What is a SOC Bridge Letter

Key Points

  • A bridge letter (gap letter) covers the void between the most recent SOC report’s end date and the user organization’s fiscal year-end. It states that no material changes in the service organization’s internal controls have taken place in the gap period.
  • Service organizations sign off on bridge letters, which typically cover no more than three months. 

When a cloud computing company pursues a SOC2 certification, it has to undergo regular examinations to maintain it. But SOC reports cover only a part of the user organization’s/client’s calendar or fiscal year.

How can the vendor assure its customers about the internal control environment in the interim period?

The vendor issues a SOC2 bridge letter or a SOC1 bridge letter. It states that no material changes have occurred in the internal control environment in the time between the date of the last SOC report and the date of the next audit report.

Bridge letters are critical documents that provide assurance about the strength of a service vendor’s internal controls and security environment.

We’ll discuss the details of a SOC bridge letter: when it is used, who issues it, what it contains, and how long it lasts.

What is a SOC Bridge Letter?

A SOC bridge letter is a document that fills the gap between the report date of a SOC2 audit and the user organization’s fiscal year-end. It can also cover the gap between two audit reports. It is also called a gap letter. 

This gap occurs because a SOC report covers only a part of a fiscal year.

It provides user organizations with extra information about the service organization’s compliance posture. This builds confidence in the user organization/client.

For example, your company’s most recent SOC2 audit has an end date of October 31, 2021, but the fiscal year-end is December 31, 2021. You can issue a bridge letter to cover the gap period. You state that no significant issues or changes have occurred in your internal controls in that time gap that may alter the conclusions of the SOC2 report. 

SOC 2 bridge letters or SOC1 bridge letters are issued on the service provider’s letterhead and signed by them. The SOC auditor who completed the most recent examination does not sign the letter. 

Thus, a bridge letter is an essential document issued to assure clients that the service organization is compliant with SOC1 or SOC2 requirements in the interim period between the expiry of the previous year’s SOC report and the issue of the new SOC report. 

You may wonder what a bridge letter is and why it is needed. In this post, we discuss the most common components of a bridge letter that are likely to satisfy user organizations.

Let’s see how user organizations/clients use the SOC bridge letter, which is basically a guarantee given by service organizations about their SOC compliance posture.

When is a Bridge Letter used?

A bridge letter is used by user organizations/clients to assure management that no material changes have occurred in the service organization’s internal control environment until the next SOC report is available. 

User organizations typically have bridge letters on file as part of their annual due diligence. It is used to show management that, as far as they are aware, the service organization’s internal controls have not changed significantly. 

User organizations will request a new SOC report once it is made available by the service organization.

Who issues the Bridge Letter?

The management of a service organization issues a SOC bridge letter on the organization’s own letterhead. They provide it directly to their clients/user organizations.

The SOC auditor or the CPA firm that has conducted the most recent SOC audit does not attest to anything in the bridge letter nor do they sign it. 

Once they issue the SOC report and leave the site, they have no visibility into any significant changes in the internal controls of the service organization. Hence, they do not perform any additional procedures to confirm whether the internal controls continue to operate effectively in the period between the two reports.

What are the components of a Bridge Letter?

Although the AICPA does not cover bridge letter requirements in its SOC guidance, here are a few components that should satisfy user organizations:

  • The start and end date of the most recent SOC certificate
  • A statement about any modifications or changes to the service organization’s internal controls since the end date of the most recent SOC report
  • If changes have occurred, a statement about the modifications that have been made
  • A reminder that user organizations are responsible for following the complementary user/client entity controls
  • A disclaimer that the bridge letter is not a replacement for the SOC report
  • A statement that the bridge letter concerns itself only with the user organization to which it is being issued and no other entity

The final paragraph of a gap letter should reiterate the service organization’s commitment to constantly evaluating and upgrading physical and cloud-based technology and information security controls and procedures. 

A copy of the SOC report should accompany the bridge letter to allow stakeholders to refer to it. It’s important to note that a gap letter cannot be considered a substitute for the service organization’s next SOC audit. 

How long does a Bridge Letter last?

Bridge letters are meant to cover a short duration between the date of the most recent SOC report and the fiscal year-end of the company or between two audit reports. Thus, a bridge letter typically covers no more than three months.

If you need a bridge letter that covers more than three months, you may want to consider performing another SOC audit. Or you can discuss the period of your SOC audit with the SOC auditor. 

SOC bridge letters cover short durations to bridge gaps between SOC reports or between the end date of a SOC report and the date on which a client is asking for assurance. So, SOC audits should be completed annually to establish third-party assurance about the strength of your internal controls.

Conclusion

In this post, we have discussed how a bridge letter (also called a gap letter) is employed to provide coverage between two audit reports or the end date of a SOC report and the fiscal year-end of the company. 

Note that bridge letters cannot replace SOC reports and you should perform (at least) annual SOC audits to receive a SOC certificate issued by a CPA-approved auditor.

SOC audits typically require lots of time and effort that diverts your resources from strategic tasks like focusing on product development. Instead, you can use Sprinto to automate and streamline the process of getting a SOC2 audit report, thus reducing the timeframe from months to weeks. 

FAQ: SOC Bridge Letter

  • What is a gap letter in SOC reports?

Bridge letters or gap letters are documents that bridge the gap between the end of the review period of the most recent SOC audit and the date of the gap letter.

For example, if your SOC report covers a period until October 31 and your company’s fiscal year-end is December 31, you can issue a gap letter to your clients. It states that significant changes or issues have not occurred with your company’s security controls in that period. 

  • What exactly is a Bridge Letter?

A bridge letter bridges the gap period between the end date of the latest SOC report and the user organization’s calendar or fiscal year-end. It’s intended to give clients confidence that significant changes have not occurred to the service organization’s controls in the gap period. 

  • When should a Bridge Letter be used?

SOC reports cover only a portion of an organization’s fiscal year. Bridge letters are used to cover the gap between the end date of the review period and the fiscal year-end of the company. Its purpose is to inform stakeholders that the service vendor’s controls have not undergone significant changes over the period for which the letter is issued. It assures all parties concerned that the findings of the SOC report are still valid.

  • Who is responsible for issuing the Bridge Letter?

The service organization signs off on the SOC bridge letter and provides it directly to the user organizations. The SOC auditor who performed the most recent review does not sign the bridge letter or attest to anything in the bridge letter.  

  • What is included in a Bridge Letter?

A bridge letter contains the following components:

  • The SOC report end date
  • Any material changes in the internal control environment (if no changes have occurred, it must be specified)
  • A sentence stating the service organization is not aware of any modifications or changes apart from what is mentioned in the bridge letter that could affect the auditor’s findings
  • A reminder that user organizations/clients are responsible for following user control considerations
  • A statement that the bridge letter concerns itself only with the user organization to which it is issued and no other entity
  • A request for user organizations to read the SOC report (except when it is the service organization’s first SOC audit)
  • A disclaimer that the bridge letter does not replace the actual SOC report

  • How long does a Bridge Letter last?

Most SOC bridge letters last for no more than three months. They’re meant to cover a short duration between the report period end date and the user organization’s calendar or fiscal year-end. 

Posted in: Cybersecurity, SaaS, Business Security

Author: Pritesh Vora
