What you'll learn
- How to structure a bridge letter that satisfies user auditor requirements under ISA 402.12
- Where the 0-to-3-month, 3-to-6-month, and 6-month-plus gap period thresholds come from (and why you won't find them in any standard)
- What management assertions the letter must contain to be usable
- How to handle complementary user entity controls and subservice organisations in the bridge period
The 3-month convention isn't in ISAE 3402. It's in everyone's engagement letters anyway. Open the standard, search for "bridge letter," and the term doesn't appear once. Open ISA 402. Not there either. The convention lives entirely in firm methodology and inspection observations, propagated through working-paper (WP) templates. Every auditor has written a bridge letter they privately thought was pointless. The Type II report ended 30 September, the user entity's year-end (YE) is 31 December, someone ticks "appears reasonable. Waive further pursuit." on the gap period, and the file moves on.
A bridge letter is a written management assertion that controls described in the Type II report continued to operate effectively during the gap period between the report's end date and the user entity's reporting date, allowing the user auditor to maintain reliance under ISA 402. It's evidence. It isn't assurance. And the three-month boundary that governs whether it's enough evidence is entirely practitioner-made.
What is a bridge letter and why does it exist
ISAE 3402 requires the service auditor to test controls over a specified period. That period rarely aligns with every user entity's financial year-end. A payroll processor might have a Type II report covering 1 January to 30 September 2025, while user entities report on calendar year-ends. The user auditor needs assurance that the controls described in the report kept operating from 1 October through 31 December.
ISA 402.12 requires the user auditor to evaluate whether sufficient appropriate audit evidence is available about the relevant financial statement (FS) assertions. When a gap exists between the service auditor's report period and the user entity's reporting date, ISA 402.A35 directs the user auditor to consider obtaining additional evidence for the gap period. The bridge letter is the primary mechanism.
The letter itself is not an assurance engagement. No auditor signs it. Management of the service organisation provides a written representation (RN) that specific conditions held during the gap period. It functions as one piece of evidence among several the user auditor evaluates under ISA 402.
The gap period thresholds nobody codified
Every experienced practitioner knows the convention. A gap of up to three months is generally acceptable with a bridge letter alone. Three to six months is problematic and typically requires additional procedures. More than six months is insufficient for reliance, and the user auditor will ordinarily need a separate report or direct testing.
Search ISAE 3402 for these thresholds. They do not appear. Search ISA 402. Not there either. Check ISAE 3000 (Revised). Nothing.
The three-month convention originated in practice, reinforced by firm methodology manuals at the larger networks and by inspection observations from regulators including the AFM and PCAOB. When the PCAOB reviews files where user auditors placed reliance on service organisation reports with extended gap periods, the inspection staff expect to see either a bridge letter (for short gaps) or additional procedures (for longer ones). The three-month boundary became the de facto standard because it roughly approximates one quarter of a financial year, a period over which the risk of undetected control changes remains low enough that a management assertion provides reasonable comfort.
For gaps of three to six months, user auditors typically need to supplement the bridge letter with additional procedures. These might include inquiries of service organisation management about changes, inspection of interim reports or communications to user entities, review of any incident reports or system change logs from the gap period, or testing of controls at the user entity that compensate for the reliance gap. At firms like ours, a bridge letter alone, without supplementary evidence, is unlikely to satisfy ISA 402.12 for a gap this long.
The supplementary procedures should focus on the specific risks most likely to have changed during the gap period. If the service organisation processes payroll, ask whether any system updates or staffing changes occurred. If it manages IT infrastructure, request the change log for the gap period and compare the volume and nature of changes against the report period. The procedures do not need to replicate the service auditor's testing. They need to give the user auditor a reasonable basis for concluding that no material changes occurred.
