SOC 2 attestation is only valid for a year. So, what happens if a customer asks for a SOC 2 report between the end of your earlier SOC 2 report period and the start of your next assessment? Do you stand to lose your compliance status in the gap period? What about when there’s a gap between your customer’s financial year-end and your SOC 2 report expiry date? What should you tell your customers in the interim? Enter the SOC 2 bridge letter. A SOC 2 bridge letter bridges the ‘gap’ between your organization’s SOC report date and your customer’s year-end.
Read on to understand the answers to the common questions about gap or bridge letters, including what bridge letters are, who issues them, how they are used, their duration, and the requirements they must meet.
What is a Bridge Letter?
A SOC 2 bridge letter is a document that fills the gap between the report date of your last SOC 2 audit and the customer’s fiscal year-end. Say your organization’s most recent SOC audit has an end date of October 31, 2022, but your customer’s fiscal year-end is December 31, 2022. You can issue a bridge letter here to cover the gap period.
It assures your customers of your organization’s continued security posture, and that there have been no material changes in your internal controls that could adversely affect the conclusions arrived at in the earlier SOC 2 report.
What’s included in a SOC 2 Bridge Letter?
Although the AICPA’s SOC 2 compliance guidance doesn’t specifically talk about bridge letters, it’s a good practice to include the following components in the letter:
- Start and End Date of your most recent SOC 2 attestation.
- A statement on the modifications or changes made, if any, to your organization’s system of internal controls since the end date of your most recent SOC report, together with an explanation of those changes.
- In case of no changes, include a statement that the organization is unaware of any material changes that might affect the auditor’s opinion.
- Disclaimer that the bridge letter is not a replacement for the SOC 2 report.
- A statement that the bridge letter is only meant for the customer to whom it is issued and no other entity.
- The final paragraph of a gap letter should reiterate your organization’s commitment to constantly evaluating and upgrading physical and cloud-based technology and information security controls and procedures.
You could also share an accompanying copy of your last SOC 2 report with your customer, so they can refer to it. However, note that you cannot use a gap letter to replace your SOC 2 audit report.
Who Issues a SOC 2 Bridge Letter?
Upon request, the management of the service organization can issue bridge letters to its customers. The auditor (or CPA firm) that conducted your SOC 2 audit does not issue these letters. For one, they aren’t in a position to hold any opinion on the design and operating effectiveness of your internal controls outside the SOC 2 report period. Two, they aren’t aware of any material changes the service organization may have made to its system of internal controls since then.
For instance, if a service organization adds a new SaaS application or changes its DevOps software package outside its audit window, the auditor cannot attest to its continued compliance.
Therefore, only the management of the service organization, which knows of any material changes, can issue these bridge letters.
Bridge Letter Example
Here’s a SOC 2 Bridge Letter example for your reference.
Duration of a SOC Report Bridge Letter
For how long is a bridge letter valid? SOC bridge letters cover short durations to bridge the gaps between SOC 2 reports or between the end date of a SOC 2 report period and the date on which a customer requests the bridge letter. Thus, a bridge letter typically covers no more than three months.
In cases where a bridge letter is needed for more than three months, you might want to perform another SOC 2 audit or revisit the examination period with the service auditor.
It is, therefore, advisable to complete the annual SOC audits on time to establish continued trust in the strength of your internal controls.
Importance of SOC Bridge Letter for Vendor Relationship
Even though bridge letters aren’t a replacement for SOC 2 audit reports, they make for a nifty stop-gap measure in the interim. The importance of bridge letters for vendor relationships cannot be overemphasized. For one, they give your customers and prospects reasonable reassurance about your information security posture in the interim period. Two, they save time and cost, and help you remain a trusted vendor in your customer’s ecosystem.
Overall, bridge letters make for a smart way to maintain customer confidence and trust, and, consequently, future sales.
Do SOC 2 reports have Bridge letters?
SOC 2 reports don’t come with bridge letters. Bridge letters aren’t issued by the SOC 2 auditor. Service organizations issue bridge letters when a customer asks for a SOC 2 report between the end of the earlier SOC 2 report period and the start of the next assessment.
What is the purpose of a bridge letter?
The purpose of a bridge letter is to cover the gap period between the report date of the service organization’s last SOC 2 audit and its customer’s fiscal year-end. It is a stop-gap measure that states that no material changes to the internal controls were made during the period covered by the letter.