Sean intends to ask a vendor he is interested in working with for an audit report and wants to review the auditor's evaluations of the vendor's security and privacy controls. Which type of Standard for Attestation Engagements (SSAE) should he ask for?

A SOC 2 engagement evaluates the security and privacy controls that have been implemented, and a Type 2 report details the auditor's evaluation of the controls' effectiveness. In contrast, an SOC 1 report assesses controls that affect financial reporting accuracy. A Type 1 report reviews management's description of the controls' suitability as designed, but it does not evaluate the actual operating effectiveness of the controls.