Free Template

SOC 1 Bridge Letter Template

The fill-in gap letter your enterprise customers ask for every December — plus the pre-signing verification checklist that keeps it defensible.

A bridge letter (gap letter) is management's written statement covering the months between the end of your last SOC 1 report period and a customer's fiscal year-end, stating whether your controls have materially changed. This free template gives you the complete letter with placeholders — report reference, gap window, material-change statement, known-failures disclosure, and the no-assurance caveats — plus a pre-signing verification checklist and usage notes. Issued by your management, not your CPA; adapt it with your auditor or counsel where needed.

What's Included

The Template Letter

One page, fill-in placeholders, standard structure user auditors recognise — nothing exotic to negotiate

Pre-Signing Checklist

Six verifications against your own records before an executive signs the representation

Usage & Timing Notes

Who signs, when customers ask (Dec–Jan for calendar year-ends), and how long a gap the letter can credibly cover

Caveat Language

The no-assurance and management-representation wording that keeps the letter honest and defensible

SOC 2 Adaptation

The one-line swap that turns it into a SOC 2 gap letter

Reader's Perspective

What your customers' auditors check the letter for — so you know why each element is there

Who This Is For

  • Service organizations with a SOC 1 or SOC 2 whose report period doesn't reach customers' year-ends
  • Compliance and finance leads fielding December bridge-letter requests from enterprise customers
  • User entities and their auditors who want to know what a credible bridge letter looks like

Bridge Letter FAQs

Who signs, how long a gap it covers, and what to verify before signing.

Who should sign the bridge letter?

An executive of the service organization who can genuinely speak to the control environment — typically the CISO, CFO, or compliance lead. It is a management representation: the CPA firm that performed your SOC 1 does not sign or issue bridge letters, and one on the auditor's letterhead would be non-standard.

How long a gap can a bridge letter cover?

Practice converges on about three months or less. Beyond a quarter, user auditors place little reliance on a management letter and will ask when the next examination period closes. If your report period ends more than a quarter before most customers' fiscal year-ends, consider shifting the period rather than bridging harder.

Does the template work for SOC 2 gap letters too?

Yes. The structure is identical — reference to the underlying report, the gap window, a material-change statement, known-failures disclosure, and no-assurance caveats. Swap the report references from SOC 1 (AT-C 320, control objectives) to SOC 2 (Trust Services Criteria) and the letter reads correctly.

What should we verify before signing?

Do not sign from memory. Review the change-management log for material system or control changes since the period end, the incident and exception registers, any change of subservice organization, and the remediation status of exceptions noted in the report. The template's pre-signing checklist walks through each of these — a bridge letter contradicted by your own next Type 2 is worse than no letter.

Is a bridge letter a substitute for a current SOC 1 report?

No. It extends a recent report across a normal gap; it provides no assurance and nobody audits it. If the underlying report is more than a year old, customers should treat the attestation as lapsed — the fix is scheduling the next Type 2, not a longer letter.

Report Period Not Cooperating?

We help service organizations plan report periods, draft descriptions, and coordinate with CPA firms — across 100+ SOC 1 engagements in India, USA, UK, Australia & UAE.

Written By Expert Auditors

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor
Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor, ISO 27701 Lead Auditor
Last reviewed: July 2026
Content verified by certified lead auditors