Bridge letter and its significance in a SOC Report

Published on : 09 Sep 2020

Bridge Letter and SOC Report

Listen Audio Version


While most of you may be aware of SOC reports and its application, but for those of you undergoing a SOC Attestation for the first time may be unfamiliar with the term Bridge letter. A Bridge letter which is also popularly known as a gap letter is an important part of the SOC1 and SOC2 examination process. It is a document issued to help you (service organization) prove to your clients regarding the effectiveness of your organization’s control environment between reports. The document is typically issued during the interim period between the reporting period end date of the SOC report and the release of a new SOC report.

For your better understanding of a Bridge Letter, we have today briefly discussed the relevance and significance of a bridge letter in a SOC1 and SOC2 Report. This post will cover most of the common questions users have about the bridge letter related to SOC reports (both SOC 1 and SOC 2).

What is a Bridge Letter?

Bridge letter or Gap letter as we call it is an essential document issued to you (service organization) to ensure your clients that you are compliant to SOC1 or SOC2 requirement even during the interim period between the expiry of previous years SOC report and the release of new SOC report. For your better understanding, let me give you a brief background of SOC reporting time. Often a SOC 1 and 2 attestation reports cover only a portion of an organization’s fiscal year. For instance, if your organization has recently completed a SOC 1 report which covers the period from November 1st, 2019 through October 31st, 2020. However, your organization’s fiscal year-ends on December 31st, 2020, so, what do you show your clients for the 3 months between October 31st –December 31st, 2020. This is exactly when a bridge letter comes in place.

As the name suggests, a bridge letter is a document that bridges the gap between the end date of your most recently completed SOC reporting period and the release of the new report. The document or the letter serves as a supporting notice suggesting that there have been no significant changes, or issues in your organization’s controls between the period October 31st and December 31st. The letter gives your clients confidence that there have been no significant changes to your controls environment that could impact the reports of the most recently completed SOC examination.

Who issues the Bridge Letter?

The Bridge letter is signed off and issued by the service organization themselves and provided to their customers directly. So, the Bridge letter is basically a guarantee provided by you (service organization) that during the interim period between the SOC reporting end date and the release of the new report there have been no significant changes in the control environment of your organization that could impact the reports issued by the CPA firm. The CPA firm that performs the SOC examination does not attest to anything in the bridge letter. The SOC report which is valid up to a year as defined in the report only verifies till the date mentioned in the report that the service organization controls were well in place. Beyond that, since they do not perform any additional procedures to verify whether the organization’s controls environment changed or continued to operate effectively after the expiry of the issued report, they cannot in any capacity attest or confirm the details mentioned in a bridge letter.

Also Read: Difference between SOC 1 and SOC 2 Report

What is the purpose of a bridge letter and when exactly are they used?

Bridge letter is simply a guarantee given by your service organization to your customers that your organization is compliant even during the interim period between the expiry of the previous SOC report and the issuing date of the new report. Providing your clients with a guarantee and additional confidence in your organization’s compliance can save your organization additional cost and time.

However, it is important to note that a bridge letter is in no way a replacement for an actual SOC examination.  But it definitely can serve as a useful document for your organization and its clients during the interim examination period. A bridge letter is an assertion by you that your organization’s controls are still in place and operating effectively while waiting for the next audit report. As a service organization, you need to have the bridge letter as part of your annual due diligence. This is to show examiners that, to the best of your knowledge and awareness, controls are still in place during the interim period and that you are prepared for a new SOC report.

One of the fastest ways to implement these security controls and collect evidence automatically is to do it via “Sprinto”‘s compliance automation software. Sprinto is the fastest way to accelerate your security compliance with expert guidance.

What does a Bridge letter contain?

A Bridge letter is an important part of the SOC Report and hence contains a few essential elements that suggest your organization’s controls are in place and effective until the next audit or examination. Following are the elements in a Bridge Letter-

  • The date of the most recently completed SOC  report, including beginning and ending dates
  • Specifications or details of any changes in the organization’s controls environment (if applicable) that were made during the time frame between the recently completed SOC report and the new one.
  • If there are no changes, the letter must clearly state that the organization to its best knowledge and awareness does not know of any material changes in its control environment.
  • A statement that, as of the date of the bridge letter, the service organization is unaware of any material changes, issues, or deficiencies in the control environment that could change the result of the report provided by the CPA firm who performed the last SOC examination.
  • A statement that the bridge letter is solely relative to your service organization and it does not rely upon any other entity.

Till what duration can a Bridge letter be used?

Bridge letters are only meant to cover the short duration or the interim period between the last SOC Examination report and the next or new SOC report examination. The letter typically covers a period of three months, between the report period end date and the organization’s fiscal year-end. Beyond which you must consider performing a new SOC examination for the bridge letter cannot be used as a replacement to any SOC examination report. It is important that SOC examinations be regularly conducted (at least annually), as they actually ascertain the effectiveness of your organization’s controls environment.

What are the limitations of a Bridge Letter?

A Bridge letter serves as a document that shows compliance throughout a client’s calendar or fiscal year. However, it is important to note that it is a letter from the service organization themselves and not an assurance from the third-party of the organization’s control effectiveness.  The letter cannot be a replacement for the actual SOC report. SOC examinations are meant to recur annually and bridge letters typically cover not more than a time frame of 3 months.

Final thought

As stated earlier, bridge letters are signed by the service organization’s themselves and typically cover not more than 3 months. Moreover, Bridge letters are not meant to replace a SOC report but just bridges the gap period. So, liability of any misunderstandings or “oversights” lie on you and your organization.

For more details and guidance on SOC1/SOC2/SOC3 Audit & Attestation, you can contact our expert in-house auditors. Our team will handhold you through the entire process and help you successfully achieve SOC Attestation.

SOC 2 Audit & Consultant

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.