What Are Bridge (aka Gap) Letters & How Do They Relate to SOC Reports?

Bridge (gap) letters for SOC reports

Have you educated yourself on SOC reports but now find yourself wondering what a gap or bridge letter is and why it is relevant? A bridge letter, also referred to as a gap letter, is used to bridge the “gap” between the service organization’s SOC report date and the user entity’s year-end (i.e., calendar or fiscal year-end). In this post, we will cover common questions users have around gap or bridge letters as they relate to SOC reports (both SOC 1 and SOC 2), including further details on what bridge letters are, who provides them, how they are used, and their requirements.

What is the Purpose of a Bridge Letter?

SOC 1 and SOC 2 reports typically cover a period of 6 to 12 months, and the SOC report period may not align with every user entity’s calendar or fiscal year. This means the SOC report will often cover only a portion of a user entity’s calendar or fiscal year. For example, a report may have a period of October 1, 2020 through September 30, 2021. If a user entity has a calendar year-end (January 1, 2020 through December 31, 2021), the SOC report only provides coverage for 9 of the 12 months in the period, leaving a 3-month gap in coverage. Common questions that we are asked in this situation are:

  • If the user entity has a calendar year-end, what does the user entity do to gain comfort (e.g., an understanding) around the operating effectiveness of the internal control environment for the last three months of the year?
  • Why aren’t all SOC reports issued to coincide with the calendar year-end?

There are various methods for a user entity to gain comfort around the operating effectiveness of the internal control environment for the remaining 3 months of the period and one of the most popular options is obtaining a bridge letter from the management of the service organization.

The timing of SOC report periods varies widely but they don’t typically coincide with calendar year-end because most user entities, especially their auditors, want the SOC reports while they are performing their interim internal control testing. This testing often occurs in the quarter prior to the user organization’s calendar or fiscal year-end. For example, if a user entity has a calendar year-end of December 31, the interim internal control testing will be performed sometime during the 3rd and/or 4th calendar quarter.


What is a Bridge Letter?

In the scenario noted above, the service organization has a gap in its report coverage, defined as the period between the report end date and the end of the user entity’s calendar year. In that case, the user entity may request a bridge letter from the service organization. A bridge letter can be used to cover the gap period in order to provide user entities with additional information and confidence in the service organization’s compliance position.

A bridge letter—also known as a gap letter—is simply a letter that bridges the “gap” between the service organization’s report date and the user entity’s year-end (i.e., calendar or fiscal year-end). This letter is a great tool that can be used by service organizations instead of making their clients (i.e., user entities) wait for the next SOC report they issue, which might require them to wait another 12 months. This letter is on the service organization’s letterhead and signed by the service organization, not the service auditor that performed the SOC examination.

Who Provides a Bridge Letter?

Since the service auditor is not signing the bridge letter, they are not attesting to the design or operating effectiveness of the internal controls within the gap period. Once the service auditors have issued the SOC report, the service auditors do not know definitively if the internal control environment has materially changed or not. This is because the service auditors have not performed any additional control testing between the end of the report period and the user organization’s year-end. However, the service organization’s management knows if there have been any changes in the control environment and if internal controls are still operating effectively, which they capture in the bridge letter. Management of the service organization is responsible for writing and providing user entities a bridge letter upon request.


Bridge Letter Components

There are several key components that management should address in a bridge letter, including the following:

  • The SOC report period covered
  • Material changes in the internal control environment (if any)
  • A statement that the service organization is not aware of any other material changes outside of what is listed in the bridge letter (if any)
  • A reminder that user organizations are responsible for following the complementary user entity controls—sometimes referred to as client control considerations or user control considerations
  • A request for user organizations to read the report
  • A disclaimer that the bridge letter is not a replacement for the actual SOC report

The list above includes suggested components that will provide users of the bridge letter with sufficient information to gain some comfort around the compliance of the service organization during the gap period. The AICPA does not address bridge letters in its SOC guidance, so there are no authoritative requirements for what a bridge letter must contain, but the list above provides a good place to start.


