While service auditor reports (SARs), such as SOC 1 Type 2, or SOC 2 Type 2, offer detailed evaluation over a defined period, they don’t always align perfectly with the service organisation’s client or financial audit timelines. This can leave gaps between reporting cycles where assurance is still required.
To address this, many service organisations issue-bridge letters: brief, management-signed statements asserting if no significant changes have occurred to the control environment since the last attestation. These letters help maintain confidence during interim periods, particularly when a new SAR is not yet available. These letters reference the prior period report and, based on management’s current understanding, assert that the control environment remains stable and effective.
It’s important to note that bridge letters are not audit deliverables. They’re not prepared, signed, or validated by service auditors, and they don’t include results from independent testing or an auditor’s opinion. Instead, they are issued by the service organisation’s management to demonstrate commitment to maintaining continuity in assurance between formal reporting periods.
Bridge letters are commonly used in the following scenarios:
Below is an example timeline of a SOC 2 Type 2 report period and bridge letter coverage. It shows the SOC 2 report covers the period 1st October 2024 to 30th September 2025, and the bridge letter covers the period 1st October 2025 to 31st December 2025.
| 2024 | 2025 | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
October
|
November
|
December
|
January
|
February
|
March
|
April
|
May
|
June
|
July
|
August
|
September
|
October
|
November
|
December
|
|
SOC 2 Reporting Period
|
||||||||||||||
|
Bridge Letter
|
||||||||||||||
|
Service Organisation's Customer's Financial Year
|
||||||||||||||
Example timeline of a SOC 2 Type 2 report period and bridge letter coverage
Despite their usefulness, bridge letters come with issues from an auditor’s standpoint that need to be considered if they’re to be used effectively. These include:
Service organisations often expect auditors to prepare or issue bridge letters. However, bridge letters can only be issued by service organisation’s management, and auditors aren’t responsible for their content or timing.
Auditors are often asked whether bridge letters can cover periods exceeding three months. However, issuing bridge letters for extended durations, particularly beyond a three-month window can compromise their reliability and relevance. Although there’s no formal guidance, generally a statutory auditor wouldn't wish to support a bridging letter over three months as evidence.
Bridge letters shouldn’t be used if there have been significant changes to the organisation’s internal controls.
Some stakeholders mistakenly treat bridge letters as equivalent to a SAR. This is a misconception. Bridge letters lack the rigor, independence, and testing that define formal audit reports.
Where the above challenges arise, service organisations should consider issuing an interim SAR or accelerating the next audit cycle to ensure stakeholders continue to receive reliable and timely assurance.
A newly engaged client preparing for their annual audit needed assurance beyond our latest ISAE 3402 Type 2 report. They requested a bridge letter for auditor reliance during the interim and initially expected our audit firm to provide it.
We clarified that bridge letters are issued by management, not auditors, and shared guidance aligned with industry standards. It included the ISAE 3402 report details, control environment confirmations, and a disclaimer noting it had not been reviewed by the service auditor and was not a substitute for the ISAE 3402 report.
The client successfully issued the bridge letter to their auditors, maintaining continuity of assurance during the interim period. Our proactive support helped strengthen client trust and demonstrated our commitment to transparency and collaboration.
Bridge letters offer a practical way to provide assurance between formal audit periods, helping organisations uphold transparency and meet stakeholder expectations. When used appropriately and with a clear understanding of their limitations, they can support risk management efforts and reinforce confidence in the organisations’ control environment. However, they should be applied with care, ensuring they complement rather than replace the rigour of independent assurance.
For more information, get in touch with Tim Foster-Key.
Five reasons why system implementations fail with actionable recommendations that empower charities to navigate system implementation more effectively.
New autonomous AI tools are changing how risk enters organisations, often without visibility or approval. How can the people responsible for security and resilience tackle them.
Rising insurer exposure to private credit is attracting increasing regulatory scrutiny, with concerns over transparency and systemic credit, liquidity and underwriting risks.
