This blog post is going to answer common questions related to SOC 1 (formerly SSAE 16 or often misnamed SSAE 18) gap/bridge letters. Common questions include:
- What are bridge letters?
- How long can the coverage be for a bridge letter?
- What does a bridge letter look like?
Background: SOC 1 Timing & Dates
Astute observers will note that most SOC 1 reports cover only a portion of the user organization’s calendar or fiscal year. For example, a report may have a coverage date of October 1, 2016 through September 30, 2017. If the user organization has a calendar year-end, what does the user organization do to get comfort (e.g., an understanding) about the internal control environment for the last three months of the year? It would be easier if the report just covered the calendar year…right?
Well, yes, it would be easier; however, most user organizations and especially their auditors (user auditors) want the SOC 1 reports while they are doing their interim internal control testing. This testing often occurs in the quarter prior to the user organization’s calendar or fiscal year-end.
For example, if a user organization has a calendar year-end of December 31 and this user organization is also an SEC registrant, the interim internal control testing will be performed by the user organization’s external auditor (e.g., Big Four accounting firm) sometime during the 3rd and/or 4th calendar quarter. Or in other words, this interim testing will occur right before Christmas.
In the typical scenario noted above, the service auditor prepares a report ending September 30 and the user auditors (e.g., Big Four) are doing their interim work before Christmas. In this typical scenario, the service organization has a gap, which is defined as the period between the report end date and the end of the user organization’s calendar year. The gap may be one or more (e.g., three) months. Think of this like you would a gap in the road. What do we need when there is a gap in the road? A bridge. In this case, though, the service organization needs not an actual bridge but a bridge letter.
What is a Bridge Letter?
A bridge letter—also known as a gap letter—is simply a letter that bridges the “gap” between the service organization’s report date and the user organization’s year-end (i.e., calendar or fiscal year-end).
This letter is a great tool that can be used by service organizations instead of making their clients (i.e., user organizations) wait for the next report, which in any case might require waiting another 12 months. This letter is on the service organization’s letterhead and typically signed by the service organization.
The bridge letter is never on the service auditor’s letterhead nor is the bridge letter signed by the service auditor. Since the service auditor is not opining—or in other words attesting—on those internal controls within the gap period, the service auditor cannot issue the letter. Once the service auditors have issued their SOC 1 report, the service auditors do not know definitively if the internal control environment has materially changed or not. However, management of the service organization knows or should know this information.
There are several key points that should be addressed in the letter: the report end date, material changes in the internal control environment (if any), a statement that the service organization is not aware of any other material changes, a reminder that user organizations are responsible for following the complementary user entity controls—sometimes referred to as client control considerations or user control considerations—a request for user organizations to read the report, and a disclaimer that the bridge letter is not a replacement for the actual SOC 1 report.
How Long Can the Coverage be for a Bridge Letter?
The answer to this question really depends on the user auditor. Most Big Four audit firms would like to see a bridge letter that covers a period of not more than three months. We’ve seen service organizations ask for nine-month bridge letters. That is what we might call…a bridge too far. If service organizations are finding that the report period for their examination is not meeting their users’ requirements from a timing standpoint, it may be worth the service organization revisiting the examination period with the service auditor.
What Does a Bridge Letter Look Like?
We have seen supremely complex gap letters and ones that are so simple that they do not really meet the requirements of user organizations. To aid service organizations, we have put together a couple of templates that cover all of the key points in a bridge letter and should meet the requirements of discerning user organizations. Use these gap letter examples as your own gap/bridge letter templates.
Disclaimer: This blog post has been updated from its original publish date of September 22, 2014.