SOC 2 Bridge Letter: Examples with Template

Grace Arundhati

Technical Content Writer at Scrut Automation

A SOC 2 report (whether Type 1 or Type 2) is a critical document for businesses that need to demonstrate their commitment to maintaining high standards of security, availability, processing integrity, confidentiality, and privacy—whichever of these trust service criteria are relevant to the company.

Keeping a report current matters, because it gives customers and partners independent assurance that your controls were designed and operating as described during the audited period. Letting a SOC 2 report lapse without a successor can erode trust and create business risk, as clients may question your ability to meet their security requirements.

So, what happens when the period covered by your last report has ended and the next report is not yet issued? One solution is a bridge letter, in which management asserts that the controls assessed in the last report remain in place while the next audit is completed. The letter fills the gap between audit periods, helps maintain customer trust, and avoids disruptions to business relationships. Because it is management's own statement rather than an auditor's opinion, it carries less weight than the report it bridges and should be followed by the new report as soon as it is issued.

Read more on how to create an effective bridge letter and ensure continued confidence in your compliance efforts.

What is a Bridge Letter?

A bridge letter (also known as a gap letter) is a temporary document in which your company asserts to customers and stakeholders that the security and operational controls assessed in its most recent SOC 2 report remain in place for a period the report does not cover. It serves as an interim communication between SOC 2 audits, keeping your compliance status transparent while the next official SOC 2 report is not yet available. It is not a substitute for a formal SOC 2 report.

The frequency of preparing a bridge letter typically depends on your audit schedule and customer requirements. It is usually prepared for the period between the end of one SOC 2 report and the completion of the next. However, in certain scenarios, it can be created more frequently, such as if there are delays in the audit process or if a client specifically requests assurance before the next official report is issued. These letters rely on the results of the previous SOC 2 report and do not represent an updated or new audit.

Example: Imagine a company whose most recent SOC 2 Type 2 report covers a period ending in June, but the audit for the next report will not be completed until October. The company can prepare a bridge letter covering July through the issuance of the new report, asserting that it continues to follow the controls and security measures evaluated in the prior SOC 2 report.

The bridge letter doesn’t replace a SOC 2 report but acts as supplementary assurance until the next report is available. It provides a clear, temporary solution that bridges the gap, maintaining customer trust while waiting for the next official SOC 2 report to be completed.

Who writes and delivers a bridge letter?

A bridge letter is written by the service provider (the organization undergoing the SOC 2 audit), not by the auditor or CPA (Certified Public Accountant) firm. Once the audit period ends, the auditor has not examined the provider's environment or processes beyond that date and therefore cannot attest to whether anything has changed until the next audit begins.

As a result, the service organization is responsible for drafting the bridge letter, which assures stakeholders that the company remains in compliance with the relevant Trust Services Criteria (TSCs) during the gap between SOC 2 audit periods. The letter is not signed by the CPA firm that performed the audit, as it is based on the service provider’s own assessment of their ongoing compliance.

What is included in the SOC 2 bridge letter?

A SOC 2 Bridge Letter is crucial for businesses that need to maintain trust and demonstrate adherence to previously assessed controls between SOC 2 audit periods. The bridge letter outlines key components to provide clarity and transparency to stakeholders.

Key components of a SOC 2 bridge letter:

  1. Date of the last SOC 2 report: To establish context and the timeframe of the previous audit, start by referencing the date of the most recent SOC 2 report.
  2. Specific period covered by the bridge letter: Clarify the time period the bridge letter covers, helping stakeholders understand the gap between the last report and the next audit.
  3. Statement of compliance: Clearly state, based on management’s assertion, that the company continues to adhere to the relevant TSCs at the time of the letter.
  4. No significant changes to risk profile: Reassure clients that no significant changes have occurred to the organization’s risk profile or security posture since the last audit.
     • If no changes have been made: State that you are unaware of any material changes that would affect the opinion of the auditor who performed the SOC 2 audit.
     • If any changes have been made to the internal control environment: List them and explain their impact.
  5. Assurance of ongoing practices: Confirm, based on management’s assessment, that the company’s processes and security posture remain intact and unchanged during the gap period.
  6. Evidence of continued monitoring: Mention that the company continues to actively monitor its security controls and practices to ensure ongoing compliance.
  7. Audit timeline and next steps: Provide transparency on when the next audit is scheduled and when the updated SOC 2 report will be available.
  8. Contact information for further inquiries: Close with contact details for any questions or further clarification.
  9. A note that the bridge letter is not a replacement for a SOC 2 report: This disclaimer is crucial to set the correct expectations. A bridge letter provides interim assurance but does not replace the comprehensive evaluation and validation provided by a full SOC 2 report, and it should say so explicitly.
  10. A restricted-use statement: State that the letter was prepared for the named recipient. This limits liability and makes clear that the letter is not to be relied upon by anyone other than the intended client or stakeholder, which is important for maintaining legal and compliance boundaries.

SOC 2 Bridge Letter Example Template

  1. Personalize the template with your organization’s details and audit information.
  2. Use this letter to inform clients and partners of your continued commitment to upholding security standards.
  3. Issue the bridge letter to cover the time gap between your previous SOC 2 report and the upcoming audit.
  4. Include a statement, based on management’s assertion, that no significant changes have taken place in your control environment.

SOC 2 bridge letter template

To [Client Name]:

This letter provides information regarding [Company Name] (referred to as “[Company Name]” or the “Company”) in relation to the services rendered in connection with the product/services described in the most recently issued System and Organization Controls (SOC) 2 Type II report. This letter should be treated as confidential information, in the same manner as the SOC 2 Type II report.

