While service auditor reports (SARs), such as SOC 1 Type 2, or SOC 2 Type 2, offer detailed evaluation over a defined period, they don’t always align perfectly with the service organisation’s client or financial audit timelines. This can leave gaps between reporting cycles where assurance is still required.
To address this, many service organisations issue-bridge letters: brief, management-signed statements asserting if no significant changes have occurred to the control environment since the last attestation. These letters help maintain confidence during interim periods, particularly when a new SAR is not yet available. These letters reference the prior period report and, based on management’s current understanding, assert that the control environment remains stable and effective.
It’s important to note that bridge letters are not audit deliverables. They’re not prepared, signed, or validated by service auditors, and they don’t include results from independent testing or an auditor’s opinion. Instead, they are issued by the service organisation’s management to demonstrate commitment to maintaining continuity in assurance between formal reporting periods.
Bridge letters are commonly used in the following scenarios:
Below is an example timeline of a SOC 2 Type 2 report period and bridge letter coverage. It shows the SOC 2 report covers the period 1st October 2024 to 30th September 2025, and the bridge letter covers the period 1st October 2025 to 31st December 2025.
| 2024 | 2025 | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
October
|
November
|
December
|
January
|
February
|
March
|
April
|
May
|
June
|
July
|
August
|
September
|
October
|
November
|
December
|
|
SOC 2 Reporting Period
|
||||||||||||||
|
Bridge Letter
|
||||||||||||||
|
Service Organisation's Customer's Financial Year
|
||||||||||||||
Example timeline of a SOC 2 Type 2 report period and bridge letter coverage
Despite their usefulness, bridge letters come with issues from an auditor’s standpoint that need to be considered if they’re to be used effectively. These include:
Service organisations often expect auditors to prepare or issue bridge letters. However, bridge letters can only be issued by service organisation’s management, and auditors aren’t responsible for their content or timing.
Auditors are often asked whether bridge letters can cover periods exceeding three months. However, issuing bridge letters for extended durations, particularly beyond a three-month window can compromise their reliability and relevance. Although there’s no formal guidance, generally a statutory auditor wouldn't wish to support a bridging letter over three months as evidence.
Bridge letters shouldn’t be used if there have been significant changes to the organisation’s internal controls.
Some stakeholders mistakenly treat bridge letters as equivalent to a SAR. This is a misconception. Bridge letters lack the rigor, independence, and testing that define formal audit reports.
Where the above challenges arise, service organisations should consider issuing an interim SAR or accelerating the next audit cycle to ensure stakeholders continue to receive reliable and timely assurance.
A newly engaged client preparing for their annual audit needed assurance beyond our latest ISAE 3402 Type 2 report. They requested a bridge letter for auditor reliance during the interim and initially expected our audit firm to provide it.
We clarified that bridge letters are issued by management, not auditors, and shared guidance aligned with industry standards. It included the ISAE 3402 report details, control environment confirmations, and a disclaimer noting it had not been reviewed by the service auditor and was not a substitute for the ISAE 3402 report.
The client successfully issued the bridge letter to their auditors, maintaining continuity of assurance during the interim period. Our proactive support helped strengthen client trust and demonstrated our commitment to transparency and collaboration.
Bridge letters offer a practical way to provide assurance between formal audit periods, helping organisations uphold transparency and meet stakeholder expectations. When used appropriately and with a clear understanding of their limitations, they can support risk management efforts and reinforce confidence in the organisations’ control environment. However, they should be applied with care, ensuring they complement rather than replace the rigour of independent assurance.
For more information, get in touch with Tim Foster-Key.
TPR has sharpened expectations for pension scheme administration, highlighting key risks around governance, data integrity and oversight that trustees must act on.
UK crypto regulation is accelerating as the FCA issues new consultations. Learn what firms must do to prepare for authorisation under the incoming regime.
Boards are increasingly being called upon to take ownership of technology risk oversight as a strategic imperative, reinforced by the updated UK Corporate Governance Code and the new Cyber Governance Code of Practice. In 2026, staying ahead of technology risks and regulatory shifts isn’t optional - it’s essential. Are you clear on where to focus to keep your organisation in control?
