What Is a SOC 2 Bridge Letter? When You Need One and How to Get It
Learn what a SOC 2 bridge letter is, when you need one for vendor security reviews, what it contains, and how to obtain one from your auditor.
We field more questions about SOC 2 bridge letters than almost any other audit topic — typically from sales teams that need one yesterday to close a deal. Understanding what a bridge letter is and when you need one saves both time and stress.
If you have ever been mid-deal with an enterprise prospect and been told your SOC 2 report has expired or does not cover the current period, you have encountered the scenario where a bridge letter for SOC 2 becomes essential. A SOC 2 bridge letter is a formal assertion from your auditor that covers the gap between your most recent SOC 2 report period and the present day, confirming that your control environment has not materially changed. It is not a replacement for a current SOC 2 report, but it can satisfy a customer's vendor security review until your next report is issued.
This guide explains exactly what a SOC 2 bridge letter is, the scenarios where you will need one, what the letter contains, how to obtain one from your auditor (including typical costs), AICPA guidance on their use, how a bridge letter differs from a Type II report, and alternatives for continuous coverage.
What Is a SOC 2 Bridge Letter?
A SOC 2 bridge letter — sometimes called a gap letter, management assertion letter, or interim letter — is a document from your audit firm that addresses the period between the end date of your most recent SOC 2 report and the current date. The letter typically asserts that:
- Your control environment has not undergone material changes since the report period ended
- Operations have continued under the same controls described in the most recent SOC 2 report
- No significant incidents or control failures have occurred during the gap period
The letter is signed by your audit firm (often the engagement partner) and may include a brief inquiry or management representation confirming these assertions. It does not involve testing of controls — it is an assertion, not an audit.
Bridge letters are widely accepted in the market, though their authority comes from the auditor's professional reputation rather than from any formal AICPA standard. Most enterprise security review teams will accept a bridge letter alongside your most recent SOC 2 report to satisfy their vendor due diligence requirements.
When Do You Need a Bridge Letter?
Several common scenarios create the need for a SOC 2 bridge letter:
Customer Security Review During Report Gap
The most common scenario: your SOC 2 Type II report covers a period ending December 31, but a customer requests your report in March. The three-month gap between your report period end date and the customer's review triggers a request for bridge coverage. For details on how SOC 2 report periods work, see our SOC 2 report explained guide.
Annual Renewal Timing Misalignment
If your audit cycle shifts (for example, your report used to cover January-December but now covers April-March), there may be a gap between the old period end and the new period start.
Mid-Deal Urgency
Enterprise deals often have security review gates that require current compliance documentation. When your next SOC 2 report is weeks away but the deal cannot wait, a bridge letter fills the gap.
Delayed Audit Completion
Sometimes audits take longer than expected — evidence collection issues, auditor scheduling, or remediation delays can push your report issuance date beyond the previous period end date.
What a Bridge Letter Contains
A typical SOC 2 bridge letter includes the following elements:
- Addressee — Usually addressed to your organization (not to a specific customer), making it reusable
- Reference to the most recent SOC 2 report — Report type, period covered, and opinion type
- Gap period covered — The specific dates between the report period end and the letter date
- Management assertions — Your management's representation that no material changes to the control environment have occurred, no significant incidents have been identified, and operations continue under the described controls
- Auditor acknowledgment — The auditor acknowledges the management assertions and may note the procedures they performed (typically limited to inquiry and discussion, not testing)
- Limitations — A statement that the letter is not a SOC 2 report, does not include an opinion on control effectiveness, and should not be relied upon as a substitute for a current SOC 2 examination
- Signature — The audit firm's signature
How to Obtain a Bridge Letter
Obtaining a SOC 2 bridge letter is a straightforward process:
- Contact your audit firm — Reach out to your engagement partner or audit manager and request a bridge letter for the gap period
- Provide management assertions — Your audit firm will ask you to confirm in writing that no material changes to your control environment have occurred since the report period ended
- Review and sign — The auditor drafts the letter, you review the management assertions for accuracy, and the auditor issues the final signed letter
- Distribute to customers — Share the bridge letter alongside your most recent SOC 2 report
Cost
Bridge letters are a relatively modest expense compared to a full SOC 2 examination. The fee depends on your audit firm, the level of inquiry they perform, and whether you are an existing client. Many firms include bridge letter issuance as part of their annual engagement or charge a flat fee. Contact your auditor for their specific pricing.
Turnaround Time
Most auditors can issue a bridge letter within one to two weeks of receiving your management assertion. If you know you will need a bridge letter, notify your auditor in advance — they may be able to prepare the template proactively.
AICPA Guidance on Bridge Letters
It is important to understand that bridge letters are not a formally defined AICPA product. The AICPA has not issued specific guidance endorsing or standardizing bridge letters. They exist as a market practice that has become widely accepted through industry convention.
The AICPA's position is nuanced: they do not prohibit auditors from issuing bridge letters, but they also note that such letters should not be mistaken for a SOC 2 examination and should clearly state their limitations. Some auditors and firms have their own policies about what they will and will not assert in a bridge letter.
Because bridge letters are not standardized, the format, content, and assertions can vary between audit firms. If a customer has specific requirements for what the bridge letter must contain, share those requirements with your auditor before they draft the letter.
Bridge Letter vs. Type II Report
A bridge letter is fundamentally different from a SOC 2 Type II report in several critical ways:
| Dimension | SOC 2 Bridge Letter | SOC 2 Type II Report |
|---|---|---|
| Scope | Gap-period assertion only | Full examination of controls over the reporting period |
| Testing | No control testing | Detailed testing of each control's operating effectiveness |
| Opinion | No auditor opinion | Formal auditor opinion on control effectiveness |
| Authority | Market convention | AICPA attestation standard (AT-C 205) |
| Duration | Covers gap period (typically 1-6 months) | Covers examination period (typically 6-12 months) |
| Cost | Modest flat fee | Significant investment |
| Acceptance | Widely accepted but not universal | Universally accepted |
A bridge letter is not a substitute for maintaining a current SOC 2 report. It is a temporary measure to address timing gaps. If your bridge letter periods are consistently long (6+ months), that signals a need to adjust your audit cycle.
Alternatives to Bridge Letters
If you want to minimize or eliminate the need for bridge letters, consider these approaches:
Overlapping Audit Periods
Schedule your new SOC 2 examination to begin before the previous report period ends, creating overlap rather than a gap. For example, if your current report covers January 1 through December 31, begin your next examination period on October 1 rather than January 1.
Continuous Compliance Monitoring
Implement continuous compliance monitoring through platforms that provide real-time evidence of control effectiveness. While this does not replace a SOC 2 report, it provides supplementary assurance to customers during gap periods. See our SOC 2 compliance timeline guide for optimization strategies.
Shorter Audit Cycles
Some organizations move from annual to semi-annual reporting to reduce the maximum possible gap period. This increases audit costs but can be worthwhile if your customer base demands near-continuous coverage.
Management Assertion Letters
If your auditor does not provide bridge letters, you can issue your own management assertion letter (without auditor co-signature) stating that no material changes have occurred. This carries less weight but may satisfy some vendor security reviews. See our SOC 2 audit timeline guide for planning your audit cycle to minimize gaps.
Need a bridge letter or help optimizing your SOC 2 audit cycle? Contact Agency to ensure your compliance coverage never lapses.
Agency Team