When it comes to storing, managing, and transmitting sensitive financial information or other customer data, internal and external stakeholders want assurance that your procedures and services are robust, trustworthy, and transparent. System and Organization Controls (SOC) reports, developed by the American Institute of Certified Public Accountants (AICPA), are designed to demonstrate exactly that. Even if you are familiar with this type of reporting, you may still be unsure about the definition and purpose of a SOC bridge letter, a document that often plays a crucial role in briefly extending the relevance of a SOC report past the end of its examination period. Understanding the SOC bridge letter helps you give every internal and external stakeholder ongoing assurance of your commitment to data security.
The Benefits of Getting a SOC Report
SOC reporting gives your business an opportunity to have the controls you have put in place to keep your systems and data secure assessed and reported on by an independent CPA firm. Thanks to the documentation produced when this examination is complete, your firm can expect the following benefits:
- Fulfill contractual and customer obligations with customized, targeted reports;
- Identify and address organizational risk;
- Provide transparency to all stakeholders, thus facilitating trust;
- Document compliance with industry standards.
In most cases a SOC examination should be conducted annually in order to ensure and demonstrate the effectiveness of your company’s controls environment. However, the end date of the report’s examination period will often not line up with the reporting date your customers need covered, typically the end of their fiscal year, leaving an interval that the report does not address. If this interval is three months or less, your business can close it with what is known as a bridge or gap letter; a longer interval is generally taken as a sign that a new examination is due.
What is a Bridge Letter?
As the name implies, a gap letter fills the void between the end of a SOC report’s examination period and the end of the fiscal year (or other reporting date) that your customers need covered. Its purpose is to inform stakeholders that your controls have not undergone any significant changes or issues over that span of time, so that the findings of the SOC report can still be relied upon. The letter is a representation by the management of your organization: it is signed by management and sent directly to your customers, with no involvement by the CPA firm that performed the SOC examination. The auditor performs no additional procedures and does not attest to the contents of a SOC 1 or SOC 2 bridge letter, which is why a bridge letter carries less weight than the report itself and can only extend it for a short time.
What Does a SOC Bridge Letter Contain?
The bridge document that you submit to your stakeholders should contain the following components:
- The start and end dates of the examination period covered by your most recent SOC report.
- Disclosure of any changes in your company’s internal control environment since the SOC report’s period end date (if no changes have occurred, this must be stated explicitly).
- A statement that your service organization is not aware of any changes or issues in the control environment that would affect the auditor’s findings.
- A statement that the bridge letter covers only your organization and not any other entity.
- A reminder to user organizations that they remain responsible for the complementary user entity controls described in the report.
The bridge letter should be accompanied by a copy of the SOC report it refers to, so that stakeholders can check the letter against it. Under no circumstances should a gap letter be treated as a substitute for your next SOC examination.
Bridge Letters in Detail
A clear and thorough gap letter is one of the best information supplements your company can provide to its vital stakeholders when there is a gap between your SOC examination’s period end date and the fiscal year-end your customers report on. To make sure these insights reach all parties in an understandable form, consider the following guidelines:
- The first paragraph should describe the services your organization provides. It should also name the CPA firm that conducted the SOC examination and give the report’s issue date along with the start and end dates of the examination period.
- The next paragraph should address any changes to the internal control environment, underscoring the importance of ongoing monitoring, review and evaluation. If material changes occurred to the control environment after the end of the examination period, they should be described in detail, including dates. If no changes occurred, this should be stated just as clearly. In either case, the paragraph should state whether, to management’s knowledge, anything has happened since the end of the examination period that would alter the auditor’s findings.
- The final paragraph emphasizes the service organization’s commitment to continually evaluating and upgrading its physical and cloud-based technology, information security controls and procedures. It should also remind stakeholders of their own responsibility for the complementary user entity controls and systems on their side. Finally, it should include a disclaimer stating that the gap letter is not a substitute for an actual SOC report.
SOC reports give stakeholders independent verification that the controls you describe were in place and effective over the period examined. When weeks or even months separate the end of that period from your customers’ fiscal year-end, use a bridge letter to give your clients the reassurance they need for the interval. Doing so is one vital way to protect your company’s interests while providing full disclosure to your valued stakeholders.