One of the most critical reports for third-party (vendor) data security and SOX compliance is the SOC 1 Type 2 Attestation (some call it an audit).
The SOC 1 Type 2 attest report provides assurance over the service provider's ICFR (Internal Controls over Financial Reporting) as it relates to financial data processing, and it may fulfill SOX compliance requirements. SOC 1 Attestation is also known as SOC 1 Audit (by clients), SOC 1 Engagement, SOC 1 Examination, SOC 1 Certification (by clients), and SOC 1 Compliance.
SOC 1 compliance reports fall under the AICPA's SSAE 18 Attest Standard, which is used for SOC 1, SOC 2, and SOC 3 reports. From 1992 these reports were known as SAS 70 reports. In 2011 SOC 1 was brought under the SSAE 16 Standard and SOC 2 under AT 101. Finally, in 2017, SSAE 16 and the other SSAE standards were merged into a single standard, SSAE 18. This brought all SOC 1, SOC 2, and SOC 3 reports under SSAE 18, and it is the main difference between SSAE 16 and SSAE 18 as far as SOC 1 Type 2 compliance reports are concerned.
AT-C section 320 provides guidance on “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting”.