regarding the systems and a services auditor’s opinion letter.

An SSAE 16 audit report provides a framework for a service organization to have an outside entity examine their internal controls, which can then be provided to its enterprise clients. Therefore, an SSAE 16 certification assures new and existing customers that XMission’s policies and procedures are sound and that their critical Internet services and data are secure. Colocation and Stackable customers can request a copy of our audit report, which should make it easier for them to pass their own SSAE 16 audit. If anything is missing which could help them with their own audit, or better set them at ease regarding the products they purchase from XMission, we gladly welcome such requests. We have already started to evaluate how we will expand the scope in next year’s audit.

Our audit was conducted by CPA firm A-lign, who specializes in these audits for IT firms. SSAE 16 replaces the previous industry standard, SAS 70 and brings the US closer to the international standard, ISAE 3402.

For more information, please visit

Grant Sperry

XMission VP of Operations


, , , ,

Comments are currently closed.