[Company Name] uses [Audit Firm Name] (“[Audit Firm Name]”) to provide the independent System and Organization Controls (SOC) reporting opinion on the Company’s system supporting its [Product/Service Name] (e.g., [list relevant products/services]) in relation to [specific Trust Services Criteria, e.g., Security]. These reports are issued in accordance with TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

[Company Name] recognizes the importance of maintaining an appropriate internal control environment and reporting on the effectiveness of, as well as material changes to, its internal controls. As of [current date], we are not aware of any material changes in our control environment from [date of last report] through the date of this letter that would adversely affect the Auditor’s Opinion reached in the SOC report covering the period from [period start date] to [period end date]. Material changes are those that would require disclosure to [Audit Firm Name], as the Company’s independent service auditor, in the process of their work required to produce these reports.

Please be aware that [Company Name], as part of its ongoing operations, continually updates its services and technology. Additionally, the controls for the system supporting [relevant product/service] were designed with certain responsibilities required of the system users (See “Complementary User Entity Controls” in section III of the SOC report). [Company Name] controls must always be evaluated in conjunction with an assessment of the strength of the applicable complementary user entity controls.

Finally, to conclude on the design and operating effectiveness of internal controls at [Company Name], you must request and review the current SOC 2 report. This letter is not intended to replace the SOC 2 report, certify the effectiveness of the Company’s internal controls, or suggest that the Company has performed a separate evaluation of its internal controls for the purposes of this letter.

Sincerely,
[Name]
[Title]
[Company Name]

What is the importance of a bridge letter for SOC 2?

1. Maintains customer confidence: A bridge letter communicates management’s assertion that your company continues to adhere to the controls assessed in the previous SOC 2 report. This helps maintain customer trust and confidence in your security practices, preventing concerns about lapses in compliance.

2. Prevents disruption in business relationships: Without a valid SOC 2 report, clients may begin to question your ability to meet their security requirements. A bridge letter helps address this concern by communicating that your security and privacy controls remain intact, allowing you to continue business relationships smoothly.

3. Fills the gap between audits: Since SOC 2 reports are typically issued annually, there is usually a window between the end of one report’s period and the issuance of the next. A bridge letter gives customers and partners management’s written assertion that the assessed controls remain in place and unchanged during that window.

4. Facilitates ongoing compliance communication: By providing a clear, documented statement of continued adherence to controls, a bridge letter helps communicate your company’s ongoing commitment to security and privacy standards. It ensures that clients and stakeholders are continuously informed about your compliance status, even outside of formal audit periods.

5. Supports contract renewals and new business opportunities: Many clients, especially in regulated industries, require up-to-date compliance documentation as a prerequisite for renewals or new contracts. A bridge letter can support contract discussions by communicating that controls have been maintained during the interim period.

6. Mitigates risk of non-compliance perception: When a SOC 2 report is outdated or pending, clients may perceive the organization as non-compliant. A bridge letter mitigates this risk by communicating management’s assertion that the assessed controls continue to operate as before and by reinforcing the company’s commitment to maintaining high security standards. It does not itself certify control effectiveness; only the next report does that.

7. Aids in internal control oversight: A bridge letter can serve as a reminder internally that the company is still adhering to security policies and controls during the gap period. It can help ensure that business operations stay aligned with security practices while awaiting the next audit.

Why are vendor relationships important in bridge letters?

Vendor relationships are crucial in the context of a bridge letter because clients rely on their vendors to meet strict security and compliance standards, and a service organization that issues a bridge letter is, from its clients’ point of view, one of those vendors. When the period covered by the vendor’s SOC 2 report has ended and the next audit is still pending, the bridge letter is the vendor’s management assurance to its clients that it continues to uphold the standards outlined in the previous SOC 2 report.

By communicating openly with clients through a bridge letter, a vendor demonstrates accountability and keeps strong, trust-based partnerships intact. This is particularly important for clients whose third-party risk programs require current assurance before renewing contracts or continuing business with a vendor; those programs should record the bridge letter as interim evidence and request the new report once it is issued.

FAQs

What information is taken from SOC 2 reports to prepare the bridge letter?

To prepare a bridge letter, key information from the most recent SOC 2 report is utilized. This includes:

  • The report’s issuance date and the period it covers
  • The SOC 2 Trust Services Criteria (TSCs) in scope
  • The auditor’s opinion on whether the company’s controls met the TSCs at the time of the last audit

The bridge letter also reflects whether there have been any material changes to the company’s controls since the last audit. This ensures that clients and stakeholders are reassured that the company is still meeting the required standards until the next audit report is available.

How long is a SOC 2 report valid for?

A SOC 2 report does not have a formal “expiry date,” but it is generally treated as current for about one year from the end of the period it covers (for a Type 2 report) or from its as-of date (for a Type 1 report). After that, the report no longer reflects the organization’s current state. To maintain continuous assurance, conduct annual audits, keep controls operating in the meantime, and issue updated reports. Most companies start the next audit process 3 to 4 months before the current report’s relevance ends to avoid gaps.

Is a SOC 1 bridge letter the same as a SOC 2 gap letter?

No, a SOC 1 bridge letter is not the same as a SOC 2 gap letter. Although both serve the same purpose of providing interim communication regarding adherence to controls, they relate to different types of audits. SOC 1 reports focus on controls relevant to user entities’ financial reporting, while SOC 2 reports address security, availability, processing integrity, confidentiality, and privacy. The specific language, criteria, and scope covered in a bridge letter will vary based on the type of report it pertains to.

How long does a SOC 2 bridge letter last?

A SOC 2 bridge letter is typically valid until the next SOC 2 audit report is finalized and made available to stakeholders. This period is generally 3 to 6 months, depending on when the next audit is completed. Once the new SOC 2 report is issued, the bridge letter becomes outdated, and the updated audit report takes its place in providing assurance to clients and partners.
