What is a SOC 2 bridge letter?

A SOC 2 bridge letter is a document that provides information about the controls and systems of a service organization for a period of time that is not covered by a previously issued SOC 2 report. It is typically used when a service organization undergoes a SOC 2 audit on an annual basis, but changes or updates to its controls occur between audits.

The purpose of a SOC 2 bridge letter is to provide users of the SOC 2 report with an update on any material changes in the service organization's controls or systems that have occurred since the last audit. The bridge letter is issued by the service organization's management and is typically prepared in consultation with the auditor.

The bridge letter may include information about changes to the service organization's systems, processes, or personnel that may have affected the effectiveness of its controls. It may also provide details about any incidents or events that have occurred since the last audit that may have impacted the security, availability, processing integrity, confidentiality, or privacy of customer data.

Users of the SOC 2 report rely on the bridge letter to ensure that they have the most up-to-date information about the service organization's controls and systems.