Whether you’ve decided to pursue a SOC 2 Type I or Type II report, you’ll need to undergo an annual audit to maintain compliance and receive a renewed report. What can you do to provide assurance to your customers in between audit review periods?
This is where a bridge letter can be a helpful addition to your compliance toolkit.
What is a Bridge Letter?
A bridge letter (also known as a gap letter) bridges the gap between the end of your last SOC 2 report audit period and the current date.
Say your organization completed a SOC 2 report that covers September 30, 2020 - October 1, 2021. But your organization’s fiscal year-end is December 31, 2021.
You can provide customers with a bridge letter that states there have been no significant changes to your controls between October 1 and December 31. Or if there have been material changes, explain what they are and assure customers that they wouldn't affect the results of your SOC 2 report.
Bridge letters typically don’t cover a period of more than three months. A bridge letter isn’t a replacement for an up-to-date SOC 2 report, but it can be a helpful tool to provide assurance to clients between audits.
What’s Included in a Bridge Letter for SOC 2?
A bridge letter typically includes:
- The beginning and end dates of the most recent SOC 2 report’s audit period
- An explanation of any changes to the organization's systems or controls since the audit, if any. Or, a statement that the organization is unaware of any material changes that could alter the auditor's opinion in their latest SOC 2 report.
- A statement that the bridge letter relates solely to the organization and may not be relied upon by any other entity.
Who Issues a Bridge Letter?
Bridge letters are issued and signed by the organization’s management and sent directly to customers.
The CPA firm that conducted the SOC audit is not involved.
Why?
Say the company switched their cloud infrastructure after their audit window ended. The auditor can no longer attest that the customer’s environment operates in the same fashion.
Sample SOC 2 Bridge Letter
Dear ABC Company client,
ABC Company retains SOC 2 CPA Firm to issue bi-annual SOC 2 Type II reports for its Application Hosting Services. Currently, ABC Company issues two twelve-month reports with end dates of March 31 and September 30 respectively. The testing period covered by the most recent report was April 1, 2021 through September 30, 2021.
This letter confirms that, for the period from October 1, 2021 to the date of this letter, there have been no material changes to the system of internal controls that we believe would adversely affect the conclusions reached in the SOC 2 Type II report that you previously received.
This letter is not intended as a substitute for the 2021 ABC Company SOC 2 Type II report, or to provide you with a certification of ABC Company internal controls, or to suggest that ABC Company has performed a separate evaluation of its controls for the purposes of producing this letter.
Sincerely,
ABC Company Management
Email: management@abccompany.com
Office Phone: 123-456-7890
FAQs
What is a SOC 2 Type 2 bridge letter?
A SOC 2 Type 2 bridge letter is a document that covers the gap between an organization's last SOC 2 Type II report and the current date. Customers may request it if there is a gap between the organization's SOC 2 report audit period and their own calendar or fiscal year-end.
Do SOC 2 reports have bridge letters?
No, SOC 2 reports do not have bridge letters. SOC 2 reports are based on an independent, third-party accounting and auditing firm who evaluated the design and operating effectiveness of an organization's processes, procedures, and controls for a specified period of time. Bridge letters are meant to bridge the gap between your last SOC 2 report's audit period and your next.
Who provides a SOC 2 bridge letter?
Bridge letters are issued and signed by the organization's management. They provide the bridge letter directly to customers. The auditor that conducted the organization's SOC 2 audit does not provide a bridge letter because they can't attest to the suitability of the design or operating effectiveness of the organization's controls outside of the report's audit period.
Are bridge letters required?
Bridge letters are not required, but can serve as assurance to customers and prospects that your organization is maintaining its processes, procedures, and controls for security and any other applicable Trust Services Criteria between SOC 2 audits.