Which of the following SOC report subtypes spans a period of time?

The correct choice is Type II, which is one of the subtypes of SOC (Service Organization Control) reports. Type II reports evaluate the effectiveness of a service organization's controls over a specified period of time, typically ranging from six months to a year. This assessment includes an examination of the operational effectiveness of controls in practice rather than just their design.

Type II reports provide assurance to users about the consistency and reliability of the service organization's controls, as they demonstrate that these controls are functioning effectively throughout the measurement period. This is particularly important in cloud services, where ongoing risks and compliance are a significant concern for customers.

In contrast, other types of SOC reports do not cover a period of time. For instance, SOC 1 focuses specifically on the internal controls over financial reporting and is usually issued as a Type I report, which assesses the design of controls at a specific point in time. Similarly, SOC 3 is a general use report designed for public distribution, which also reports on the controls at a single point in time and does not detail their operational effectiveness over a duration. SOC 2 reports can be either Type I or Type II, but it is the Type II report that specifically encompasses a period of time regarding operational effectiveness.