Every year as summer draws to a close, one of the topics that clients, business associates, and others most often reach out to our firm about is Gap Letters, sometimes called Bridge Letters. These letters are specific to SSAE 16 (also known as SOC 1) examinations.
Astute observers will note that most SOC 1 reports cover only a portion of the user organization’s calendar or fiscal year. For example, a report may have a coverage date of October 1, 2013 through September 30, 2014. If the user organization has a calendar year-end, what does the user organization do to get comfort about the internal control environment for the last three months of the year? It would be easier if the report just covered the calendar year…right? Well, yes, it would be easier; however, most user organizations, and especially their auditors (user auditors), want the SOC 1 reports while they are doing their interim internal control testing. This testing often occurs in the quarter prior to the user organization’s calendar or fiscal year-end. So, if a SOC 1 report only goes to September 30 as noted in the example, what about the last three months of the calendar year?
The answer is simple. The service organization can provide a letter that covers the “gap” between the report date and another date (e.g., October 1, 2014 through December 31, 2014). This letter is called either a “Gap” or “Bridge” Letter. It is a great tool that can be used instead of waiting for the next report, which would be a year away.
Since the CPA firm is not opining (in other words, attesting) on the internal controls within the gap period, the CPA firm cannot issue the letter. Once the service auditors have issued their SOC 1 report and have left the audit field, they do not know whether the internal control environment has changed. However, management of the service organization can issue such a letter if their user organizations are asking.
Several key points should be addressed in the letter: the report end date, material changes in the internal control environment (if any), a statement that the service organization is not aware of any other material changes, a reminder that user organizations are responsible for following the user control considerations (sometimes referred to as client control considerations), a request for user organizations to read the report, and a disclaimer that the Gap Letter is not a replacement for the actual SOC 1 report.
We have seen supremely complex Gap Letters and ones that are so simple that they do not really meet the requirements of user organizations. To aid service organizations, we have put together a template, the Type II Gap-Bridge Letter, that covers all of the key points in a Gap Letter and should meet the requirements of discerning user organizations.