The Complete Guide to Trust Account Audits

Introduction: The Audit Playbook

This guide is the operational companion to everything else in this content series. If the IOLTA Compliance Guide explains the rules, and the Trust Account Audit Triggers guide explains what initiates scrutiny, this guide answers the practical question: when the audit notice arrives, what do you actually do?

Trust account audits follow a predictable structure. The bar or CPA contacts your firm. You gather records. The auditor reviews them. The auditor issues findings. You remediate or respond. But within that structure, there are dozens of decisions, deadlines, and documentation requirements that determine whether the audit is a routine review or a career-defining crisis.

This guide walks through the audit process step by step -- from the moment you receive notice through final resolution. It is written for the managing partner, the designated compliance officer, or the paralegal who will be responsible for managing the firm's response.

Step 1: Receiving the Audit Notice

When you receive a trust account audit notice -- whether from your state bar's disciplinary authority, the OAE (in New Jersey), or a CPA firm (under CTAPP in California) -- the first thing to do is nothing rash. Do not start deleting, editing, or "cleaning up" records. Any alteration of records after receiving an audit notice can be treated as obstruction and will dramatically worsen the outcome of any proceedings.

Read the notice carefully. Identify exactly what the auditor is requesting. Typical audit notices specify the audit period (usually two to three years of activity), the categories of records requested (bank statements, trust ledgers, client sub-ledgers, reconciliation reports, disbursement documentation), the deadline for producing records, and the contact information for the auditor or the assigned investigator.

Note the deadline. Audit record requests typically come with a 30 to 60 day response window. This is not a suggestion -- it is a deadline that carries the same weight as a court order. Failure to comply, or requesting excessive extensions, creates a negative impression before the substantive review even begins.

Notify your malpractice carrier. Most legal malpractice policies require notification of any bar investigation or audit. Check your policy language and report the audit within the required timeframe.

Consider engaging ethics counsel. For routine audits where you are confident in your records, self-representation may be fine. For audits triggered by a complaint, an overdraft, or any situation where you have concerns about the state of your records, ethics counsel is a worthwhile investment. An attorney who specializes in bar discipline can advise on the best approach to document production, identify potential issues before the auditor finds them, and manage the process to minimize exposure.

Step 2: Gathering Your Records

The record-gathering phase is where the quality of your ongoing trust account management practices is either validated or exposed.

If you have been maintaining monthly three-way reconciliation, individual client ledgers, and complete disbursement documentation all along, this step is straightforward. You export or compile the requested records from your trust accounting system, organize them chronologically, and produce them to the auditor.

If your records are incomplete -- reconciliations were not performed monthly, client ledgers have gaps, disbursement documentation is scattered across case files and email -- this step becomes a significant project. You will need to reconstruct records from bank statements, case management data, and whatever documentation exists. This reconstruction effort is time-consuming and expensive, and it is exactly the kind of cost that ongoing compliance prevents.

Organize records by category, not by matter. Auditors work through categories -- they will review all reconciliation reports together, then all client ledgers, then all disbursement documentation. Organizing your production to match the auditor's workflow demonstrates competence and makes the review more efficient.

Prepare an index. A simple table of contents showing what is included in the production, where each category of records can be found, and any gaps or exceptions (with explanations) shows the auditor that you take the process seriously and have nothing to hide.

Flag known issues proactively. If you know that reconciliation was not performed for certain months, or that a specific matter had documentation problems, it is generally better to acknowledge these issues in your cover letter than to wait for the auditor to discover them. Proactive disclosure is almost always treated more favorably than concealment.

Step 3: The Auditor's Review Process

Understanding how auditors work helps you prepare more effectively.

CPA auditors under programs like CTAPP follow a systematic approach. They begin with an overall assessment of the trust account -- total balances, number of matters, transaction volume, and the type of practice. This gives them a sense of the complexity they are dealing with.

Next, they verify reconciliation. The auditor will select one or more months from the audit period and perform their own three-way reconciliation using the bank statement, trust ledger, and client sub-ledger data you provided. If your reconciliations are accurate, this step confirms compliance. If there are discrepancies, the auditor will investigate further.

Then, they sample transactions. The auditor will select a sample of individual transactions -- typically 10 to 25 percent of total transactions, with a focus on larger transactions and any that appear unusual -- and trace them from origin (receipt) through disposition (disbursement). For each sampled transaction, they verify that the amount is correct, that the payee or payor is documented, that the transaction is recorded in both the trust ledger and the appropriate client sub-ledger, and that supporting documentation (settlement statement, invoice, fee agreement) exists.

Finally, they look for systemic issues. Beyond individual transaction accuracy, auditors assess whether the firm has adequate procedures, whether those procedures are being followed, and whether there are patterns of deficiency (such as consistently late reconciliation, missing documentation for a particular type of transaction, or residual balances across multiple closed matters).

Step 4: Responding to Preliminary Findings

Most audit processes include an opportunity to respond to the auditor's preliminary findings before the final report is issued. This is a critical step -- it is your chance to provide context, explain apparent discrepancies, and demonstrate remediation of any issues found.

For each finding, prepare a response that addresses the substance. If the auditor found a reconciliation discrepancy, explain the cause and demonstrate that the underlying balances were correct (if they were). If documentation was missing, provide whatever supplementary documentation you can locate and explain the circumstances.

Do not be defensive. Auditors are looking for compliance, not perfection. An attorney who acknowledges deficiencies, explains the context, and demonstrates that corrective measures have been implemented receives fundamentally different treatment than one who is evasive or combative.

If the findings include anything suggesting missing funds, engage ethics counsel immediately if you have not already. The stakes at this point are too high for self-representation.

Step 5: The Final Report and Remediation

The audit culminates in a final report -- the auditor's conclusions about the state of your trust account and the adequacy of your compliance practices.

A clean report means the auditor found no material deficiencies. This is the best outcome, and for firms with strong ongoing compliance practices, it should be the expected outcome. File the report with your records and continue your existing practices.

A report with findings requiring remediation is the most common outcome. The report will identify specific deficiencies and may include requirements for corrective action. Typical remediation requirements include bringing reconciliation current and performing it monthly going forward, establishing or improving client sub-ledger practices, completing a trust account management CLE course, implementing written trust account procedures, and submitting to a follow-up audit within 6 to 12 months to verify compliance.

Take remediation requirements seriously. The follow-up audit is your opportunity to demonstrate that you have addressed the deficiencies. Firms that remediate fully and pass the follow-up audit typically close the matter without further consequences.

A report with findings suggesting misappropriation or serious misconduct is referred to the state bar's disciplinary authority for formal proceedings. This is the worst outcome and requires immediate engagement of experienced bar discipline counsel. The audit report becomes evidence in the disciplinary proceeding, and everything from this point forward must be managed with the utmost care.

The Audit Preparation Checklist

Use this checklist to assess your audit readiness at any time -- not just when an audit notice arrives.

If you answered "no" or "I'm not sure" to more than two of these questions, your firm has audit preparation work to do. The time to do it is now -- not when the audit notice arrives.