How long do I really have to keep IOLTA records?

It depends on your state — common retention periods range from five to seven years, usually measured from final disposition of the matter. The safe default is to keep everything for seven years in digital, searchable form. If you practice in multiple states, follow the longest applicable rule.

Do digital copies satisfy retention requirements?

In almost every state, yes — as long as the copies are complete, legible, and retrievable on demand. A handful of state bars still want originals for specific items (some signed authorizations, for example). Check your state's rule, but for the bulk of bank statements, ledgers, and reconciliations, digital is fine.

Can my case management software replace a separate trust accounting system?

Sometimes — it depends on whether the software produces an audit-ready three-way reconciliation by matter and a real client ledger, not just a list of payments. Most case management tools weren't built for trust accounting and miss the ledger or the reconciliation piece. Run the "audit tomorrow" test and see what you can actually export.

What's the most common record-keeping failure auditors find?

Missing or incomplete client ledgers. California's CTAPP reviews found 89% of audited firms had noncompliant client ledgers and 83% had noncompliant three-way reconciliations. The pattern is the same nationwide: firms have bank statements, but they don't have the per-matter ledgers an examiner needs to trace each dollar.

Do I need to keep the originals or are scans okay?

For most records, scans are fine — most state bars accept electronic copies as long as they're complete, legible, and accessible. Some specific signed documents (client authorizations, certain releases) may have to be retained as originals depending on your state's rules. When in doubt, keep both.

What happens to records when a matter closes?

The retention clock typically starts at final disposition, not at intake. So a matter closed today triggers a five-to-seven-year retention obligation starting today. Move closed-matter records into your retention system the same week you close the file — don't leave them on a paralegal's desktop.

How long do I really have to keep IOLTA records?

It depends on your state — common retention periods range from five to seven years, usually measured from final disposition of the matter. The safe default is to keep everything for seven years in digital, searchable form. If you practice in multiple states, follow the longest applicable rule.

Do digital copies satisfy retention requirements?

In almost every state, yes — as long as the copies are complete, legible, and retrievable on demand. A handful of state bars still want originals for specific items (some signed authorizations, for example). Check your state's rule, but for the bulk of bank statements, ledgers, and reconciliations, digital is fine.

Can my case management software replace a separate trust accounting system?

Sometimes — it depends on whether the software produces an audit-ready three-way reconciliation by matter and a real client ledger, not just a list of payments. Most case management tools weren't built for trust accounting and miss the ledger or the reconciliation piece. Run the "audit tomorrow" test and see what you can actually export.

What's the most common record-keeping failure auditors find?

Missing or incomplete client ledgers. California's CTAPP reviews found 89% of audited firms had noncompliant client ledgers and 83% had noncompliant three-way reconciliations. The pattern is the same nationwide: firms have bank statements, but they don't have the per-matter ledgers an examiner needs to trace each dollar.

Do I need to keep the originals or are scans okay?

For most records, scans are fine — most state bars accept electronic copies as long as they're complete, legible, and accessible. Some specific signed documents (client authorizations, certain releases) may have to be retained as originals depending on your state's rules. When in doubt, keep both.

What happens to records when a matter closes?

The retention clock typically starts at final disposition, not at intake. So a matter closed today triggers a five-to-seven-year retention obligation starting today. Move closed-matter records into your retention system the same week you close the file — don't leave them on a paralegal's desktop.

Back to Resources

BlogIOLTACompliance·9 min read

What Records Do You Need for IOLTA Compliance?

If the state bar sent an audit letter tomorrow, could you produce every record they'd ask for? Here's the full IOLTA records checklist — source records, derived records, supporting docs, retention rules, and a one-hour drill to find your gaps before an examiner does.

Disbo Team

Published April 21, 2026

Quick Answer

Your IOLTA compliance depends on three categories of records: source records (bank statements, cancelled checks, wires, deposit slips, third-party docs), derived records (the trust account journal, individual client ledgers, monthly three-way reconciliations), and supporting documentation (settlement statements, fee agreements, lien releases, authorizations). Keep everything for at least seven years in digital, searchable form. The single most common audit failure is missing or incomplete client ledgers — 89% of firms in California's CTAPP reviews — because maintaining them manually across dozens of matters is brutally time-consuming.

If the state bar sent you an audit letter tomorrow, could you produce every record they'd ask for — in digital form, correctly reconciled, within the response window?

Most firms think they can. Then the letter arrives and the scramble begins: pulling bank statements from three different online portals, searching email for old settlement statements, asking the bookkeeper to reconstruct client ledgers that were never really maintained.

This is the checklist of records your IOLTA compliance depends on, broken into the three things auditors actually want: source records, derived records, and reconciliation records.

The Short Version

If you do nothing else, you need these ten things, organized by matter and preserved for at least seven years:

•Every bank statement for every trust account
•Every cancelled check (front and back) and wire confirmation
•Every deposit slip and incoming wire notice
•A general ledger (account journal) for each trust account
•An individual client ledger for every matter
•A monthly three-way reconciliation report
•Supporting documentation for every disbursement (settlement statement, fee agreement, lien payoff letter, invoice)
•Engagement letters and fee agreements
•Signed client authorizations for disbursements, where required
•Records of any account transfer, closed account, or successor account

Everything below explains what each of these actually means and what goes wrong.

Source Records — The Raw Inputs

These come from the bank or the counterparty. You don't create them; you preserve them.

