Which SOC 2 report would be run to determine if security controls are suitable based on design and intent?

Prepare for the WGU C838 Managing Cloud Security Exam. Study effectively with flashcards and multiple-choice questions, complete with hints and explanations. Ensure your success with this comprehensive preparation guide.

The correct choice is to refer to a Type 1 report when determining if security controls are suitable based on design and intent. A Type 1 SOC 2 report assesses the suitability of design and operational effectiveness of the controls in place at a specific point in time. This type of report evaluates whether the controls are well-designed and if they meet the intended objectives as per the criteria established by the AICPA.

This means a Type 1 report can effectively provide insights into whether the security controls in a system are appropriate and capable of addressing the risks they are meant to mitigate, focusing on the structure and design of those controls rather than their ongoing effectiveness over a period. Thus, it evaluates the framework established for security controls without extending into an assessment of their operation over time.

In contrast, Type 2 reports examine the operational effectiveness of those controls over a specified period, while Type 3 reports are not standard SOC reports but rather a summary of the Type 1 and Type 2 information. Aged reports do not have relevance within this specific context.
