Gap or Bridge Letters

Updated Attachments February 24, 2016.

Astute observers will note that most SOC 1 (formerly SSAE 16) reports cover only a portion of the user organization’s calendar or fiscal year. For example, a report may have a coverage date of October 1, 2014 through September 30, 2015. If the user organization has a calendar year-end, how does it find comfort concerning the controls for the last three months of the year? The answer is simple. The service organization can provide a letter that covers the “gap” between the report date and another date (e.g., October 1, 2015 through December 31, 2015). This letter is called either a “gap” or “bridge” letter. It is a great tool that can be used while waiting for the next report, which would be a year away.

Since the CPA firm is not opining on those controls within the gap period for the purposes of this gap or bridge letter, the CPA firm cannot issue the letter. However, management of the service organization can and should—in most cases—issue such a letter. Attached are two examples of such a letter that service organizations may find useful. The first attachment is a letter for service organizations that have had material changes to their internal control environment since the report date. The second attachment is a letter when no material changes have been made since the report date.

Also, one matter to reiterate: it is the service organization, not the service auditor, that sends the letter to the user organization. However, the service auditor can and probably should assist in the preparation of the letter given its semi-technical nature.

10 thoughts on “Gap or Bridge Letters”

  1. In your honest opinion, is a bridge letter worth the paper it is printed on? Given the fact that there is no CPA firm checking after the service organization, I feel like in reality the average service organization would not be nearly as vigilant about what they are certifying as they would be in an ideal world.

  2. The bridge letter is only helpful to the extent that the user organization’s management wants an assertion from the service organization that controls are still in place and operating. I don’t think user organization management places any reliance on the letter. If they do, they should not. In any case, the time covered by the bridge letter will be tested by the auditors for the next go around for the examination. User management will just have to wait for a year to get that next report.

  3. Newel, are there standards on the length of time which a bridge letter can cover? For example, if a coverage date of a report ended October 31, 2012 and the next SOC 1 for the period ending October 31, 2013 was not scheduled for issuance until January 2014, could a bridge letter be issued covering the period from November 1, 2012 through December 31, 2013?

  4. There are no standards for a bridge letter. However, in practice bridge letters typically cover short periods (e.g., 2-3 months). So it would be unusual to have a 14-month bridge letter. Although, it would be permissible. Also, consider having your external auditors issue your report a bit faster (if possible) than 2+ months. Even the big-four should be able to issue within four to six weeks. I recognize we are already in January so this advice will not help this year.

  5. Sounds like your internal auditor is going a bridge too far. The following is a diagram that may help illustrate that your internal auditor should only be asking for a single bridge letter from each service provider (once a year) to cover the period between the report end date and your fiscal year end. It is unusual to ask for bridge letters throughout the year.

    Bridge Letter Diagram

  6. Newel, what are your thoughts on bridge letters to bridge a gap period at the beginning of the fiscal year? For instance, the service organization only has SOC 1 reports from Jan 1 – Sept 30, and then a bridge letter to cover Oct 1 – Dec 31. To be clear, they never test the period Oct 1-Dec 31 as they only have calendar year end clients who accept 9 month SOC 1s. However, our fiscal year is Sept 30th. Is it acceptable to cover the Oct 1- Dec 31 period via a bridge letter and then use the Jan 1-Sept 30 SOC 1? Our external auditors find this acceptable, but I can’t understand why we can omit the Oct 1- Dec 31 from being actually tested and covered by the SOC 1.

  7. Hi Kathy – The period of Oct 1-Dec 31 should be included within the coverage period of your SOC 1 examination. Regardless of whether it matters or not to certain clients. Or in other words, there should be continuous coverage. The user organization could still request a bridge letter from the service organization for that three month period that isn’t audited. The reason is that it is a matter between the user organization and the service organization. So your original question was “Is it acceptable…?” If the primary reason is to satisfy the user audit firm and the user audit firm is okay with that approach, then that is your answer. My advice would be to instruct the service organization to have continuous coverage for the period and not leave any months as gaps.

  8. Hello Newel,
    Is there a standard between auditors regarding an acceptable period for a bridge letter? Is a bridge letter that covers 8 months acceptable to my client’s auditor?

  9. Hi Gaétan – 3 months is about as long as I like. 8 months is too long in my opinion. Of course, if your client’s auditor is okay with an 8 month bridge letter, that’s up to them. Part of the consideration may be how often your environment changes. If it’s been relatively static for a number of years (some are but most are not static), then maybe a bridge letter covering a longer gap period may be okay. Generally though…3 months for a bridge letter.