Bank statements. You need statements for every IOLTA and non-IOLTA trust account, for every month of the retention period. Downloading PDFs from your online banking portal is fine — but you have to actually download them, because most banks purge online access after 18 to 24 months.

Cancelled checks. Front and back. The back matters because it shows endorsement — proof the intended payee actually received the funds. Many banks provide "check images" in online statements; confirm they include the reverse side.

Wire and ACH confirmations. For every outgoing wire, the bank-issued confirmation showing destination account, amount, and date. For every incoming wire, the deposit advice.

Deposit slips. For every deposit, documentation of what was deposited and on whose behalf. Electronic deposits should have corresponding bank confirmations.

Third-party records you received. Settlement statements from insurers, lien payoff letters from medical providers and government payers (Medicare/Medicaid), subrogation releases, release forms signed by clients.

Derived Records — What You Create

These are records you produce. They're where most audit failures happen.

The General Ledger (Account Journal)

Also called the trust account journal. This is a chronological record of every transaction in each trust account: deposits, disbursements, fees, adjustments. It's the "checkbook register" at the account level.

Each entry needs:

•Date
•Amount
•Payee or payer
•Purpose
•Matter the transaction relates to
•Running account balance

A spreadsheet can work. So can practice management software. So can a purpose-built disbursement platform. What doesn't work: reconstructing this from bank statements three years later.

Individual Client Ledgers

This is where the three-way reconciliation lives or dies. Every matter with funds in the trust account needs its own ledger. Not just active cases — every matter that's had trust activity during the retention period.

Each client ledger should show:

•Every deposit tied to that client
•Every disbursement made on their behalf
•The running balance for that matter
•Which bank transactions on the account journal correspond to each ledger entry

California's Client Trust Account Protection Program (CTAPP) reviews found that 89% of audited firms had noncompliant client ledgers — the single most common deficiency. It's not because attorneys don't know they need ledgers. It's because maintaining them manually across dozens of active matters is brutally time-consuming.

Three-Way Reconciliation Reports

Each month, you must reconcile:

•Bank balance (from the statement)
•Book balance (from the account journal)
•Sum of all client ledger balances

All three must agree. The reconciliation report documents that they do — and if they don't, what the discrepancy is, why, and how it was resolved.

An audit-ready reconciliation includes:

•The three balances as of month-end
•The reconciling items (outstanding checks, deposits in transit)
•Sign-off from the person who performed the reconciliation
•Any variance explanations

Reconciliations that say "balanced" with no supporting detail are not audit-ready.

Supporting Documentation — The "Why"

For every disbursement, an auditor can ask: why was this payment made? You need to be able to answer immediately.

For settlement disbursements, that means:

•The settlement statement (often called a closing statement) signed by the client
•The fee agreement showing the contingency percentage
•Payoff demands or lien release documents for every medical provider or third-party payee
•Authorization for the client's net disbursement

For case cost reimbursements: original invoices.

For fee transfers to your operating account: a fee statement showing earned fees and how they were calculated.

This documentation doesn't have to live in the same system as your ledgers, but it has to be retrievable and linked. "Let me search my email" isn't an answer that plays well in an audit.

Retention — How Long You Keep It

State rules vary. Common retention periods:

•California: Five years from final disposition of the matter (some records longer)
•New York: Seven years
•Texas: Five years after termination of representation
•Florida: Six years
•North Carolina: Six years

Best practice: keep everything for seven years, in digital and searchable form, with a defensible destruction policy afterward. The cost of digital storage is trivial compared to the cost of failing to produce records during an audit.

State-Specific Add-Ons

A few state requirements worth flagging:

•California (CTAPP): Annual self-certification of compliance; random review selection; specific required forms.
•Texas: Quarterly reconciliation minimum (many states allow monthly as the standard).
•North Carolina: Geography-based random audit program reportedly launched January 2026.
•New York: 22 NYCRR Part 1300 — specifies books of account that must be maintained and produced on request.

If you practice in multiple states, your record-keeping has to satisfy the strictest applicable rule.

The "Audit Tomorrow" Test

Run this drill once a quarter. It takes about an hour.

•Pick a random month from the last two years.
•Produce the bank statement, account journal, and client ledger reconciliation for that month.
•Pick three disbursements from that month.
•For each, produce: the cancelled check or wire confirmation, the client ledger entry, the settlement statement (or equivalent authorization), and the matter file's supporting documents.
•Time yourself.

If it takes more than an hour, your records system won't survive an actual audit. That's actionable information you can use today.

Why This Keeps Getting Harder (and What to Do About It)

The record-keeping burden on PI firms has quietly doubled in the last five years. More cases, more payees per settlement, more lien types (Medicare conditional payments, Medicaid, ERISA, hospital liens), more regulatory oversight.

At the same time, the primary compliance tools for most firms remain a spreadsheet, a bank portal, and a manual reconciliation once a month.

The firms that are staying clean are the ones moving to platforms where the records are a byproduct of the work, not a separate task to remember. Every Disbo disbursement is matter-aware, payee-verified, and journal-logged in real time on a purpose-built disbursement platform — the three-way reconciliation produces itself. Whether you use us or not, the direction of travel is clear: automation is how firms will keep up with what's coming next.

Related reading: What is IOLTA? A plain-English guide for new PI attorneys, and What triggers a state bar trust account audit?

This post is general educational content, not legal advice. Consult your state bar's published rules and a qualified ethics attorney for decisions specific to your practice.