What report should Susan request for operating effectiveness details if she has received a SAS-70 Type 1 report?

In this scenario, if Susan has received a SAS-70 Type 1 report and is looking for details on operating effectiveness, the most appropriate report to request is an SOC Type 2.

A SAS-70 Type 1 report specifically evaluates the design of controls as of a specific point in time, but it does not provide any insight into how effectively those controls operate over time. An SOC Type 2 report, on the other hand, assesses not only the design but also the operational effectiveness of those controls over a defined period (typically a minimum of six months). This makes it particularly valuable for understanding whether the controls are functioning as intended in a real-world context.

In contrast, other report types such as compliance audit reports may assess adherence to certain regulations but do not focus on the operational effectiveness of specific controls. Similarly, a financial audit report focuses on financial statements and their accuracy, rather than on operational controls. Therefore, for insights into the ongoing operational effectiveness following the SAS-70 Type 1 report, the SOC Type 2 report is the most relevant and informative choice.