A SOC report’s covered period does not always coincide with your customers’ fiscal calendar. It might, for example, have an end date of October 31, which leads to a two-month gap with a customer’s fiscal year-end (December 31). To address this gap, organizations use a best-practice document called a bridge letter.
Here’s how you can use bridge letters to demonstrate transparency and maintain customer trust during the interim period between SOC (System and Organization Controls) audits.
What Is a SOC Bridge Letter?
Also called a gap letter, a bridge letter is a standard workaround document that closes the gap between the covered period of a SOC report and a stakeholder’s calendar year.
During this gap period, your company’s internal controls have not been examined by the auditor. This may lead existing customers or prospective partners to feel less confident about the reliability of your systems and processes.
A bridge letter assures such stakeholders of the continued relevance of the SOC report by declaring the continued validity of the auditor’s conclusions about your internal controls during the gap period. Note that such a declaration is possible only if there have not been any significant changes in your internal controls that would have affected the findings of your most recent SOC audit.
While bridge letters DO NOT function as a substitute for a fresh SOC report, they can briefly extend the validity of a SOC report as long as no material changes have been made to your internal controls.
Importance of a Bridge Letter
Bridge letters serve as an essential tool for sustaining stakeholder trust during the transitional period between two consecutive SOC audits. By providing assurance that your internal controls remain effective during a brief unaudited period, bridge letters help stakeholders feel confident that engagement with you still meets their compliance standards.
Who Provides a Bridge Letter?
Bridge letters are issued by the audited organization, not by the auditor or CPA firm that prepared the SOC report. They are provided by the organization’s management and signed off by top executives such as the CEO, CIO, or CFO.
The auditor cannot issue such a letter because their opinion about your company’s internal controls applies only to the period covered by the relevant SOC report. Moreover, the auditor is unaware of any changes you have made to your internal controls after the audit period. Responsibility for issuing the bridge letter therefore rests solely with company management.
What Is Included in a SOC Bridge Letter?
A bridge letter typically includes the following:
- The name of your organization and the requesting stakeholder (customer, partner, investor, etc.)
- The issuance dates (or covered period) of the relevant SOC report
- The assurance statement (This statement affirms the continued validity of the conclusions in the relevant SOC report because there have been no significant changes in your internal controls that will affect the auditor’s opinion.)
- A statement that the bridge letter does not serve as a substitute for an updated SOC report
- A disclaimer that the bridge letter was issued only for the requesting stakeholder
- Contact information of company officers who can provide insight, guidance, and more information about your SOC compliance posture and activities
- A copy of the SOC report the requesting stakeholder can refer to for more information
Duration of a SOC Bridge Letter
The duration of a SOC bridge letter varies depending on the situation. Designed as an interim solution, a SOC bridge letter covers the gap between the audited period of a SOC report and the organization’s (or its stakeholder’s) fiscal year.
Bridge letters typically cover a three-month period. In cases where the gap exceeds three months, it is better to perform another SOC audit to provide the requesting stakeholder with greater assurance.
Bridge Letter Sample
A SOC bridge letter demonstrates your adherence to best practices and your commitment to safeguarding the interests of your clients and partners. Use it to establish transparency and provide assurance to your customers that your systems and processes can be relied on even during the interim period between audits. By promptly issuing a bridge letter, you can provide updated security information, address stakeholder concerns, and maintain their confidence.
SOC reports are valuable tools for building customer trust. Our experts provide guidance in all aspects of SOC compliance, including bridge letters.
[Note: While SOC reports and the auditor’s opinion therein do not necessarily expire, it has become an industry norm to consider one year from the issuance date as the report’s validity period. Many businesses consider SOC reports older than one year stale or unacceptable. That is why the vast majority of businesses renew their SOC reports annually, with some companies even going for a six-month audit cycle. Finally, you can always request a special SOC audit at any time to meet the compliance standards of prospective clients, partners, or investors.]
SAMPLE SOC BRIDGE LETTER
Letter Date Here
Dear [Customer/Partner Name],
ACME LLC acknowledges the security and compliance standards of valued stakeholders such as your organization. That is why we retain the services of CPA Firm Corp. to conduct regular SOC attestation audits to meet those standards and establish a secure business environment for relationships to flourish.
Our most recent SOC audit has a testing period from 01 October 2021 to 30 September 2022.
This letter confirms that based on our records, we have made no material changes to our internal controls from 01 October 2022 to date, and we are confident that the favorable audit conclusion in the SOC report you previously received and herein attached remains valid.
Of course, this letter is not intended as a substitute for an updated SOC report or to suggest that we have conducted a different assessment of our controls. Nonetheless, ACME LLC diligently monitors its systems and processes to proactively address risks and vulnerabilities that may affect our operations and those of our customers and partners.
CEO, ACME LLC
For more information, contact us at:
Email: [email protected]