What Is a SOC 2 Bridge Letter (Gap Letter)?
A SOC 2 bridge letter — also called a gap letter — is a short statement your own organization writes to cover the gap between the end of your last SOC 2 report period and a customer's reliance date. It is your management's assertion that nothing material changed, not a new audit opinion, and never a substitute for a fresh report.
What a SOC 2 bridge letter actually is
A SOC 2 bridge letter, often called a gap letter, is a short written statement issued by the service organization itself — not by its CPA firm — that covers the gap between the end date of its most recent SOC 2 report's coverage period and a customer's current reliance date. A SOC 2 Type II report covers a defined window (commonly three to twelve months), and that window always ends on a fixed date in the past. The moment the period closes, a gap begins to open between "the last day the auditor observed your controls" and "today, when a customer wants assurance." The bridge letter is the document that spans that gap.
The defining feature of a bridge letter is whose voice it speaks in. It is your organization's own representation, signed by management — typically an officer such as the CEO, CFO, or CTO. The CPA firm that performed your SOC 2 examination does not write, sign, or issue a bridge letter, and reputable firms will tell you so directly. The letter is not part of the audit, not an extension of the audit period, and not a new opinion. It carries the credibility of your management's word, backed by the formal report that sits behind it — and nothing more.
That distinction is the single most important thing to understand. A SOC 2 report is independent assurance: a licensed CPA firm examined your controls and expressed an opinion. A bridge letter is self-assurance: you are telling a customer, in writing, that the control environment the auditor examined has not materially changed since the report period closed. Both have a legitimate place, but they are not the same instrument, and treating the second as if it were the first is exactly the mistake this article exists to prevent.
Why customers ask for one — and the typical interim length
The reason bridge letters exist is timing. SOC 2 reports are almost always retrospective: by the time a Type II report is issued, its coverage period has already ended, and most organizations renew on an annual cycle. So there is a routine, recurring stretch — between one report's end date and the next report's availability — during which a customer's vendor-risk team has no current independent coverage to point to. A bridge letter lets you answer the question "what about the months since your report period ended?" without waiting for the next examination to finish.
The gap a bridge letter covers is meant to be short. Industry practice, and what most auditors and customers expect, is an interim period of up to roughly three months. The logic is straightforward: the longer the gap, the weaker an unverified management assertion becomes as a stand-in for independent testing. A few months of "nothing material changed" is a reasonable thing for management to attest to and for a customer to accept; a year of it is not, because too much can change and none of it has been independently checked. Auditors and security reviewers actively discourage stretching a bridge letter to cover long gaps, and a customer who sees you leaning on one for half a year or more should — and usually will — ask for a current report instead.
The practical trigger is often a customer's own calendar. A prospect or existing client closing its fiscal year, completing its own audit, or running a periodic vendor review may need assurance through a date that falls just after your last report period ended. The bridge letter is the lightweight, no-cost way to give them that interim comfort while your next SOC 2 examination is underway, rather than leaving a hole in their third-party risk file.
What a bridge letter should — and should not — state
A good bridge letter is narrow and precise. It should identify the SOC 2 report it relies on (the report type, the service auditor, and the exact coverage period and end date), define the interim gap period it covers (from the report's end date to the stated current or reliance date), and make management's core representation: that, to management's knowledge, no material changes to the control environment relevant to that report occurred during the interim period — or, if changes did occur, a candid description of them. It should be signed and dated by an authorized officer and, ideally, name the customer or context it is being provided for.
Equally important is what a bridge letter must not claim. It should not state or imply that the auditor examined, tested, or opined on the gap period — because the auditor did not. It should not present itself as an extension of the SOC 2 coverage period or as new independent assurance. It should not assert that controls "operated effectively" over the gap in the testing sense a Type II report uses, because no testing occurred; management can attest to the absence of material change, not to audited operating effectiveness. And it should never overstate certainty: the honest framing is management's knowledge of material changes, not a guarantee.
Most well-drafted bridge letters include an explicit disclaimer to keep these boundaries clear — language confirming that the letter is management's own representation, that it does not constitute an audit opinion or an extension of the examination, and that it is not a substitute for a SOC 2 report. Including that disclaimer is not a weakness; it is what makes the letter credible. A bridge letter that quietly blurs the line between management assertion and auditor opinion is both misleading and, ultimately, less trustworthy to the sophisticated buyers most likely to read it carefully.
It is not a substitute for a new SOC 2 report
This deserves its own section because it is the most common misunderstanding. A bridge letter supplements a SOC 2 report; it never replaces one. The only thing that can replace a SOC 2 report is another SOC 2 report — a fresh examination performed by a licensed CPA firm covering a new period. A bridge letter buys you a short window of interim comfort on the strength of an existing report; it does not generate independent assurance about the gap, and it cannot stand alone if the underlying report becomes stale.
The failure mode to avoid is treating bridge letters as a way to defer renewal indefinitely. If your last report period ended many months ago and you keep issuing bridge letters rather than completing a new examination, you are asking customers to rely on an ever-lengthening stretch of unverified self-attestation built on an increasingly dated independent test. Auditors discourage this, customers see through it, and it undermines the very trust the SOC 2 program is supposed to build. The bridge letter is a bridge — it connects you to the next report, not away from the need for one.
The right mental model is a cycle. You complete a SOC 2 Type II examination covering a period; the period ends; you renew by starting the next examination; and a bridge letter covers only the brief, good-faith interval in between. Used that way, it is a sensible, low-friction tool. Used as a permanent substitute for current independent assurance, it stops being honest. When in doubt, the conservative answer to "can a bridge letter cover this?" is to ask how long the gap is and whether it is time to simply provide a current report instead.
