SOC reports usually cover a review period of 6-12 months, and that period often does not line up with the service organization's fiscal year or with the user entity's. As a result, a service organization's client will sometimes ask, "How can we be comfortable with the operating effectiveness of the internal control environment for the part of our fiscal year that the SOC report does not cover?"
One way to give the client that comfort is a SOC bridge letter. SOC bridge letters are also commonly referred to as gap letters because they bridge the "gap" between the end of the SOC report period and the user entity's fiscal or calendar year-end. The letter is management's written representation to current customers and prospective clients that the controls described in the SOC report have continued to operate during the gap period. A gap letter typically contains the following key components:
- The period covered by the most recent SOC report that was issued, and the date of that report.
- Any material changes to the control environment since the end of the report period, which speaks to the strength of the internal controls during the gap period.
- A confirmation from the service organization that there have been no material changes other than those listed in the bridge letter.
- A statement that the letter is issued solely by, and applies only to, the service organization authoring it, together with a request that user entities read the full SOC report issued by the service auditor rather than relying on the letter alone.
While the service auditor issues the SOC report, it is the responsibility of the service organization's management to prepare and sign the bridge letter. The auditor's testing covers only the period stated in the SOC report, so the auditor has no basis for knowing about changes to the control environment after the period end date. For that reason, service auditors cannot issue a bridge letter on behalf of an organization. Management, on the other hand, should know whether the internal control environment has changed and whether the controls are still operating effectively; these are the points management must set out in the bridge letter.
Bridge Letter Essentials
Bridge letters serve an important purpose, but there are a few things to keep in mind about them. First, a bridge letter cannot be taken as a replacement for a SOC report. The auditor completes the SOC report from an independent perspective and forms an opinion based on testing the design and operating effectiveness of controls. A SOC report carries that independent assurance; a document prepared by the service organization's own management does not, and cannot substitute for it. Second, bridge letters have a shelf life. A bridge letter should cover a gap of no more than 90 days. Beyond that, most auditors agree that too much time has passed since the audit period for management's assurance in a bridge letter to be reliable, and the user entity should instead expect a new SOC report.
That said, bridge letters still belong in your annual due diligence. They give clients the assurance that the service organization is still maintaining the controls that were tested during the SOC audit period. Bridge letters are especially useful now that more businesses will only work with organizations that hold a current SOC report, because they provide that additional confidence to customers between examinations.
If you would like more information about SOC reports or bridge letters, or help preparing for a SOC examination, McKonly & Asbury would be happy to help. We currently offer the full suite of SOC services to clients in a broad variety of industries. Be sure to visit our System and Organization Controls (SOC) service page and don't hesitate to contact us with any questions.