As these files can be quite large, they can take some time to generate. It is important to provide enough time to meet the Mar. 31 due date.  

Rules 119.34 to 119.37 require law firms to record all financial transactions related to its legal practice, using a permanent and legible format.  

Please refer to the Prescribed Financial Records resource for a list of the prescribed financial records and an explanation of each record type. 

Bank reconciliation of trust and separate interest-bearing accounts must be properly completed before the end of the following month and should be printed/printed to PDF and retained.   

The monthly trust bank reconciliation package must include the following: 

• Bank Account Reconciliation Report, including the details of any outstanding cheques/deposits, adjustments 

• Bank Statements, including images of the negotiated cheques (not generated from accounting software and provided directly from Financial Institution) 

• Trust Journal  

• Client Trust Listing 

• Electronic banking transaction confirmations 

• Evidence of the Responsible Lawyer’s review of the monthly reconciliation 

Some software packages do not include general accounting or a financial statement package and only include trust accounting. Additional software may be needed to record your law firm general transactions and complete general bank account monthly reconciliations. If so, ensure you understand how the integration between the two systems works.  

Rule 119.36 requires additional prescribed financial records for general accounts and must include all records required to complete the general bank account reconciliation. 

A law firm must assign roles and related privileges for each user of its accounting system and align those to their role in the firm’s operations. This ensures adequate segregation of duties. Login credentials are an essential line of defence against unauthorized access to an IT system. Each user should have their own login credentials. 

All transfers between client ledgers should be executed within the accounting software to ensure the transaction is recorded in the Matter to Matter Transfer Journal. 

Consider who will be responsible for ensuring the accuracy and completeness of converted data if you switch software. The level of customer support, the timeline it will take for the data migration and how transactions occur during the data migration period are also important considerations.  

If you decide to move to a different vendor, you will need to ensure you can submit the Trust Safety Accounting Upload with the entire year of data. It is important to understand what that process may look like and what may have to occur to meet your annual reporting requirements. This could require submitting two uploads for the year the software is switched.  

It is always important to have access to the last activity date for client matters. For example, law firms occasionally hold trust funds for extended periods of time when they cannot locate the clients or other parties to whom the funds belong. In certain circumstances, the Rules allow firms to apply to pay such undisbursable funds to the Law Society. Before paying the funds to the Law Society, the firm must have held the trust funds for more than two years and be unable to locate the funds’ owners despite reasonable efforts to do so (Rule 119.43 and section 117(5) of the Legal Profession Act). It is important to identify relevant dates within the new software or have access to this information through the old system/ reports.   

Some software is best suited for sole and small firms and other options are better for mid-size or large firms. Make sure you consider this when you are making your choice.   

Before you meet with a prospective client, you must gather just enough information from them to run a conflict check. Because this is such an important step, you must be confident that the conflict management system built into your accounting/practice management software is robust and user friendly. You must also ensure that you have a conflict process in place so that all relevant information is obtained, entered and contained where it needs to be.  

Client intake is your first opportunity to earn your client’s confidence. If your intake process is clear and seamless, your clients will be more satisfied and it will create a favourable impression for your relationship ahead.  

An internal document management system can help you edit, store, access and share your client’s documents. Determine if the internal DMS integrates with other document management systems.  

When you select software, you need to consider whether the space is unlimited or what the capacity is, and whether it is suitable for your current and anticipated needs.  

If there is capacity, saving both open and closed files to the DMS could be helpful. Ensure you can securely delete your files when the file retention requirements have been met.  

Determine if you can use the calendar to keep track of tasks, important dates and limitation periods on your files. It is beneficial if all users can access shared calendars and there is also an option for individual calendars. Flexibility with the permissions and viewing of calendars is also helpful.    

It is helpful, if not essential, to have mobile access to your calendar. This convenience is not one many lawyers can do without.    

Although some clients are weary of so many different forms of electronic communication, having access to a client portal for a legal process can be helpful because it is a focused and secure way of communicating and sharing documents.   

As we spend considerable time on email correspondence, any assistance with email management is welcome. It’s best to consider what these features entail when you are making your choice. The ability to set up email templates and track time for sending and reviewing email correspondence is helpful.  

Workflow automation saves time by creating efficiency. Consider whether the software allows for tasks to be automatically assigned and if there is the ability to create document templates. Having internal document automation is ideal but if an add–on or integration is an option, that is also helpful.  

Matter management might include the ability to view all matters, view individual client matters or manage the contents of matters. It is best if client matters can include both created and imported documents so that all information relating to the client is together.   

Ease of time tracking is essential when running a practice. It is important to understand all functions and ensure that it is easily accessible when doing your work on your laptop or mobile.  

In addition to accurate time tracking, you will need to consider the software’s billing system. Determine if it is possible to create statements of account and if there is an opportunity for customized billing templates in the event you offer alternative billing options.  

The software should allow you to track client expenses and disbursements so that you can capture them on the statement of account. 

Consider if the software has built-in payment options or integrates with third-party payment applications. 

Determine if the software integrates with other applications and products you use in your practice, such as your email and calendar. 

The ability to track metrics, such as your referral sources, is essential from a business perspective. It can help drive your marketing efforts and provide information about your current clients.   

Training and ongoing support is necessary for the successful implementation of new technology. It can be helpful to investigate what type of training and support is available at the outset, throughout the maintenance phase of using the software and if you stop using the software.    

It is important to determine the steps taken by the vendor in relation to security measures. 

