Whether you’ve decided to pursue a SOC 2 Type I or Type II report, you’ll need to undergo an annual audit to maintain compliance and receive a renewed report. What can you do to provide assurance to your customers in between audit review periods?
This is where a bridge letter can be a helpful addition to your compliance toolkit.
What is a Bridge Letter?
A bridge letter (also known as a gap letter) bridges the gap between the end of your last SOC 2 report audit period and the current date.
Say your organization completed a SOC 2 report that covers September 30, 2020 - October 1, 2021. But your organization’s fiscal year-end is December 31, 2021.
You can provide customers with a bridge letter that states there have been no significant changes to your controls between October 1 and December 31. If there have been material changes, the letter can explain what they are and assure customers that they wouldn't affect the results of your SOC 2 report.
Bridge letters typically don’t cover a period of more than three months. A bridge letter isn’t a replacement for an up-to-date SOC 2 report, but it can be a helpful tool to provide assurance to clients between audits.
What’s Included in a Bridge Letter for SOC 2?
A bridge letter typically includes:
- The beginning and end dates of the most recent SOC 2 report’s audit period
- An explanation of any changes to the organization's systems or controls since the audit, or a statement that the organization is unaware of any material changes that could alter the auditor's opinion in their latest SOC 2 report.
- A statement that the bridge letter relates solely to the organization and may not be relied upon by any other entity.
Who Issues a Bridge Letter?
Bridge letters are issued and signed by the organization’s management and sent directly to customers.
The CPA firm that conducted the SOC audit is not involved.
Say the company switched its cloud infrastructure after its audit window ended. The auditor can no longer attest that the customer’s environment operates in the same fashion.
Sample SOC 2 Bridge Letter
Dear ABC Company client,
ABC Company retains SOC 2 CPA Firm to issue bi-annual SOC 2 Type II reports for its Application Hosting Services. Currently, ABC Company issues two twelve-month reports with end dates of March 31 and September 30 respectively. The testing period covered by the most recent report was April 1, 2021 through September 30, 2021.
This letter confirms that, for the period from October 1, 2021 to the date of this letter, there have been no material changes to the system of internal controls that we believe would adversely affect the conclusions reached in the SOC 2 Type II report that you previously received.
This letter is not intended as a substitute for the 2021 ABC Company SOC 2 Type II report, or to provide you with a certification of ABC Company internal controls, or to suggest that ABC Company has performed a separate evaluation of its controls for the purposes of producing this letter.
ABC Company Management
Office Phone: 123-456-7890