Trust Accounting Compliance for Property Management: An Audit-Ready Workflow

Trust accounting violations cost more brokers their license than any other operational failure, and 80% of the violations the state finds are workflow problems, not theft. The fix is procedural.

Updated for 2026, The audit-ready workflow still passes commission examinations, but every PM platform now ships agentic AP and reconciliation features that touch the trust account. Read this alongside our newer AI trust accounting controls for property management before you let any agent move money or post a reconciliation entry. The violation isn't theft. It's the missing reconciliation from March. Every property management broker we have ever sat with assumed, going in, that the state real-estate commission audit was about catching theft. The auditor was coming to find the missing money. The defense was the bank statement and a clean conscience. That is not the audit. We have read enough state audit reports, across residential PM firms managing 200 to 4,000 doors, in states whose commissions enforce trust accounting actively and in states that enforce it episodically, to say it plainly: roughly four of every five violations the state cites are not theft. They are workflow failures. A deposit that hit the operating account before it was swept to trust. A security deposit that was commingled for nine days during a software migration. A three-way reconciliation performed monthly that cannot be reproduced for the specific date the auditor named. An owner statement that went out on the 12th instead of the 10th and nobody saved the email confirmation. None of those is theft. Several of them are license-threatening anyway. The state commission's posture, in most jurisdictions we have advised in, is that the broker is strictly responsible for the trust account whether the violation was intentional or not. A bookkeeper's data-entry error, a property manager's misclassification, a software upgrade that briefly held funds in an unintended ledger, each is the broker's violation, and each shows up in the same disciplinary docket as the broker who actually stole. What that means operationally is that "we have a clean conscience and a balanced bank statement" is the wrong defense. The defense the audit actually rewards is evidence: a daily, weekly, and monthly cadence of reconciliations, exception reviews, and signed-off variances that reproduces, on demand, the state of the trust account on any historical date. Brokers who can produce that evidence pass audits with technical findings. Brokers who cannot fail audits with the same balance sheet, because the regulator does not score the balance, the regulator scores the proof. This guide walks what a violation actually costs, the twelve requirements cited most across active US commissions, the three-way tie-out as the regulator actually examines it, the cadence that makes findings hard to manufacture, what your software does and does not do, and the fixed-scope diagnostic Securem runs on PM firms before the commission visits unannounced. The audience is the broker/owner of a residential PM firm and the controller running trust accounts at scale. US-only; specific state requirements vary, and the partners verify state-by-state divergence on every engagement. What a trust accounting violation actually costs The cost most brokers attach to a trust accounting violation is the financial penalty in the order. That number, typically a few thousand dollars per finding in the states we have advised in, sometimes higher, is the smallest of the four costs a violation actually generates. The under-reported costs are where the firm gets hurt. Cost one: license risk. Trust accounting violations are the single largest category of broker license discipline in residential PM. Most violations resolve as fines plus a remediation order. A meaningful minority, particularly where commingling is repeat, escheatment was missed, or the firm cannot produce reconciliation evidence, escalate to suspension, probationary status, or revocation. The broker carries the discipline indefinitely; in most states the public lookup tool exposes the order text. A firm acquiring a portfolio twelve years later still has to disclose the history during diligence. We have seen acquisitions repriced over a single 2018 finding. Cost two: financial penalties beyond the fine. The fine is the visible number. The remediation the order requires is the second-order cost. Many state orders require an independent CPA to conduct a defined-scope review, extended record retention, quarterly remediation reports, and reimbursement for the commission's follow-up time. The all-in cost of a single material finding, fine plus CPA work plus internal staff hours plus legal, runs in the tens of thousands routinely, six figures occasionally. The fine is the smallest line on that invoice. Cost three: reputational harm and owner attrition. In most active commission jurisdictions the disciplinary order is public and discoverable. An owner who learns mid-renewal that their broker is under a remediation order will, in our experience, leave. A 600-door firm that loses 8% of owners over a year following a finding is not making up the lost management fees with the new fee