Gap or Bridge Letters for SOC 1 Reports

Gap or Bridge Letters

This blog post is going to answer common questions related to SOC 1 (formerly SSAE 16 or often misnamed SSAE 18) gap/bridge letters. Common questions include:

Background: SOC 1 Timing & Dates

Astute observers will note that most SOC 1 reports often cover only a portion of the user organization’s calendar or fiscal year. For example, a report may have a coverage date of October 1, 2016 through September 30, 2017. If the user organization has a calendar year-end, what does the user organization do to get comfort (e.g., an understanding) about the internal control environment for the last three months of the year? It would be easier if the report just covered the calendar year…right?

Well, yes, it would be easier; however, most user organizations and especially their auditors (user auditors) want the SOC 1 reports while they are doing their interim internal control testing. This testing often occurs in the quarter prior to the user organization’s calendar or fiscal year-end.

For example, if a user organization has a calendar year-end of December 31 and this user organization is also an SEC registrant, the interim internal control testing will be performed by the user organization’s external auditor (e.g., Big Four accounting firm) sometime during the 3rd and/or 4th calendar quarter. Or in other words, this interim testing will occur right before Christmas.

In the typical scenario noted above, the service auditor prepares a report ending September 30 and the user auditors (e.g., Big Four) are doing their interim work before Christmas. In this typical scenario, the service organization has a gap, which is defined as the period between the report end date and the end of the user organization’s calendar year. The gap may be one or more (e.g., three) months. This of this like you would a gap in the road. What do we need when there is a gap in the road? A bridge, but in this case, not an actual bridge, the service organization needs a bridge letter.

What is a bridge letter

What is a Bridge Letter?

A bridge letter—also known as a gap letter—is simply a letter that bridges the “gap” between the service organization’s report date and the user organization’s year-end (i.e., calendar or fiscal year-end).

This letter is a great tool that can be used by service organizations instead of making their clients (i.e., user organizations) wait for the next report, which in any case might require waiting another 12 months. This letter is on the service organization’s letterhead and typically signed by the service organization.

The bridge letter is never on the service auditor’s letterhead nor is the bridge letter signed by the service auditor. Since the service auditor is not opining—or in other words attesting—on those internal controls within the gap period, the service auditor cannot issue the letter. Once the service auditors have issued their SOC 1 report, the service auditors do not know definitively if the internal control environment has materially changed or not. However, management of the service organization knows or should know this information.

There are several key points that should be addressed in the letter. Namely, the report end date, material changes in the internal control environment (if any), a statement that the service organization is not aware of any other material changes, a reminder that user organizations are responsible for following the complementary user entity controls—sometimes referred to as client control considerations or user control considerations—a request for user organizations to read the report, and a disclaimer that the bridge letter is not a replacement for the actual SOC 1 report.

How Long Can the Coverage be for a Bridge Letter?

The answer to this question really depends on the user auditor. Most Big-Four audit firms would like to see a bridge letter that covers a period of not more than three months. We’ve seen service organizations ask nine month bridge letters. That is what we might call…a bridge too far. If service organizations are finding that the report period for their examination is not meeting their users requirements from a timing stand-point, it may be worth the service organization revisiting the examination period with the service auditor.

What Does a Bridge Letter Look Like?

We have seen supremely complex Gap Letters and ones that are so simple that they do not really meet the requirements of user organizations. To aid service organizations, we have put together a couple templates that cover all of the key points in a bridge Letter and should meet the requirements of discerning user organizations. Use these gap letter examples as your own gap/bridge letter templates.

Download Type 2 SOC 1 Bridge Letter TemplateDownload Type 2 SOC 1 Bridge Letter Template (Material Changes)

Need help with SOC audits and bridge letters? Linford & Co LLP specializes in SOC 1 audits and SOC 2 audits for companies and organizations. Contact us today.


Disclaimer: This blog post has been updated from its original publish date of September 22, 2014.

15 thoughts on “Gap or Bridge Letters for SOC 1 Reports

  1. A23. — Neither SAS No. 70 nor SSAE No. 16 address such communications. A service
    organization may choose to issue a letter that describes updates or changes in its
    controls since the previous type 1 or type 2 report. However, there are no provisions in
    SSAE No. 16 for service auditors to report on such a letter. Service auditors and user
    auditors are cautioned against providing assurance on or inferring assurance from such
    letters, respectively.