Beyond six months, the report is stale. The gap period exceeds half the typical reporting period, and management's assertion about continued operating effectiveness carries too much risk. In practice, this means the user auditor either obtains a new or updated Type II report or performs direct testing at the service organisation (if permitted by arrangement). If neither is feasible, the user auditor restricts reliance on the service organisation report and expands substantive testing at the user entity level.
Some service organisations issue reports with a 30 September end date specifically to accommodate December year-end user entities with a three-month gap. Others issue reports ending 31 December, creating no gap for calendar YE entities but a potential twelve-month gap for user entities with 31 December year-ends in the following year who rely on the prior-year (PY) report. The timing choice by the service organisation directly affects how many of its user entities can rely on the report without supplementary procedures. User auditors should verify the report end date early in the planning phase, not at completion when it is too late to request a bridge letter or plan additional work.
What the letter must contain
The ISAE 3402 template pack includes a four-page bridge letter template that covers each required element. Here is what each section addresses and why it matters.
Start with identification of the most recent Type II report (report date, opinion date, period covered, service auditor's name). This anchors the letter to a specific engagement. Without it, the user auditor cannot verify which report the bridge assertion relates to.
A clear statement of the gap period follows. The letter identifies the exact dates between the report's end date and the date of the letter (or the user entity's reporting date, whichever is earlier). Ambiguity here is the most common deficiency. A letter that says "the period since the report" without specifying dates is not usable.
The management assertion: four elements that matter
The assertion paragraph is the core of the letter. It must address four distinct points, each phrased as a positive assertion by management.
First, control design. Management asserts that the controls described in the Type II report were suitably designed throughout the gap period. This means no control was removed, replaced with a materially different process, or left without an owner.
Second, operating effectiveness. Management asserts that the controls operated effectively throughout the gap period. This is the assertion that carries the most weight and the most risk. It means the controls did not just exist on paper. They were performed as described, at the stated frequency, by the designated personnel. If the payroll variance review described in the report was supposed to happen monthly, management is asserting it happened every month of the gap period.
Third, system description accuracy. Management asserts that the system description included in the Type II report remained accurate during the gap period. No material changes to the IT environment, the organisational structure, the processing workflow, or the control environment occurred that would make the description misleading. If a major system migration happened in October but the Type II report described the pre-migration system, the bridge letter cannot assert description accuracy without disclosing the change.
Fourth, no new material risks. Management asserts that no events, conditions, or risks arose during the gap period that would materially affect the control environment or the achievement of control objectives. This catches items like regulatory investigations, staff turnover in control-relevant roles, cyber incidents, or operational disruptions that could undermine control effectiveness even if individual controls technically continued to operate. In our experience, it's this fourth element reviewers probe hardest. Ticking and bashing past a generic "no material events" statement is where the file falls apart under scrutiny.
Subservice organisations in the bridge period
How the original Type II report handled subservice organisations determines what the bridge letter must address.
Under the carve-out method, the subservice organisation's controls are excluded from the service auditor's report, and the service organisation describes only its monitoring controls over the subservice organisation. The bridge letter must assert that these monitoring controls continued to operate during the gap period. It does not (and cannot) assert anything about the subservice organisation's own controls. The user auditor needs separate assurance for the subservice organisation, either through that entity's own Type II report or through direct testing.
Under the inclusive method, the subservice organisation's controls are included in the report, and the service auditor tested them during the report period. The bridge letter must assert continued effectiveness for the subservice organisation's controls as well. This is a materially stronger assertion and requires management of the primary service organisation to have a basis for making it. In practice, this means the primary service organisation needs ongoing monitoring evidence (internal reporting from the subservice organisation, or its own bridge letter from the subservice organisation's management).
The ISAE 3402 template pack includes a table in the bridge letter that distinguishes these two methods and prompts the appropriate assertions for each. Failing to address subservice organisations at all is one of the more frequent deficiencies user auditors encounter when reviewing bridge letters.
Who signs and why it matters
A bridge letter is a management representation. It carries the same weight as a management RN letter in a financial statement audit under ISA 580. Signatories must have the authority and the knowledge to make the assertions contained in it.
