What is a SOC 2 bridge letter and why do you need one?
November 4, 2024
Cristina Bartolacci

Every day counts when it comes to maintaining security and compliance. The achievements of an entire fiscal year can be eclipsed by a single security incident or a single lapse in adherence to regulatory standards. That is why the SOC 2 bridge letter is such an important document.

A SOC 2 bridge letter (also known as a gap letter) is a temporary assurance document that confirms the continued effectiveness of an organization's controls in the span between the end of the reporting period of its current SOC 2 report and the issuance of its next SOC 2 report.

Key takeaways

A SOC 2 bridge letter (aka a gap letter) is a temporary assurance document that maintains stakeholder confidence in an organization's control environment during the interim period between SOC 2 reports.

The bridge letter provides a snapshot of the vendor's compliance status for the period not covered by the last SOC 2 report, affirming that internal controls remain operational and effective.

While bridge letters are essential for continuity of trust, they have limitations: their short duration (typically up to three months), the fact that they are management's own assertion rather than an independent auditor's attestation, and their inability to provide real-time assurance after issuance.

What exactly is a bridge letter/gap letter?

A bridge letter is not required by the SOC 2 framework, but it is considered a best practice whenever there is a gap in coverage. Because a SOC 2 Type II report covers a fixed past period, and the next report cannot be issued until its own period has ended and been examined, there is always a window after the last report's end date for which no issued report exists. Customers performing a vendor review during that window commonly ask for a bridge letter. The letter's main purpose is to provide continuity of trust between the end of one SOC 2 report period and the issuance of the next. Essentially, these letters address any time gap not covered by the most recent SOC 2 report, offering an update on the vendor's compliance status for that specific timeframe. Such gaps are routine because SOC 2 reports often cover only a portion of an organization's fiscal year.
For instance: imagine your organization completed a SOC 2 report covering November 1, 2022, through October 31, 2023, but your organization's fiscal year ends on December 31, 2023. You can provide customers with a bridge letter stating that your controls did not significantly change between November 1 and December 31, 2023.

These documents do more than fill a gap. They affirm that an organization maintains a strong control environment beyond the period covered by its last SOC 2 report. Bridge letters give stakeholders confidence that, even though no new SOC audit results are available yet, the organization's processes and controls remain intact. Most bridge letters go beyond a bare claim of sustained compliance: they give stakeholders a form of interim assurance that the internal controls evaluated in the previous audit have continued to operate effectively.

While useful, bridge letters are temporary documents. They are generally limited to a period of up to three months. A bridge letter is not a substitute for a current SOC 2 report; it is a tool for offering assurance to clients during the interval between audits.

Six key components of a SOC 2 bridge letter

A SOC 2 bridge letter is composed of several essential elements that together give a full picture of an organization's control environment between SOC 2 reports. The key components are:

1. The review period of the latest SOC 2 report: its beginning and end dates, and ideally the name of the CPA firm that issued it, so the reader can tie the letter to a specific report.

2. The time frame for interim assurance: clear start and end dates during which the assurances apply. The start date should be the day after the last report's period ended, so that no day is left uncovered.

3. Any material changes to your internal control environment (if applicable): this section describes any significant modifications to systems or procedures that have occurred since the last audit was conducted.
This element demonstrates openness by affirming that stakeholders will be informed of any noteworthy adjustments.

4. A statement of no further material changes: an assertion from the organization that, apart from any changes already disclosed, no material changes have taken place that could affect the conclusions the auditors reached in the previous SOC 2 report.

5. A note on scope: the bridge letter should acknowledge that it is not a replacement for a SOC 2 report. It offers limited assurance and should not be treated as a substitute for the comprehensive testing and scrutiny of a full SOC 2 examination.

6. A disclaimer: it is a best practice to include a disclaimer stating that the letter was created solely for the organization's customers and should not be generalized or relied upon beyond its intended scope.

Example bridge letter

[Service Organization Letterhead]

Date: [Insert Date]

To Whom It May Concern:

Subject: SOC 2 Bridge Letter for [Service Organization Name]

Dear [Client Name or "Valued Clients"],

We are writing to provide an update regarding the status of our System and Organization Controls (SOC) 2 compliance for the period following the end date of our most recent SOC 2 Type II report.

Our last SOC 2 Type II report, covering the period from [Start Date] to [End Date], was issued by [Name of Independent CPA Firm]. This report detailed the design and operating effectiveness of our controls relevant to the security, availability, and confidentiality Trust Services Criteria as defined by the American Institute of Certified Public Accountants (AICPA).

As of the date of this letter, our next SOC 2 Type II examination is scheduled to cover the period from [Start Date of Next Report Period] to [End Date of Next Report Period]. The independent assessment will again be conducted by [Name of Independent CPA Firm].
We understand the importance of maintaining the trust and confidence of our clients, and we are committed to ensuring the ongoing effectiveness of our control environment. To that end, we confirm the following:

Control Continuity: The controls described in our most recent SOC 2 report have continued to operate as designed since the end of the reporting period on [End Date of Last Report].