  2. We’re just working on getting a bridge letter prepared for our organization and you’re format has helped me immensely..

    I wanted to personally thank you for the same.

    I don’t understand the comment above from Jason – can you please clarify that for me

  3. I believe the part of Jason’s comment that may need clarification is that the bridge letter comes is prepared by the service organization. The service auditor can not prepare the letter because the auditor cannot opine on something not audited. I hope this helps clarify.

  4. What if the bridge letter does completely cover one’s fiscal year end? For example the bridge letter is dated Sept 30 20×5 for your year end Dec 31 x5? I heard that while there are no bright lines, if the bridge letter was within 6 months of your year end you could interview your service provider and ask the same questions about whether there have been any control changes etc since the last bridge letter. Document the interview and you would be OK. yes?

  5. Service organization had a Type 1 engagement…do you have template for a Type 1 bridge letter?

  6. There are no templates and therefore no bridge letters for a Type I engagement, since a Type I engagement is as of a point-in-time report.

  7. In regards to Ken Wong’s comment on March 22, 2016. Consider asking the service organization (provider) to provide you a bridge letter that covers the report date until the date you need. Many user organizations feel (and rightly so) that a bridge letter > three months is just too long. If the bridge letter date covers too long of a period, interviewing the service organization may be a good alternative option.

  8. Hi All,
    Any idea what the minimum period for testing the controls are? Meaning at what point is a bridge letter required/not required.

    Say my Type2 audit period is Jan-Dec however Auditor is conducted the review in November thus not reviewing the controls for the month of December.

    From a Design of Controls & Operating Effectiveness can/should December be covered by a Bridge Letter?

    Finally, at what point are you required to conduct a Refresh/Roll forward to cover the remaining period? (If auditor conducts his review in August leaving 4 month un-accounted for, Auditor can return in January to review the periods Sep-Dec and issue 1 report covering Jan-Dec.

    Thanks for your response.

  9. In response to James: The minimum period for testing controls is: six months for a Type II SOC 1 (refer to 2.15 in the latest AICPA audit guide) or and two months (refer to 2.11 in the latest AICPA audit guide) for a Type II SOC 2 audit. Importantly though, it is usually the user organization that dictates the minimum period that they are willing to accept for a SOC report. In practice, most SOC 1 and 2 reports have a 12-month period.

    Bridge letters are only required by user organizations or their external auditors (ie, user auditors). Bridge letters are often required by user organizations when the user organizations have a SOC report date ending October 31, 20XX—for example—and the user organizations has a calendar year end of December 31, 20XX. In this example, a bridge letter covering the two months (ie, November and December) might be required by the user organization.

    In your example, you have a Type II audit period of January – December 20XX. The service auditor is conducting the examination in November; this is normal. The service auditor will ask the service organization at the end of December or in early January if there were any internal control changes from when the service auditor left fieldwork in November to the report date ending December 20XX. In this example, there would likely be no need for a bridge letter since most United States based companies have a calendar year end of December 31.

    Your last question about a refresh/roll forward is entirely dependent on the auditor’s judgement and audit methodology. Some of the big four firm allow work to be performed as early as six months prior to the report end date with limited testing that’s required for the remaining six-month period.

  10. Our vendor has a SOC1 report that ends in March. We were provided a bridge letter through June. Our clients are now asking for a bridge letter through the end of December. Is that normal, or in general are bridge letters just for one quarter after the SOC1 audit and then the next year’s audit covers the remaining gap?

  11. Is there a governing body that requires a bridge letter be provided (e.g. is there a standard that discusses bridge letters including when and why they need to be provided from the service organization?)?

  12. If we are unable to obtain a gap letter what other alternative procedures can we make to not get a deficiency from our external auditor?

  13. If you are unable to get a gap letter from your service organization; it could be because they are unaware of what that gap letter looks like. You might find some success by educating them about the purposes of a gap letter. Unfortunately, if the services you receive from this company are significant and the gap period cannot be closed, it may very well turn into a deficiency noted by your external auditor. Since every audit is unique, you may also try (if you have not already tried) talking to your auditor about what they suggest in lieu of a gap letter. Sorry, we couldn’t be of more help.

Leave a Reply

Your email address will not be published. Required fields are marked *