What is a SOC 2 Bridge Letter?

What is a SOC 2 Bridge Letter?

How do you assure your employees, stakeholders, and customers of your SaaS company that their information is private and secure between compliance audit review periods?

Provide them a SOC 2 Bridge Letter.

A SOC 2 bridge letter is issued after your company or organization's SOC 2 report audit period has ended. It bridges the gap between the end of your last SOC 2 report audit and when you're ready to conduct your next audit, which is why it's also referred to as a 'gap letter.'

Usually, SOC 2 reports cover a user entity for 6 months to a year, but if your company follows a calendar year, then your report’s validity may leave you uncovered.

Does a SOC 2 bridge letter provide any coverage? In its most simple form, the answer would be: No. 

Bridge letters aren’t meant to take the place of another SOC 2 report, but to provide coverage of your company and trustworthiness to your customers and clients.

What Does a SOC 2 Bridge Letter Look Like & What is Included?

What a SOC 2 bridge letter should include:

• Significant changes to any systems or controls since the audit

OR

• A statement that the organization or company is unaware of any material changes from the latest SOC 2 report to its expiration.

What a SOC 2 bridge letter should NOT Include:

Remember, a bridge letter is sent to cover the gap between SOC 2 audit reports. It isn’t meant to take the place of the actual audit, therefore it shouldn’t include specific details like

• Test procedures 

• Test results

• System descriptions

Here's an example of a SOC 2 Bridge letter template Johanson Group provides to our clients:

Who Writes and Issues a SOC 2 Bridge Letter?

Management of the company that received the previous SOC 2 report completes and sends the SOC 2 Bridge Letter to its stakeholders (not the auditor).

The letter intends to assure all intended recipients that there have been no significant changes to your SaaS company's controls between audit renewal periods. If there have been material changes, the SOC 2 bridge letter is where you would explain changes to your controls — if any— and assure your customers or clients how they wouldn't affect the results of your SOC 2 report.

The CPA firm conducting the SOC 2 audit is not involved in the writing or disbursement of a SOC 2 bridge letter. Why?

The entire purpose of the SOC 2 bridge letter is to attest that client, stakeholder, and employee privacy and security are still in compliance. If something were to change with the company's security services after a SOC 2 is complete, the CPA firm that conducted the audit could not speak to the passing of any new changes after the audit expires.

Why are Bridge Letters Important?

As you can see, bridge letters are an essential part of your SOC 2 compliance program. The written assurance to your customers and stakeholders that you are still in compliance after your SOC 2 report helps bring confidence and peace of mind that their information is secure and private and trust service commitments and requirements are being met.

LEARN MORE: Why Saas Start-Ups Should Prioritize SOC 2 Compliance

As we have seen, SOC 2 bridge letters are critical to your SOC 2 compliance. They help you to demonstrate that your controls are appropriately designed and operating effectively and can be relied upon by all stakeholders.

ABOUT JOHANSON GROUP:

Johanson Group, based in Colorado Springs, CO, provides audits and professional services to public and private companies in a variety of industries world wide.

We serve:

• SaaS Start-ups

• SaaS Healthcare Organizations

• Established SaaS Companies

• Government SaaS Organizations

We provide:

• SOC 2 assessments

• HIPPA assessments

• ISO/IEC 27001 reports