What Length of Time Can a Bridge Letter Cover?

You may be wondering, how long of a period can a bridge letter cover? The answer to this question really depends on the user of the report. A bridge letter’s purpose is to cover a limited amount of time between the report end date and the user entity’s year-end.

Keeping this in mind, most bridge letters typically cover a period of no more than three months. SOC examinations are meant to recur on at least an annual basis, in order to provide user entities with continuous coverage.

If service organizations are finding that the report period for their SOC examination is not meeting their users’ requirements from a timing standpoint, it may be worth the service organization revisiting the examination period with the service auditor rather than issuing a bridge letter for a period over 3 months.

SOC 1 Bridge Letter Template

We have seen both extremely complex bridge letters and ones that are so simple that they do not meet the requirements of user entities. If service organizations are unsure of what to include in their bridge letter or what it should look like, they should consult their service auditor.

Additionally, to aid service organizations, we have put together a couple of bridge letter example templates for a Type II SOC 1 report that covers all of the key points in a bridge letter and should meet the requirements of discerning user entities.

  • Download Type 2 SOC 1 Bridge Letter Template
  • Download Type 2 SOC 1 Bridge Letter Template (Material Changes)

Bridge Letter Limitations

Bridge letters are helpful tools to service organizations in showing compliance throughout a user entity’s calendar or fiscal year, but they have limitations. Bridge letters are not a replacement for the actual SOC report. SOC examinations are meant to recur on at least an annual basis and bridge letters typically cover no more than 3 months. Bridge letters do not include the details included in the actual report such as the system description, test procedures, and test results. The user entity needs to review the SOC report, in addition to obtaining a bridge letter, in order to monitor the systems or services provided by the service organization and gain comfort around service commitments and system requirements being met throughout the period.

Summary

In this post we have discussed that a bridge letter (also referred to as a gap letter) is used to obtain coverage over the gap between the SOC report end date and the user entity’s year-end. Additionally, bridge letters are signed by the service organization’s management and typically cover no more than 3 months. Within a bridge letter, management is stating if there have been any material changes in the control environment since the end date of the SOC reporting period. Bridge letters are not meant to take the place of a SOC report but rather provide some form of coverage over the gap period. Lastly, we have provided users with a couple of example bridge letter templates to aid in their understanding of what a bridge letter should look like.

For any additional inquiries on bridge letters, SOC 1 audits or SOC 2 audits, or inquiries on how Linford & Company LLP can assist your organization, please contact us.

This article was originally published in 2015 and was updated on 2/15/2022. It has been updated several times over the years to reflect the most current information.

19 thoughts on “What Are Bridge (aka Gap) Letters & How Do They Relate to SOC Reports?”

  1. A23. — Neither SAS No. 70 nor SSAE No. 16 address such communications. A service organization may choose to issue a letter that describes updates or changes in its controls since the previous type 1 or type 2 report. However, there are no provisions in SSAE No. 16 for service auditors to report on such a letter. Service auditors and user auditors are cautioned against providing assurance on or inferring assurance from such letters, respectively.

  2. We’re just working on getting a bridge letter prepared for our organization and your format has helped me immensely.

    I wanted to personally thank you for the same.

    I don’t understand the comment above from Jason – can you please clarify that for me?

  3. I believe the part of Jason’s comment that may need clarification is that the bridge letter is prepared by the service organization. The service auditor cannot prepare the letter because the auditor cannot opine on something not audited. I hope this helps clarify.

  4. What if the bridge letter does completely cover one’s fiscal year end? For example, the bridge letter is dated Sept 30, 20X5 for your year end of Dec 31, 20X5? I heard that while there are no bright lines, if the bridge letter was within 6 months of your year end you could interview your service provider and ask the same questions about whether there have been any control changes, etc., since the last bridge letter. Document the interview and you would be OK. Yes?

  5. Service organization had a Type 1 engagement…do you have template for a Type 1 bridge letter?

  6. There are no templates and therefore no bridge letters for a Type I engagement, since a Type I engagement is as of a point-in-time report.

