What is a SOC 2 Bridge Letter?
A SOC 2 bridge letter, also known as a gap letter, is a document organizations provide to customers to assure them they are maintaining compliance with SOC 2 controls. Bridge letters address the period between the end of a previously issued SOC 2 report and the start of a new one.
A SOC 2 report must be renewed through an annual audit to remain current. During the year between audits, an organization’s controls and systems may change or evolve. A bridge letter addresses this by describing any material changes to the organization’s systems, processes, or personnel since the last audit period ended.
Bridge letters only cover short periods, typically no more than three months. They are not a substitute for a full SOC 2 report.
What Should Be Included in a Bridge Letter?
A bridge letter typically includes:
- The start and end dates of the most recent SOC 2 report.
- Information about any significant changes to the organization’s systems, controls, or personnel that have occurred since the last report.
- A statement that the organization’s controls remain effective, or a description of any changes that have occurred.
- Identification of the issuer: the letter is issued by the service organization’s management, often in consultation with the auditor.
- Whether a new audit is underway or scheduled, and its expected timing.
- Information about the CPA firm that performed the previous SOC 2 audit.
Bridge letters are typically signed by an executive, such as a CISO or CFO.
Sample SOC 2 Bridge Letter
If your organization has not made any changes to its security controls since the audit period, its bridge letter could be worded similarly to this:
To Whom It May Concern,
Subject: SOC 2 Bridge Letter – Coverage for Period Ending [Insert Date] Through [Insert Date]
We are writing to assure you of the continued effectiveness of our internal controls related to the Trust Services Criteria covered under our most recent SOC 2 Type II report.
[Company Name] underwent an independent SOC 2 Type II examination conducted by [Auditing Firm Name], which covered the period from [Start Date of SOC 2 Period] to [End Date of SOC 2 Period]. This report evaluated the design and operating effectiveness of controls relevant to the following Trust Services Criteria: [e.g., Security, Availability, Confidentiality].
As of the date of this letter, no material changes have occurred to the control environment described in the aforementioned report. We affirm that to the best of our knowledge:
- No significant deficiencies or material weaknesses have occurred in our control environment since the end of the last audit period.
- We have not experienced any security breaches or control failures that would impact the scope or reliability of the controls covered in the SOC 2 report.
- We continue to operate under the same policies and procedures as described in the prior report.
- Our next SOC 2 Type II audit is scheduled to cover the period from [Next Audit Start Date] to [Next Audit End Date], with an expected completion in [Estimated Report Completion Date].
Please note that this bridge letter is a self-assertion and does not constitute a formal attestation or assurance report under the AICPA standards.
If you have any questions or require additional information, please feel free to contact us at [Contact Email or Phone Number].
Sincerely,
[Signature]
[Name]
[Title, e.g., Chief Information Security Officer]
[Company Name]
CompliancePoint can guide your company through every step of a successful SOC 2 attestation, from the initial assessment of your existing program to the official audit. Reach out to us at connect@compliancepoint.com to learn more about our services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.