Bridge letters are an important element of SOC 1 and SOC 2 examinations that you may not be aware of. They can help provide your clients with additional confidence regarding the effectiveness of your organization’s controls environment at no additional cost or time.
What is a Bridge Letter?
SOC 1 and 2 examinations take a lot of preparation and time to ensure compliance, but as you may have noticed, SOC reports often cover only a portion of an organization’s fiscal year. What do you do if your organization’s SOC report doesn’t cover the entire fiscal year? Thankfully, there are bridge letters.
As the name implies, a bridge letter – also known as a gap letter – is a letter that bridges the gap between the end date of the review period from your most recently completed SOC report and the date of the bridge letter. For instance, if your organization’s most recently completed SOC 1 report covers the period from November 1st, 2017 through October 31st, 2018, but your organization’s fiscal year-end is December 31st, 2018, you can provide your clients a bridge letter that states there have been no significant changes, issues or deficiencies to your organization’s controls between October 31st and December 31st. This notice gives your clients confidence that there have been no significant changes to their controls environment that could adversely impact the conclusions reached in their most recently completed SOC examination.
Note that a bridge letter is signed off by the organization itself and provided directly to its customers. The CPA firm that performed the SOC examination does not attest to anything in the bridge letter or sign the bridge letter, as it did not perform any additional procedures to verify whether the organization’s controls environment changed or continued to operate effectively since the actual SOC audit was completed.
How Long Can a Bridge Letter Cover?
A bridge letter normally covers a period of three months, as it is only meant to cover a short duration of time between the report period end date and the organization’s fiscal year-end. If you want to use a bridge letter to cover a period of more than three months, you should consider whether it is time to perform another SOC examination. Because bridge letters are meant to cover a short duration, it is important that SOC examinations be regularly completed (at least annually), as they provide actual third-party assurance on the effectiveness of your organization’s controls environment.
What’s in a Bridge Letter?
A bridge letter includes a few important elements:
- The review period of the most recently completed SOC 1 report, including beginning and ending dates
- Any changes in the organization’s controls environment (if applicable). If there are no changes, the letter must state that the organization is not aware of any material changes in its controls environment
- A statement that, as of the date of the bridge letter, the service organization is unaware of any material changes, issues or deficiencies in the control environment that could change the opinion of the auditor who performed the SOC examination
- A statement that the bridge letter relates solely to the organization and may not be relied upon by any other entity
Protecting Your Organization and Business Relationships
By providing your clients with additional confidence in your organization’s compliance, a bridge letter can save your organization additional cost and time. While not a replacement for an actual SOC examination, a bridge letter can be a vital and helpful asset for your organization and its clients in between examinations.
If you have any questions or if you would like to learn more about undergoing a cybersecurity or compliance assessment, please reach out to one of A-LIGN’s experienced assessors today.