Bridge letters are a crucial component of SOC 1 and SOC 2 assessment reports. You might be unaware of it, but they give your clients valuable confidence in the effectiveness of your organization’s control environment.
This article explains everything you need to know about bridge letters and why they are important for organizations.
What is a Bridge Letter?
A bridge letter is a crucial document provided by the service organization or your vendor. Also known as a gap letter, a bridge letter covers the time between the end of the current SOC report and the publication of the next SOC report.
SOC bridge letters are provided to third parties to confirm that your company is in compliance with SOC regulations between the last issued SOC report and the new SOC 2 compliance report. A bridge letter can also communicate that the next SOC assessment is either due shortly on a specified date or is presently underway.
The document, as the name suggests, bridges the interim gap between the last SOC report and the new SOC 2 report. The letter indicates that no major changes have occurred in the organization’s environment or controls in the interim period.
However, it is not a formal document; it is just a reassurance letter issued by the company on its own letterhead. Its purpose is to state that the control environment has not changed in the interim between the two SOC reports. It assures the organization’s partners regarding the organization’s compliance statement. It is important to note that the CPA does not issue bridge letters. The letters are not even reviewed or validated by the CPA.
How Long Can a Bridge Letter Cover?
A bridge letter only provides a statement covering the interim time between the most recent SOC evaluation and the next SOC evaluation. SOC inspections are normally undertaken on a regular basis, as they confirm the efficacy of the control environment within the company.
Consequently, a letter should only be used once to inform the requesting third party that the control environment has remained unchanged since the prior assessment. Hence a bridge letter only covers the interim period between the old SOC report and the new SOC 2 report to be generated.
What’s in a Bridge Letter?
The crucial elements in a bridge letter are as follows:
- Details about the review of the last SOC report issued by the CPA.
- The projected date when the assessment of the next SOC report will be conducted.
- Any modifications to the control environment that may have taken place after the last SOC evaluation.
- A statement indicating that the company is unaware of any major changes or defects in the safety and control environment.
- A declaration stating that the bridge letter is intended solely for the specified organization and cannot be used by other parties.
Who Issues the Bridge Letter?
The bridge letter is issued and signed by the service company and sent directly to its clients. Therefore, the bridge letter is essentially a guarantee provided by the service organization that the compliance of your organization remains the same as reviewed by the CPA in the last SOC assessment.
What Are the Limitations of a Bridge Letter?
A bridge letter can be used as proof of compliance during the interim period between two SOC reports. Note that this is a letter from the service provider, not a third party vouching for the reliability of the service provider’s internal controls. For that reason, the letter should be read in conjunction with the real SOC report. The standard interval between SOC audits is one year, and most bridge letters cover a period of up to three months.
The bottom line
Bridge letters are normally signed by the service organization and cover no more than three months. They are not intended to replace SOC reports but rather to bridge the gap between the SOC report and SOC 2 report. Hence, the organization is solely responsible for any discrepancies that may arise later.
Protecting Your Organization and Business Relationships
Even though bridge letters aren’t a replacement for SOC/SOC 2 reports, they are vital to bridge the gap between the old SOC report and the new SOC 2 report to be generated. Bridge letters are essential to keep business relationships with vendors intact.
This is because they give the company’s customers and clients reasonable reassurance about the compliance state and other security measures in the interim period. Moreover, they also help the company remain trusted among its customers.
Overall, bridge letters can help companies make a smart move to maintain customers’ trust in the company and boost future sales.