What is a SOC 2 bridge letter and when do you need one?
What Is a SOC 2 Bridge Letter?
A bridge letter (also called a gap letter) is a written statement from your management that covers the time between the end of your most recent SOC 2 report period and the present date. If a prospect requests your report in March but your audit period ended in December, the bridge letter fills that 3-month gap by asserting that controls continued to operate without material changes.
When Do You Need One?
| Scenario | Bridge Letter Needed? | Why |
|---|---|---|
| Prospect requests report and audit period ended 2+ months ago | Yes | Buyers want assurance controls are still in place |
| Between audit periods with renewal in progress | Yes | Old report is aging while new one is in fieldwork |
| Type I report is 4+ months old | Yes | Point-in-time snapshot is getting stale |
| Report period ended last week | No | Gap is negligible |
| Current Type II with period ending within 3 months | Usually no | Most buyers accept this as current |
What Goes in a Bridge Letter?
A bridge letter typically includes:
- Reference to the SOC 2 report — report type, period covered, auditor name
- Assertion of no material changes — confirmation that your control environment has not changed significantly
- Description of any changes — if you did make changes, disclose them and explain impact
- Date and signature — signed by an authorized executive
Is a Bridge Letter a Substitute for a Current Report?
No. A bridge letter is a stopgap, not a replacement. It is your management's assertion, not an auditor's opinion. Most buyers accept bridge letters for gaps of 3–6 months. Beyond 6 months, buyers will push for a new audit.
The best way to minimize bridge letter needs is to time your audit periods so coverage stays current. Screenata helps maintain continuous evidence collection so your next audit period starts immediately after the prior one ends.