ISAE 3402 Bridge Letter: Purpose and Template

It’s January. Your client’s financial year closed 31 December. The Type II report from the service organisation covers 1 April to 31 March of the prior year. Nine months of your audit period have no control evidence. You could request an updated report, but the service organisation says the next one won’t be ready until May. You could perform substantive procedures to cover the gap, but that means rebuilding your entire audit approach for the affected assertions two weeks before sign-off. Or you could obtain a bridge letter.

A bridge letter is a written representation from the service organisation confirming that no significant changes occurred to the controls described in the most recent Type II report between the report period end date and a specified later date (typically the user entity’s financial year end), enabling the user auditor to extend reliance on the report under ISA 402.12 to cover the gap period.

What ISA 402.12 requires when the report period doesn’t match

ISA 402.12 states that when the Type II report covers a period that does not align with the user auditor’s audit period, the user auditor must obtain evidence about the design and operating effectiveness of the relevant controls during the period not covered. The standard gives you three routes: obtain additional evidence directly from the service organisation, rely on additional audit procedures performed at the user entity, or use a combination of both.

The standard doesn’t mention bridge letters by name. The term comes from practice. But the concept maps directly to ISA 402.12(a): obtaining information from the service organisation about whether significant changes have occurred since the date of the Type II report.

The gap period is the time between the end of the Type II report period and the end of your audit period. For Dutch audit engagements, where most service organisations issue reports on a calendar year or an April-to-March cycle, the gap is typically one to nine months. ISA 402 doesn’t set a maximum acceptable gap. Professional judgment applies. The AFM has informally indicated that gaps exceeding six months require more than a bridge letter alone, though this isn’t codified in a published standard. For gaps of one to six months, a bridge letter combined with management inquiry at the user entity is widely accepted as sufficient.

What a bridge letter is and what it is not

A bridge letter is a written representation from the service organisation’s management. It confirms that the controls described in the Type II report have not changed significantly since the report period ended. It does not provide tested evidence. No auditor has tested controls during the gap period. No samples have been examined.

This distinction matters for your documentation. You can’t describe the bridge letter as “evidence of operating effectiveness” during the gap period. It’s evidence that the service organisation’s management asserts no significant changes occurred. That’s a lower grade of evidence than a Type II report, which contains tested results. Your working paper should reflect this distinction: the Type II report covers the report period with tested evidence, and the bridge letter extends your reliance into the gap period based on management representations supported by your additional inquiry.

The five elements your bridge letter must contain

The letter must be addressed to your client (the user entity) or directly to you as the user auditor. It must be signed by an individual with sufficient authority at the service organisation (typically the COO, head of operations, or managing director). A letter signed by a relationship manager or sales contact doesn’t carry the same evidentiary weight.

Element 1: Reference to the Type II report

The letter must identify the report by name, the period it covers, and the service auditor who issued it. “The ISAE 3402 Type II report for the period 1 April 2023 to 31 March 2024, issued by Jansen & Partners Accountants on 15 June 2024.” Without this reference, the bridge letter floats without an anchor.

Element 2: System description accuracy

A confirmation that the description of the system in the Type II report remains materially accurate as of the bridge date. This covers process changes, IT system changes, and control environment changes.

Element 3: Controls continued to operate

A confirmation that the controls described in the Type II report continued to operate throughout the gap period with no significant changes. This is the core confirmation. “Significant” does the work here. Minor personnel changes or routine system patches don’t qualify. A change to the control design, a system migration, or the departure of a key control owner does.

Element 4: Known incidents or exceptions

A statement identifying any known control failures, exceptions, or incidents during the gap period that the service organisation is aware of. This is the confirmation most template bridge letters omit. Without it, the bridge letter only tells you what didn’t change. It doesn’t tell you what went wrong.

Element 5: Specific bridge date

The specific date through which the confirmations apply. This must cover your client’s financial year end. A bridge letter dated 15 January 2025 that confirms no changes “through the date of this letter” bridges to 15 January, not to 31 December 2024. Check this before filing.

When a bridge letter alone is not sufficient

A bridge letter is one piece of evidence. For short gaps (one to four months) with a reputable service organisation and no known changes, it’s often sufficient when combined with inquiry of user entity management. For longer gaps or higher-risk situations, you need more.

