SOC 1 Bridge Letters, Explained
A bridge letter — also called a gap letter — is a short statement from a service organization's management covering the months between the end of its latest SOC 1 report period and a customer's fiscal year-end. It says whether anything material changed. It is not an audit opinion.
Who signs it matters: bridge letters are issued and signed by the service organization’s management. The CPA firm that issued the SOC 1 performs no procedures on the gap period and gives no assurance over it.
Plain-English explainer · Applies to SOC 1 & SOC 2 · Last reviewed July 2026
A bridge letter (gap letter) is management’s written statement that its controls have, or have not, materially changed between the end of its last SOC report period and a date its customer cares about, usually the customer’s fiscal year-end. The need is structural: a SOC 1 Type 2 covers a fixed period (say, October 1 to September 30), while the customers relying on it close their books on December 31. Their financial-statement auditors need something covering October through December. Rather than commissioning a second examination, the service organization issues a bridge letter for those months. It is a management representation, not an audit deliverable: the service auditor performs no procedures on the gap period. User auditors accept it as one input alongside the underlying report, their own inquiries, and their client’s mapping of complementary user entity controls (CUECs); the longer the gap, the less weight it carries.
Anatomy
What a Bridge Letter Contains
There is no prescribed AICPA template — the letter is a management representation — but a credible bridge letter is one to two pages and covers five things:
- Identification of the most recent SOC 1 report: the service auditor, the report type (Type 1 or Type 2), and the period it covered.
- The gap period the letter addresses — from the end of the report period to a stated date (typically the customer’s fiscal year-end).
- A statement of whether there have been material changes to the system, the control environment, or the controls since the report period ended — and a description of any changes there were.
- A statement that management is not aware of control failures or incidents in the gap period that would affect the conclusions in the report (or disclosure of any that occurred).
- Explicit caveats: the letter is a representation of management, the service auditor has performed no procedures on the gap period, and the letter provides no assurance.
Timing example: a payroll processor’s Type 2 period runs October 1, 2025 – September 30, 2026. Its customers close December 31, 2026. In early January, the processor issues a bridge letter covering October 1 – December 31, 2026, referencing the September 30 report. Customers’ auditors read both together.
Limits
What a Bridge Letter Cannot Do
- It cannot provide assurance — no one tested anything. It is management telling you, in good faith, that nothing material changed.
- It cannot stretch indefinitely — past a few months, user auditors will ask when the next report lands, or perform their own procedures instead.
- It cannot cure a qualified report — if the underlying SOC 1 had exceptions, the bridge letter doesn’t neutralize them (and should acknowledge remediation status if relevant).
- It cannot replace a first report — a company with no SOC 1 cannot “bridge” to one; the letter only extends an existing examination’s relevance.
- It should not come from the CPA — service auditors do not issue bridge letters; a letter on the audit firm’s letterhead is a red flag worth querying.
For service organizations, the operational advice is simple: template the letter, decide who signs (typically the CISO, CFO, or compliance lead), verify against your change-management and incident logs before signing, and turn requests around in days — December and January are when your enterprise customers’ auditors come asking. Aligning your report period to end within a quarter of most customers’ year-ends reduces how much bridging you need at all.
Bridge Letters — Common Questions
Who signs them, what they cover, and when they stop working.
What is a bridge letter in a SOC 1 context?
A bridge letter — also called a gap letter — is a short written statement from a service organization’s management covering the period between the end of its most recent SOC 1 report period and a later date, usually a customer’s fiscal year-end. It states whether the system and controls described in the report have materially changed, and whether management is aware of control failures in the gap period. It carries no audit assurance.
Who issues and signs a bridge letter?
The service organization’s management — typically the CISO, CFO, compliance officer, or another executive who can speak to the control environment. The CPA firm that performed the SOC 1 examination does not issue bridge letters and performs no procedures on the gap period. A “bridge letter” on the auditor’s letterhead is not standard practice and should prompt questions.
How long can a bridge letter cover?
There is no rule, but practice has converged on short gaps — up to about three months is generally comfortable for user auditors. Beyond that, reliance drops quickly: a six-month “bridge” invites the question of why the next examination hasn’t started. Service organizations with annual Type 2 cycles typically time their periods so customer year-ends fall within a quarter of the period end.
Do bridge letters exist for SOC 2 as well?
Yes — the concept is identical for SOC 2: management attests that controls haven’t materially changed since the last report period. Bridge letters matter most in the SOC 1 world, though, because financial-statement auditors need coverage mapped to their client’s exact fiscal year; SOC 2 readers (security and procurement teams) are usually satisfied knowing the next annual report’s timing.
Is a bridge letter enough if a vendor’s SOC report is old?
No. A bridge letter extends a recent report across a normal gap; it does not substitute for a current examination. If the most recent report is more than a year old, or the gap letter would need to cover more than a quarter, treat the vendor as not currently attested: ask when the next report period closes, and consider additional monitoring or contractual protections in the meantime.
What should we check before signing a bridge letter as a service organization?
Verify, don’t assume: review the change-management log for material system or control changes since the period end, review incident and exception records, confirm no key subservice organization changed, and check remediation status of any exceptions noted in the report. The letter is a management representation — signing it without checking the underlying records is how organizations end up contradicted by their own next Type 2.
Written By Expert Auditors