No Material Changes: There have been no material changes to our control environment or to the processes that underpin our system and organization controls since [End Date of Last Report].

Monitoring Activities: We have continued to perform monitoring activities and internal assessments to ensure that our controls are operating effectively.

Incident Reporting: There have been no known incidents or control failures that would materially impact the effectiveness of our control environment since [End Date of Last Report].

This bridge letter is intended to provide assurance of our ongoing commitment to the security, availability, and confidentiality criteria as outlined in the SOC 2 framework. We anticipate that our next SOC 2 report will be issued by [Expected Date of Next Report Issuance].

Please note that this letter is not intended to be a substitute for the SOC 2 report. The SOC 2 report provides a comprehensive, independent assessment of our control environment, and we encourage you to review the full report when it becomes available.

This letter is intended solely for the information and use of our customers and is not intended to be, and should not be, used by anyone other than our customers.

Should you have any questions or require further information, please do not hesitate to contact us at [Contact Information].

Sincerely,
[Name]
[Title]
[Service Organization Name]
[Contact Information]

Who issues a SOC 2 bridge letter?

Bridge letters are issued by the service organization itself, not by the CPA firm that issued the SOC 2 report.
Your organization is responsible for providing the bridge letter. The auditor who conducted your SOC 2 examination will not create or provide one on your behalf: they cannot attest to the operating effectiveness of your controls beyond the SOC 2 reporting period, and they are not informed of changes made to your internal controls after the examination ends. In most cases, a senior executive such as the CEO, CIO, or CFO signs the letter, which signals that its contents carry the organization's authority. This duty should not be underestimated, because the letter reflects on the integrity and public standing of your organization. Unlike a SOC 2 report, which expresses an independent CPA firm's opinion, a bridge letter is management's own assertion, and the responsibility for issuing it rests with these members of your organization. They must proactively issue the letter attesting to ongoing adherence to their compliance obligations.

How long is a bridge letter valid for?

Because the letter acts as a provisional measure to maintain trust between SOC 2 reports, it is intended only for brief periods, ordinarily no longer than three months. This interval is enough to bridge the gap until the organization's next examination. The brief validity period underscores the letter's role as a temporary measure. The specific dates of coverage are stated in the letter itself.

If a customer needs assurance for a period beyond the typical three-month threshold, the organization should complete its next SOC 2 examination rather than extend the letter. A bridge letter that would need to cover more than a few months is a sign that the audit schedule has slipped, and only a new examination can confirm that the organization's compliance status accurately represents its present operating environment.

Limitations of bridge letters

Bridge letters should not be mistaken for a replacement for a detailed SOC 2 audit report; they are an interim measure that covers only part of the compliance narrative.
These documents offer less assurance than a full SOC 2 examination. They exist primarily as gap letters meant to extend trust during the brief intervals between comprehensive SOC 2 reports.

The application of a bridge letter is specific. Each is crafted for the particular organization it pertains to and that organization's clients. Most bridge letters include a disclaimer stating that they relate solely to the identified organization, discouraging generalization or reliance on them beyond their intended scope.

Bridge letters also do not include real-time updates after they are issued. Any change to the control environment that happens after the letter is sent will not be captured until the next audit. This is a major limitation: the letter cannot guarantee that compliance and stability are maintained after its issuance date.

If you receive a bridge letter from a vendor, read it with these limitations in mind. Check that the interim period begins on the day after the end date of the report it references, that the letter names the report and the CPA firm that issued it, that it is signed by an executive of the vendor rather than by the auditor, and that it explicitly states whether any material changes or incidents have occurred since the report's end date. A letter missing any of these elements provides correspondingly less assurance.

More FAQs

Who writes a bridge letter?

After completing a SOC 2 audit, the service provider composes the bridge letter to report any changes in its systems or procedures that have occurred up to the start of the next audit period. The letter is authored by the service provider, not by the auditor.

How long can a SOC 2 bridge letter cover?

A SOC 2 bridge letter is typically valid for up to three months. It is designed to bridge the gap between the end of the last report period and the next scheduled SOC 2 examination. A letter that would need to cover a longer period is a sign that the next examination is overdue.

Can a bridge letter replace a SOC 2 audit report?

No. A bridge letter offers only limited assurance, without the comprehensive testing and scrutiny found in a full report. It is a stopgap and cannot stand in place of the complete assessment performed during a SOC 2 audit.

Who should sign a SOC 2 bridge letter?
A SOC 2 bridge letter should be signed by the executive leadership of the service organization, such as the CEO, CIO, or CFO. Their signature affirms that those at the helm of the organization take responsibility for its contents.

Are bridge letters required by all organizations that have SOC reports?

Bridge letters are not mandated for any organization, but they are considered a best practice for providing clients with ongoing assurance of compliance in the intervals between SOC 2 reports.