It’s only with a Type II SOC report that the auditor validates that the stated controls are in place and reports on the effectiveness of the controls over a period of time (how well are they working). Generally speaking, controls must be in place for at least six months in order for a Type II report to be issued.