What is a SOC Bridge Letter or Gap Letter?

What is a SOC Bridge Letter or Gap Letter?

February 10, 2025

A SOC bridge letter, also known as a gap letter, is a document used to bridge the gap between the end date of a service organization's SOC (System and Organization Controls) report and the user entity's (customer’s) year-end. This letter asserts to clients that there have been no significant changes to the internal controls since the last SOC report. Producing this letter also avoids obtaining a new SOC audit for each variation of periods to match user entities’ needs. A bridge letter is prepared by management of the service organization and does not need or have any assurance provided by the independent service auditor.

Use Case

SOC reports typically cover a period of 6 to 12 months, but this period may not align with every user entity's calendar or fiscal year. For instance, if a SOC report covers the period from October 1, 2023, to September 30, 2024, but the user entity's fiscal year ends on December 31, 2024, there is a three-month gap that the SOC report is not covering. Therefore, a bridge letter helps to cover this gap by confirming that there have been no material changes to the internal controls during this period.

Example of a SOC Bridge Letter

Below is an example of a SOC bridge letter:

[Service Organization Letterhead]

Date

Re: SOC 2 Type II Audit Report Bridge Letter

To Whom It May Concern:

We have received your request for information regarding the internal controls related to our System and Organization Controls (SOC) 2 Type II audit. Our most recent SOC 2 Type II audit was conducted by [Service Organization] and includes tests of operating effectiveness for the period November 1, 2023, to October 31, 2024.

[Service Organization] recognizes the need to maintain an appropriate internal control environment and report upon the effectiveness of, as well as any material changes to, its internal controls in a timely manner. For the period of November 1, 2024, to December 31, 2024, there have been no material changes to the design and effectiveness of the internal controls or procedure environment as described in [Company Name]'s October 31, 2024, SOC 2 Type II Report.

Name
Title
Signature

This letter provides an assertion to clients that the internal controls have remained effective and unchanged during the gap period. It is important to note that a bridge letter is not a substitute for a SOC report but serves as an interim measure until the next SOC report is issued.

If you need more information or further assistance, feel free to consult with a Larson SOC professional.  Larson and Company has developed a suite of services specifically to serve the needs of companies of all sizes in a wide range of industries.  Find out more about a SOC audit here.