By Greeshma Yellu, consultant
You know the value of a SOC report: It offers independent assurance to your current customers, prospects and their financial auditors that your organization’s processes and controls are sound and secure. But what about the period between the end date of the last report and the issuing of the new one?
The best way to assure customers that the attested-to internal controls are continuing to operate as usual during this gap is to provide a bridge letter.
These letters are useful for customer relationship management, but sending them is not the auditors' responsibility. It is up to the management of your organization to create, sign and send the letter to clients.
A bridge letter can cover any length of time, but typically it addresses a period shorter than six months.
Why do you need a bridge letter?
When you are performing your annual due diligence or reviewing financially significant vendor operations, the letter “bridges” the time until an auditor can provide a SOC examination. While bridge letters are not a requirement, they may come in handy and are considered a best practice.
If material changes in the internal controls have occurred since the last report, the bridge letter should note those. Other important points to include:
- A statement that your organization is unaware of any other material changes outside of what is listed in the letter
- A reminder that user organizations are responsible for following the complementary user entity controls
- A request for user organizations to read the report previously provided
- A disclaimer that the bridge letter is not a replacement for the actual SOC report
How Wipfli can help
Wipfli has deep experience in helping organizations protect and tailor their business operations to mitigate risk, improve efficiencies and provide a competitive advantage. Learn more about our consulting services that provide clients with a higher level of confidence through a variety of System and Organization Controls (SOC) examinations.