Introduction

You're completing an ISAE 3402 engagement for a client's 2025 reporting period. The service organization's system description mentions controls that were in place for part of the year but then modified in September. Your client's user auditor needs clarity on what changed, when it changed, and how it affects their risk assessment. This is exactly why bridge letters exist.
Bridge letters under ISAE 3402 provide user auditors with essential information about significant changes to controls, processes, or other relevant circumstances that occurred between the service auditor's testing periods or after the end of the reporting period. These letters ensure continuity of assurance when gaps exist in the timeline of controls testing.
> What you'll learn:
How to determine when an ISAE 3402 bridge letter is required under ISAE 3402.25
The mandatory content elements that must appear in every bridge letter
How to structure and document the bridge letter using a proven template
Common mistakes that cause user auditor confusion and delay client audits

When Bridge Letters Are Required

Gap Coverage Under ISAE 3402


ISAE 3402.25 requires the service auditor to obtain sufficient appropriate evidence to support their opinion on the description of the service organization's system and the suitability of design and operating effectiveness of controls. When the service auditor's testing period does not align perfectly with the user entity's reporting period, or when significant changes occur after testing concludes, a bridge letter becomes necessary.
The standard does not explicitly mandate bridge letters, but professional judgment under ISAE 3402.A67 requires the service auditor to consider whether additional communication helps user auditors understand the implications of any changes. Bridge letters fill this gap by providing specific information about:

Timing Considerations


Bridge letters most commonly address three scenarios. First, when the service auditor's testing period ends before the user entity's year-end (for example, testing through September 30 for a user entity with a December 31 year-end). Second, when the ISAE 3402 report is issued early in the following year but user auditors need current information for their fieldwork. Third, when the service organization implements material changes to systems or controls after the service auditor's testing concluded.
Each scenario requires different approaches to evidence gathering and different levels of detail in the bridge letter communication.

  • System changes implemented after the testing period ended
  • New controls introduced during the gap period
  • Discontinued controls or processes
  • Changes in key personnel responsible for control execution
  • Modifications to complementary user entity controls (CUECs)

Mandatory Content Elements

System Description Updates


The bridge letter must clearly identify any changes to the service organization's system that occurred during the bridge period. This includes modifications to IT infrastructure, changes to data processing procedures, updates to security protocols, or alterations in the physical environment where controls operate.
According to ISAE 3402.35(b), the service auditor must evaluate whether changes to the system are adequately described. When changes occur after the testing period, the bridge letter serves as the vehicle for communicating these updates to user auditors who rely on current system information for their risk assessments.

Control Environment Changes


Changes in key personnel, organizational structure, or governance arrangements during the bridge period must be disclosed if they affect the control environment's effectiveness. ISAE 3402.A48 emphasizes that the control environment provides the foundation for all other components of internal control.
The bridge letter should specifically address whether new personnel received adequate training, whether segregation of duties remained effective during transitions, and whether management oversight continued without interruption during organizational changes.

New or Modified Controls


When the service organization implements new controls or modifies existing ones during the bridge period, the bridge letter must describe these changes and assess their impact on the control objectives. This assessment helps user auditors determine whether their planned audit procedures remain appropriate or require adjustment.
For modified controls, the bridge letter should explain what changed, when the change became effective, and whether the modified control addresses the same control objective as the original version.

