Bridge Letters for SOC Audits

Long bridge over a river

A bridge letter, also referred to as a gap letter, can be used to bridge the “gap” between the service organization’s SOC report date and the user entity’s year-end (i.e., calendar or fiscal year-end).  Bridge letters are used for both SOC 1 and SOC 2 reports.

SOC reports typically cover a period of 6 to 12 months and the period may not align with every user entity’s calendar or fiscal year. In other words, the SOC report will often cover only a portion of a user entity’s calendar or fiscal year. For example, a SOC report may have a period of November 1, 2021 through October 31, 2022. If a user entity has a calendar year-end (January 1, 2022 through December 31, 2022), the SOC report only provides coverage for 10 of 12 months of that period, leaving a 2-month gap in coverage. 

In the scenario above, a user entity may gain comfort around the operating effectiveness of the internal control environment for the remaining 2 months of the period by obtaining a bridge letter from the management of the service organization.  It is important to note that bridge letters are not provided by the SOC auditor.

SOC Report Bridge Letter Components

There are several items that management should consider including in a bridge letter, such as the following:

  • The period covered by the most recent SOC report, including beginning and end dates
  • Material changes in the internal control environment (if any)
  • A statement that the service organization is not aware of any other material changes outside of what is listed in the bridge letter 
  • A reminder that user organizations are responsible for following the complementary user entity controls set forth in the SOC report
  • A request for user organizations to read the most recent SOC report
  • A disclaimer that the bridge letter is not a replacement for the actual SOC report

The information listed above will provide users of the bridge letter with sufficient information to gain comfort around the compliance of the service organization during the gap period. 

What Length of Time Can a SOC Report Bridge Letter Cover?

A bridge letter’s purpose is to cover a limited amount of time between the last SOC report end date and the user entity’s year-end.  Most bridge letters typically cover a period of no more than three months.  There are no formal rules or requirements from the AICPA or other standard setting bodies about the maximum length of time that bridge letters can cover.  However, some organizations and some audit firms have internal policies that prohibit them from accepting bridge letters that cover periods in excess of 3 months.

SOC 1 and SOC 2 Bridge Letter Templates

If you need a SOC 1 or SOC 2 bridge letter template, check out the SOC Resources tab on the K Financial website.  

Thanks for reading!