Trust account security isn't just policy — it's IT infrastructure. Here's what the controls look like and what LIV auditors expect to find.
When Melbourne law firms think about trust account compliance, the focus is usually on the accounting side — reconciliations, ledger accuracy, LIV trust account audits. The IT side gets less attention, and when it does, it’s often treated as a separate matter handled by whoever manages the computers.
This separation is a problem. Trust account security is substantially an IT infrastructure problem. The controls that protect trust account data, prevent unauthorised access, create audit trails, and ensure data can be recovered after a disaster — these are all implemented in technology. If the IT isn’t configured correctly, the policy doesn’t help.
This article covers the specific IT controls that Melbourne law firms need for trust account security, what the LIV expects to see, and how to document them.
The Legal Obligation
The Legal Profession Uniform Law (LPUL), administered in Victoria by the Law Institute of Victoria, imposes specific obligations on law firms around the management and protection of trust account funds. These obligations include:
- Maintaining accurate and complete trust account records
- Ensuring that trust funds are only accessible to authorised persons
- Providing a complete audit trail of all trust account transactions
- Protecting trust account data from loss, corruption, and unauthorised disclosure
These are statutory obligations with real consequences. A trust account audit that reveals inadequate controls can result in LIV disciplinary proceedings, mandatory remediation, and in serious cases, referral for investigation.
What the LPUL does not do is specify exactly which IT controls satisfy these obligations — that translation from legal requirement to technical implementation is left to each firm.
The Core IT Controls
1. Access Restriction to Trust Account Modules
Only staff who are authorised to view and modify trust account data should be able to do so. In IT terms, this means:
- Role-based access control in your practice management software (LEAP, Smokeball, Actionstep, etc.) with trust account modules limited to authorised users — typically the principal, practice manager, and trust account administrator
- Windows user accounts with least privilege — staff who don’t need trust account access should not have it at any layer, including the shared drive where trust documents are stored; a Windows account that can read that drive has trust account access regardless of what the practice management software allows
- Separation of duties where possible — the person who enters trust transactions should not be the same person who approves them or reconciles the account
Access reviews should happen at least annually, and when staff roles change or staff leave. A former trust account administrator whose system access wasn’t revoked is a significant risk — both for fraud and for audit purposes.
2. Audit Logging
An audit log is a complete, tamper-resistant record of who accessed trust account data, what they did, and when. For LIV trust account auditors, audit logs are increasingly important evidence that controls are actually operating.
Audit logging for trust accounts needs to cover:
- Practice management software: Most modern platforms (LEAP, Smokeball, Actionstep) have built-in audit logging for trust account transactions. This needs to be enabled, configured to capture the required events, and retained for the period required by law (at least seven years in Victoria)
- Windows event logging: Login events, file access, and privilege use on workstations and servers that handle trust account data
- Microsoft 365 audit logging: Exchange and SharePoint unified audit log, which records access to email and documents including trust-related communications
Logs are only useful if they are retained and reviewable. Many firms have audit logging enabled in principle but have never configured retention periods, tested retrieval, or actually looked at a log.
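The access review in section 1 and the Windows event logging in section 2 come together in one check: reconcile the access register against what the logs show actually happened on the trust share. The following is an added example, not code from the article or from any practice management vendor; the usernames, the UNC path and the reduced event fields are assumptions.

```python
# Added example, not from the article: reconcile a trust-module access register
# against constructed Windows Security events for the trust file share.
# Usernames, the UNC path and the event field names are assumptions.
from collections import defaultdict

TRUST_SHARE = "\\\\FILESERVER\\Trust\\"          # assumed path of the trust documents

# Access control register: accounts authorised for the trust module (assumption)
AUTHORISED = {"principal", "practice.manager", "trust.admin"}

# Constructed events, reduced to the fields the check needs:
# 4624 = logon, 4663 = object access (needs an audit SACL on the share), 4672 = privileged logon
EVENTS = [
    {"id": 4624, "user": "trust.admin", "ts": "2024-05-01T09:02:11"},
    {"id": 4663, "user": "trust.admin", "ts": "2024-05-01T09:05:40",
     "object": TRUST_SHARE + "receipts-2024.xlsx", "access": "WriteData"},
    {"id": 4663, "user": "j.smith", "ts": "2024-05-01T11:17:03",
     "object": TRUST_SHARE + "recon-apr.pdf", "access": "ReadData"},
    {"id": 4672, "user": "old.trustadmin", "ts": "2024-05-02T07:58:22"},
    {"id": 4663, "user": "old.trustadmin", "ts": "2024-05-02T08:01:09",
     "object": TRUST_SHARE + "ledger.db", "access": "WriteData"},
]

def review_trust_access(events, authorised, share=TRUST_SHARE):
    """Return (findings, touched): findings are events an auditor should see
    (trust files touched by an account outside the register, or a privileged
    logon by such an account); touched maps every account to the trust files
    it accessed, which is the evidence for the annual access review."""
    findings = []
    touched = defaultdict(list)
    for e in events:
        if e["id"] == 4663 and e.get("object", "").startswith(share):
            touched[e["user"]].append(e["object"])
            if e["user"] not in authorised:
                findings.append((e["ts"], e["user"], "trust file access outside register",
                                 e["access"], e["object"]))
        elif e["id"] == 4672 and e["user"] not in authorised:
            findings.append((e["ts"], e["user"], "privileged logon outside register", "", ""))
    return findings, dict(touched)

if __name__ == "__main__":
    findings, touched = review_trust_access(EVENTS, AUTHORISED)
    for f in findings:
        print(" | ".join(f))
    print("accounts that touched the trust share:", sorted(touched))
```

In the constructed data the departed administrator still writes to the ledger, which is exactly the un-revoked access the article warns about; the 4663 events only exist if file auditing is enabled on the share.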
3. Network Segmentation
Network segmentation means placing trust account workstations on a separate network segment from general office traffic. This limits the blast radius of a security incident — if a general workstation is compromised by malware or ransomware, segmentation prevents the attacker from easily pivoting to the trust account machines.
For most Melbourne law firms, this means:
- A separate VLAN for workstations that access trust account data
- Firewall rules restricting lateral traffic between the trust account VLAN and the general office network
- Strict access control lists limiting which applications and systems the trust account workstations can communicate with
This is a more advanced control and is not mandatory in small firms. However, it is increasingly asked about by professional indemnity insurers and cyber insurance providers, and is a recommended control in ACSC guidance that LIV auditors are beginning to reference.
4. Encrypted Backup with Tested Restores
Trust account records must be recoverable. The LPUL requires that complete trust account records be maintained — which means backup and recovery aren’t optional.
The IT requirements for trust account backup:
- Encrypted backup of all trust account data, both on the server (on-premises LEAP/Smokeball installations, SQL databases) and in the cloud (LEAP Online, SharePoint/OneDrive documents)
- Regular backup verification — automated backup completion alerts, and periodic manual verification that backups actually contain the expected data
- Tested restore procedures — at least annually, actually restore a backup to a test environment and verify the data is intact and the practice management software can open it. Many firms discover backup failures only when they try to use a backup after a disaster
Backup retention should align with the LPUL seven-year record-keeping obligation for trust account data, not just the standard 30-90 day retention common in small business IT environments.
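What "tested restore" and "backup verification" mean in practice, as an added example that is not from the article or any backup product: a checksum manifest written at backup time is compared against the restored files, and the backup register is checked against the encryption, restore-test and seven-year retention requirements above. File contents, paths and dates are constructed, and the manifest format is an assumption.

```python
# Added example, not from the article or any backup product: verify a test
# restore against the checksum manifest recorded at backup time, then check the
# backup register against the requirements above. File contents, paths and
# dates are constructed; the manifest format is an assumption.
import hashlib
from datetime import date

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Data as it was at backup time (constructed stand-ins for real trust files)
ORIGINAL = {
    "trust/ledger.db": b"ledger rows ...",
    "trust/recon-2024-04.pdf": b"%PDF-1.7 reconciliation",
    "trust/receipts-2024.xlsx": b"PK\x03\x04 receipts",
}
# The manifest is written alongside the backup and kept with it
MANIFEST = {path: sha256(data) for path, data in ORIGINAL.items()}

# What the test restore produced: one file came back truncated (simulated failure)
RESTORED = dict(ORIGINAL)
RESTORED["trust/recon-2024-04.pdf"] = b"%PDF-1.7"

def verify_restore(manifest, restored):
    """Every manifest entry must be present in the restore with a matching hash.
    A backup job reporting 'success' does not prove this; only the restore does."""
    problems = []
    for path, expected in manifest.items():
        if path not in restored:
            problems.append(f"missing: {path}")
        elif sha256(restored[path]) != expected:
            problems.append(f"hash mismatch: {path}")
    return (not problems), problems

def backup_register_check(encrypted, last_restore_test, retention_days, today):
    """Checks for the backup register: encrypted at rest, restore tested within
    the last year, retention at least the seven-year LPUL record-keeping period."""
    issues = []
    if not encrypted:
        issues.append("backup not encrypted")
    if (today - last_restore_test).days > 365:
        issues.append("last restore test older than 12 months")
    if retention_days < 7 * 365:
        issues.append("retention shorter than seven years")
    return issues

if __name__ == "__main__":
    ok, problems = verify_restore(MANIFEST, RESTORED)
    print("restore ok" if ok else "restore FAILED: " + "; ".join(problems))
    print(backup_register_check(True, date(2024, 3, 1), 90, date(2024, 6, 1)))
```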
5. Application Control on Trust Account Workstations
Application control — also called application allowlisting — restricts which software can run on a workstation to a pre-approved list. On trust account workstations, this means only your practice management software, Microsoft 365, and approved business applications can execute. Random downloaded software, scripts, and unknown executables are blocked.
This is one of the Essential Eight controls mandated by the ACSC, and it is particularly valuable on trust account workstations because it prevents malware from executing even if a staff member clicks a malicious link or attachment.
Application control is more operationally demanding than most other controls because it requires maintaining the allowlist as legitimate software is updated. It is not the right control for every firm, but for any firm that has experienced a malware incident on a trust account workstation or is required to demonstrate Essential Eight compliance, it is necessary.
6. Email Security Controls on Trust-Related Communications
The most common trust account fraud mechanism is business email compromise — an attacker intercepts or spoofs email communications around a settlement to redirect trust funds. The email security controls that protect against BEC are also trust account security controls:
- DMARC at reject policy on all firm domains, preventing domain spoofing
- Anti-impersonation rules in Microsoft Defender for Office 365
- Payment verification procedures requiring callback verification before acting on any change to bank account details
These are covered in detail in our article on BEC protection for law firms.
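"DMARC at reject on all firm domains" is easy to claim and easy to get subtly wrong (a subdomain override, a partial pct, a record still at p=none). The following added example, not from the article or any vendor, parses a DMARC TXT record and decides whether it actually enforces reject; the three records are constructed, and a real check would read the TXT record at _dmarc.<domain> for each firm domain.

```python
# Added example, not from the article: parse a DMARC TXT record and decide whether
# it actually enforces reject for the domain and its subdomains (RFC 7489 tag
# semantics). The records below are constructed; a real check would read the
# TXT record at _dmarc.<domain> for each firm domain.

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def dmarc_enforces_reject(record):
    """Return (enforced, notes). Enforcement means p=reject, applied to 100% of
    failing mail (pct defaults to 100), with no weaker sp= override for
    subdomains (sp defaults to p). A missing rua= is noted but is not a policy gap."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return False, ["not a DMARC1 record"]
    notes = []
    policy = t.get("p", "missing")
    if policy != "reject":
        notes.append(f"policy is {policy}, not reject")
    sub_policy = t.get("sp", policy)
    if policy == "reject" and sub_policy != "reject":
        notes.append(f"subdomain policy sp={sub_policy} is weaker than reject")
    pct = t.get("pct", "100")
    if pct != "100":
        notes.append(f"only pct={pct} of failing mail gets the policy")
    enforced = not notes
    if "rua" not in t:
        notes.append("no rua= aggregate reports, so spoofing attempts go unseen")
    return enforced, notes

# Constructed records for three fictional firm domains
SAMPLES = {
    "firm.example": "v=DMARC1; p=reject; rua=mailto:dmarc@firm.example",
    "legacy.example": "v=DMARC1; p=none; rua=mailto:dmarc@legacy.example",
    "partial.example": "v=DMARC1; p=reject; sp=none; pct=50",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        enforced, notes = dmarc_enforces_reject(record)
        print(domain, "enforced" if enforced else "NOT enforced", notes)
```

The partial.example record looks like reject at a glance but leaves subdomains unprotected and half of failing mail delivered, which is the kind of gap an insurer's questionnaire or an auditor will not catch from the policy document alone.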
What LIV Trust Account Auditors Are Asking About
The LIV trust account audit program has traditionally focused on the accounting records — reconciliations, ledger accuracy, receipt and payment documentation. IT has been background context.
This is changing. LIV auditors are increasingly asking about IT controls as part of trust account audits, particularly in the wake of several high-profile BEC incidents targeting Victorian conveyancing practices. Specific questions being asked include:
- Who has access to the trust account module in your practice management software, and how is that access managed when staff leave?
- What backup procedures are in place for trust account data, and when was the last restore test?
- What email security controls protect communications involving trust transactions?
- Is access to trust account workstations logged?
Firms that have documented their IT controls — and can produce that documentation during an audit — are in a materially better position than firms that have to reconstruct the picture from scratch under audit pressure.
Documenting Your IT Controls for LIV Auditors
Documentation of IT controls doesn’t need to be a formal compliance framework. At minimum, it should cover:
- Access control register: Who has access to what in your practice management software, reviewed and signed off
- Backup register: What is being backed up, how often, where backups are stored, and the date and result of the last restore test
- Incident log: Any security incidents involving trust account data, including BEC attempts, even if unsuccessful
- Software and patch log: Current versions of practice management software and the date of last update
This documentation serves multiple purposes: it satisfies LIV audit questions, supports professional indemnity insurance renewals (which increasingly ask about IT controls), and provides the internal discipline that makes the controls actually work rather than existing only on paper.
Getting Your Trust Account IT Right
For most Melbourne law firms, the gap between current state and adequate trust account IT security is not large. The controls are not technically complex — they require configuration, documentation, and ongoing maintenance rather than exotic technology.
What’s usually missing is someone with the combination of legal practice knowledge and IT competence to translate the LPUL obligations into specific technical configurations, implement them, and produce documentation that makes sense to both an IT auditor and an LIV auditor.
CX IT Services provides trust account IT security configuration and LIV-ready documentation for Melbourne law firms. See our IT support for law firms service for the full managed IT picture, or read about our cybersecurity for law firms controls. Book a Right Fit Call to discuss your current setup and what needs to change.