The vendor should do regular system penetration testing. System penetration testing is a simulated cyberattack on a computer system to identify and fix security vulnerabilities before they can be exploited by malicious actors. Generally, annual testing is a good frequency for this testing, but it may be longer depending on the type of information that may be held in the system. A vendor should be able to provide you with proof that they have completed the testing and remediated all major and minor issues identified. 

Another example of proof that the vendor and their application is complying with security best practices is if they have a current Service Operations Control (SOC) Type 2 audit report that they can provide you with.  

It is a good idea to ask questions regarding other industry standard security protocols.  

Strong passwords are no longer the only method needed to secure systems. Multi–factor authentication is a crucial security method for systems by adding an extra layer of security making it much harder for unauthorized users to access systems even if they obtain a password. Multi-factor authentication is a security process that requires you to provide two or more verification methods, like a password and a text message code to access your account, making it much harder for someone to hack into it. 

If the system contains personal information, you will have obligations to only collect what is reasonably necessary and must take steps to ensure it is protected and disposed of when no longer needed. A good practice is to complete a privacy impact assessment for new and existing systems.   

A security incident is where unauthorized individuals gain access to data, networks or devices, potentially compromising sensitive information. A privacy breach is the unauthorized access to, or unauthorized disclosure of personal information or individually identifying information.  

Carefully review contracts with vendors to determine how quickly they will notify you in the case of a breach or security incident so that you can take timely and appropriate measures regarding the incident.   

If the breach involves personal information, refer to the Law Society’s resource Privacy Breached: Now What? 

You should also determine if you need to report a breach through ALIA’s Universal Cyber Coverage Program.  

Data stored outside Canada may be subject to foreign laws so be sure to ask questions about privacy and protection of the information if choosing to store data outside Canada.  

You should seek client consent for email communication and cloud usage outside of Canada in your retainer letter.  

While the software vendor may be backing up the system for their own disaster recovery purposes, it may not mean that you can restore your data in the case of an incident affecting only your data. For example, you may not be able to restore your data to a point in time if your staff makes a mistake and deletes a lot of data or if there was another type of major issue.  It’s important to confirm how quickly and to what extent the vendor would be able to restore data. 

If you decide to move to different software or need to get your data out of the previous system, it is important to understand what that process may look like and what may have to occur. For example, if information can be moved out of the system in a usable format including all relevant metadata (e.g., when the information was created, who created it, when it was last modified, etc.) and how you will submit your Trust Safety Accounting Upload with this data.  

Ask the vendor questions related to retention of information to understand if it will be retained for as long as you need it in accordance with your obligations and best practices and if you can delete it if you need. Understand how you will be able to prove deletion, such as with audit logs or a certificate of destruction, if you need it and whether the information will be irrevocably deleted.  

Over time, systems accumulate a lot of data. Check to see if there are limits on database, license count or amounts of data flowing through the system that may result in additional costs or even prevent you from using the system. Also confirm if the system will slow down or perform differently as your volume of data grows. 

Consider if you have critical times when the system is needed, such as during core business hours, and if you need the system outside of those hours. The vendor should have performance benchmarks, such as when the system is available. It may be important to you to have guaranteed availability. 

Configurations to systems, which are modifications to the system that can be done through settings available in the administrative side of the system, are preferable over customizations that make changes to the actual code of the system. Customizing a system can present challenges when the vendor releases new features or upgrades to their system.   

It is also good to understand how often the vendor will release upgrades to the system to understand the impact on your staff in supporting the upgrades and the impact on your users.   

Consider whether the system is accessible to users with disabilities, including being able to adjust font or screen size, and the availability of voice recognition or recording functions. Consider the accessibility standards they are in compliance with, such as Web Content Accessibility Guidelines (WCAG). How the vendor tests their system for accessibility compliance is also important. Using screen readers and people with lived experience of a disability for testing can be more reliable than testing with tools. 

Artificial intelligence offers both great promise of efficiency and for automating repetitive tasks and much more. Yet it can make mistakes, may be biased and could lead to unfair or incorrect decisions, and expose sensitive information if not closely controlled. It is therefore important to spend time to understand how the software vendor is using AI and what risks it may pose to your information.    

You can find more information about the use of AI in the Law Society’s Generative AI Playbook. 

Knowing how a vendor manages the development of the application and support can be important as it can identify potential security risks. For example, some vendors may not do background checks or monitor security clearances on staff who may have access to highly sensitive data or are the developers of the system and have access to the code of the system itself. It is good to understand if the development or support team does “live testing” on real client data. If so, ask how they protect against data breach and disclosure. 

Licensing is only one part of the overall cost of a solution. The costs may be per user, or for the entire system and may be paid monthly, annually or even as a one-time fee. It’s also good to understand what typical annual increases a vendor charges. In addition, determine if there are any other costs associated with cloud storage volumes or transactional volumes as these are often not as clearly outlined. Support costs are also a significant part of the overall cost of a solution and therefore important to understand. You should ask how support will be managed, what typical support costs may look like and if support is billed as a fixed fee or on a per incident basis. 

The following resources may be useful as you work through the technical considerations: 

• Baseline Cyber Security Controls for Small and Medium Organizations, Government of Canada 
• Cybersecurity Best Practices, Cybersecurity & Infrastructure Security Agency 
• Digital Standards Playbook, Government of Canada 
• Get Cyber Safe Guide for Small and Medium Businesses, Government of Canada​ 
• Legal Ethics in a Digital Context, Canadian Bar Association 
• Office of the Information and Privacy Commission of Alberta 
• The Generative AI Playbook, Law Society of Alberta