What is a SOC 2 bridge letter?
A SOC 2 report is generally treated as current for only a year after the end of its audit period. If your renewal runs late and the old report lapses before the new one is issued, you may need a SOC 2 bridge letter. In this guide, we'll explain what a SOC 2 bridge letter is and the role it plays in maintaining trust with your customers while you renew your report.
What is a SOC 2 bridge letter, and when should you use one?
Completing a SOC 2 report isn't a one-and-done process. It requires continuous monitoring, a new audit every year, and upkeep of your controls between audits so that you keep meeting the SOC 2 criteria.
A SOC 2 bridge letter, also called a gap letter, covers the period between SOC 2 reports. The best practice is to complete a new audit and receive the new report before the current one lapses. If you can't finish the new audit before that one-year mark, a bridge letter is a commonly accepted way to tell stakeholders what has changed since your last audit and to self-attest that your controls still meet the SOC 2 criteria.
Because the SOC 2 audit process takes time, many businesses start the renewal at the six-month mark, which avoids the need for a bridge letter altogether. But if your renewal starts late or other delays push the new report past the old one's expiry, you'll have a gap in coverage.
A bridge letter doesn't carry the weight of a new SOC 2 report, because no auditor has tested your controls for the period it covers, but it is a useful asset when demonstrating your security posture to new and existing customers.
What does a SOC 2 bridge letter include?
Most bridge letters are short and to the point. They often fit on a single page and can be as brief as a few paragraphs if nothing has changed since your last SOC 2 report. There is no standard format, but there are certain components every bridge letter should include.
Here’s what you should include in your SOC 2 bridge letter:
- The period your last SOC 2 report covered and the date it is considered current through. For example, if the audit period ran from March 30 to June 30, 2022, the report is treated as current from June 30, 2022 through June 30, 2023.
- The dates the bridge letter covers. For example, if your report is current through June 30, 2023 and you expect the new audit to be complete by July 31, 2023, the bridge letter covers July 1 through July 31, 2023.
- The type of report (Type I or Type II) and the name of the CPA firm that performed your last audit.
- Any material changes to your SOC 2 controls or in-scope systems since your last audit.
- If your controls have not changed since your last SOC 2 audit, a statement that your prior report still accurately reflects your control environment.
- A statement that the letter is management's own assertion and not a substitute for the SOC 2 report or an auditor's opinion, along with the name, title, and signature of the executive who approved it.
How long is a bridge letter valid?
A bridge letter is management's self-attestation about its SOC 2 controls between official audits, and it is meant to cover only short gaps between reporting periods. Keep the gap as short as possible: the industry norm is that a bridge letter should cover no more than three months.
Who writes and delivers a SOC 2 bridge letter?
Your organization drafts, approves, and distributes the SOC 2 bridge letter. The CPA firm that performed your last audit does not write, approve, or issue it: without performing audit procedures for the gap period, the auditor has no basis to speak to changes in your systems since the last report. By issuing the letter, you are asserting, on management's own authority, that your SOC 2 control environment remains sound.
Example SOC 2 bridge letter
While there's no exact formula for a SOC 2 bridge letter, we have drafted an example to give you an idea of where to start. Here's our example letter:
To our valued customers, partners, and prospects,
Ilma, Inc. recognizes the importance of protecting your data and upholding best-in-class security standards. We know how critical it is to maintain our internal control environment and to report on the effectiveness of our systems through a SOC 2 report. We also recognize our responsibility to disclose any material changes to our system controls between audit cycles.
Our most recent SOC 2 Type II audit was performed by Awesome Auditors, and the resulting report is current for the period June 30, 2022 through June 30, 2023. We value the trust of our customers and know how important SOC 2 compliance is, which is why we are currently undergoing a new SOC 2 Type II audit.
This letter confirms that, to the best of our knowledge and based on our records, Ilma, Inc. has not made any changes to its internal controls since its prior report. This letter covers July 1, 2023 through July 31, 2023, and nothing has come to our attention during this period that we believe would change the conclusions reached in our most recent SOC 2 Type II report.
This letter is not a substitute for Ilma, Inc.'s SOC 2 Type II report, is not an auditor's opinion, and does not certify Ilma, Inc.'s compliance with SOC 2 Type II.
Maintain SOC 2 with automated compliance
Maintaining SOC 2 compliance is a continuous process, and a bridge letter can buy you some time to complete your next audit. But renewing your SOC 2 report doesn't need to take months.
With SOC 2 compliance automation tools like Vanta, you can easily maintain and monitor the controls from your last audit, get contextual findings, and get recommended actions to address any issues. When it comes time to renew your report, the audit process can be cut down to just a few weeks with simple evidence collection and a centralized Trust Center where your auditor can investigate all your controls.
See how you can simplify your annual SOC 2 audit by requesting a demo.