Updated Attachments February 24, 2016.
Astute observers will note that most SOC 1 (f. SSAE 16) reports often cover only a portion of the user organization’s calendar or fiscal year. For example, a report may have a coverage date of October 1, 2014 through September 30, 2015. If the user organization has a calendar year-end, how do they find comfort concerning the controls for the last three months of the year? The answer is simple. The service organization can provide a letter that covers the “gap” between the report date and another date (e.g., October 1, 2015 through December 31, 2015). This letter is called either a “gap” or “bridge” letter. It is a great tool that can be used while waiting for the next report, which would be a year away.
Since the CPA firm is not opining on those controls within the gap period for the purposes of this gap or bridge letter, the CPA firm cannot issue the letter. However, management of the service organization can and should—in most cases—issue such a letter. Attached are two examples of such a letter that service organizations may find useful. The first attachment is a letter for service organizations that have had material changes to their internal control environment since the report date. The second attachment is a letter when no material changes have been made since the report date.
Also, a matter to reiterate. It is the service organization, not the service auditor, that sends the letter to the user organization. However, the service auditor can and probably should assist in the preparation of the letter given its semi-technical nature.