Frequently Asked Questions: SOC 2 Bridge Letter

What is a bridge letter?

  • A SOC 2 bridge letter, also called a gap letter, vouches for your security posture during the interval between an expired SOC 2 report and the completion of a new one. SOC 2 reports do not formally expire, but many prospects and partners will not accept a SOC 2 report that is more than a year old.

Do I need a bridge letter?

  • Many businesses renew their SOC 2 Type I or Type II at the six-month benchmark, eliminating the need for a bridge letter. If your company conducts audits on a 12-month cycle, you may experience a gap in report coverage when your audit dates do not align with your fiscal year.

What should a bridge letter include?

  • The date of your most recent audit
  • The auditing body that conducted your audit
  • The anticipated dates of the new SOC 2 audit
  • Any changes within your company that might affect your controls, policies, or compliance automation platform
  • If no changes have occurred to your compliance process, state this explicitly in the bridge letter.
  • Reiterating your company's commitment to security and compliance is always helpful.

Who should compose the bridge letter?

  • Your organization should be the sole entity that drafts, authorizes, and delivers the SOC 2 bridge letter to any interested party. The bridge letter's goal is to assure interested parties that your company's security posture remains in good standing between audits.

What does a bridge letter look like?

To Interested Party:

Llama Time, Inc. recognizes the need to maintain an appropriate internal control environment and report on the effectiveness of its system of internal control. We also recognize our responsibility to state any material changes to our system.

This letter serves as a confirmation that, based on our records and to the best of our knowledge, for the period of (date) through (date), we are not aware of any material changes to the system of internal control provided by Llama Time, Inc., nor has anything come to our attention that we believe would impact the conclusions reached in the SOC 2 Type II report.

Llama Time, Inc. continually evaluates risks to the system of controls that could be introduced to the scope of Llama Time, Inc.'s control environment.

This letter is not intended to be a substitute for the SOC 2 Type II report for Llama Time, Inc., to provide interested parties with a certification of Llama Time, Inc.'s internal control, or to suggest that Llama Time, Inc. has performed a separate evaluation of its controls for the purposes of producing this letter.

Sincerely,
Llama Time, Inc.

How else can I showcase my company's commitment to security and compliance within Vanta?