Bridge Letter

What is a bridge letter?

Most SOC 1 and SOC 2 reports cover a period ending September 30 or June 30. If your client's fiscal year ends December 31, you have a gap of three to six months with no independent assurance over controls at the service organization. ISA 402.12 requires you to determine whether sufficient appropriate audit evidence is available about the relevant controls at the service organization. When the SOC report period does not cover the full period under audit, ISA 402 .A20 directs you to consider what additional evidence is needed for the uncovered period.

A bridge letter addresses this gap. The service organization (or its auditor) confirms in writing that during the uncovered period: the system description in the SOC report remains accurate, the service organization made no significant changes to the controls described, no control exceptions occurred that would affect the conclusions in the report, and no changes in key personnel or IT systems affected the control environment. If changes did occur, the letter must describe them.

The letter is management's representation, not independently tested evidence. ISA 402 .A22 acknowledges that the user auditor may also need to perform additional procedures if the gap is long or the risk assessment warrants it.

Worked example: Ardennes Verzekeringen N.V.

Client: Belgian insurance company, FY2024, gross written premium €120M, Belgian GAAP reporter. Uses Aon Hewitt for pension administration (a function affecting reported employee benefit liabilities).

Aon Hewitt's SOC 1 Type II report covers January 1 to September 30, 2024. The client's fiscal year ends December 31, 2024. Gap: three months.

Request a bridge letter from Aon Hewitt. The letter should confirm, at a minimum: the system described in the SOC 1 report has not changed materially, the controls tested in the report continued to operate during Q4 2024, no control exceptions occurred during the gap period that would alter the service auditor's conclusions, and no changes in subservice organization arrangements affected the control environment.

Evaluate the gap period risk. For Ardennes Verzekeringen, pension liabilities are calculated quarterly. The Q4 calculation is the one that hits the year-end financial statements. A three-month gap without a bridge letter means no evidence over the controls governing the most material calculation.

Conclusion

the bridge letter, combined with the SOC 1 Type II report, provides coverage for the full fiscal year. If Aon Hewitt had refused to issue the letter, ISA 402 .A22 would require alternative procedures over Q4 (direct testing of controls or re-performance of key reconciliations).

What reviewers and practitioners get wrong

A second frequent issue is obtaining the letter but not reading it critically. A bridge letter that states "no material changes" without specifying the controls covered or the period addressed does not satisfy ISA 402 .A20. The letter must be specific enough that you can conclude controls operated during the gap period.

Key standard references

• ISA 402.12 : Requires the user auditor to determine whether sufficient appropriate audit evidence is available about relevant controls at the service organization.
• ISA 402 .A20–A22: Application guidance on addressing the gap between the SOC report period and the user entity's fiscal year end.

Related terms

Related reading

Frequently asked questions