SOC 1 Bridge Letter Template
The fill-in gap letter your enterprise customers ask for every December — plus the pre-signing verification checklist that keeps it defensible.
Download Free Template (PDF)A bridge letter (gap letter) is management's written statement covering the months between the end of your last SOC 1 report period and a customer's fiscal year-end, stating whether your controls have materially changed. This free template gives you the complete letter with placeholders — report reference, gap window, material-change statement, known-failures disclosure, and the no-assurance caveats — plus a pre-signing verification checklist and usage notes. Issued by your management, not your CPA; adapt it with your auditor or counsel where needed.
What's Included
The Template Letter
One page, fill-in placeholders, standard structure user auditors recognise — nothing exotic to negotiate
Pre-Signing Checklist
Six verifications against your own records before an executive signs the representation
Usage & Timing Notes
Who signs, when customers ask (Dec–Jan for calendar year-ends), and how long a gap the letter can credibly cover
Caveat Language
The no-assurance and management-representation wording that keeps the letter honest and defensible
SOC 2 Adaptation
The one-line swap that turns it into a SOC 2 gap letter
Reader's Perspective
What your customers' auditors check the letter for — so you know why each element is there
Who This Is For
- →Service organizations with a SOC 1 or SOC 2 whose report period doesn't reach customers' year-ends
- →Compliance and finance leads fielding December bridge-letter requests from enterprise customers
- →User entities and their auditors who want to know what a credible bridge letter looks like
Bridge Letter FAQs
Who signs, how long a gap it covers, and what to verify before signing.
Who should sign the bridge letter?
An executive of the service organization who can genuinely speak to the control environment — typically the CISO, CFO, or compliance lead. It is a management representation: the CPA firm that performed your SOC 1 does not sign or issue bridge letters, and one on the auditor's letterhead would be non-standard.
How long a gap can a bridge letter cover?
Practice converges on about three months or less. Beyond a quarter, user auditors place little reliance on a management letter and will ask when the next examination period closes. If your report period ends more than a quarter before most customers' fiscal year-ends, consider shifting the period rather than bridging harder.
Does the template work for SOC 2 gap letters too?
Yes. The structure is identical — reference to the underlying report, the gap window, a material-change statement, known-failures disclosure, and no-assurance caveats. Swap the report references from SOC 1 (AT-C 320, control objectives) to SOC 2 (Trust Services Criteria) and the letter reads correctly.
What should we verify before signing?
Do not sign from memory. Review the change-management log for material system or control changes since the period end, the incident and exception registers, any change of subservice organization, and the remediation status of exceptions noted in the report. The template's pre-signing checklist walks through each of these — a bridge letter contradicted by your own next Type 2 is worse than no letter.
Is a bridge letter a substitute for a current SOC 1 report?
No. It extends a recent report across a normal gap; it provides no assurance and nobody audits it. If the underlying report is more than a year old, customers should treat the attestation as lapsed — the fix is scheduling the next Type 2, not a longer letter.
Keep Going
- →SOC 1 Bridge Letters, Explained— the full guide behind this template: anatomy, limits, and reader expectations.
- →SOC 1 Timeline— align your report period so you need less bridging in the first place.
- →SOC 1 Readiness Checklist— the 40-point self-assessment for your next examination cycle.
Report Period Not Cooperating?
We help service organizations plan report periods, draft descriptions, and coordinate with CPA firms — across 100+ SOC 1 engagements in India, USA, UK, Australia & UAE.
Book Free Consultation