Bridge Letters Explained: Covering the Gap Between SOC 2 Report Periods

Understand what a SOC 2 bridge letter is, when to issue one, what it should include, and why it matters between SOC 2 audit periods.

Accorp Compliance Team

Accorp Compliance Team

Our team of compliance experts specializes in PCI DSS, SOC 2, and other security frameworks to help businesses achieve and maintain compliance.

Follow meLinkedIn

Every SOC 2 report has an expiry problem built into it. A Type II report covers a fixed observation window — say, January 1 to December 31 — and the moment that window closes, the report technically starts going "stale." But audits don't finish the day the period ends. Fieldwork, evidence review, and report issuance usually take another four to eight weeks after the period closes. So what happens if a customer, an auditor, or a procurement team needs assurance about your controls right now, sitting in that gap between "period ended" and "report issued"?

That gap is exactly what a bridge letter is built to cover. It's a small document that does one very specific job, and it gets misunderstood more often than almost anything else in the SOC 2 world — including by the vendors who issue them.

What a Bridge Letter Actually Is

A bridge letter — sometimes called a gap letter — is a short, management-issued statement confirming that no material changes have occurred to a company's control environment since the end of its last SOC 2 audit period. It is not an audit. It is not issued by the CPA firm. It is not opined on by an auditor at all. It is a letter written and signed by the company's own management, addressed to whoever needs assurance during the gap — typically a customer, a customer's auditor, or an internal risk team conducting vendor due diligence.

Think of it as management standing behind its own last audited position and saying, in writing: "Nothing meaningful has changed since the period our last SOC 2 report covered." That's the entire function of the letter. Nothing more.

Why the Gap Exists in the First Place

SOC 2 Type II reports don't get issued the instant the observation period ends. The auditor still has to test evidence collected across the period, walk through control operation, resolve any exceptions, and draft and finalize the report — a process that commonly takes anywhere from four to ten weeks depending on the size of the engagement and how clean the evidence trail is.

During that window, the most recent report a company can hand a customer is already for a period that ended weeks ago. If a customer's renewal date, a procurement deadline, or an auditor's own fieldwork happens to fall inside that window, they're left asking a fair question: "Your last report ended two months ago — what's happened to your controls since then?" A bridge letter answers exactly that question, without requiring the company to commission a new audit just to cover a short interim stretch.

Who Actually Asks for One

Bridge letters get requested constantly, and usually by one of three groups:

Enterprise customers running vendor risk reviews. Many large buyers have a compliance calendar of their own, and if their renewal or annual review lands between your report periods, their security or procurement team will ask for a bridge letter to close the gap before signing off.

A customer's external auditor. If your customer is itself subject to a financial statement audit or its own SOC 1/SOC 2 examination, and your services touch their control environment, their auditors may need assurance covering the full period they're auditing — which can extend past your last report date.

Internal risk and GRC teams. Some organizations build bridge letter requests into their standard vendor management process as a matter of policy, requesting one automatically any time a vendor's SOC 2 report is more than a set number of months old.

What Goes Into a Bridge Letter

A well-written bridge letter is short — usually one page — but it needs a handful of specific elements to actually hold up under scrutiny:

  • A clear reference to the prior SOC 2 report, including the report type (Type I or Type II) and the exact period it covered

  • The specific gap period the letter is addressing (for example, "January 1, 2026 through the date of this letter")

  • A management assertion that no material changes have occurred to the design of the controls described in the prior report during the gap period

  • Disclosure of any known changes, incidents, or control modifications during the gap period — a bridge letter that hides a material change is worse than not issuing one at all

  • Signature from an authorized officer of the company, typically someone in a compliance, security, or executive role

  • A statement clarifying that the letter is not an audit opinion and does not extend or modify the conclusions of the original SOC 2 report

That last point matters more than people usually give it credit for.

What a Bridge Letter Is Not

This is where most of the confusion actually lives, so it's worth being blunt about it.

It is not audited. No CPA firm tests anything to produce a bridge letter. There's no fieldwork, no evidence sampling, no control testing behind it. It is entirely a management representation.

It does not extend the SOC 2 report. A bridge letter doesn't add three or six months onto the coverage period of the underlying report. The original report still only covers what it always covered. The bridge letter simply adds a management statement about the gap — it doesn't retroactively pull that gap into audited scope.

It is not a substitute for the next audit. Some vendors treat bridge letters as a way to delay their next SOC 2 cycle indefinitely, issuing letter after letter instead of commissioning a new report. Enterprise buyers have caught onto this, and a pattern of repeated bridge letters instead of a timely renewal is now a fairly well-known red flag in vendor risk reviews.

