Key Takeaways

1. A SOC 2 bridge letter, also called a gap letter, is a temporary document that a service organization provides to its customers to assure them of its continued compliance with SOC 2 requirements.

2. A SOC 2 bridge letter is not meant to replace a complete report but rather to close the gap between the last SOC 2 report and the current date.

3. I.S. Partners, LLC specializes in SOC 2 audit processes. Our experts can help you manage audit schedules and avoid the need for gap letters in the future.

What is a Bridge/Gap Letter for SOC 2 Audits?

A SOC 2 bridge letter, also called a gap letter, is a document that helps close the gap between an organization’s last SOC 2 report and the current date. The service provider writes the letter and outlines any changes in its systems, security controls, and internal control environment that may have occurred since the last audit and report. Bridge letters are printed on the company’s letterhead and are often just a page or two long.

The SOC 2 report itself, by contrast, is an official attestation from a third-party auditor that an organization’s control design and operating effectiveness are up to scratch. However, a SOC 2 report is typically issued only once a year, and its timing might be less than ideal for an organization’s customers.

This SOC 2 report is only good for 6-12 months, at which point the organization needs to perform another SOC 2 audit. Ideally, this audit will be completed before the previous report expires. However, if there is a coverage gap or if the timing of the latest report isn’t ideal for a customer, a SOC 2 bridge letter can assure customers that their provider’s systems remain secure.

A SOC 2 bridge letter may not carry the same weight or level of assurance as a report by an external auditor. However, it enables a customer to assess whether the identified changes pose any additional risk to the customer.


Why Might a Gap Letter Be Needed?

Bridge letters are not intended as a substitute for a full SOC report. As mentioned, a SOC bridge letter is issued only to fill the gap between the end of one SOC report period and the issuance of the next report.

They’re generally used in one of two situations.

Delayed SOC 2 Audits

SOC 2 reports need to be renewed every year. This involves an extensive audit of an organization’s systems and processes against the desired criteria.

Ideally, a company will start the audit process in time for the new report to be issued before the previous one expires. However, things can go wrong, and audits may take longer than expected, leading to a gap in coverage between SOC 2 reports.

In this scenario, customers may request a bridge letter to help close the gap between official reports. While the letter doesn’t carry the same weight as a full, third-party SOC 2 report, it provides some level of assurance as customers wait for the real thing.

Inconvenient SOC 2 Report Cycles

Service providers have many customers, and these organizations might have different fiscal years and reporting calendars. Some might be aligned with the calendar year, and others might start in October. In all cases, a company likely wants a SOC 2 report that covers them through the end of their reporting period.

However, with annual reports, a provider’s report might be three months old by the end of the year, and their IT environments and processes may have undergone significant changes. In these cases, a SOC 2 bridge letter provides customers with updated information as they move into their new fiscal year.

Key Components of a SOC 2 Bridge Letter

The AICPA hasn’t published an official SOC 2 bridge letter template, so the contents of a bridge letter can vary.

Some of the common components that they contain include:

  • The period covered by the previous SOC 2 report
  • The period that the bridge letter covers
  • The CPA firm that performed the previous SOC 2 audit
  • Changes to SOC 2 controls since the previous audit, or an attestation that no changes have been made
  • A statement that the company’s security controls are operating effectively based on the applicable trust services criteria
  • A disclaimer that the bridge letter isn’t a substitute for a full SOC 2 report

The changes to security and compliance controls can be described in considerable detail in this letter. That information can also be useful when pursuing the next official SOC 2 report.


How Long Can a Bridge Letter Cover?

SOC 2 bridge letters are intended as temporary coverage between SOC 2 reports. Ideally, they should cover only short gaps and should never exceed three months.

Who Writes the Bridge Letter?

A bridge letter is written by the service provider, not the auditor. After completing a SOC 2 audit, the auditor doesn’t know if the provider has made any changes to their environment or processes until the next audit begins.

As a result, bridge letters are written by the service organization and will not be signed by the CPA firm that performed the audit.


Example of a SOC 2 Bridge Letter

A bridge letter will vary from case to case. The letter may describe any material changes that occurred during the period it covers. It can also include any major changes in the company’s security compliance status.

Despite this variation, a bridge letter has essential elements that it must contain to serve its purpose. The bridge letter must state that the company is still in compliance with the applicable trust services criteria and that its customers’ data remain intact and secure.

I.S. Partners offers an example bridge letter as a free download that you can use as a guide.


Limitations of Bridge Letters

A bridge letter is intended as a temporary measure to bridge the gap between a SOC 2 audit and the present day. This means that a gap letter is not as comprehensive as a SOC report.

Some key limitations include:

  • Overlooked Issues: Bridge letters don’t involve a full audit of an organization’s systems. Therefore, they might overlook significant changes to an organization’s systems and processes, introducing additional risk.
  • Lack of Detail: Bridge letters are also designed to provide a high-level summary of changes rather than detailed descriptions of the controls in place. A customer can’t perform an effective risk assessment with a bridge letter.
  • Limited Duration: Ideally, a bridge letter is only valid for less than three months. The provider should complete a new SOC audit and report before the letter expires.
  • Dependency on Assurance Providers: A bridge letter’s effectiveness relies on the assurance provider’s credibility and thoroughness. If the assurance provider fails to conduct a comprehensive assessment or misses critical issues, the bridge letter’s value may be diminished.

Customers should always review the full SOC 2 report rather than relying solely on a bridge letter. Bridge letters supplement that report but are not a replacement for it and should be used only for short periods before the next report.

Maintaining SOC 2 Compliance with ISP

SOC 2 bridge letters allow you to apprise customers of changes since the last SOC 2 report. The most common use of these letters is to close the gap between the end of coverage of one SOC 2 report and the beginning of the next.

Ideally, a company should never need to issue a gap letter if audits are scheduled and performed efficiently. I.S. Partners offers expert-led SOC 2 audits, ensuring accuracy and efficiency. Our team has been helping service organizations for 20 years, guiding these businesses to adapt to important transitions.

We can help you avoid needing gap letters by creating a comprehensive plan for your SOC 2 audit. Get a complete SOC 2 service package when you work with us at I.S. Partners.

Learn more about achieving SOC 2 compliance without the hassle.

SOC 1®, SOC 2® and SOC 3® are registered trademarks of the AICPA (American Institute of Certified Public Accountants). The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.
