Have you have educated yourself on SOC reports but now find yourself wondering what a gap or bridge letter is and why it is relevant? A bridge letter, also referred to as a gap letter, is used to bridge the “gap” between the service organization’s report date and the user organization’s year-end (i.e., calendar or fiscal year-end). In this post, we will cover common questions users have around gap or bridge letters as they relate to SOC reports (both SOC 1 and SOC 2), including further details on what bridge letters are, how they are used, and their requirements.
Background on SOC Report Timing
Observers will note that most SOC 1 and SOC 2 reports often cover only a portion of the user organization’s calendar or fiscal year. For example, a report may have a coverage date of October 1, 2017, through September 30, 2018. Common questions that we get are:
- If the user organization has a calendar year-end, what does the user organization do to get comfort (e.g., an understanding) about the internal control environment for the last three months of the year?
- Why aren’t SOC reports issued to coincide with the calendar year-end?
The timing of SOC report periods vary widely but they don’t typically coincide with calendar year-end because most user organizations, especially their auditors, want the SOC reports while they are doing their interim internal control testing. This testing often occurs in the quarter prior to the user organization’s calendar or fiscal year-end. For example, if a user organization has a calendar year-end of December 31, the interim internal control testing will be performed sometime during the 3rd and/or 4th calendar quarter.
When is a Bridge Letter Used?
In the typical scenario noted above, the service organization has a gap, which is defined as the period between the report end date and the end of the user organization’s calendar year. In which case, the service organization needs to provide the user organization with a bridge letter. A bridge letter can be used in the gap period to provide clients with additional information and confidence in the service organization’s compliance position.
What is a Bridge Letter?
A bridge letter—also known as a gap letter—is simply a letter that bridges the “gap” between the service organization’s report date and the user organization’s year-end (i.e., calendar or fiscal year-end). This letter is a great tool that can be used by service organizations instead of making their clients (i.e., user organizations) wait for the next SOC report they issue, which might require them waiting another 12 months. This letter is on the service organization’s letterhead and signed by the service organization, not the service auditor that performed the SOC examination.
Since the service auditor is not signing the bridge letter, they are not attesting on the design or operating effectiveness of the internal controls within the gap period. Once the service auditors have issued the SOC report, the service auditors do not know definitively if the internal control environment has materially changed or not between the end of the report period and the user organization’s year end because they have not performed any additional control testing over the gap period. However, the service organization’s management knows if there have been any changes in the control environment and if internal controls are still operating effectively, which they capture in the bridge letter.
Bridge Letter Components
There are several key components that should be addressed in a bridge letter, including the following:
- The SOC report end date
- Material changes in the internal control environment (if any)
- A statement that the service organization is not aware of any other material changes outside of what is listed in the bridge letter (if any)
- A reminder that user organizations are responsible for following the complementary user entity controls—sometimes referred to as client control considerations or user control considerations
- A request for user organizations to read the report
- A disclaimer that the bridge letter is not a replacement for the actual SOC report
The list above includes suggested components that will provide users of the bridge letter with sufficient information to gain some comfort around the compliance of the service organization during the gap period. The AICPA doesn’t actually cover bridge letter requirements in the SOC guidance so there is no guidance on the specific requirements for a bridge letter but the list above provides a good place to start.
How Long Can a Bridge Letter Cover?
You may be asking yourself how long can the coverage for a bridge letter be? The answer to this question really depends on the user of the report. A bridge letter’s purpose is to cover a limited amount of time between the report end date and the user organization’s year-end.
Keeping this in mind, most bridge letters typically cover a period of no more than three months. SOC examinations are meant to recur on at least an annual basis, in order to provide user entities with continuous coverage.
If service organizations are finding that the report period for their SOC examination is not meeting their users’ requirements from a timing standpoint, it may be worth the service organization revisiting the examination period with the service auditor rather than issuing a bridge letter for a period over 3 months.
What’s in a Bridge Letter?
We have seen both extremely complex bridge letters and ones that are so simple that they do not meet the requirements of user organizations. If service organizations are unsure of what to include in their bridge letter or what it should look like, they should consult their service auditor.
Additionally, to aid service organizations, we have put together a couple bridge letter example templates for a Type II SOC 1 report that covers all of the key points in a bridge letter and should meet the requirements of discerning user organizations.
Bridge Letter Limitations?
Bridge letters are helpful tools to service organizations in showing compliance throughout a clients calendar or fiscal year but they have limitations. Bridge letters are not a replacement for the actual SOC report. SOC examinations are meant to recur on at least an annual basis and bridge letters typically cover no more than 3 months.
In this post we have discussed that a bridge letter (also referred to as a gap letter) is used to obtain coverage over the gap between the SOC report end date and the user organization’s year-end. Additionally, bridge letters are signed by the service organization’s management and typically cover no more than 3 months. Within a bridge letter, management is stating if there have been any material changes in the control environment since the end date of the SOC reporting period. Bridge letters are not meant to take the place of a SOC report but rather provide some form of coverage over the gap period. Lastly, we have provided users with a couple of example bridge letter templates to aid in their understanding of what a bridge letter should look like.
Megan Kovash works primarily on SOC audits with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Masters of Accountancy with the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions to better her client’s business.