Who Has Access to Your QuickBooks?

"Is there a limit to how many accountants I can have in QuickBooks?"

A client asked me this during an onboarding call. Then he pulled up his settings and found two accountants he didn't recognize.

One was labeled "CPA" and one was called "Easy Accounting." He had no idea who Easy Accounting was. Neither did his business partner.

Unknown people with accountant-level access to their financial data.

What Accountant Access Actually Means

In QuickBooks, accountant access isn't just view-only. Depending on the permissions, an accountant can:

• See all transactions and reports
• Make journal entries
• Export your data
• Issue payments
• Access connected bank accounts
• Essentially control your books

This is powerful access. If you hired a bookkeeper three years ago, fired them, and forgot to revoke access—they might still have a window into everything you do financially.

Same goes for accountants who helped you set up originally. Or software integrations that requested accountant access. Or people you don't remember giving access to at all.

When's the last time you actually checked?

The Risks Are Real

This isn't theoretical. Security researchers have documented attacks specifically targeting QuickBooks credentials and accountant access.

According to security firm ThreatLocker, QuickBooks data files have vulnerabilities that can leave access "wide open" when certain repair tools are used. And the FBI has warned about phishing scams that specifically target QuickBooks users by impersonating Intuit support.

But the bigger risk for most small businesses isn't sophisticated hacking—it's simple negligence.

Former employees who still have access. Old contractors whose permissions were never revoked. Past accountants who moved on but stayed connected.

If someone with bad intentions has access to your QuickBooks, they could alter financial records, initiate fraudulent transactions, or manipulate data in ways you might not notice for months.

And even if they're not malicious, they could accidentally make changes or access information they shouldn't.

The Five-Minute Audit

Here's how to check your QuickBooks access in five minutes:

In QuickBooks Online, go to Settings (gear icon) > Manage Users.

You'll see three categories:

• Users – People who can log in directly
• Accountant – People with accountant access
• Accounting firms – Firm-level access

Go through each one. For every person listed, ask yourself:

1. Do I know who this is?
2. Do they still need access?
3. Is their access level appropriate?

If the answer to any of these is "no," remove them. You can always add them back later if needed.

For the client I mentioned at the start, we removed "Easy Accounting" on the spot. They still don't know how that access got added—possibly an old software trial they forgot about, or someone they worked with briefly before the current team.

It doesn't matter how it got there. What matters is it's gone now.

Principle of Least Access

Here's a concept from security that applies perfectly: give people the minimum access they need to do their job, and no more.

Your CPA doesn't need admin access to run reports and prepare taxes. Give them accountant access with appropriate permissions.

Your bookkeeper might need more access than your CPA—but probably not the ability to write checks or transfer funds.

Your office manager might need to enter expenses and view reports but not export your entire customer database.

QuickBooks lets you customize permissions for each user. In QuickBooks Enterprise, you can set up to 115 different permission levels. Even in the standard versions, you can restrict what each person sees and does.

Take the time to configure this properly. It's a one-time setup that protects you ongoing.

Multi-Factor Authentication

While you're in the security settings, turn on multi-factor authentication (MFA) if you haven't already.

MFA means that even if someone has your password, they can't get in without a second verification—usually a code sent to your phone.

This protects against password theft, phishing attacks, and shared credentials. It's one of the simplest security measures you can take, and QuickBooks supports it.

In QuickBooks Online, go to Account > Security > Sign-in security to enable it.

Audit Log Review

QuickBooks keeps an audit log of all user activity. You can see who logged in, what they changed, and when.

If you've never looked at your audit log, now's a good time.

Go to Settings > Audit log (in QuickBooks Online) and scan through recent activity. Look for anything unusual—changes you didn't make, logins at strange times, exports you don't remember.

This isn't something you need to monitor daily, but checking quarterly is smart hygiene.

The Conversation to Have

If you work with an external accountant or bookkeeper, have a direct conversation about access:

"I'm reviewing who has access to our QuickBooks. Can you confirm exactly what access you have and what you need?"

A good accountant will appreciate this. They deal with security too, and they understand the importance of clean access management.

While you're at it, ask how they protect their own systems. If they get compromised, your data could be exposed through them.

Start Today

Go check your QuickBooks access right now. It takes five minutes.

You might find it's totally clean. Great.

You might find a former employee who still has access. Remove them.

You might find a mystery "accountant" you don't recognize. Definitely remove them.

The goal is simple: only people who need access should have it, and they should have only the access they need.

Your financial data is the core of your business. Treat access to it accordingly.