You’ve run audits, wrestled with controls, and seen reporting windows close before the next audit starts. That gap creates uncertainty for your customers, and you know they’ll ask the hard questions about security and compliance.
Every service organization faces that timing mismatch when a SOC 2 report expires. You need a reliable way to fill the void and maintain trust.
A bridge letter can carry you through that void until your next audit delivers fresh assurance.
In this article, you’ll learn exactly what a SOC 2 bridge letter contains, why it matters when your audit window closes, and how to craft one that customers and auditors accept without hesitation.
You’ll also see real examples, receive a customizable template, and learn how to integrate this process into your compliance workflow, ensuring you never leave a gap unaddressed.
Let’s dive into it.
What Is a SOC 2 Bridge Letter? (Definition and Meaning)
A SOC 2 bridge letter is a written management assertion that affirms your controls still meet SOC 2 criteria as of its issue date. It fills the gap between formal audit reports and reassures your customers that security and compliance didn’t waver.
When you issue a bridge letter, you declare that “no significant changes” occurred in your control environment since the prior SOC 2 report. It’s your direct way of telling clients that your security posture remains rock solid, even after the audit period closed.
“Interim assurance” means a statement given in the middle of a reporting period to confirm that certain systems or processes are working properly. In finance, it might confirm that interim financial reports are accurate. In other cases, it might show that internal controls or other systems are working as expected during the ongoing period.
Bridge Letter vs Gap Letter vs Other Terms
You’ve seen different names for the same document and wondered which one matters the most. Understanding the terminology ensures you issue the right letter.
The word “bridge” highlights its role in spanning the gap between audit cycles, and your bridge letter answers “What happened after the last report expired?” by affirming continuity in your controls. It soothes stakeholder concerns.
Many refer to the bridge letter as a comfort letter because it provides comfort that everything remains in order, and you can direct curious clients to reputable guides for more context.
Bridge letter and gap letter appear interchangeably in SOC reporting, and both describe filling the audit coverage gap between two SOC 2 reports. Sometimes you’ll hear a bridge-of-contract letter or simply an annual statement in SOC 1 or SOC 2 contexts, and these terms all serve the same function of bridging control assurance between reporting periods.
Regardless of the label, the purpose remains constant: to confirm that your controls continued operating effectively through the interim. This straightforward affirmation reinforces stakeholder trust when you can’t yet share a fresh audit report.
Remember that bridge letters do not extend the audit report’s authority beyond its original period, and they simply clarify what happened during the interim. They act as management’s assurance, not as additional auditor opinions.
Up next, you’ll see how SOC 1 bridge letters compare to SOC 2 versions so you can adapt your approach to financial-control audits without missing a beat.
SOC 1 vs SOC 2 Bridge Letters
You know SOC 1 focuses on financial-reporting controls, while SOC 2 addresses security, availability, and related trust criteria. Yet the bridge letter concept applies equally to both frameworks.
When you issue a SOC 1 bridge letter, you cover the gap between a SOC 1 Type II report and the next scheduled audit, affirming that no material changes have impacted your financial control environment in the interim.
Key similarities between SOC 1 and SOC 2 bridge letters include:
- A clear statement of “no material changes” since the last audit period
- Defined coverage dates matching the audit end through the letter date
- A management signature on official letterhead
In SOC 1 contexts, you might see references to SSAE 18 or SSAE 16 bridge letters, both reflecting historic and current auditing standards for financial controls, yet the assertion of continuity remains consistent.
Your SOC 2 bridge letter follows the same structure, but you tailor the language to the Trust Services Criteria to reassure clients about operational controls.
Because both SOC 1 and SOC 2 letters share core elements, you can adapt templates easily between frameworks, tweaking only the scope descriptions and criteria references to match each report’s focus.
Next, you’ll learn when and why to issue your bridge letter so you can keep audits on schedule and stakeholders confident in your controls at all times.
Why and When You Need a SOC 2 Bridge Letter
Your last SOC 2 Type II report likely expires before your next audit completes, creating a coverage gap. Rather than leaving customers without up-to-date proof, you issue a bridge letter to cover the interim window seamlessly.
Clients or auditors request bridge letters when your SOC 2 report does not align with their fiscal year-end or vendor risk assessment schedule. Anytime a current report lacks coverage, providing a bridge letter demonstrates your commitment to transparency.
A bridge letter matters because it maintains trust during the in-between times.
You explicitly state whether any material changes occurred since the last audit. Management’s “no material changes” assertion reassures customers that prior conclusions still hold true.
Remember that a bridge letter does not replace your SOC 2 report. It acts as a stopgap measure with a clear disclaimer, guiding readers back to the full audit report for comprehensive evaluation rather than attempting to extend its authority.