schedule. A competitor's leasing agent will reference the public order in pitches indefinitely. Cost four: the under-reported "delayed renewal" effect. This is the cost most firms do not see coming. A broker license under remediation, a designated broker with a pending finding, an audit with an uncertain resolution date, each creates a window where the firm cannot cleanly close on a portfolio acquisition, cannot easily add a state of operations, cannot expand E&O coverage at favorable terms, and cannot pursue institutional management contracts that require a clean disciplinary disclosure. The firm is operationally functional but strategically frozen, often twelve to eighteen months. The cost of that window is the deals that did not happen, and those are not on any invoice. Three sanitized examples give texture. A 1,400-door firm in a Western state passed a routine audit on the balance and failed on documentation: they reconciled monthly but could not reproduce a per-property balance for the date the auditor named. The order required eighteen months of remediation reporting and a CPA-led review. A 350-door firm in a Southeastern state held two security deposits in the operating account for sixteen days during a Yardi-to-AppFolio migration; the commission cited commingling, levied a fine, posted the order publicly, and owner attrition the next year ran 11%. A multi-state firm acquired a smaller portfolio whose seller had a 2019 finding for a late owner-statement cadence; the acquirer's E&O carrier required additional underwriting and a six-month look-back, delaying close by ninety days and costing the seller a price concession. None had stolen anything. All had workflow gaps. All paid four-figure fines and five- to six-figure all-in costs. The twelve most-violated requirements across the top US PM states The state real-estate commissions do not coordinate. Each state's trust accounting rule is its own statute and regulation, with its own enforcement priorities and its own examiners. Twelve requirements, however, recur across the active commission states with enough consistency that any PM firm operating in multiple states should treat them as the floor. The list below is illustrative across California, Texas, Florida, Georgia, Arizona, Colorado, North Carolina, Nevada, Washington, Oregon, New York, and New Jersey, not exhaustive, and the partners verify the specific citation, threshold, and timing per state on every engagement. 1. Deposit timing. Most active states require funds received on behalf of others (rents, security deposits, owner contributions) to be deposited to the trust account within a defined window, frequently the next banking day, sometimes within 24 hours, sometimes within 72. The clock starts when the funds are received, not when the bookkeeper enters them. Mailroom delays count against the broker. Electronic payments routed through a processor before settling to trust require a documented audit of the processor timing. 2. Segregation of trust funds from operating funds. Trust funds must be in a designated trust or escrow account, separately titled, reconciled, and reported. The account title must indicate fiduciary status. Examiners look at the signature card directly. A trust account with an operating-style title is a finding regardless of whether the funds inside were ever commingled. 3. Commingling prohibitions. Operating funds (broker fees, management fees once earned, advances) may not sit in the trust account beyond a defined window. Trust funds may not sit in the operating account at all. The most common workflow violation is fees that have been earned but not yet swept on the cadence the rule requires. 4. Three-way reconciliation cadence. Most active states require a reconciliation between the bank statement, the trust account ledger (book balance), and the sum of beneficial-owner subledgers on a defined cadence, most commonly monthly, with a written reconciliation retained and signed by the broker. The cadence rule is rarely the gap; the evidence rule is. A reconciliation that exists in the software but cannot be exported, signed, and retained is not the reconciliation the rule requires. 5. Per-property and per-owner subledger accuracy. Beyond the aggregate tie-out, examiners frequently sample specific properties or owners and ask the broker to reproduce the subledger for a named date. A negative subledger balance, a single property whose accounting shows it owing the trust account, is a finding even if the aggregate is positive, because it indicates one owner's funds were used for another's expenses. 6. Security deposit handling and escrow disclosure. Many states layer additional rules on security deposits: separate trust account in some, separate subledger in all, written disclosure to the tenant of where the deposit is held, interest handling per state law. Disposition timing post-move-out (often 14 to 30 days, state-specific) is enforced separately and aggressively. 