Compliance · 7 min read

SOC 2 Bridge Letters: How to Keep Your Inheritance Current

What a SOC 2 bridge letter is, when you actually need one, and how to read the fine print before your auditor calls it stale.

Phoenix Network Solutions

If you’ve inherited controls from a hosting provider’s SOC 2 Type II report, you’ve already done the hard part. You know what’s in scope, you’ve mapped the complementary controls, and your auditor has the report in their evidence folder.

Then your audit window slips. The provider’s report covered January through September. Your auditor wants coverage through December. You have a three-month gap, and the report you’ve been relying on suddenly doesn’t reach the finish line.

That gap is what a bridge letter exists to close — and the small print on how it’s written is what determines whether your auditor accepts it.

What a bridge letter actually does

A SOC 2 bridge letter (sometimes called a “gap letter” or “interim letter”) is a short signed statement from the service organization. It says, in essence: between the end of our last SOC 2 Type II reporting period and today, nothing material changed in our control environment.

That single sentence does real work. It lets your auditor rely on the prior SOC 2 report’s testing for the period the report didn’t formally cover — without making the auditor design and run their own substantive tests against the provider.

Without a bridge letter, your auditor has two unappealing options for the gap period:

  1. Treat the provider’s controls as untested for those months and pick up the burden themselves (expensive, slow)
  2. Disclose the coverage gap and reduce the level of assurance your own report can provide (worse than expensive)

Bridge letters exist because the alternative is a real cost to you, not because the AICPA mandates them.

When you need one

You need a bridge letter any time your audit period extends past the end of your provider’s SOC 2 reporting period.

The timing math is the trap. Most providers run their SOC 2 on a calendar-year offset — say, October 1 through September 30 — with the report itself issued one to two months later. If your audit period ends December 31, you need the provider’s October 1 – September 30 report plus a bridge letter covering October 1 through December 31.

If you’re in continuous-monitoring mode for an annual audit, you’ll need a fresh bridge letter every three months or so. Build that into your evidence calendar.

What’s actually in the letter

A real bridge letter includes:

  • A reference to the underlying SOC 2 report — by date range, report version, and (ideally) the auditor’s name
  • The bridge period — explicit start and end dates, no ambiguity
  • A statement of no material changes — covering the control environment described in the underlying report
  • An exception list, if applicable — anything that did change, called out explicitly
  • Signatures — by an executive with authority over the control environment, dated on or after the bridge period’s end date

If a bridge letter you receive is missing the date, the underlying report reference, or the no-material-change statement, send it back. Those omissions aren’t pedantic — they’re the parts your auditor reads.

What auditors will and won’t accept

The standard most auditors apply, in practice:

  • Bridge period of three months or less from report-end — usually accepted without comment
  • Bridge period of three to six months — accepted with scrutiny; expect questions about why a newer report isn’t available
  • Bridge period of six months or more — usually rejected; the auditor will ask for a current report or supplemental testing
  • Bridge letter signed before the bridge period ended — invalid; the signatory can’t attest to a period that hadn’t happened yet
  • Bridge letter that lists material changes without explanation — sends the auditor straight to those changes, often expanding scope rather than closing it

Your auditor’s tolerance ultimately depends on your industry and their risk posture. If you’re in a regulated sector where control assurance is itself the point, expect the tighter end of the range.

The exception list nobody reads carefully

Most bridge letters include a stock phrase like “no material changes occurred” or “no exceptions noted.” That’s the easy case.

Read carefully when there are exceptions. A well-written bridge letter will say something like:

During the bridge period, the following changes were made to the control environment: (a) the firewall vendor was migrated from X to Y on November 12; (b) the VP of Information Security position was filled on November 30. Neither change is considered material to the controls described in the underlying report.

That’s a useful disclosure. Your auditor sees it, accepts the materiality assessment, and moves on.

A poorly written one says:

No material changes occurred. (Some routine personnel and vendor changes occurred during the period and are not considered material.)

That parenthetical tells your auditor nothing and forces them to ask. Push back on bridge letters that wave at change without describing it.

How to ask for one

Most providers will issue a bridge letter on request, but the request itself can be done well or badly. The good version, sent to your provider’s compliance contact:

Hi — for our [audit type] covering the period through [end date], we’ll need a SOC 2 bridge letter referencing your most recent Type II report (period ending [date]) and covering the bridge through [bridge end date]. Please confirm you can provide one and an expected delivery date. Happy to provide more context if useful.

That gets you a complete response on the first reply. Vague requests (“can you send me a bridge letter?”) get vague responses, often without the key dates filled in.

If your provider needs more than a week to produce a bridge letter, that’s worth noting in your evaluation. A mature compliance program treats these as routine, not bespoke.

Common gotchas

Five things that quietly invalidate bridge letters:

  1. The bridge period overlaps the underlying report period. The bridge starts the day after the report ends, not the same day.
  2. The bridge letter is dated mid-period. A signature dated November 1 cannot validly attest to anything through December 31.
  3. The signatory isn’t named in the underlying report. Auditors check that the signing executive has actual authority over the control environment.
  4. The letter references an auditor that no longer audits the provider. Provider switched CPA firms? You may need a fresh report, not a bridge.
  5. No reference to the underlying report’s specific reporting period. Without that anchor, your auditor can’t tie the bridge to anything.
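As an added example (not code from the original post or from Phoenix Network Solutions), the checklist above and the acceptance thresholds from the earlier section can be turned into a small reviewer script: it takes the dates and statements you extract from a letter and reports whether the letter would sail through, draw scrutiny, or be rejected. The BridgeLetter field names, the sample dates, and the approximation of three and six months as 92 and 183 calendar days are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption for this example: "three months" and "six months" from the
# acceptance list are approximated as 92 and 183 calendar days.
ROUTINE_MAX_DAYS = 92
SCRUTINY_MAX_DAYS = 183


@dataclass
class BridgeLetter:
    """Metadata a reviewer extracts from a bridge letter before filing it as evidence."""
    report_period_end: date         # end of the underlying SOC 2 Type II period
    bridge_start: date              # first day the letter covers
    bridge_end: date                # last day the letter covers
    signed_on: date                 # date next to the executive's signature
    references_report_period: bool  # letter names the underlying report's date range
    has_no_change_statement: bool   # explicit "no material changes" statement present
    # Changes the letter calls out: (description, materiality rationale)
    exceptions: list = field(default_factory=list)


def bridge_days(letter):
    """Inclusive length of the bridge period in days."""
    return (letter.bridge_end - letter.bridge_start).days + 1


def review_bridge_letter(letter):
    """Return (status, findings); status is 'accept', 'scrutiny' or 'reject'."""
    findings = []
    fatal = False

    # Gotcha 1: the bridge starts the day after the report period ends.
    expected_start = letter.report_period_end + timedelta(days=1)
    if letter.bridge_start != expected_start:
        fatal = True
        findings.append(f"bridge should start {expected_start}, not {letter.bridge_start}")
    if letter.bridge_end < letter.bridge_start:
        fatal = True
        findings.append("bridge end date precedes bridge start date")

    # Gotcha 2: a signature dated mid-period cannot attest to the whole period.
    if letter.signed_on < letter.bridge_end:
        fatal = True
        findings.append(f"signed {letter.signed_on}, before bridge end {letter.bridge_end}")

    # Gotcha 5: without the report reference the bridge is anchored to nothing.
    if not letter.references_report_period:
        fatal = True
        findings.append("no reference to the underlying report's reporting period")

    # The no-material-change statement is the sentence the auditor reads.
    if not letter.has_no_change_statement:
        fatal = True
        findings.append("no statement that the control environment had no material changes")

    # Bridge period length: over six months, ask for a current report instead.
    days = bridge_days(letter)
    if days > SCRUTINY_MAX_DAYS:
        fatal = True
        findings.append(f"bridge period is {days} days; request a current report")

    if fatal:
        return "reject", findings

    # Exceptions listed without a materiality rationale send the auditor digging.
    for description, rationale in letter.exceptions:
        if not rationale.strip():
            findings.append(f"change '{description}' listed without a materiality explanation")

    # Three to six months is accepted, but expect questions about a newer report.
    if days > ROUTINE_MAX_DAYS:
        findings.append(f"bridge period is {days} days; expect questions about a newer report")

    return ("scrutiny" if findings else "accept"), findings


if __name__ == "__main__":
    # Constructed sample: report ended 30 Sep, bridge runs 1 Oct to 31 Dec, signed in January.
    letter = BridgeLetter(date(2024, 9, 30), date(2024, 10, 1), date(2024, 12, 31),
                          date(2025, 1, 6), True, True,
                          exceptions=[("firewall vendor migrated on November 12",
                                       "not material to the controls in the underlying report")])
    status, findings = review_bridge_letter(letter)
    print(status, findings)
```

Run it against each letter you receive and keep the output next to the letter in your evidence folder; a "reject" with the overlap or signature-date finding is exactly the case to send back to the provider before your auditor sees it.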

Putting it in your audit calendar

If you’re running an annual audit and inheriting controls from one or more providers, plan for:

  • Report renewal date — when the provider’s next Type II report is expected
  • Last-known good bridge letter date — when your most recent bridge expires (typically three months from issuance)
  • Audit period close — when you actually need everything stitched together

Send the bridge-letter request 30 days before your evidence-collection cutoff. That gives the provider time to produce one and you time to read it.

For more on what to ask a hosting provider before you sign and start inheriting controls in the first place, see Choosing a SOC 2 Type II Hosting Provider.


Phoenix Network Solutions issues bridge letters on request, typically within two business days, with explicit dates and an exception list when warranted. If you want to see what one of ours actually looks like, reach out and we’ll send a sample.

Tags: SOC 2, Compliance, Audit, Bridge Letter