Most bridge letters remain valid for a short duration, typically 90 days or less. Many firms limit coverage to one to three months beyond the prior report’s end date, after which you should update the letter or complete the next audit.
When you understand why and when to issue a bridge letter, you can avoid lapses in customer assurance and keep audit cycles aligned with stakeholder needs.
In the next section, you’ll learn who should prepare and request your bridge letter so you can assign responsibility clearly and streamline approvals.
Who Issues a SOC 2 Bridge Letter and Who Requests It?
You might assume auditors handle bridge letters, but in fact, management prepares and signs them because they know all changes in control environments since the last audit.
Management at your service organization issues the bridge letter on official letterhead, typically signed by a CISO, CTO, or other executives. Their signature validates the assertion that controls remained effective.
Auditors cannot issue opinions outside their audit period, and they lack the standing to attest to your controls beyond the cut-off date. That responsibility falls to management, ensuring continuous interim assurance.
Clients or their auditors commonly request bridge letters under vendor risk assessments or financial audits. You might see requests from:
- A customer’s auditor seeking coverage through their year-end
- A prospect’s security team verifying up-to-date compliance
- Internal teams wanting to preempt due diligence delays
Not every organization needs a bridge letter if audit schedules align perfectly with stakeholder demands. Yet many keep a template ready in case their SOC 2 report is several months old and a client requests interim proof.
Some companies include a standing offer on their trust portal: “Contact us for a SOC 2 bridge letter covering the period since our last report.” That proactive approach prevents a last-minute scramble when stakeholders need assurance.
Although not part of formal AICPA guidelines, bridge letters have become industry practice, especially in finance. They serve as a critical tool for vendor risk management, offering continuous compliance visibility even when a SOC 2 report has lapsed.
Understanding who issues and who requests your bridge letter lets you streamline the process, assign clear ownership, and ensure timely delivery whenever stakeholders need proof of ongoing controls.
What are the Key Components of a Bridge Letter?
You need a bridge letter that communicates clearly and covers every critical detail so stakeholders never question your interim assurance. Including the right elements ensures you deliver confidence and maintain compliance continuity.
Here are the main elements your bridge letter must include:
Previous audit details
Your first element is the previous audit details, where you name the service organization, the auditor firm, the report type, and the audit period dates. Then you specify the gap period covered, from that report’s end date through the letter date.
Scope coverage criteria
Clarify scope coverage by listing the Trust Services Criteria audited, such as Security and Confidentiality. Emphasize that this bridge letter applies only to the interim dates and does not alter the original audit scope.
Material change statement
The material change statement is the heart of your letter. You affirm whether any material changes occurred in systems or controls since the last report.
Use wording like “We are not aware of any material changes” if none arose.
If changes did occur, list each one briefly and explain why it does not undermine prior audit conclusions. Transparency in describing updates to infrastructure or processes reassures readers that you manage controls vigilantly.
Limitations disclaimer
Include a clear limitations disclaimer reminding readers that this bridge letter is not a substitute for a full SOC 2 audit report. State that interim assurance ends with the next audit, and auditors did not verify this interim period.
Signature block
Your signature block must include the name, title, and date, signed by responsible management such as your CISO or CEO. Placing this on official letterhead shows accountability for every assertion in the letter.
Many organizations use standardized templates to cover all sections consistently. We recommend including an explicit “no changes” or detailed change description to meet best practices.
With these components in place, you’ll craft a bridge letter that’s clear, comprehensive, and credible. Next, you’ll see a full example of a SOC 2 bridge letter to guide your drafting process.
Example of a SOC 2 Bridge Letter
To illustrate, here is an example excerpt from a SOC 2 bridge letter:
[Your Company Letterhead]
Date: March 31, 2025
To: [name], CFO
ClientCorp Ltd.
Subject: SOC 2 Bridge Letter for Our Service
Dear Jane,
On September 15, 2024, AuditCo LLP issued a SOC 2 Type II report for OurCompany, covering the period January 1, 2024, through June 30, 2024. As of March 31, 2025, we have not observed any material changes in the controls and processes that were in place since the end of that audit period. Our internal control environment and security measures continue to operate as described in the SOC 2 Type II report for these services, pursuant to Statement on Standards for Attestation Engagements #18 (SSAE #18).
Should any significant change occur, we will promptly communicate its impact. At this time, however, we affirm that no material changes have occurred that would affect the conclusions of the last SOC 2 audit report.
