What Is a Bridge Letter for SOC 2 Reports?

A bridge letter helps organizations maintain continuous assurance and compliance with SOC 2 reporting between audit periods.

A bridge letter, also known as a gap letter, is a document used in the context of System and Organization Controls (SOC 2) reports. It serves as a supplementary statement provided by a service organization to offer ongoing assurance to its clients and stakeholders. This letter helps to maintain confidence in the service organization’s control environment during periods not fully covered by a formal, audited SOC 2 report.

Understanding the Need for a Bridge Letter

Service organizations obtain a SOC 2 report to demonstrate the effectiveness of their controls relevant to security, availability, processing integrity, confidentiality, or privacy. These reports cover a 12-month period, providing a snapshot of control effectiveness. However, the need for assurance extends beyond the end date of the most recent audit report.

Customers or other stakeholders require continuous validation of a service organization’s control posture, especially when their own fiscal years or compliance cycles do not align with the SOC 2 report period. A bridge letter addresses this challenge by providing an attestation of control effectiveness for the interim period following the last SOC 2 report’s end date. It offers assurance until a new audited report becomes available, supporting ongoing due diligence and trust in vendor relationships.

Components of a Bridge Letter

A bridge letter contains several key elements that communicate the service organization’s continued adherence to its control objectives. It begins by referencing the most recent SOC 2 report, including its type (e.g., Type 2) and the specific period it covered, which establishes the context for the interim assurance being provided.

The letter includes a statement from the service organization’s management asserting the continued effectiveness of the controls during the bridge period. This is a management attestation, not an auditor’s opinion, as the auditor does not provide assurance outside the audited report period. The letter must also disclose any material changes, control failures, or security incidents that may have occurred during the bridge period. This transparency helps recipients understand the current control environment.

The specific period covered by the bridge letter is defined, and it includes a disclaimer clarifying that it is not a substitute for an audited report. Finally, the letter bears the date of issuance and the signature of a responsible management official, formalizing the attestation.

Issuance and Application

The preparation and issuance of a bridge letter are the responsibility of the service organization’s management. Unlike a SOC 2 report, which is issued by an independent auditor, the bridge letter is drafted and signed internally by the company. The auditor who conducted the previous SOC 2 audit is not involved in its creation or distribution, as they cannot attest to controls outside the scope of their engagement.

Service organizations provide bridge letters directly to customers, prospective clients, or other interested parties, often upon request. Recipients use these letters for purposes such as conducting ongoing vendor risk assessments or satisfying their own compliance requirements. The bridge letter serves as a temporary measure, offering continuous assurance until the service organization’s next full SOC 2 report is completed and issued.
