
SOC 2 Bridge Letters: What They Are and When You Need One

If your SOC 2 report is approaching its anniversary and you're waiting for your next audit to complete, a bridge letter can help maintain continuity with customers. This guide explains what bridge letters are, when to use them, and how to obtain one.

Key Takeaways

Point        Summary
Purpose      Bridges the gap between an aging SOC 2 report and your next audit
Timing       Typically used when reports are 9-12+ months old
Content      Confirms no material changes since last report
Source       Issued by your auditor or management
Limitations  Not a substitute for a current SOC 2 report

Quick Answer: A SOC 2 bridge letter is a document that confirms no material changes have occurred to your control environment since your last SOC 2 report was issued. It helps maintain customer confidence when your report is aging while you await renewal.

What Is a Bridge Letter?

A bridge letter is a formal statement covering the period between your last SOC 2 report and the present. It confirms that:

  • Your control environment remains substantially unchanged
  • No material weaknesses have been identified
  • Your next SOC 2 audit is in progress or planned

Bridge letters are sometimes called "gap letters" or "assertion letters."

When You Need a Bridge Letter

Common Scenarios

Scenario                                              Bridge Letter Helpful?
Report is 10-12 months old, renewal in progress       Yes
Customer requires current documentation for contract  Yes
Gap between Type 1 and Type 2 completion              Potentially
Report is 6 months old, renewal starts soon           Usually not needed
Report is 15+ months old with no renewal in progress  May not be sufficient

Typical Timeline

Month 0:     SOC 2 Type 2 report issued
Month 9-10:  Report aging, customers may ask questions
Month 10-12: Bridge letter becomes useful
Month 12+:   Next SOC 2 report should be issued

The goal is to have continuous coverage. Your new report should be issued before the previous one becomes stale.

Types of Bridge Letters

Auditor Bridge Letter

Issued by your CPA firm, this carries more weight:

  • Confirms auditor awareness of control environment
  • States no material changes have come to their attention
  • References ongoing engagement or next audit

Pros: Third-party validation, more credibility
Cons: May involve additional fee, requires auditor engagement

Management Assertion Letter

Issued by your organization's management:

  • Management's statement about control environment
  • Confirms no material changes
  • States next audit timeline

Pros: Can be issued quickly, no additional cost
Cons: Less independent, may not satisfy all customers

What a Bridge Letter Contains

Standard Elements

Header information:

  • Date issued
  • Period covered
  • Recipient (or "To Whom It May Concern")

Core assertions:

  • Reference to the prior SOC 2 report
  • Statement that no material changes have occurred
  • Confirmation of ongoing compliance activities
  • Timeline for next audit

Signature:

  • Auditor signature (for auditor letters)
  • Management signature with title (for management letters)

Sample Management Bridge Letter Content

[Date]

To Whom It May Concern:

This letter is provided in connection with [Company Name]'s
SOC 2 Type 2 report dated [Original Report Date], covering
the period [Original Period].

We hereby assert that:

1. The system description in our SOC 2 report remains
   accurate and complete as of [Current Date].

2. No material changes have been made to our control
   environment since the report was issued.

3. We are not aware of any material weaknesses or
   significant deficiencies in our controls.

4. Our next SOC 2 Type 2 audit is [scheduled to begin /
   currently in progress], with an expected report
   issuance date of [Expected Date].

Should you have any questions, please contact
[Contact Name] at [Contact Information].

Sincerely,

[Name]
[Title]
[Company Name]

How to Obtain a Bridge Letter

Auditor Bridge Letter

  1. Contact your auditor 2-3 months before your report ages
  2. Request a bridge letter or gap letter
  3. Provide any updates on your control environment
  4. Review and approve the letter
  5. Receive signed letter for distribution

Timeline: 1-2 weeks typical
Cost: Varies; some auditors include in engagement, others charge separately

Management Assertion Letter

  1. Draft the letter using an appropriate template
  2. Have an appropriate executive review and approve it
  3. Ensure statements are accurate and defensible
  4. Sign and make available for customers

Timeline: 1-3 days
Cost: Internal time only

Customer Acceptance

What Customers Typically Expect

Customer Type                 Bridge Letter Acceptance
Enterprise buyers             Usually accept auditor letters
Security-conscious customers  May prefer auditor letters
Standard procurement          Management letters often sufficient
Regulated industries          May have specific requirements

When Bridge Letters May Not Be Enough

Some situations require a current SOC 2 report:

  • Regulatory requirements specifying report currency
  • Contracts requiring reports within specific timeframe
  • Major security incidents that occurred since the last report
  • Significant organizational changes

Best Practices

Planning Ahead

The best approach is avoiding the need for bridge letters:

  • Start your renewal audit early enough
  • Target continuous SOC 2 coverage
  • Align observation periods with report cycles

If You Need a Bridge Letter

  • Request the letter from your auditor early (don't wait until the last minute)
  • Be prepared to describe any changes since last report
  • Have your next audit timeline confirmed
  • Keep bridge letters updated if situation changes

Communication with Customers

  • Proactively share bridge letter if report is aging
  • Explain your renewal timeline
  • Offer to notify when new report is available

Limitations of Bridge Letters

What Bridge Letters Don't Provide

Bridge Letter                    Current SOC 2 Report
Management or auditor assertion  Independent audit opinion
No testing performed             Controls tested
Point-in-time statement          Observation period coverage
Attestation of no changes        Evidence of operating effectiveness

When to Prioritize Getting a New Report

  • Bridge letter period extending beyond reasonable timeframe
  • Customers expressing concerns
  • Material changes that need to be reflected
  • New customer requirements

Transitioning from Bridge Letter to New Report

Once your new SOC 2 report is ready:

  1. Notify customers who received bridge letters
  2. Provide updated report (under NDA)
  3. Update your sharing portal
  4. Archive the bridge letter

The Bastion Approach

We help you maintain continuous SOC 2 coverage:

  • Renewal planning - Starting audits early to avoid gaps
  • Bridge letter coordination - Facilitating with auditors when needed
  • Customer communication - Templates and guidance for customer conversations
  • Continuous monitoring - Identifying any changes that affect assertions

Our goal is ensuring you always have current, defensible documentation for customer conversations.

