A security analyst is evaluating a SaaS application that the human resources department would like to implement. The analyst requests a SOC 2 report from the SaaS vendor. Which of the following processes is the analyst most likely conducting?

An internal audit is typically conducted by an organization's own staff to evaluate the effectiveness of its internal controls, risk management, and governance processes. In this scenario, the analyst is assessing an external vendor rather than examining internal processes, making internal audit an inappropriate choice.

Penetration testing involves simulating cyberattacks on an organization's systems to identify vulnerabilities. While this is crucial for security assessment, it does not involve the review of external vendor compliance like the SOC 2 report. Thus, penetration testing does not align with the analyst's request.

Attestation refers to an independent evaluation of a service or product, often resulting in a formal statement regarding its quality or compliance. However, requesting a SOC 2 report is more about assessing the vendor's practices rather than performing an attestation itself, which makes this option less applicable in this context.