This means CEO, CFO, or equivalent senior management. Not a relationship manager. Not a compliance officer who wasn't involved in the control environment. Not a junior staff member authorised to sign "on behalf of" management. The PCAOB has flagged instances where user auditors accepted bridge letters signed by individuals without appropriate authority. The AFM's inspection observations include similar findings about the adequacy of management representations from service organisations.
If the service organisation pushes back on having senior management sign, that itself is a risk indicator. A service organisation confident in its controls during the gap period has no reason to resist a senior-level assertion.
What the user auditor does with the letter
Receiving a bridge letter is not the end of the user auditor's work. ISA 402 requires the user auditor to evaluate the evidence obtained and determine whether it provides a sufficient basis for reliance.
Under ISA 402.A36, the user auditor considers the length of the gap period, the nature of any changes communicated, the quality of the service auditor's report, and whether additional evidence is available. A bridge letter for a two-month gap from a service organisation with a clean Type II opinion and no changes is straightforward. A bridge letter for a five-month gap from an organisation whose report contained testing deviations requires more scepticism.
The user auditor should document the evaluation of the bridge letter in the audit file, including the assessment of the gap period length against the three-month convention, the evaluation of the signatories' authority, a review of whether the assertions are specific enough to be useful, and the conclusion on whether supplementary procedures are needed. ISA 230 documentation standards apply. The file should tell a story. An experienced auditor picking it up cold should be able to follow what evidence was obtained and what conclusions were drawn.
A common mistake is filing the bridge letter without any evaluation. The letter sits in the service organisation section of the file, but no WP documents that the user auditor actually read it, assessed its content, evaluated the signatories, or considered the gap period length. This is the file equivalent of receiving audit evidence and not looking at it. The evaluation WP does not need to be long. A half-page memo covering the four elements (gap period assessment, signatory authority, assertion completeness, reliance conclusion) is sufficient.
When multiple user entities rely on the same service organisation, the bridge letter typically covers all user entities rather than being issued individually. The user auditor should verify that the letter's scope includes the specific services used by their client, particularly if the service organisation provides different services to different user entities. A bridge letter covering payroll processing does not provide assurance over fund administration, even if the same service organisation provides both.
Worked example: Vermeer Payroll Services B.V.
Vermeer Payroll Services B.V., a Dutch payroll processor serving 45 user entities, issued a Type II report for the period 1 January to 30 September 2025. The service auditor (a mid-tier Dutch firm) issued an unqualified opinion dated 15 November 2025. One of Vermeer's user entities, a logistics company with a 31 December 2025 year-end, asks its user auditor for assurance over the October-to-December gap period. Vermeer uses a cloud infrastructure provider under the carve-out method.
Identify the gap period and assess its length. The gap runs from 1 October 2025 to 31 December 2025: exactly three months. This falls within the acceptable range under the industry convention. A bridge letter without additional procedures should be sufficient, provided its content is adequate. Documentation note: Record the gap period calculation in the planning section of the service organisation reliance working paper. State the assessed length and the conclusion on acceptability.
Request the bridge letter with specific content requirements. The user auditor sends Vermeer a request specifying the four required assertion elements: continued control design, continued operating effectiveness, system description accuracy, and no new material risks. The request also asks for explicit treatment of the cloud infrastructure provider under carve-out. Documentation note: Retain a copy of the request letter in the file. Document that the request specified the required content elements.
Evaluate the received letter. Vermeer's CFO and CEO sign a letter dated 15 January 2026. The letter references the specific Type II report, identifies the gap period as 1 October to 31 December 2025, makes all four assertions, and includes a carve-out table confirming that monitoring controls over the cloud provider operated during the gap period. It discloses one change: a new payroll team leader started in November 2025, but no control responsibilities changed. Documentation note: Record the evaluation of each assertion element. Note the disclosed change and assess whether it affects the control environment. Conclude that the personnel change does not affect operating effectiveness because control responsibilities remained with the same roles.