Gaps exceeding six months strain the reliability of a management representation. The further the bridge date is from the Type II report period end, the more likely it is that something changed. For a nine-month gap, consider supplementing the bridge letter with your own inquiry of the service organisation’s management, inspection of interim monitoring reports, or additional substantive procedures at the user entity covering the gap period.

Known changes during the gap period disqualify the bridge letter from standing alone. If the service organisation migrated to a new IT platform, replaced its head of operations, or reported a control incident, the bridge letter can confirm what changed, but it can’t provide evidence that the controls operated effectively after the change.

When the service organisation is central to a high-risk assertion (revenue recognition, investment valuations, complex financial instruments), the bar for evidence quality is higher regardless of gap length. ISA 402.12 applies professional judgment, and professional judgment for high-risk assertions tilts toward more evidence, not less. Document your assessment of why the bridge letter (alone or combined with other procedures) is sufficient given the risk level.

How to evaluate the bridge letter as evidence

When the letter arrives, don’t file it and move on. Read it against the five elements above. If any element is missing, go back to the service organisation and request a revised letter. Accepting an incomplete bridge letter is the most common error the AFM flags in this area.

Assess the signer’s authority. The person signing the letter should be senior enough to have oversight of the control environment. If the letter is signed by someone you haven’t heard of, check their role. A bridge letter from the service organisation’s client relationship manager doesn’t carry the same weight as one from the COO or head of internal audit.

Compare the letter’s confirmations against what you know. If your client’s finance team mentioned that the service organisation upgraded its platform in September, but the bridge letter says nothing changed, that’s a contradiction you need to resolve before accepting the letter. Inquiry of user entity management under ISA 402.12(b) serves as a corroboration check on the bridge letter’s representations.

Document your evaluation in a working paper separate from the service organisation report review. State what the bridge letter confirms, what it doesn’t cover, how you corroborated its representations, and your conclusion on whether it provides sufficient evidence to extend reliance.

What to do when the service organisation won’t provide one

Some service organisations refuse to issue bridge letters. They may cite legal risk, internal policy, or just not have a process for producing one. This doesn’t end your audit. It means you need to take one of the other routes under ISA 402.12.

Perform inquiry of the service organisation’s management directly (by phone or in a meeting) and document the responses. Ask the same questions the bridge letter would have answered: have controls changed, have incidents occurred, has the system been modified. Record who you spoke to, their role, the date, and their responses. This is weaker evidence than a signed letter, but it’s still evidence under ISA 402.12(a).

Alternatively, increase your substantive procedures at the user entity to cover the gap period without relying on the service organisation’s controls. If you were planning to rely on the service organisation’s three-way matching control to reduce your substantive testing of payables, and you can’t obtain gap-period evidence for that control, you test payables substantively for the full period.

In either case, document why the bridge letter wasn’t obtained, what alternative procedures you performed, and why those procedures provide sufficient evidence. The file should show that the gap was addressed, not that it was ignored because the service organisation declined to cooperate.

Worked example: Bakker Logistics B.V.

Scenario: Bakker Logistics B.V. is a Dutch freight forwarding company with €54M revenue, audited by a mid-tier firm. Bakker outsources its freight billing and accounts receivable processing to TransPort Services N.V. The engagement team received a Type II report from TransPort’s service auditor covering 1 January 2024 to 30 June 2024. Bakker’s financial year ends 31 December 2024. The gap period is six months (1 July 2024 to 31 December 2024).

Step 1: Request the bridge letter

The engagement team sent a bridge letter request to TransPort Services N.V. on 10 December 2024, using the template from the ISAE 3402 Workbook. The request specified the five required elements and asked for confirmations through 31 December 2024.

Documentation note: Retain the request letter in the file (WP ref: D.2.3a). Date-stamp the request. If the service organisation doesn’t respond within three weeks, follow up in writing. Late bridge letters are a recurring cause of delayed audit completions.

Step 2: Receive and review the bridge letter

TransPort’s COO (M. van der Berg) signed and returned the bridge letter on 8 January 2025. The letter confirmed: the Type II report (covering 1 January to 30 June 2024, issued by De Wit Accountants on 20 August 2024) accurately described TransPort’s system as of 31 December 2024. No significant changes to controls occurred during the gap period. TransPort’s billing platform (FreightCalc v4.2) was not upgraded or replaced. One incident was disclosed: a server outage on 14 October 2024 delayed billing processing by 48 hours, with all delayed invoices processed by 16 October 2024 and no data loss confirmed by TransPort’s IT team.

