A letter issued by the vendor that covers the “gap” between the last SOC report period end date and the date of the letter. It can be used by the user entity (you) as an interim assurance by management while waiting for the next audit report.
Note: The CPA firm who performed the audit is not attesting to anything in the gap letter. Once the auditors have issued their report and left the site, they don’t know if the internal control environment has changed or not. Therefore, a gap letter is merely management’s (management from your vendor) assertion that controls are still in place and operating effectively.