Have you ever been asked by a client for a bridge letter? Have you received one from a vendor, and you’re curious as to what it means? Is it an official document, or can anyone write and issue one? Read on to find out!
What is a Bridge Letter?
A bridge letter, also known as a gap letter, is a document sent to third parties to state that you are maintaining compliance with SOC requirements during the interim period between the previous SOC report and a new SOC report. It can also relay the fact that the next assessment is either scheduled to begin on a specific date or currently in progress.
As the name suggests, the document bridges the gap between the date of the most recent SOC report and the release of the new report. The letter confirms that there have been no crucial changes related to the environment or controls within the organization since the last assessment.
The bridge letter, however, is not a formal document; it is merely a letter on company letterhead, written by someone within the organization, making a statement regarding changes to the environment and/or the status of the next assessment. It is not issued by a CPA, nor is there any CPA opinion or confirmation regarding the organization’s compliance statement, so keep that in mind when receiving a bridge letter from a vendor.
What Does it Include?
There are a few crucial elements that should be in a bridge letter:
- The review period or as-of date of the most recent SOC report.
- Whether the next SOC report has been contracted and, if so, the estimated delivery date of the final report of that assessment.
- Any changes that may have occurred regarding the control environment since the last assessment.
- If appropriate, a statement that as of the letter’s date, the organization is not aware of any material changes, deficiencies, or issues in the control environment that could potentially change the opinion of the auditor who had conducted the most recent SOC examination.
- A statement that the bridge letter relates solely to the stated organization and is not to be relied upon by other entities.
Who Issues a Bridge Letter?
The document is signed and issued solely by the organization and offered to its customers. It is important to note again that there is no CPA firm attestation in the bridge letter.
How Long Can it be Used?
A bridge letter is only meant to make a statement covering the interim period between the most recent SOC assessment and the following SOC assessment. SOC examinations are usually conducted on a regular basis, as they certify the effectiveness of the control environment of the organization. With that being said, a letter should only be used as a one-time statement to the requesting third party that the control environment has been static since the previous assessment – it is not meant to cover a period of time.
What are its Limitations?
A bridge letter is simply a document with a statement from the organization communicating a continuance of compliance since the last SOC assessment; a bridge letter cannot be a replacement for a SOC report. SOC assessments are typically reperformed periodically; therefore, a letter should only provide an assurance that the control environment is unchanged while the next SOC assessment is being finalized.
By offering your clients confidence in the compliance of the organization while between SOC assessments, the bridge letter can help assure your clients that the control environment has not changed since the previous assessment. Many times, the letter will help keep clients satisfied until the next final SOC report is provided.