What is a bridge letter?

A bridge letter is a written representation from the management of a service organization confirming that no significant changes have occurred to the control environment since the ISAE 3402 report period ended. It "bridges" the gap between the report's coverage period and the user entity's financial year-end.

For example, if a payroll service provider's ISAE 3402 Type II report covers 1 January to 30 September, and the user entity's year-end is 31 December, there is a three-month gap. The bridge letter addresses this gap by providing a management representation that controls continued to operate as described during October, November, and December.

A bridge letter is not an assurance report. It is signed by management of the service organization, not by the service auditor. This distinction is important because the representation is not independently verified — the user auditor must assess its reliability based on the circumstances, including the length of the gap, the risk profile of the outsourced process, and any other available evidence.

Key Points

  • Bridges the gap, does not replace the report. A bridge letter supplements an ISAE 3402 report by covering the period between the report date and the user entity's year-end. It does not provide the same level of assurance as a Type II report.
  • The three-month convention. Most audit firms accept a bridge letter for gaps up to three months. Beyond that, additional procedures are typically required — such as roll-forward testing, direct inquiry, or site visits.
  • Management representation, not auditor assurance. The bridge letter is signed by service organization management. The user auditor must evaluate whether this unaudited representation is sufficient given the risk profile of the outsourced process.
  • Content matters. A useful bridge letter explicitly confirms that no significant changes to controls, key personnel, or IT systems occurred during the gap period. Vague or generic language reduces its value as evidence.

Why it matters in practice

Worked example: Dekker Accountancy

Dekker Accountancy audits three clients that outsource payroll to the same service organization, Horizon Payroll Services. Horizon's ISAE 3402 Type II report covers 1 January to 30 September 2025. All three clients have 31 December year-ends, creating a three-month gap.

Dekker requests a bridge letter from Horizon's management. The letter, dated 15 January 2026, confirms:

  • No changes were made to the payroll processing controls described in the Type II report during October-December 2025.
  • No changes occurred in key IT systems (payroll software version, access controls, backup procedures).
  • No significant personnel changes affected control operators or supervisors in the payroll department.
  • No control exceptions or incidents were identified by internal monitoring during the gap period.

Dekker evaluates the bridge letter and concludes it is sufficient for two clients with straightforward payroll arrangements. For the third client — a larger entity with complex variable compensation — Dekker performs additional roll-forward procedures, including reperforming a sample of payroll reconciliations from Q4.

What reviewers catch

Regulatory inspections frequently identify bridge letter deficiencies:

  • No bridge letter obtained. The most common finding. User auditors relied on the ISAE 3402 report without addressing the gap period at all, leaving an unaudited window in their control assessment.
  • Bridge letter not evaluated. The bridge letter was obtained and filed but the user auditor did not assess whether its content was sufficient or whether additional procedures were needed given the risk profile.
  • Gap exceeds three months without additional procedures. When the gap between the report date and year-end exceeds three months, a bridge letter alone is generally insufficient. Reviewers expect to see roll-forward testing or other supplementary evidence.

Bridge letter vs Type II report

  • Author. A bridge letter is signed by service organization management; a Type II report is issued by an independent service auditor.
  • Assurance level. A bridge letter provides no independent assurance; a Type II report provides reasonable assurance over control operating effectiveness.
  • Testing. A bridge letter contains management assertions only; a Type II report includes the service auditor's description of tests performed and results.
  • Typical coverage. A bridge letter covers 1-3 months; a Type II report covers 9-12 months.

Key standard references

  • ISA 402.12(b): When the service auditor's report does not cover the period needed by the user auditor, the user auditor must obtain evidence about the operating effectiveness of controls during the remaining period.
  • ISA 402.A30: Methods to address a gap period, including inquiring of the service organization, requesting a bridge letter, or performing procedures at the service organization.
  • ISAE 3402.A36: The relationship between complementary user entity controls and the service organization's control environment.
  • ISA 580.9: Written representations as audit evidence — applicable to evaluating the reliability of bridge letters as a form of management representation.

Related terms

ISAE 3402CUECs (Complementary User Entity Controls)Audit SamplingGoing Concern

Related tools

ISAE 3402 Audit Template Pack
ISAE 3402

Related reading

ISAE 3402: Service Organisation Controls Guide
Blog guide

Frequently asked questions

How long a gap period can a bridge letter cover?

There is no fixed rule in the standards, but the three-month convention is widely accepted. A gap of up to three months is generally considered manageable with a bridge letter alone. Beyond three months, most firms require additional procedures — such as roll-forward testing or direct inquiry with the service organization — because a management representation alone provides insufficient evidence over a longer period.

Who signs a bridge letter?

The bridge letter is signed by management of the service organization, not by the service auditor. This is a critical distinction: it is a management representation, not an assurance report. The service organization's management confirms that no significant changes to the control environment have occurred since the ISAE 3402 report period ended. Because it is not independently verified, the user auditor must assess whether the representation is reliable given the circumstances.

What are the limitations of a bridge letter?

A bridge letter is an unaudited management representation. It provides no independent assurance that controls continued to operate effectively during the gap period. Key limitations include: management may not be aware of all control failures; there is no testing of operating effectiveness; and the letter typically covers only controls described in the original ISAE 3402 report. For higher-risk outsourced processes, user auditors should supplement the bridge letter with additional procedures such as direct testing or inquiry.

This glossary entry is for educational purposes and does not constitute legal or professional advice. Always consult the applicable standard text for authoritative guidance.

Last reviewed: March 2026 · Standards version: IAASB 2024 Handbook