7. Owner statement timing and content. Most states require periodic statements showing receipts, disbursements, and ending subledger balance. Cadence is typically monthly; content requirements vary. Late statements, statements missing required elements, or statements that cannot be reproduced for an audit period are common findings, and they are workflow findings, not financial ones. 8. Escheatment / unclaimed property. Funds held for an owner or tenant who cannot be located must be escheated under unclaimed-property statutes after a dormancy period (typically three to five years, state-specific). Brokers frequently miss escheatment because the funds are small and the workflow is annual. Both the commission and the state treasurer can cite the same gap. 9. Earnest money and pre-tenancy deposits. Earnest money received before lease execution is trust funds. Application fees vary by state; some are trust funds until the application is approved, some are not. The boundary is where firms most often misclassify, and a misclassification that puts trust funds in the operating account is a commingling finding by another name. 10. Disbursement authorization and segregation of duties. Examiners look at who can initiate, who can approve, and whether the same person can do both. A controller who can move funds without a second signature is a control deficiency even if no funds are missing. The auditor scores the control, not the outcome. 11. Record retention. State rules typically require trust accounting records to be retained for a defined period, five years is common, some states longer. Records that exist in the software but cannot be exported on commission demand do not satisfy retention. The rule is about producibility, not storage. 12. Designated broker oversight evidence. Almost every state's rule places the trust account under the personal responsibility of the designated/qualifying broker. Examiners ask for evidence the broker actually reviewed reconciliations, sign-offs, dated reviews, initialed exception logs. A reconciliation approved tacitly by silence is not the oversight the statute names. Twelve requirements, twelve places a workflow gap becomes a finding. None of them concerns whether the firm is solvent. Every one of them concerns whether the firm can produce, on demand, the evidence that it followed the rule. The three-way tie-out, defended against the regulator's actual question Most PM firms run a three-way reconciliation monthly. The reconciliation matches the bank statement to the book balance to the subledger total. If the three numbers agree, the broker signs, the controller files, and the firm moves on. That reconciliation passes the literal text of most state rules. It frequently does not pass the regulator's actual question. The regulator's actual question, in our reading of audit transcripts and findings letters, is rarely "did your three-way tie out at month-end." It is one of the following: "Reproduce the subledger for property 142 at the end of business on March 14." The auditor has named a specific property and a specific mid-month date. The aggregate month-end three-way does not answer this. The broker has to produce a per-property subledger valid as of an arbitrary date with deposits and disbursements categorized correctly. If the workflow generated the subledger only at month-end, the firm cannot answer the question and the answer-gap is itself the finding. "Show me every deposit categorized as a security deposit between January 1 and March 31, with the date of receipt, the date of deposit to trust, the property, the tenant, and the lease." The auditor is testing deposit timing on a specific category. Most software produces a filterable deposit register; most firms have not exercised it; most firms find on first run that the date-of-receipt field is unreliable because the workflow does not capture it. "Walk me through the $4,200 disbursement on February 8." The broker has to produce the disbursement authorization, the underlying invoice or owner instruction, the subledger entry showing funds were available before disbursement, and the reconciliation that included it. The aggregate three-way does not contain any of that. The disbursement file does, if it was assembled at the time. If it was assembled retrospectively, the retrospective assembly itself is an exception. "Produce the per-deposit-type aggregation for the trust account for the audit period." Some examiners want the account decomposed by deposit type, rents, security deposits, application fees, owner contributions, reserves, repair holdbacks. The chart of accounts has to support the cut. If categories were collapsed for software simplicity, the broker has to do a manual reconstruction that itself becomes an audit artifact. Each of those is a per-account, per-property, per-deposit-type, or per-transaction question. None is answered by a monthly aggregate. What good looks like is the firm whose reconciliation already includes the cuts the regulator asks for, per-property subledger retained at month-end, deposit register retained, disbursement files assembled at the time and retained, chart of accounts granular enough to produce per-deposit-type cuts on demand. The remediation is mostly procedural. The software typically supports the cuts; the workflow has not exercised them. The discipline is to add three or four standing reports to the month-end close, retain them in an audit folder organized by month, have the designated broker initial the folder rather than the aggregate reconciliation alone, and keep the folder for the state's retention