What is a SOC 2 Bridge Letter? (Including a Bridge Letter Example)
A bridge letter is a temporary measure to bridge the gap between SOC 2 reports. Here's everything you need to know.

SOC 2 is one of the most common ways a service organization can demonstrate the design and operating effectiveness of its security controls to customers and partners.
But the testing period of your SOC 2 report will not always line up with a customer's financial year-end or review date. Say your latest SOC 2 Type II report covers the testing period of November 10, 2023, through November 9, 2024. If a customer's fiscal year runs from January 1 to December 31, 2024, their year-end vendor review will find a stretch of their year (November 10 through December 31) that no report covers. That's when you may need a SOC 2 bridge letter.
What Is a SOC 2 Bridge Letter?
A SOC 2 bridge letter covers the time between the end of your last SOC 2 report's testing period and a later date the customer cares about, such as their financial or calendar year-end. Bridge letters typically cover short periods, often up to three months. A bridge letter is also sometimes known as a gap letter.
A bridge letter states that there have been no material changes to your security controls or processes since the end of your last SOC 2 testing period. If you have made changes, the letter is where you describe them and what they mean for customers.
You'll still need to go through your next SOC 2 audit; a bridge letter can't replace an official attestation. Bridge letters exist to reassure procurement and vendor risk teams that they can continue to rely on a service organization's controls between audits.
When Is a Bridge Letter Needed?
Bridge letters aren't a requirement for SOC 2 compliance, but they help assure customers that your security procedures and processes are being maintained between audits. You typically need one in a couple of specific scenarios (and often only if a customer or prospect requests one):
1. Administrative Lag
Even after your audit period ends (e.g. December 31st), you don't get the report immediately. It can take an auditor 2-8 weeks to draft and issue the final attestation.
If you are trying to close a deal on January 20th, you don't yet have a report covering the period that just ended; you only have the prior year's report. A bridge letter can cover the weeks between the period end date and the issuance of the final report.
2. Calendar Alignment
Let’s say your audit cycle follows the calendar year (Jan–Dec). However, your biggest enterprise customer operates on a fiscal year of April–March.
When they run their annual vendor risk review in April, your SOC 2 report will not cover the last three months of their fiscal year (January–March). To satisfy their internal compliance requirements, they may ask you for a bridge letter covering the period from December 31st through March 31st.
Limitations of a Bridge Letter
A bridge letter is a temporary measure to bridge the gap between SOC 2 reports, not a replacement for a renewed SOC 2 report.
By nature, bridge letters are high-level and don't disclose detailed information about your organization's security systems and processes. That means clients relying on one are taking on additional risk: without a current description of the controls in place and independent testing of them, a client can't perform an effective risk assessment for the gap period.
The weight a bridge letter carries depends entirely on the credibility and track record a service organization has with its clients. If a service organization doesn't have a history of unqualified SOC 2 reports, clients may not be satisfied with a bridge letter alone.
Bridge letters are purely a stopgap between reports, not a replacement for one.
Who Issues a Bridge Letter?
Bridge letters are almost always issued by the service organization's management, not by the auditor.
Under the AICPA attestation standards, an auditor can only report on controls they have actually tested during the examination period, so they can't issue a letter saying the controls are in place or operating effectively outside the audit window.
Your auditor can provide an engagement letter (which simply confirms an audit is contracted and scheduled) and, in limited cases, a comfort letter on their letterhead, but a letter asserting that controls remain in place and effective during the gap must come from your company as a management assertion.
Who Signs It?
Because customers rely on it as a formal management representation, a bridge letter must be signed by an officer of the company with direct knowledge of your security posture. This could be your Chief Information Security Officer (CISO), Chief Technology Officer (CTO), or Chief Financial Officer (CFO).
What’s Included in a Bridge Letter?
Bridge letters don't need to be long, winding essays. The best practice (like with almost every aspect of security and compliance) is to get directly to the point. That said, a bridge letter has a few standard elements:
- Period Covered: The dates covered by the bridge letter. This runs from the end of your last report's testing period up to the date the letter is signed. Don't assert beyond the signing date: management can only vouch for the period that has already elapsed.
- Reference to the Prior Report: The auditor, report type (Type I or Type II), and the testing period of the most recent SOC 2 report, plus the expected delivery date of the next one.
- Security Continuity and Updates: A statement that the controls described in your latest SOC 2 report remain in place, a list of any material changes to your control environment since that testing period ended, and an explicit statement that the bridge letter is not a replacement for a new SOC 2 report.
- Signatory: The name, title, and signature of an authorized officer from within your organization.
SOC 2 Bridge Letter Example
To [Client Name],
[Your Company Name] is committed to the highest cybersecurity standards and to protecting your data. We report on the design and operating effectiveness of our security controls through a SOC 2 Type II report.
Our most recent SOC 2 Type II report, issued by [Auditor Name], covers the testing period from [Testing Period Start Date] to [Testing Period End Date]. We are currently undergoing our next SOC 2 Type II examination with [Auditor Name] and expect to be able to supply the final report by [Expected Date of Next Report].
This letter confirms that, for the period from [Testing Period End Date] to [Date of This Letter], there have been no material changes to the system or to the internal controls described in our most recent report. [If applicable: describe any material changes, why they were made, and their effect on the control environment.]
This letter is not a replacement for a SOC 2 Type II report from [Your Company Name] and is not an auditor's attestation of SOC 2 compliance. It is a representation made by management of [Your Company Name].
Sincerely,
[Name], [Title]
[Your Company Name]
[Date of This Letter]
Final thoughts
A bridge letter is a way to assure your clients that they can still rely on your company's cybersecurity controls and practices between SOC 2 audits. It is not a substitute for a SOC 2 report. But renewing your SOC 2 shouldn't be an annual headache.
Compliance should be something your organization thinks about every day to ensure your company builds trust with customers. At Workstreet, we cover every aspect of SOC 2 readiness to audit management to continuous compliance. Get in touch with our team to learn more.
Frequently Asked Questions About Bridge Letters
What Is a Bridge Letter?
A bridge letter is a formal document from a service organization (you) attesting that no material changes have occurred to your SOC 2 security controls during the "gap" between the end of your last SOC 2 report's testing period and the date of the letter. It bridges the trust gap for customers reviewing your security before your next report is issued.
When Do I need One?
You need one when your SOC 2 report is "stale" (the gap since the end of its testing period is usually three or more months) and a prospect won't sign a deal without assurance that your controls are still in place today. It is most common when audit cycles don't align with a customer's fiscal year or when administrative delays hold up a final report.
Who Can Issue It?
There is frequent confusion here. While customers may ask for a letter from your auditor or CPA firm, it is management of the service organization (your business) that issues the bridge letter. Auditors generally cannot attest to time periods they haven't tested. A bridge letter is a management assertion, not an audit opinion.
Is It a Substitute for a Current SOC 2?
No. It is a temporary measure. If you try to use a bridge letter to skip a year of auditing, you will fail vendor reviews. It is designed to cover administrative gaps, not to replace the audit process.
Does My Auditor Charge for This?
Generally, no, because you write it. However, if you ask your auditor to draft or review it, or to issue a separate comfort letter on their letterhead (which is rare and limited in scope), they will likely bill you for their time.
What If Something Did Change During the Gap?
You must disclose any material changes to your organization's controls in the letter, with a brief explanation of why the changes were made and how they do not negatively impact the control environment. If a change does weaken a control, say so plainly; a bridge letter that hides a known change is worse than no letter at all, because customers rely on it as a management representation.