Worked Example: Software Company Migration

Sistemas de Nómina Europeos S.L., a Madrid-based payroll processing service with €15.2 million in annual revenue, completed their ISAE 3402 Type II engagement for the period January 1 through September 30, 2025. During October 2025, the company migrated their primary payroll processing system from their legacy platform to a new cloud-based solution.
The service auditor's testing had confirmed the operating effectiveness of 47 control activities through September 30. However, three major user entities have December 31 year-ends and their auditors need assurance coverage through December 31, 2025.
Step 1. The service auditor meets with Sistemas de Nómina's IT director to understand the migration timeline and control changes.
Documentation note: Meeting minutes filed in bridge letter working paper BL-01, including migration project timeline and control mapping.
Step 2. The service auditor identifies that 12 of the original 47 controls required modification for the new platform, while 8 controls became automated and no longer require manual execution.
Documentation note: Control mapping matrix prepared showing old controls, new controls, and gaps requiring new procedures.
Step 3. The service auditor tests the 12 modified controls for the period November 1-December 15, 2025, using the same testing procedures applied during the original engagement where applicable.
Documentation note: Testing results documented in working papers BL-02 through BL-13, with sample selections following original engagement methodology.
Step 4. The bridge letter is drafted, addressing each affected control objective and explaining how the migration impacts user auditor risk assessments.
Documentation note: Bridge letter draft reviewed by engagement partner and approved December 20, 2025, issued to user auditors December 22, 2025.
The resulting bridge letter provides user auditors with confidence that payroll processing controls remained effective throughout their audit periods, despite the system migration that occurred after the original ISAE 3402 testing period ended.

Bridge Letter Template Structure

Header and Introduction


Begin with a clear statement identifying this as a bridge letter, the service organization name, the original ISAE 3402 report date, and the bridge period being addressed. Include the specific control objectives or service commitments covered by the bridge communication.
State the purpose explicitly: "This bridge letter provides information about changes to [Service Organization]'s system and controls that occurred between [original testing end date] and [bridge period end date] to assist user auditors in their assessment of control risk."

Changes Summary Section


Provide a concise summary of all material changes that occurred during the bridge period. Group changes by category (system changes, control modifications, personnel changes) and use consistent formatting to help user auditors quickly locate relevant information.
For each change, specify the effective date, the reason for the change, and the control objective(s) affected. This summary allows user auditors to quickly determine which areas of their audit might be impacted.

Detailed Change Analysis


For each material change identified in the summary, provide detailed analysis including:

Conclusion and Recommendations


Conclude with the service auditor's overall assessment of how the changes affect the user auditor's reliance on service organization controls. Provide specific recommendations for additional audit procedures if the changes create new risks or eliminate previously tested controls.

  • The specific nature of the change
  • Testing procedures performed by the service auditor (if any)
  • Results of that testing
  • Implications for user entity controls
  • Any compensating controls implemented during the transition period

Practical Implementation Checklist

  • Document the bridge period scope - Clearly define start and end dates, focusing on the gap between service auditor testing and user entity year-ends or current audit fieldwork requirements.
  • Inventory all system changes - Review change management logs, interview key personnel, and examine system documentation to identify modifications during the bridge period.
  • Assess control impact - Map each change to affected control objectives from the original ISAE 3402 report, identifying new controls, modified controls, and discontinued controls.
  • Perform targeted testing - Test modified or new controls using procedures consistent with the original engagement methodology, focusing on the bridge period.
  • Draft comprehensive communication - Use the template structure to ensure all mandatory elements are addressed and user auditors receive actionable information.
  • Obtain management representation - Secure written confirmation from service organization management that all material changes during the bridge period have been disclosed and accurately described.

Common Implementation Mistakes

Insufficient change identification: Service auditors sometimes focus only on obvious system changes while overlooking personnel transitions, policy updates, or environmental changes that affect control execution. International inspection findings show this accounts for approximately 30% of bridge letter deficiencies.
Inadequate testing procedures: Applying different testing methodologies in the bridge letter compared to the original engagement creates inconsistency that user auditors struggle to evaluate and integrate into their risk assessments.
Vague impact assessment: Bridge letters that describe changes without clearly explaining their implications for user auditor procedures provide limited value and may require follow-up communications that delay user entity audits.

Related Content

---

Recibe información práctica de auditoría, semanalmente.

Sin teoría de examen. Solo lo que hace que las auditorías funcionen más rápido.

Más de 290 guías publicadas20 herramientas gratuitasCreado por un auditor en ejercicio

Sin spam. Somos auditores, no vendedores.