What is a SOC Bridge Letter?

Service organizations often issue SSAE 18 SOC reports with reporting periods that do not line up with user entities' financial reporting years, creating a “gap” in coverage of the internal controls. For example, an SSAE 18 SOC 2 type II report with a period ending September 30 would leave a three-month gap in reporting for user entities with a calendar year ending December 31. Where there is a gap between the SSAE 18 SOC 1 or SOC 2 reporting period and the user entities' reporting period, service organizations can issue a “bridge letter” to user entities to provide additional comfort over the controls for the period not covered by the type II report. The bridge letter is provided by management of the service organization and should address any material changes to the internal control environment and any control deficiencies noted during the period.
