It’s only with a Type II SOC report that the auditor validates that the stated controls are in place and reports on the effectiveness of the controls over a period of time and assesses how well they’re working. Generally speaking, controls must be in place for at least three months in order for a Type II report to be issued.