period as a single artifact the broker can hand the auditor on day one. Firms that do this pass audits inside a week. Firms that do not spend three months reconstructing what the software could have produced in an afternoon. Daily, weekly, monthly: the cadence that survives a surprise audit A workflow that survives a surprise audit is built on a cadence, not a software feature. The cadence below assumes a firm with a designated broker, a controller, and property managers; smaller firms collapse the controller and broker into one person, which is workable if the dual-control points are preserved another way. Daily (controller). Reconcile the trust account bank balance to the prior-day book balance. Categorize and post every receipt before close of business; each receipt populates date of receipt, date of deposit, property, payer, type, and amount or it does not post. Review the exception report for uncategorized items, negative subledgers, duplicates, or deposits to the wrong account. Flag and resolve. The daily exception log is initialed by the controller and retained. Daily (property manager). Initiate any disbursement request through the standing workflow, never by email or Slack. Each request includes the property, owner authorization (if required), invoice or basis, amount, and disbursement type. Property managers do not approve their own disbursements. Weekly (controller and broker). Sweep earned management fees on the cadence the state's commingling rule requires; document basis, amount, date, signed by the broker. Review the week's exception log; broker initials the resolution column. Reconcile any subledger that has been negative at any point during the week, even if since resolved. Print the weekly disbursement register; broker initials. Monthly (controller). Run the three-way reconciliation. Resolve every variance to zero or to a documented timing item with an aging. Generate the standing reports: per-property subledger at month-end, deposit register filterable by type, disbursement register with authorization documents linked, owner statements meeting state content requirements, security deposit subledger if separately maintained. Assemble into the audit folder. Monthly (designated broker). Review and sign the three-way reconciliation. Review and initial the audit folder. Sign the owner statements (or sign the report attesting they were sent). Review and initial the exception log. The broker's signature on each artifact is the evidence the statute names; without it the workflow does not satisfy designated-broker oversight. Annually (designated broker). Confirm escheatment dormancy review and file any required unclaimed-property reports. Confirm retention is intact by pulling a random month from three years ago and verifying every artifact is producible. Confirm the trust account signature card, titling, and beneficiary indicators still match the rule. Renew the broker's bond or E&O coverage with trust account scope confirmed. This cadence is recognizable as good controller hygiene in any business with fiduciary funds. What separates the PM firms that pass audits from the firms that fail is whether the cadence is performed and evidenced, not whether it is conceptually understood. Most firms understand it. Roughly half perform it monthly; roughly a quarter evidence it weekly; almost none evidence it daily. The audit-resilient firm closes the daily and weekly loops, because that makes variance impossible to compound, the controller catches the misclassification on day one, not on day forty-five. What software does, what it doesn't PM software is not the trust accounting compliance program. The PM software vendors, Yardi, AppFolio, Buildium, Propertyware, and the smaller players, all support trust accounting at a feature level. None of them, on their own, will pass an audit for the firm. The distinction the broker has to internalize is between configuration and workflow. What the software does well, when configured. All four major platforms support a designated trust account separate from operating, per-property subledgers, standard receipts and disbursements types, three-way reconciliation reports, and exportable owner statements. AppFolio's trust accounting module is generally the most opinionated out of the box; Yardi Voyager is the most flexible and the most configuration-dependent; Buildium and Propertyware sit in between. All four can produce the standing reports the regulator asks for if the chart of accounts is set up correctly, deposit categories are mapped correctly, and the workflow uses the categories consistently. What the software does not do. It does not enforce deposit-timing, it records the date entered, not the date received. It does not enforce segregation of duties, it can be configured to require approvals but is regularly bypassed by over-permissioned admin roles. It does not produce the audit folder, it produces reports; somebody on the firm side has to assemble, retain, and have the broker sign. It does not perform escheatment, it can identify dormant balances, but the broker has to file with the state. It does not interpret state rule changes, it ships with vendor-recommended defaults, not a legal opinion. The configuration vs. workflow line. Configuration is one-time