The Do’s and Don’ts of Bridge Letters (SSAE 16 Reporting)
You finally received your SOC 1/SSAE 16 report, only to realize that its review period does not cover the entire year. So what happens in the remaining months of the year beyond the coverage of the report? Is it necessary that you receive another report to cover the remainder of the year? Does your previous report expire?
This is where bridge letters (also known as gap letters) come into the picture. When a SOC 1/SSAE 16 report covers only a portion of a fiscal year, the service organization is able to provide a bridge letter between the end date of the review period and the end of the year. The letter allows the service organization to describe any excluded controls where changes have been made that are relevant to user entities’ internal control over financial reporting. While the previous report does not expire, a bridge letter allows service organizations to provide continued assurance to users.
When creating a bridge letter, there are a few facets that need to be mentioned in order to both protect the organization and reassure service organization clients.
- Detail the review period of the SOC 1/SSAE 16 report.
- Briefly detail any changes in internal controls. If there are no changes in internal controls, it must be mentioned that the organization is not aware of any material changes in internal controls.
- Regardless of whether there have been changes, state that, as of the current date, the service organization is not aware of any material changes in the control environment that would change the auditor’s opinion reached in the SOC 1/SSAE 16 report ending on (date).
- Remind the user organizations that they are responsible for following all client control considerations.
- In order to appropriately determine the effectiveness of the bridge letter, user organizations should be provided with the SOC 1/SSAE 16 report in question in order to better understand the scope of any changes or stagnations in internal controls.
- State that the letter is not intended to be a substitute or replacement for SOC 1/SSAE 16 reporting.
Bear in mind that a bridge letter provides user organizations with assurance for only a certain amount of time. SOC 1/SSAE 16 reporting should still be regularly completed in order to maintain client confidence.