What must a Type 2 report include that a Type 1 report does not?

Prepare for the Information Systems and Controls (ISC) CPA Exam. Study with flashcards and multiple-choice questions, each with hints and explanations. Get ready to excel!

A Type 2 report, often associated with SOC 2 compliance, assesses not just the suitability of the design of controls at a service organization, but also the operating effectiveness of those controls over a specified period of time. This means that a Type 2 report includes a section detailing tests of controls and their results, which is crucial for understanding not just how controls are designed, but also how effectively they are implemented and function in practice.

In contrast, a Type 1 report evaluates the design and implementation of the controls at a specific point in time and does not include results from testing the controls over time. Thus, the absence of a testing section distinguishes Type 1 reports from Type 2 reports.

The other choices are elements that may be present in both report types or are not specifically required to differentiate a Type 2 report from a Type 1. For instance, a description of the control environment might be present in both types of reports, and management's certification, while common, is not exclusive to the Type 2 context. Additionally, SOC 3 reports have specific language but are not applicable when distinguishing between Type 1 and Type 2 reports.
