Though rarely needed, a bridge letter is an important resource in every service organization’s toolbox. It helps to maintain the organization’s reporting and compliance integrity, even during times of unexpected or mismanaged change. Properly written, it helps to keep customers or earn prospects by showing consistent controls.
What is a bridge letter?
A bridge letter, also known as a gap letter, provides customers and prospects with information about anything missing from a service organization’s auditor-prepared SOC 2 report. It offers context for what was happening with the organization during the period that was not reported on and an explanation for why that information was omitted. It is usually not a “bad” thing for an organization to need a bridge letter. Rather, the letter provides an organization the opportunity to answer any questions before they arise.
While the information in this letter fills a gap, it also provides a bridge between SOC 2 reports. It is included with the short SOC 2 report.
Who provides the bridge letter?
It is commonly, and incorrectly, assumed that a service organization’s auditing firm prepares the bridge letter. In actuality, the service organization, or vendor, writes and provides the bridge letter to any customer or prospect who requests it.
Every organization that provides outsourced technology services is a service organization, and every one of those is likely to be asked by customers or prospects for their most recent SOC 2 report.
During an audit, an auditor will likely highlight if they had to leave a gap in the SOC 2 that could benefit from a bridge letter, though that letter is not mandatory for the audit. Many auditing firms are happy to provide a service organization with guidance on preparing a letter. They may even offer bridge letter templates that an organization can populate with their own unique information and wording. This allows an organization to meet even an immediate request by a customer or prospect with useful information.
What is a bridge letter used for in SOC 2?
Since a service organization can ideally furnish a customer or perspective with a SOC 2 report that covers every month of every year, including the most recent, a bridge letter is the solution to explain any time not reported on.
SOC stands for System and Organization Controls, and SOC 2 reports on internal controls across security, availability, confidentiality, processing integrity, and privacy criteria. It is one of the most common attestations by an auditor that an organization is up-to-date with their security compliance. So, it is rare that a service organization allows its auditing, and reporting schedule to lapse. That said, any vendor can face curveballs, and regardless of if they’re surprised or anticipated, all of these could have an understandable effect:
- Cuts in the auditing budget
- Data migration
Any unexpected and/or drastic societal disruptions; new limits on finances, time, or other resources; or changes to processes or procedures can affect an audit schedule and cause a gap between SOC 2 reports. Suddenly, the SOC 2 auditor who annually reviews a service organization’s records and practices in December is hired for February, two months later than usual. They will prepare a SOC 2 report, but it will be missing information from January. With the auditing firm’s guidance, if requested, the service organization can prepare and attach a bridge letter seeking to answer what happened at the organization in January.
What information is in a vendor bridge letter?
A bridge letter includes:
- The dates of the most recently completed SOC 2 report
- Any material changes in the service organization’s control environment, if there are any; if there are no material changes, the letter should directly note that
- A statement that, as of the writing of the bridge letter, there are no material changes, deficiencies, or other issues in the control environment that could change the findings of the auditor who completed the most recent SOC 2 report
- A statement that the bridge letter speaks for only this organization
There is an example bridge letter template later in this post.
Duration of a bridge letter
There is no minimum or maximum amount of time that a bridge letter is allowed to cover. There is, however, an advisable cap on the duration. Most customers or prospects will have no concerns about a bridge letter covering three months or less. If a bridge letter covers many months or even years, the service organization may be at risk of losing business. It is not meant to replace an auditor-prepared SOC 2 but rather to supplement when necessary.
Importance of bridge letters for vendor relationships
An audit typically happens annually, covering a year’s worth of data, because data both changes frequently and gets stale quickly. A recent complete year of data offers a customer or prospect reasonable assurance that a service organization is in compliance. A bridge letter is worth way more than the ink it’s printed within customer confidence and trust—and consequent future sales.
Example bridge letter
Dear [Customer Name]:
Our independent service auditor, [audit firm name], has examined the description of our [name of system] system for the period [review period] and the suitability of the design and operating effectiveness of controls to meet the trust services criteria relevant to Security set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, (AICPA, Trust Services Criteria) (applicable trust services criteria), throughout the same period. Officially, this report is called a Type 2 Service Organization Control (SOC) 2 report that covers the applicable trust services criteria.
The Type 2 SOC 2 report offers an independent assessment of whether a service organization’s system of controls was placed in operation, suitably designed, and operating effectively. It provides users of our system with more detailed information about our operations and underlying internal controls.
To the best of my knowledge, there have not been any material or significant changes to the description of the system in the Type 2 SOC 2 report referenced above, or any material weaknesses in such internal controls and procedures that require corrective action through the date of this letter.
[Company Contact Title]
Starting the conversation
An audit may look backward, but a service organization can’t change its past. If there’s a gap between SOC 2 reports, there’s a gap — no correcting whatever happened that created that lapse. An organization can start the conversation with their auditing firm about writing a bridge letter, however. There is always time to take action on assuring stakeholders.