Gap or Bridge Letters

Updated Attachments February 24, 2016.

Astute observers will note that most SSAE 16/SOC 1 reports often cover only a portion of the user organization’s calendar or fiscal year. For example, a report may have a coverage date of October 1, 2014 through September 30, 2015. If the user organization has a calendar year-end, how do they find comfort concerning the controls for the last three months of the year? The answer is simple. The service organization can provide a letter that covers the “gap” between the report date and another date (e.g., October 1, 2015 through December 31, 2015). This letter is called either a “gap” or “bridge” letter.  It is a great tool that can be used while waiting for the next report, which would be a year away.

Since the CPA firm is not opining on those controls within the gap period for the purposes of this gap or bridge letter, the CPA firm cannot issue the letter. However, management of the service organization can and should—in most cases—issue such a letter. Attached are two examples of such a letter that service organizations may find useful. The first attachment is a letter for service organizations that have had material changes to their internal control environment since the report date. The second attachment is a letter when no material changes have been made since the report date.

Also, a matter to reiterate. It is the service organization, not the service auditor, that sends the letter to the user organization. However, the service auditor can and probably should assist in the preparation of the letter given its semi-technical nature.

6 thoughts on “Gap or Bridge Letters

  1. In your honest opinion, is a bridge letter worth the paper it is printed on? Given the fact that there is no CPA firm checking after the service organization, I feel like in reality the average service organization would not be nearly as vigilant about what they are certifying as they would be in an ideal world.

  2. The bridge letter is only helpful to the extent that the user organization’s management wants an assertion from the service organization that controls are still in place and operating. I don’t think user organization management places any reliance on the letter. If they do, they should not. In any case, the time covered by the bridge letter will be tested by the auditors for the next go around for the examination. User management will just have to wait for a year to get that next report.

  3. Newel, are their standards on the length of time which a bridge letter can cover? For example, if a coverage date of a report ended October 31, 2012 and the next SOC 1 for the period ending October 31, 2013 was not scheduled for issuance until January 2014, could a bridge letter be issued covering the period from November 1, 2012 throgh December 31, 2013?

  4. There are no standards for a bridge letter. However, in practice bridge letters typically cover short periods (e.g., 2-3 months). So it would be unusual to have a 14-month bridge letter. Although, it would be permissible. Also, consider having your external auditors issue your report a bit faster (if possible) than 2+ months. Even the big-four should be able to issue within four to six weeks. I recognize we are already in January so this advice will not help this year.

  5. Sounds like your internal auditor is going a bridge too far. The following is a diagram that may help illustrate that your internal auditor should only be asking for a single bridge letter from each service provider (once a year) to cover the period between the report end date and your fiscal year end. It is unusual to ask for bridge letters throughout the year.

    Bridge Letter Diagram

Leave a Reply

Your email address will not be published. Required fields are marked *