A SOC bridge letter is an important document made available by a service organization to cover a period of time between the reporting period end date of the current SOC report and the release of a new report.
When and Why Is a SOC Bridge Letter Needed?
The bridge letter can be used by your organization as an interim assurance while waiting for the next SOC audit report. The bridge letter shows examiners that, as far as you’re aware, controls are still in place and that you are prepared to request the new SOC report once it has been made available.
What is the Importance of a Bridge Letter?
A bridge letter is your vendor management’s assertion that controls are still in place and operating effectively. However, you should keep in mind that a bridge letter may not always suffice. A bridge letter identifies and addresses any material changes to the control environment that have occurred during the “gap” period covered by the letter.
Let’s break it down further:
- Vendors should be identifying significant changes to ensure that internal controls continue to be designed and operate effectively.
- If changes are identified, the vendor should identify those changes in the control environment during the period covered by the letter.
- Vendors should include any details concerning the changes that have occurred and if those changes would affect the Auditor’s Opinion of the previously issued SOC report.
The auditor is not included in the creation of a bridge letter and does not attest to the content of the bridge letter. With that in mind, the vendor should communicate clearly in the letter that the recipient should review the most current SOC report prior to concluding on the design and operating effectiveness of controls.
The bridge letter should not be used in place of a SOC report, but only as an interim assurance.
Contact us today if you are unsure whether your organization should have a bridge letter.