A bridging letter — sometimes called a gap letter — is a representation by management of a service organization that extends the coverage of a SOC 1 or SOC 2 report to a period beyond the formal opinion date. Bridging letters are commonly required when a user entity's fiscal year end falls after the end of the service organization's SOC report period.
When a Bridging Letter Is Required
If a SOC 1 Type II report covers the period January 1 – September 30, but the user entity's audit covers the year ended December 31, there is a three-month gap. The user entity's auditor needs assurance that controls operated effectively during October–December as well.
Options include: (1) a bridging letter from the service organization's management, (2) an updated SOC 1 report covering the extended period, or (3) direct testing by the user auditor during the gap period.
What a Valid Bridging Letter Must Contain
- Explicit representation that the controls described in the SOC report remained in place and operated effectively during the gap period
- Disclosure of any significant changes to the control environment during the gap period
- Disclosure of any significant incidents, outages, or breaches during the gap period
- Signature from an officer with appropriate authority (typically CISO or CFO)
- Specific identification of the SOC report it is bridging (report date and period)
Auditor scrutiny: Bridging letters are management representations, not independent attestations. Your auditor will evaluate the credibility and specificity of the letter — vague representations ("no material changes occurred") are increasingly being rejected in favor of more specific evidence.