SSAE 18 Compliance

In today's global economy, service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SSAE 18 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

XIFIN Exceeds Stringent SSAE 18 Auditing Requirements to Provide the Highest Levels of IT Availability and Security

XIFIN, Inc. is committed to ensuring proper controls and safeguards are in place when delivering and supporting data belonging to its customers. The company has successfully completed all its SSAE 18 audits as determined by an independent accounting and auditing firm, since first undergoing the process in 2009. This designation distinguishes XIFIN as a provider of reliable software and services, built upon a solid set of operational controls and business processes.

Press Release

What is SSAE 18?

Statement on Standards for Attestation Engagements no. 18 (SSAE 18) is the new "attest" standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). The new SSAE 18 standard went into effect for any reports dated after May 1, 2017.

SSAE 18 supersedes SSAE 16, which in turn superseded the SAS 70 audit standard. SSAE 18 combines several prior SSAEs that were not related to SSAE 16. SSAE 16 was specific to SOC 1 reports which deal with the controls at a service organization that impact financial reporting of the customers of the service organization. By contrast, SSAE 18 refers to many different types of attestation reports, not just SOC 1 reports.

A service auditor's examination performed in accordance with the SSAE 18 standard represents that a service organization has been through an in-depth audit of its control objectives and control activities. SSAE 18 standards are a move toward more globally accepted accounting principles, which is evident when comparing the new U.S. standard from the AICPA to that of its international equivalent, ISAE 3402, put forth by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC).

Understanding SOC 1 and SOC 2


SOC 1 is the reporting option for the SSAE 16 professional standard that results in a SOC 1 SSAE 16 Type 1 and/or a SOC 1 SSAE 16 Type 2 report.  SSAE 16 is for service organizations that have a credible relationship with Internal Control(s) over Financial Reporting (ICFR).


SOC 2 is the reporting option for companies who use cloud computing to transfer and store data and meet new business models and service types provided by service organizations within the last decade. SOC 2 reporting utilizes the AICPA AT Section 1010 and can be a Type 1 or a Type 2.  Additionally, SOC 2 reports are comprised of five Trust Services Principles (TSP), which are security, availability, processing integrity, confidentiality and privacy.


The HIPAA Privacy Rule is a set of federal standards to protect the privacy of patients’ medical records and other health information maintained by covered entities including health plans, doctors, hospitals, and other healthcare organizations. To improve the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. Congress also recognized that advances in electronic technology could erode the privacy of health information and incorporated provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.


The Office of the National Coordinator for Health Information Technology’s (ONC) work on health IT is authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HITECH Act gives the U.S. Department of Health and Human Services (HHS) the authority to establish programs, such as HIPAA, to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records (EHRs) and private and secure electronic health information exchange.

HIPAA Certification

Contrary to popular belief, there is no such thing as HIPAA certification for data center or cloud providers.

However, to meet the HIPAA requirements for our clients (who do fall within HIPAA certification requirements), XIFIN has adopted all associated rules that make us compliant under examination within our data center and the cloud services we offer.

XIFIN’s information security program addresses the essential elements of HIPAA and HITECH. Contact us for more information.