work to set up the chart of accounts, deposit categories, report templates, user roles, and approval workflows. Most firms we audit have configuration gaps, categories collapsed for simplicity, approvals turned off for velocity, retention set to the vendor default rather than the state requirement. Workflow is the daily/weekly/monthly cadence above, performed by humans and evidenced. Configuration without workflow produces software that could pass an audit but does not. Workflow without configuration produces a firm performing the cadence on incomplete data. Both have to be right. The questions to ask the software vendor are: which state's defaults does the platform ship with; what is the audit log retention default and how do we extend it; can the chart of accounts be locked against unaudited edits; what standing reports support the cuts the regulator asks for; what approval workflow do we need to enable. Vendors will answer. Most firms have not asked since onboarding. Where the Diagnostic fits Securem runs a fixed-scope diagnostic on PM firms who want to know where they stand on trust accounting before the state commission visits unannounced. The Trust Accounting Compliance Diagnostic is a written, audit-grade assessment across the twelve requirements above, with a per-state overlay for every state the firm operates in, and a remediation plan ranked by audit-finding likelihood and cost-to-fix. It is not a CPA review (we are not your CPA), not an attestation (we do not opine on financials), and not a vCISO retainer (the partners run vCISO only as a productized retainer, separately scoped). It is a defined-scope written assessment the broker hands to the board, the auditor when they arrive, the firm's general counsel, or the next acquirer. The Diagnostic runs two to three weeks at a fixed fee disclosed before engagement. A five-day inventory captures every trust account, every state of operation, every PM software instance, the current chart of accounts, the reconciliation cadence, the owner-statement workflow, and the firm's last commission audit if any. A five-day control walkthrough samples three months of reconciliations, twenty disbursements, ten owner statements, and walks three randomly-named properties from receipt to subledger to statement. A five- to ten-day write-up produces a state-by-state findings register, a workflow gap register, a software configuration gap register, and a prioritized remediation plan with effort estimate, owner, and timeline. The output is a 30- to 60-page written report the broker keeps. Remediation can be performed by the firm's internal team, the firm's CPA, the software vendor, or Securem on a separately-scoped engagement; the Diagnostic does not lock the broker into any of those. What the Diagnostic does, that internal review usually does not, is ask the questions the regulator asks rather than the questions the controller is comfortable answering. For firms not ready to engage, the same methodology can be run internally, the State Real-Estate Trust Accounting Audit Prep Checklist paired with this guide is the working version of that exercise. What to fix before the next audit cycle Three actions any PM broker can take this quarter, regardless of whether they engage Securem: 1. Run the surprise-audit dry run on the highest-risk state. Pick the state with the most doors and the most active commission. Pretend the auditor is arriving Monday. Pull the audit folder for the most recent three months; if there is no audit folder, that's the first finding. Walk the twelve requirements against the firm's posture; flag every one where the evidence is incomplete. Most firms find at least three gaps on the first pass. 2. Add the four standing reports to the month-end close. Per-property subledger at month-end, deposit register filterable by type, disbursement register with authorization documents linked, owner statement archive with proof of delivery. Retain in a single audit folder per month, organized so any month is producible in under thirty minutes. Have the designated broker initial the folder. This single change moves most firms from "we reconcile monthly" to "we can answer the regulator's actual question." 3. Verify the per-state divergence with counsel. The twelve requirements above are illustrative. The specific deposit-timing window, commingling tolerance, retention period, escheatment dormancy, and owner-statement cadence in each state is a question for the firm's general counsel and the commission's published rule. Confirm in writing for each state. Most firms operate on what the software vendor's defaults imply; the rule is what the rule says. Three actions, ninety days, no engagement required. If the dry run surfaces gaps the firm cannot close internally, or if multi-state divergence is large enough that getting it wrong is expensive, that is where the Diagnostic comes in. The State Real-Estate Trust Accounting Audit Prep Checklist paired with this guide is the working version of step one. It walks the twelve requirements with check-cells for evidence type, retention status, designated-broker sign-off, and per-state overlay. Use it on the highest-risk state first, then on every state on a rolling annual cadence, and the partners will keep doing the same on our side.