Document the reliance conclusion. The user auditor concludes that the bridge letter, combined with the unqualified Type II opinion and the three-month gap period, provides sufficient appropriate evidence under ISA 402.12 for the October-to-December period. No additional procedures are needed. Documentation note: State the overall reliance conclusion in the service organisation working paper. Reference the bridge letter, the Type II report, the gap period assessment, and the ISA 402.12 requirement satisfied.
A reviewer opening this file sees a complete chain: the Type II report, the gap period assessment with the industry convention applied, the bridge letter with all required elements, the signatory evaluation, and the reliance conclusion tied to ISA 402.
Practical checklist
Common mistakes
- Accepting a bridge letter that states "controls continued to operate" without specifying which controls, which period, or whether the system description remained accurate. The AFM has flagged bridge letters lacking specificity in service organisation reliance files.
- Treating a bridge letter as sufficient for a gap period exceeding three months without performing or documenting any additional procedures. The PCAOB's inspection observations note that extended gap periods require supplementary evidence beyond a management assertion.
- Filing the bridge letter without evaluating the signatories' authority or the completeness of the assertions, leaving no documented conclusion on whether the letter actually satisfies ISA 402.12.
Related content
- ISAE 3402 glossary entry. Explains the difference between Type I and Type II reports, the role of the service auditor, and the relationship between ISAE 3402 and ISA 402 for user auditors evaluating service organisation reliance.
- ISAE 3402 template pack. Includes the four-page bridge letter template with pre-built assertion paragraphs, the carve-out/inclusive method table, and gap period guidance referenced throughout this post.
- CUECs: how to test them through the full audit period. Covers complementary user entity controls, which must also be evaluated during the bridge period if the user auditor relies on the service organisation report.
Frequently asked questions
Where is the 3-month bridge letter threshold codified in ISAE 3402 or ISA 402?
It is not codified in any standard. The 3-month convention is a practice norm that originated in firm methodology manuals at larger networks and was reinforced by inspection observations from regulators including the AFM and PCAOB. ISA 402.A35 directs the user auditor to consider obtaining additional evidence for gap periods but does not specify a numeric threshold.
What four assertions must an ISAE 3402 bridge letter contain?
The letter must assert that: (1) controls described in the Type II report were suitably designed throughout the gap period; (2) those controls operated effectively throughout the gap period; (3) the system description remained accurate with no undisclosed material changes; and (4) no events, conditions, or risks arose that would materially affect the control environment or the achievement of control objectives. Omitting any of these elements renders the letter insufficient for ISA 402.12 reliance purposes.
What additional procedures are needed when the gap period exceeds three months?
For gaps of three to six months, the user auditor should supplement the bridge letter with inquiries of service organisation management about changes, inspection of interim reports, review of incident reports or system change logs, and testing of compensating controls at the user entity. Beyond six months, the report is considered stale and the user auditor ordinarily needs either a new or updated Type II report or direct testing at the service organisation.
How should a bridge letter address subservice organisations under the carve-out method?
Under the carve-out method, the subservice organisation's controls are excluded from the Type II report, so the bridge letter must assert that the primary service organisation's monitoring controls over the subservice organisation continued to operate during the gap period. The bridge letter cannot assert anything about the subservice organisation's own controls. The user auditor needs separate assurance for the subservice organisation through that entity's own Type II report or direct testing.
Who should sign an ISAE 3402 bridge letter, and why does signatory authority matter?
The bridge letter is a management representation carrying the same evidential weight as management representation letters under ISA 580. It must be signed by individuals with the authority and knowledge to make the assertions (typically the CEO, CFO, or equivalent senior management). The PCAOB and AFM have flagged instances where user auditors accepted bridge letters signed by individuals without appropriate authority.