Please note that this bridge letter covers the period July 1, 2024, through March 31, 2025, and is intended solely to bridge the gap until our next SOC 2 audit report is available. This letter is not a substitute for the full SOC 2 report, and it should be read in conjunction with the September 15, 2024, SOC 2 Type II report for a comprehensive understanding of our control environment.
Sincerely,
Name Chief Information Security Officer (CISO), OurCompany
(Signature)
In this sample, the company reassures the client (ClientCorp) that from July 1, 2024, up to Mar 31, 2025, nothing material has changed in their controls. It references the last audit report’s date and scope, includes the no-material-change statement, provides a clear disclaimer, and is signed by an appropriate executive.
Such a letter would give ClientCorp’s auditors enough comfort to rely on OurCompany’s controls through Q1 2025, until the next SOC 2 report is ready.
SOC 2 Bridge Letter Template - Free Download
Many organizations craft their bridge letters based on a standard template and customize them to their details. Below is a template that can serve as a starting point. You can use this as a guide for wording and structure, inserting your company’s specifics where needed:
Using the Template: Replace all [Bracketed] sections with your information (dates, names, details). Ensure the wording aligns with your situation; for example, if you did have a major infrastructure change, include a brief description in the letter.
Keep the tone factual and assurance-focused. It’s wise to have your compliance or legal team review the letter to make sure it’s accurate and appropriately scoped. Once finalized, put it on official letterhead and have the designated executive sign it.
Often, organizations will prepare this letter draft around the time their SOC 2 report expires, so it’s ready to go if a customer requests it. Some compliance platforms and auditors provide template verbiage (similar to the above) to their clients as a value-add. You can download our provided template as a Word document for convenience.
Frequently Asked Questions (FAQ)
What does a bridge letter do?
A bridge letter is your management-issued letter that temporarily covers the gap after a SOC 2 report’s coverage period ends and before the next report is issued. It reassures clients that your controls remain effective and that no major changes occurred in the interim.
Are “bridge letters” and “gap letters” the same thing?
Yes. The terms bridge letter and gap letter describe the same concept in SOC compliance. Both cover the gap between audit reports. When someone asks for a gap letter, they mean a bridge letter, and vice versa.
When is a SOC 2 bridge letter required or expected?
No formal standard mandates a bridge letter, but auditors and clients often expect one when your SOC 2 Type II report expires. If a vendor risk review or financial audit needs coverage beyond your last report, stakeholders will request a bridge letter to ensure continuous assurance.
How long is a bridge letter good for (when does it expire)?
Bridge letters serve short durations, typically 90 days or less from the audit’s end date. Beyond that window, their value fades, and clients will insist on a new SOC 2 report. Plan for up to three months of coverage at most.
Who writes and signs a SOC 2 bridge letter?
You, as management, prepare and sign the bridge letter on official letterhead. A C-level executive, often a CTO, CISO, or CFO, affirms the assertions. Auditors do not issue bridge letters because they cannot attest outside the audit period.
Is a bridge letter mandatory for SOC 2 Type II compliance?
No. SOC 2 Type II compliance stands on the audit report itself. Yet customers and partners often treat a bridge letter as a necessary supplement if your report is not current. Having one avoids trust gaps even though it lies outside the formal standard.
How often should bridge letters be updated or provided?
Issue bridge letters only when gaps arise, ideally once between annual SOC 2 audits. If you need one for more than a quarter, you should expedite your next audit. Large providers may update monthly, but most startups only need one interim letter per cycle.
Does AWS (or other major providers) provide a SOC 2 bridge letter?
Yes. For example, AWS offers a “SOC Continued Operations Letter,” updated monthly via its compliance portal. Other cloud and SaaS vendors publish similar gap letters on their trust pages to maintain customer confidence between reports.
Can clients rely on a bridge letter alone for due diligence?
Not entirely. A bridge letter gives interim comfort but lacks the detailed testing evidence of a full SOC 2 report. Clients and auditors will use it alongside your last SOC 2 report. Always follow up with the fresh audit report once available.
Why do auditors or customers request a bridge letter?
They request it to eliminate any gap in assurance about your controls. Auditors need evidence that your controls stayed effective after the last report. Customers need to manage risk and trust that nothing critical has changed in the interim.
Conclusion
We covered what a bridge letter is, why and when you need one, who issues it, and the key components it must include, with an example and template to guide your drafting. You now understand its purpose and best practices.
Remember that a bridge letter complements your formal SOC 2 reports rather than replacing them. Maintaining a regular audit schedule remains essential, while bridge letters demonstrate your proactive stance on security and transparency.
Next steps to embed bridge letters into your compliance workflow:
- Review and align your audit calendar with customer reporting needs
- Draft and approve a bridge letter template for interim assurance
- Automate reminders and template generation with a compliance platform