It doesn't carry an auditor's signature or firm letterhead in most cases. Some CPA firms are willing to review or acknowledge a draft bridge letter for their client, but the letter itself is issued under management's own signature, not the auditor's.

How Long Should the Gap Actually Be

There's no regulatory rule fixing the maximum length of a bridge letter period, but in practice, most experienced auditors and risk teams treat anything beyond three to six months with real skepticism. A bridge letter covering six weeks between period-end and report issuance is completely normal and expected. A bridge letter covering eight or nine months because a company has quietly delayed its next audit cycle is a very different story, and it tends to draw exactly the kind of questions a vendor doesn't want during a renewal conversation.

A Practical Example

Say a company's SOC 2 Type II report covers January 1 through December 31, 2025, and the final report isn't issued until mid-February 2026 once fieldwork wraps up. A customer's contract renewal falls on January 15, and their security team wants current assurance before signing off. The company can't hand over a report that doesn't exist yet — so instead, management issues a bridge letter dated January 15, stating that no material changes have occurred to the control environment described in the December 31, 2025 report, covering the period from January 1 to the date of the letter. Once the actual Type II report is finalized in February, that becomes the new reference point going forward, and the bridge letter has done its job.

Common Mistakes Companies Make With Bridge Letters

A few patterns show up again and again in practice, and they're worth flagging directly:

Issuing a bridge letter without genuinely reviewing whether anything material actually changed, rather than treating it as a rubber-stamp formality. Skipping disclosure of a known incident or control change because it's inconvenient to mention. Letting the gap period stretch far longer than it should because the next audit keeps slipping. And perhaps most common — assuming a bridge letter carries the same weight as an audited report when presenting it to a sophisticated buyer, which almost always backfires once that buyer's security team actually reads it closely.

Why This Matters Beyond Just "Ticking a Box"

A bridge letter is a small document, but it says something real about how seriously a company treats its own compliance posture. Issuing one accurately, disclosing changes honestly, and keeping the gap short signals exactly the kind of operational discipline that a SOC 2 program is supposed to represent in the first place. Treating it as a formality to rush through, on the other hand, tends to show up later — either in a strained renewal conversation or in an auditor asking harder questions the following year.

For companies maintaining an ongoing SOC 2 program, the real fix isn't relying on bridge letters more — it's tightening the audit calendar so the gap stays as short as it's supposed to be in the first place.

Need help structuring your SOC 2 audit calendar so gap periods stay minimal, or want a bridge letter reviewed before it goes out to a customer? Our team works with SaaS, fintech, and cloud service providers through the full SOC 2 lifecycle — readiness, audit, and everything that comes up in between report periods.

Learn more- https://accorppartners.com/services/risk-assurance/soc-2

Also Read

Over 500+ clients have chosen Accorp for their compliance, tax, and risk assurance needs.

MFA on Every CDE Access, Not Just Admins — Why This One Requirement Is Failing More Companies Than Any Other
Blog

MFA on Every CDE Access, Not Just Admins — Why This One Requirement Is Failing More Companies Than Any Other

Read More about MFA on Every CDE Access, Not Just Admins — Why This One Requirement Is Failing More Companies Than Any Other
AI Governance Framework: What Enterprise Buyers Expect Before Signing an AI Vendor Contract
Blog

AI Governance Framework: What Enterprise Buyers Expect Before Signing an AI Vendor Contract

Read More about AI Governance Framework: What Enterprise Buyers Expect Before Signing an AI Vendor Contract
How Should AI Companies Manage Third-Party Vendor Risks Under SOC 2?
Blog

How Should AI Companies Manage Third-Party Vendor Risks Under SOC 2?

Read More about How Should AI Companies Manage Third-Party Vendor Risks Under SOC 2?
SOC 2 Type 1 vs Type 2 for AI Startups: Which One Do Enterprise Clients Actually Require?
Blog

SOC 2 Type 1 vs Type 2 for AI Startups: Which One Do Enterprise Clients Actually Require?

Read More about SOC 2 Type 1 vs Type 2 for AI Startups: Which One Do Enterprise Clients Actually Require?
What Data Protection Controls Do AI Companies Need for SOC 2 Compliance?
Blog

What Data Protection Controls Do AI Companies Need for SOC 2 Compliance?

Read More about What Data Protection Controls Do AI Companies Need for SOC 2 Compliance?