A letter issued by the vendor that covers the “gap” between the last SOC report period end date and the date of the letter. It can be used by the user entity (you) as an interim assurance by management while waiting for the next audit report. It should be noted that the CPA firm who performed the audit is not attesting to anything in the gap letter. Once the auditors have issued their report and left the site, they do not know if the internal control environment has changed or not. Therefore, a gap letter is merely management’s (management from your vendor) assertion that controls are still in place and operating effectively.