How to write a bridge letter
Start from your most recent SOC 2 report and pull the exact facts: the report type (almost always Type II), the name of the service auditor, and the precise coverage period with its end date. These anchor the letter, because everything you assert is relative to that report. Then define the interim period explicitly — from the day after the report's end date through the current or customer-specified reliance date — and keep that span short, ideally within about three months.
Write the body in management's voice and keep it factual. State that the organization is providing the letter to bridge the interim period; that the referenced SOC 2 report describes the controls examined; and that, to management's knowledge, no material changes to the relevant control environment occurred during the interim period. If something did change — a new subservice organization, a significant system migration, a reorganization of the security team, a material incident — disclose it plainly rather than papering over it; an honest "here is what changed and how we addressed it" is far more valuable to a customer than a blanket denial. Add the disclaimer paragraph clarifying that the letter is management's representation, not an auditor's opinion, not an extension of the examination, and not a replacement for a SOC 2 report. Close with the signature, title, and date of an authorized officer.
A few practical cautions. Do not ask your CPA firm to sign it — they will decline, and the letter is not theirs to issue. Do not copy a sample template verbatim without confirming every fact matches your actual report and environment, since an inaccurate representation is worse than none. And do not let the letter outlive its usefulness: re-issue against your newest report as soon as it is available, rather than refreshing the date on an old letter tied to a report that is aging out. Because a bridge letter is a formal representation that customers rely on, it is reasonable to have counsel or your compliance lead review the wording before it goes out.
Where the documentation layer fits
A bridge letter is one small piece of a larger SOC 2 documentation set — the layer of policies, procedures, mappings, and records that supports the whole program between examinations. The letter itself is short, but its credibility depends on everything behind it: that your control environment really is documented, really is being operated, and really has not drifted in the interim period you are attesting to. The stronger and more current your underlying documentation, the more defensible your management's "no material changes" representation actually is.
This is where an editable starting point helps with the groundwork. The ComplianceDocs SOC 2 toolkits — the SOC 2 Policy Pack — Core at $59 (15 editable policies mapped to the Trust Services Criteria) and the SOC 2 Complete Toolkit at $99 (22 policies plus a risk register, full Trust Services Criteria mapping, and an audit evidence checklist) — give you the documentation layer as editable files you tailor to your environment rather than draft from a blank page. (Current list prices; a launch discount may apply at checkout. Any figures here are illustrative, not quotes; actual costs vary.) A well-maintained policy set is exactly what makes a bridge letter's assertion believable, because it gives you a documented baseline to compare against when you decide whether anything material has changed.
Be clear about the boundaries, because honesty is the whole point of a bridge letter. No toolkit, template, or document set makes your organization "SOC 2 compliant," "certified," or "attested," and no toolkit can issue a bridge letter for you — the letter is your management's own representation, and a SOC 2 report comes only from a licensed CPA firm after it examines the controls you actually operate. What the documentation layer does is speed your readiness and give you a structured, current baseline. The assurance — both the independent kind in the report and the self-assertion in the bridge letter — still has to reflect controls that genuinely operate in your business.
Frequently asked questions
- Who issues a SOC 2 bridge letter — the company or the auditor?
- The service organization issues and signs its own bridge letter; the CPA firm does not. A bridge letter is management's own representation, typically signed by an officer such as the CEO, CFO, or CTO. The licensed CPA firm that performed your SOC 2 examination will not write or sign a bridge letter on your behalf, because the letter is not part of the audit and is not an auditor's opinion. If anyone offers you a bridge letter signed by the audit firm, treat that as a red flag — that is simply not how bridge letters work.
- How long a gap can a SOC 2 bridge letter cover?
- In common practice, a bridge letter covers an interim gap of up to roughly three months between your last SOC 2 report's end date and the customer's reliance date. There is no hard rule fixing the number, but auditors and customers discourage stretching it further, because the longer the gap, the weaker an unverified management assertion becomes as a stand-in for independent testing. If the gap grows to many months, the right answer is to provide a current SOC 2 report rather than another bridge letter. Used to cover a short, good-faith interval until your next report is ready, a bridge letter is reasonable; used to defer renewal indefinitely, it is not.
- Does a bridge letter replace a SOC 2 report?
- No. A bridge letter supplements an existing SOC 2 report; it never replaces one. It provides short-term, interim comfort on the strength of a report that already exists, but it generates no new independent assurance about the gap period and cannot stand alone. The only thing that replaces a SOC 2 report is another SOC 2 report — a fresh examination by a licensed CPA firm covering a new period. Most organizations renew annually and use a bridge letter only to span the brief interval until the next report is available.
- What should a SOC 2 bridge letter say?
- It should identify the SOC 2 report it relies on (type, service auditor, and exact coverage period and end date), define the interim period it covers, and state management's core representation: that, to management's knowledge, no material changes to the relevant control environment occurred during that interim period — or describe any changes that did occur. It should be signed and dated by an authorized officer and include a disclaimer that the letter is management's own representation, not an auditor's opinion, not an extension of the examination, and not a substitute for a SOC 2 report. It should not claim the auditor examined or opined on the gap period, because no testing took place during it.
- Can a SOC 2 toolkit or template produce a bridge letter or make us compliant?
- No. A toolkit gives you the documentation layer — editable policies, procedures, and mappings — that supports your SOC 2 program and makes a bridge letter's assertion more defensible, but it cannot issue the letter for you, because the letter is your management's own representation about your actual environment. More fundamentally, no template, toolkit, or document set makes an organization SOC 2 compliant, certified, or attested. A SOC 2 report comes only from a licensed CPA firm after it examines the controls you genuinely operate. Documentation speeds readiness and gives you a current baseline to assess change against; it does not replace the work, the examination, or the report.