One of the most important reports for third-party (vendor) data security and SOX compliance is the SOC 2 Type 2 audit.
Compliance and assurance are provided by the SOC 2 Type 2 attest report (which clients often call an audit report). A SOC 2 attestation is also referred to as a SOC 2 audit (by clients), a SOC 2 engagement, a SOC 2 examination, a SOC 2 certification (by clients), and SOC 2 compliance.
SOC 2 compliance reports fall under the AICPA's SSAE 18 attest standard, which is used for SOC 1, SOC 2, and SOC 3 reports. SOC reports were known as SAS 3 reports from 1974 and as SAS 70 audit reports from 1992. In 2011, SOC 1 was brought under the SSAE 16 standard and SOC 2 under AT 101. Finally, in 2017, SSAE 16 and the other SSAE standards were merged into a single standard, SSAE 18, bringing all SOC 1, SOC 2, and SOC 3 reports under SSAE 18. This is the main difference between SSAE 16 and SSAE 18 as it pertains to SOC compliance reports. AT-C section 205 provides guidance on "Examination Engagements", and the AICPA Guide "SOC 2 Reporting on an Examination of Controls at a Service Organization" addresses SOC 2 reporting specifically.
SOC stands for System and Organization Controls. The definition was changed in 2017 from the earlier "Service Organization Controls", a name that reflected how these compliance reports were mainly used: for vendor (third-party) compliance audits of organizations that were service organizations. The auditor who audits these service organizations is referred to as a service auditor or SOC auditor.