  7. In regards to Ken Wong’s comment on March 22, 2016. Consider asking the service organization (provider) to provide you a bridge letter that covers the report date until the date you need. Many user organizations feel (and rightly so) that a bridge letter > three months is just too long. If the bridge letter date covers too long of a period, interviewing the service organization may be a good alternative option.

  8. Hi All,
    Any idea what the minimum period for testing the controls is? Meaning, at what point is a bridge letter required/not required?

    Say my Type 2 audit period is Jan-Dec; however, the auditor conducted the review in November, thus not reviewing the controls for the month of December.

    From a Design of Controls & Operating Effectiveness standpoint, can/should December be covered by a Bridge Letter?

    Finally, at what point are you required to conduct a refresh/roll forward to cover the remaining period? (If the auditor conducts his review in August, leaving 4 months unaccounted for, the auditor can return in January to review the period Sep-Dec and issue 1 report covering Jan-Dec.)

    Thanks for your response.

  9. In response to James: The minimum period for testing controls is six months for a Type II SOC 1 (refer to 2.15 in the latest AICPA audit guide) and two months (refer to 2.11 in the latest AICPA audit guide) for a Type II SOC 2 audit. Importantly though, it is usually the user organization that dictates the minimum period that they are willing to accept for a SOC report. In practice, most SOC 1 and 2 reports have a 12-month period.

    Bridge letters are only required by user organizations or their external auditors (i.e., user auditors). Bridge letters are often required by user organizations when the user organizations have a SOC report date ending October 31, 20XX—for example—and the user organization has a calendar year end of December 31, 20XX. In this example, a bridge letter covering the two months (i.e., November and December) might be required by the user organization.

    In your example, you have a Type II audit period of January – December 20XX. The service auditor is conducting the examination in November; this is normal. The service auditor will ask the service organization at the end of December or in early January if there were any internal control changes from when the service auditor left fieldwork in November to the report date ending December 20XX. In this example, there would likely be no need for a bridge letter since most United States based companies have a calendar year end of December 31.

    Your last question about a refresh/roll forward is entirely dependent on the auditor’s judgement and audit methodology. Some of the big four firms allow work to be performed as early as six months prior to the report end date, with limited testing required for the remaining six-month period.

  10. Are bridge letters provided for SOC 2, Type 2 reports? Or are these limited to SOC 1, Type 2 reports?

  11. Our vendor has a SOC1 report that ends in March. We were provided a bridge letter through June. Our clients are now asking for a bridge letter through the end of December. Is that normal, or in general are bridge letters just for one quarter after the SOC1 audit and then the next year’s audit covers the remaining gap?

  12. Is there a governing body that requires a bridge letter be provided (e.g. is there a standard that discusses bridge letters including when and why they need to be provided from the service organization?)?

  13. If we are unable to obtain a gap letter what other alternative procedures can we make to not get a deficiency from our external auditor?

  14. If you are unable to get a gap letter from your service organization; it could be because they are unaware of what that gap letter looks like. You might find some success by educating them about the purposes of a gap letter. Unfortunately, if the services you receive from this company are significant and the gap period cannot be closed, it may very well turn into a deficiency noted by your external auditor. Since every audit is unique, you may also try (if you have not already tried) talking to your auditor about what they suggest in lieu of a gap letter. Sorry, we couldn’t be of more help.

  15. Is it possible to issue a bridge letter for a month, let’s say Jan-Feb, and still cover that period as part of the SOC assessment?

  16. The bridge letter is for the months that are not covered by the report. Let’s say a report period for a Type II report ends October 31, 2020. A user organization might ask the service organization for a bridge letter to cover the period November 1, 2020 – February 28, 2021. The service organization (not the auditor) issues the bridge letter. Also, that Nov – Feb period is not covered by the audit.

  17. I am asking myself whether a bridge letter can be issued for a certain period in advance or whether this can only be done retrospectively. Let’s say the bridge letter is to cover October to December. Can I issue it in November or do I have to wait until December is over?
