Trials of the Audit Trail

December 2025
Joe Bryant and Natalie Ward-Karas

Maintaining audit trails within a legal context is essential. They provide proof of adherence to regulatory and legislative requirements, in turn supporting accountability. Further, by demonstrating transparency and professionalism, they help foster trust between law firms and their clients, regulatory bodies and professional indemnity insurers.

However, the increasing use of a wide range of messaging platforms for client communications (outside of established case management systems) is steadily undermining the fundamental integrity of audit trails. When communications are spread across multiple channels, such as mobile messaging apps and external platforms, it becomes more challenging to maintain a clear and reliable record of all interactions. Such fragmentation makes it difficult to ensure that all relevant correspondence is captured, tracked and retrievable, and may cause law firms to breach their legal and regulatory obligations, particularly if the chosen methods are not secure.

This article considers the negative impact that using multiple messaging platforms can have upon audit trails and the wider implications for law firms and their clients.

Audit trails

Law firms can employ a range of audit trails; some are obligatory, and others are discretionary. Examples are below:

Legislation/regulatory compliance

Data integrity/security

Regulations set out in both the UK General Data Protection Regulation (Art 5) and the Solicitors Regulation Authority (SRA) Rules require regulated companies to have adequate internal policies in place to ensure data is accurate and unaltered. Information must be retained in secure, retrievable and auditable communication records, and disposed of in a prescribed manner.

In circumstances where there is a suspicion of data breach or misconduct, audit trails will provide crucial evidence.

However, most messaging apps do not offer any of the sophisticated tools required for effectively managing data retention and deletion, therefore increasing the risk of unauthorised sharing of sensitive information.

Other than a device passcode, most messaging apps do not have a unique security code of their own and therefore don’t possess the extra level of protection that most companies attach to their hardware, making messages containing sensitive data more vulnerable to access by unauthorised users. This can also expose firms to cyberattacks, including phishing and impersonation scams.

Protection of client funds/fraud detection

The SRA Accounts Rules require regulated law firms to undertake annual audits, primarily focused on financial compliance and client money protection. This ensures that client money is handled appropriately and protects against fraudulent activity.

Similarly, law firms falling within the scope of the Money Laundering Regulations 2017 must implement strong anti-money laundering frameworks. Regulation 21 specifically mandates that an independent audit function be applied, to guarantee adherence to the regulations.

However, many apps allow message deletion or editing without leaving a trace. If financial instructions or confirmations occur via these apps, the absence of a permanent record (either by deletion or never having been transferred from the app to a central filing system) undermines audit trail integrity and can amount to a regulatory breach.

Case continuity and supervision

Paragraph 4.4 of the SRA Code of Conduct for Firms states that firms must have “an effective system for supervising clients’ matters”.

Maintaining visible case progression is imperative when establishing a system for supervision.

If communication flow on a file is interrupted by the absence of information, case progression will not be visible and adequate file monitoring will not be possible. Irregularities in the management of a case will be exponentially harder to identify. Issues in establishing case continuity will also be problematic when effecting file takeovers between fee earners.

Admissibility in court

If an audit trail passes the Court’s prescribed requirements on integrity, accuracy and authenticity, then its content can often be relied upon as evidence in litigation.

The use of external messaging apps would most likely fail the authenticity requirements. Authenticity issues relate to whether metadata, including timestamps, contact information and message content, has been properly preserved. While screenshots or recordings capture message content, they often fail to retain essential metadata, making digital evidence vulnerable to manipulation and therefore inadmissible in court.

In addition, accessing someone else’s private messages without their prior authorisation may violate their right to privacy, breach privacy laws and cause the evidence to be inadmissible.

Key takeaways

Audit trails within a commercial context are most effective when all communication on a matter is collated within an established internal case management system and not spread over a myriad of different messaging platforms. The use of external messaging platforms can cause a break in an audit trail, resulting in regulatory breaches and security vulnerabilities – issues that traditional case management systems are designed to avoid. Additionally, the lack of integration may also result in a failure to record time spent on communications made via other platforms and thus can have a significantly adverse effect on a firm’s profitability.

Whilst it isn’t automatically disastrous to use non-standard platforms, it is vital that, whatever method is chosen, the communications are also transferred and evidenced in a centralised file. Care must also be taken not to commit any security or data breaches or lose any important metadata upon retrieval and transfer to a central file.

In circumstances where integration is possible, either by using an Application Programming Interface or third-party tools to aggregate logs, such methods can be complex and costly.

In short, as technology continues to advance at an unprecedented pace, COLPs¹ and COFAs² are advised to carefully consider the impact on audit trails when developing internal policies regarding the integration of external platforms for client communications.

If you have any questions relating to the information discussed in this article or wish to understand how these apply to your business practices, please contact Joe Bryant.


¹ Compliance Officer for Legal Practice

² Compliance Officer for Finance and Administration