Documentation note: Record each of the five elements and whether the letter satisfies them. Flag the October incident for follow-up. The incident doesn’t invalidate the bridge letter, but it requires the engagement team to assess whether the 48-hour delay affected the completeness of Bakker’s Q4 revenue. Cross-reference to the revenue completeness substantive test (WP ref: E.1.4).

Step 3: Corroborate with user entity management

The engagement team asked Bakker’s finance director (S. Dekker) whether TransPort communicated any control changes, service disruptions, or billing errors during H2 2024. Dekker confirmed awareness of the October outage and stated that Bakker’s internal reconciliation of TransPort billing output to the freight management system identified no missing invoices after the incident. No other service disruptions or changes were communicated.

Documentation note: Record the inquiry, the person, the date, and the response. Note the consistency between the bridge letter’s disclosure (October outage) and management’s confirmation. This corroboration supports the reliability of the bridge letter’s representations under ISA 402.12(b).

Step 4: Assess sufficiency and conclude

The gap period is six months. The bridge letter contains all five required elements. The disclosed incident (48-hour processing delay) was isolated, resolved without data loss, and corroborated by Bakker’s own reconciliation. The engagement team concluded that the bridge letter, combined with management inquiry at Bakker, provides sufficient evidence to extend reliance on TransPort’s controls to 31 December 2024 for the assertions relevant to freight billing and accounts receivable processing.

Documentation note: State your conclusion explicitly. Reference the Type II report review (WP ref: D.2.1), the bridge letter (WP ref: D.2.3b), the management inquiry note (WP ref: D.2.4), and the CUEC testing (WP ref: D.2.2). ISA 402.15 requires sufficient appropriate evidence. Your conclusion should tie all four sources together in one paragraph.

Practical checklist for your next bridge letter

1. Request the bridge letter at least six weeks before your planned completion date. Service organisations with hundreds of user auditors process these requests in batches. Late requests delay your sign-off.
2. Use a template that specifies the five required elements. Don’t rely on the service organisation’s standard form letter; it will typically omit element four (known incidents). The ISAE 3402 Workbook includes a request template with all five elements pre-drafted.
3. When the letter arrives, check it against the five elements before filing it. A missing element means going back to the service organisation. Don’t discover this at review stage.
4. Corroborate the bridge letter with inquiry of user entity management under ISA 402.12(b). Ask whether the user entity experienced any service disruptions, billing errors, or control change notifications during the gap period. Consistency between the bridge letter and management’s account strengthens your evidence.
5. For gaps exceeding six months, document why the bridge letter alone is sufficient or what additional procedures you performed. The AFM treats gap-period evidence as a binary check: addressed or not addressed.
6. If the service organisation declines, document the refusal, switch to alternative procedures under ISA 402.12, and adjust your audit approach within one week of the refusal. Waiting erodes your timeline.

Common mistakes regulators flag

• The AFM’s 2023 thematic review identified files where the bridge letter was obtained but contained no confirmation about control incidents or exceptions during the gap period. The letter confirmed “no changes” to the control design but didn’t address whether the controls actually operated. ISA 402.12 requires evidence about operating effectiveness, not just design continuity.
• The FRC’s 2022–23 Audit Quality Inspection found that some bridge letters were signed by individuals without sufficient authority at the service organisation (client relationship managers, sales contacts) and the user auditor did not assess the signer’s competence to make the representations. ISA 402.16’s requirement to evaluate the service auditor extends by analogy to evaluating the credibility of representations obtained directly from the service organisation.

Related Ciferi content

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions

Further reading and source references

• IAASB Handbook 2024: the authoritative source for the complete ISA 402 text, including the gap-period requirements at ISA 402.12.
• ISAE 3402, Assurance Reports on Controls at a Service Organisation: the standard governing the Type II report the bridge letter extends.
• ISA 315 (Revised 2019), Identifying and Assessing Risks of Material Misstatement: the risk assessment that determines which service organisation controls are relevant.
• ISA 500, Audit Evidence: the framework for evaluating the sufficiency and appropriateness of the bridge letter as audit evidence.