
SOC 2 Bridge Letter: When and How to Issue One

A SOC 2 bridge letter covers the gap between your report period and the current date. Learn when customers need one and how your auditor can issue it.

Key Takeaways
  • A bridge letter (also called a gap letter) covers the period between your last SOC 2 report end date and today.
  • Enterprise buyers request bridge letters when your current report period ended more than a few months ago.
  • Your management (not your auditor) issues the bridge letter — it is a management representation, not an audit report.
  • The bridge letter states that controls have continued to operate effectively in the gap period with no significant changes.
  • A bridge letter is not a substitute for a current SOC 2 report — it is a supplement for existing report holders.

What Is a Bridge Letter?

A SOC 2 bridge letter (also called a gap letter or representation letter) is a formal statement from management that covers the period between the end date of your most recent SOC 2 report and the current date. It bridges the temporal gap for users of the report who need assurance that nothing material has changed since the report period ended.

Bridge letters are management representations — they are not audit opinions. No CPA auditor signs the bridge letter as an auditor. The bridge letter supplements your existing SOC 2 report; it does not replace it.

When Customers Need One

Enterprise customers typically request bridge letters when your SOC 2 Type II report covers a period that ended more than 3–4 months ago and they are conducting security due diligence close to their contract signing date or annual security review cycle.

Example: your Type II report covers April 2025 – March 2026. A customer conducts their security review in August 2026. They want assurance that controls have continued to operate effectively from April to August 2026 — a 5-month gap. A bridge letter from management covers this gap.

What the Letter Must Contain

A bridge letter typically states:
  (1) The company name and reference to the existing SOC 2 report (report date and observation period).
  (2) The bridge period covered by the letter (from report end date to today).
  (3) A statement that controls have continued to operate effectively in the bridge period.
  (4) A statement that no significant changes occurred (or a description of significant changes, if any).
  (5) A statement that management is not aware of any material incidents affecting the security of customer data during the bridge period (or a description of any incidents).

The letter is signed by a senior executive (same level as the management assertion signatory in the SOC 2 report).

Who Issues the Letter

The service organisation's management issues the bridge letter — not the auditing CPA firm. Your auditor may provide a template (many do), but the letter is your management's representation, not the auditor's.

Some auditors offer an "agreed-upon procedures" engagement to provide independent verification of a bridge period — this is more expensive than a management bridge letter but carries greater credibility. For most enterprise due diligence purposes, a management bridge letter is sufficient.

Limitations of Bridge Letters

Bridge letters are unverified management representations. Sophisticated enterprise security reviewers know this — they treat bridge letters as supplementary context, not as independently verified assurance.

The best approach: maintain an annual SOC 2 audit cycle so the gap between report periods is never more than 3–4 months. Companies with an October–September observation period who deliver their report in December have a gap of less than 90 days from report delivery to start of next observation period — bridge letters are rarely needed for more than 2–3 months in a well-timed programme.

Frequently Asked Questions

Is there a standard format for a SOC 2 bridge letter?
There is no AICPA-mandated format. Most bridge letters are 1–2 pages on company letterhead, signed by the CEO or CTO. Your auditor can provide their recommended template. The content requirements are substantive (described above), but the format is flexible.

Can we issue a bridge letter if we had a security incident in the gap period?
Yes, but you must disclose the incident in the letter. A bridge letter that states "no significant incidents occurred" when one did is a material misrepresentation. Describe the incident, its nature, and what was done to contain and remediate it. Enterprise security reviewers can evaluate the incident in context.

How long of a gap period can a bridge letter cover?
Practically, bridge letters covering more than 6 months are unusual and provide weaker assurance. Enterprise buyers typically expect a current report covering the trailing 12 months. If your programme has a gap larger than 6 months, address the audit timing rather than relying on a bridge letter.

Do all SOC 2 report recipients need a bridge letter?
Only those who are conducting security reviews and find the gap period significant for their risk assessment. Many customers who received your report at signing will not request a bridge letter at annual renewal if the report is less than 12 months old and a new audit cycle is underway.

Can a bridge letter cover a change of auditor?
A bridge letter is issued by management, so the change of auditor does not affect its issuance. However, if you're switching auditors, your new auditor will typically need to review your prior report and may conduct a predecessor auditor inquiry — this is standard practice and shouldn't affect your bridge letter.
