Copied 06-16-08

 

Improving QuickBooks Internal Control with Passwords

 

Author: Bonnie Nagayama  Created: Thu Jun 12 14:15:52 2008

          As QuickBooks has become more widely used as a bookkeeping tool by small business owners, the concerns and issues raised by accounting professionals deserve some attention. Based on the experience of this author, the most common concern relates to the audit trail: the ability to change entries after they have been recorded. This issue is compounded for the accountant because there are no formal month-end (or year-end) closing procedures that must be followed. This is a double-edged sword because it means that the data can be quickly and easily corrected when mistakes happen, but it can also be easily changed after the books have been reconciled, financial statements issued, and/or the tax returns have been filed.  The password protection feature and related closing date password help to reduce the likelihood of such problems when used consistently.  In addition, QuickBooks Premier and QuickBooks Enterprise Solutions products have several reports to assist in finding such changes.

General Password Discussion

          QuickBooks has a single level password.  This means that as long as the user has the right login name and password, they are in.  For this reason additional security as provided by the Windows operating environment should also be required for all users to access the software and data files.  While Windows security is beyond the scope of this discussion, it is an area that should be addressed as part of the internal control environment for the accounting data.

          Version 6.0 first enhanced the password feature by permitting each person to be set up individually. The designation of the specific areas of the software that the user is allowed to work in, as well as limiting the activities a user can perform, offers improved flexibility by releasing certain functions to permit effective and efficient use of the program.  The password feature within QuickBooks continues to serve several functions:

Ease of Use Versus Internal Control

          As with any internal control procedures, it is important to manage ease of use versus protecting the integrity of the data.  If the process is too cumbersome or difficult, people will find ways around the system to get the work done.  If there are not enough controls in place, it is impossible to manage the process and have accountability.  While Intuit has a tendency to err on the side of ease of use, it is still important for the client and their consultants to implement a system that includes both administrative and accounting control.  One without the other cannot be successful.

          The password protection feature in the Pro and Premier products is extremely limited, with 9 functional areas of the program that can be turned on and off.  QuickBooks Enterprise Solutions, in contrast, has two parts to setting up password access:

  1. Establish a role – this can be a general role (such as AR Clerk) or it can be a specific role for a specific user.  There are 115+ different options that can be turned on and off.  This includes specific features, such as the ability to create invoices but not credit memos, access to only specific bank accounts, and view only roles to name a few.
  2. Set Up the user – the user name and password is set up and roles added to the user.

Who Should Have Access?

          The time and thought invested in who should have access to what areas of the program, including the ability to edit and delete transactions, cannot be overemphasized.  The best way to improve internal controls is to only provide access to users on an as-needed basis.

Tip: The Admin password in QuickBooks provides access to various aspects of the program including Company Preferences, creating an Accountant’s Copy, etc.  For this reason it is important that the client have the Admin access, but that the password is kept confidential.  In addition, it should be strongly suggested that no one uses the Admin password for day-to-day transactional data entry.  It should only be used for setting up new users and performing tasks that require the Admin password.

Trick: If a user should no longer have access to the data file, the proper procedure is to edit the name and/or password.  DO NOT delete the user.  If the user is deleted, the audit trail will be blank in the user column so the historical information is compromised.  DO NOT change the user name and password to that of the new person.  Again, the historical transactions will be updated to reflect the change and if there is ever a need to know who specifically has touched the transactions, the report will no longer be as useful.  If fraud is discovered, an accurate audit trail report may be the most complete if not the only proof that is available of what has transpired.

Integrated Applications and Internal Control

          When thinking about “users” do not forget about integrated third-party applications. There are more than 500 software programs and services that work with QuickBooks to provide a wide variety of solutions available at www.marketplace.intuit.com.  Some of the issues that they address include: inventory, document management, time and billing, customer relationship management, and much more.  In addition there are industry-specific solutions for property management, child care providers, retail establishments, and much more.  As third-party developers continue to “build out” the functionality of QuickBooks, there continues to be more data exchanged electronically.  While this is a great benefit for the business that is using QuickBooks, it also introduces another level of complexity from an internal control perspective.

          Each integrated application that will have access to the QuickBooks data file should be set up with a unique user name and password.  This is important for two reasons:

  1. To control unauthorized access to QuickBooks data by users who would not have access to the information through QuickBooks alone.
  2. And more importantly, so the audit trail will specifically designate those transactions that have been entered by the integrated application. 

          Control over integrated application access to QuickBooks begins with the Company Preference.  To access or edit this information requires that the Admin user be logged into the data file in single-user mode.  To protect the data if no integrated applications will be used, it is possible to disable this option.  Keep in mind, however, that there are some Intuit-provided integrated applications that will no longer be available if the preference does not allow any applications to access the file.  Two examples are QuickBooks Financial Statement Designer and QuickBooks Fixed Asset Manager.

QBRA-2008: Edit > Preferences > Integrated Applications > Company Preferences


Integrated Application Preferences

        The user is designated the first time the integrated application attempts to access the data.  Below is an example for SourceLink, a document management solution that permits attaching an electronic supporting document to a specific transaction in QuickBooks. Note that there is control over the access that this application can have to QuickBooks including no access at all.  If yes, the application does have permission to access this specific data file, it is possible to designate the user to be used.  While it may be tempting to choose the Admin user, creating a new user with the appropriate access specifically designated for use by this application is preferred.
Certificate Information

Password Warning

          For QuickBooks Pro and Premier products as well as the QuickBooks Enterprise Solutions products, there is an internal control weakness that you should be aware of.  If a user is set up with access to a specific area of QuickBooks but does not have permission to edit or delete transactions, they will still be able to do so in the same session, just not in subsequent sessions.  For example, if a user enters an invoice which is saved as it is printed, then it is discovered that there was a typographical error in the description on the invoice, as long as the user has not logged out of QuickBooks yet (i.e. it is the same session) the invoice can be changed for the correction.  If, however, the user had logged out of QuickBooks after saving and printing the invoice, when they log back in they will no longer be able to edit or delete that transaction.

Tip: For this reason, regular review of the reports that are available within QuickBooks, such as the Voided/Deleted Transactions report and the Audit Trail report, is critical to good internal control procedures.
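
The review described in the Tip above can be partly automated once the Audit Trail report has been exported. The Python below is an added example, not part of the original article or of QuickBooks: it reads a constructed CSV whose column names, user names and finding labels are assumptions, and flags entries with a blank user, entries made as Admin, changes to closed-period transactions, and changes or deletions by users who were set up without edit/delete permission.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime

# Constructed sample of an exported audit trail. The column names and user
# names are assumptions for this example, not QuickBooks' own export layout.
SAMPLE_CSV = """txn_id,txn_type,txn_date,state,modified_at,modified_by
1001,Invoice,2008-03-14,Latest,2008-03-14 09:12,mary
1001,Invoice,2008-03-14,Prior,2008-03-14 09:05,mary
1002,Check,2008-02-27,Latest,2008-05-02 16:40,bob
1002,Check,2008-02-27,Prior,2008-02-27 11:20,bob
1003,Bill,2008-04-03,Latest,2008-04-03 10:00,
1004,Deposit,2008-04-10,Latest,2008-04-10 08:30,Admin
1005,Invoice,2008-04-11,Deleted,2008-04-11 14:02,mary
1006,Bill,2008-04-15,Latest,2008-04-15 13:00,sourcelink_app
"""


def review_audit_trail(csv_text, closing_date, no_edit_users, admin_name="Admin"):
    """Return (txn_id, finding) pairs for entries a reviewer should look at."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    versions = Counter(r["txn_id"] for r in rows)  # more than 1 = entry was changed
    findings = []
    for r in rows:
        user = r["modified_by"].strip()
        txn_date = date.fromisoformat(r["txn_date"])
        modified = datetime.strptime(r["modified_at"], "%Y-%m-%d %H:%M").date()
        if not user:
            # Blank user column: the user was deleted rather than edited.
            findings.append((r["txn_id"], "BLANK_USER"))
        elif user == admin_name:
            # Admin should not be used for day-to-day data entry.
            findings.append((r["txn_id"], "ADMIN_ENTRY"))
        if txn_date <= closing_date < modified:
            # A transaction in the closed period was touched after the close.
            findings.append((r["txn_id"], "CLOSED_PERIOD_CHANGE"))
        changed = r["state"] == "Deleted" or (
            r["state"] == "Latest" and versions[r["txn_id"]] > 1)
        if changed and user in no_edit_users:
            # Same-session weakness: a user without edit/delete permission
            # still changed or deleted a transaction.
            findings.append((r["txn_id"], "EDIT_WITHOUT_PERMISSION"))
    return findings


if __name__ == "__main__":
    # Assumed closing date and assumed list of users without edit/delete rights.
    for txn_id, finding in review_audit_trail(SAMPLE_CSV, date(2008, 3, 31), {"mary"}):
        print(txn_id, finding)
```

The entry made by the integrated application's own user (sourcelink_app in the constructed data) is attributable and produces no finding, which is the reason for giving each application a unique user.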

Pro and Premier Password Set Up

          The process for Pro and Premier has not changed since prior to version 2002.  The first time that the Set Up Users option is chosen, a password for the Admin user will be requested.  Subsequently, the screen to manage the user access will appear.  From here it is possible to Add, Edit, Delete, or View Users.

QBRA-2008: Company > Setup Users & Passwords > Set Up Users
User List

          The process for creating a new user is to “Add User. . .” and enter the name and password that will be used for accessing this specific QuickBooks data file.  Access by functional area is then allowed or prohibited. 

          QBRA-2008: Company > Setup Users & Passwords > Set Up Users > Add User > User Name > Password > Confirm Password

Set up User Password and Access window

Note: The check box to add this user to my QuickBooks license deals with whether additional licenses for QuickBooks will be required to allow this user access from a different computer into the same data file.

          Each user will need to be set up individually.  If there are multiple QuickBooks data files the passwords will need to be set up for each one.  The specific areas that are available for no access, full access, or selective access (i.e. create transactions, create and print transactions, or create transactions and generate reports) are as follows:

With this enhancement, real time user tracking is available, and the audit report has been modified to include the user responsible for entering/modifying specific transactions.
To make the process easier, a checklist is available to aid in setting up new users.

Password Set Up Checklist

| User Name:      |        | Password:     |                  | Selected/Full              |
| Features        | None   | Full          | Selective/Create | Selective/Create & Reports |
| Sales/A/R       |        | View CC (Y/N) | View CC (Y/N)    | View CC (Y/N)              |
| Purchases/A/P   |        |               |                  |                            |
| Checking/CCd    |        |               |                  |                            |
| Inventory       |        |               |                  |                            |
| Time Tracking   |        |               |                  |                            |
| Payroll         |        |               |                  |                            |
| Acc’tg Activity |        |               |                  |                            |
| Financial Rept  |        |               |                  |                            |
| Change/Delete   | Areas: | Yes/No        | Closed Periods:  | Yes/No                     |

QBRA-2008: Company > Setup Users & Passwords > Set Up Users > Add User > User Name > Password > Confirm Password  > Selected Areas of QuickBooks > Next
Set up User Password and Access Sales and Accounts Receivable window

New for 2008: A PCI-compliant feature was added with the QuickBooks 2008 products.  As each user is set up, there is a check box on the Sales and Accounts Receivable screen to “View complete customer credit card numbers.”  When this box is checked, the user will be required to have a “complex” password (at least 7 characters, containing at least one capital letter and at least one number) and the user will be prompted to change the password every 90 days.

Trick: Even if the customer credit card information is not stored in QuickBooks, for internal control purposes, checking this box will require users to use better passwords and change them regularly.

          Once the users have been set up, the chart at the end of the set up provides an opportunity to double check that each user has been set up properly.

          QBRA-2008: Company > Setup Users & Passwords > Set Up Users > Add User > User Name > Password > Confirm Password  > Selected Areas of QuickBooks > Continue through each screen to designate the appropriate level of access until you reach page 10 of 10
 Set up User Password and Access window

QuickBooks Enterprise Solutions Role List

New with QuickBooks Enterprise Solutions version 5 was a complete overhaul of the password protection feature.  Prior to creating a user, at least one role is required.  The password role controls more than 115 areas of access.  There are several roles that are automatically created.  In addition, it is possible to create new roles, edit existing roles, duplicate a role, or delete a role. 

          The two boxes at the bottom of the role list display the description, which typically includes the type of user who will use the role and the activities to which this role permits access, as well as any users assigned to the role.

QBEA-5: Company > Users > Set Up Users & Roles > Role List
Users and Roles window

QBEA-8: Company > Users > Set Up Users & Roles > Role List > Banking > Edit
Edit Role

For most of the areas of activity there are several choices:

          There are two significant differences between the password level access for the Pro and Premier products as compared to the QuickBooks Enterprise Solutions products.

  1. The view only option has been requested for a long time to permit a user to “look but not touch” the accounting records.  It is now available in the QuickBooks Enterprise Solutions products only.  There is not a “view only” option for the Pro and Premier products.
  2. The ability to access only specific bank accounts.  This permits banking functionality while controlling access to accounts such as payroll or savings accounts.

New for 2008: Related to passwords, and to internal control especially, a PCI-compliant feature was added with the QuickBooks Enterprise Solutions 8 products.  There are two related role access points: use credit card numbers and view credit card numbers.  With either, the two choices are none or full. When full is chosen, the user will be required to have a “complex” password (at least 7 characters, containing at least one capital letter and at least one number) and the user will be prompted to change the password every 90 days.

Trick: Even if the customer credit card information is not stored in QuickBooks, for internal control purposes, checking this box will require users to use better passwords and change them regularly.

          It is often helpful to discuss what access a user should have prior to setting up the role on the computer.  The Password Protection Set Up Checklist can be helpful to organize the decision making process.

QuickBooks Enterprise Solutions Users List

          Once the roles list has been set up, the next step with QuickBooks Enterprise Solutions is to set up the user.

QBEA-5: Company > Set Up Users And Roles > User List
Users and Roles window

          As with previous versions of QuickBooks, the default user is called Admin.  This name should be left as such, with a password known only to those individuals who have access to changing company preferences and setting up users and roles.

          From the User List tab, it is possible to set up new users, edit existing users, duplicate or delete users.  The box at the bottom of the screen details which roles have been assigned to that user.

QBEA-5: Company > Set Up Users And Roles > User List > New
New User window

          The user name and password (and password confirmation) are set up, and roles that have been created can be added to the user.  Once the user has been entered, click on OK.  To view the permissions, click on the appropriate button at the bottom of the user list screen.

          Another enhancement to this feature is the ability to print the permissions from the view screen.

          QBEA-5: Company > Set Up Users And Roles > User List > Click on user > View Permissions
Access by Users and Roles

Enter Closing Date

          The closing date will help to protect the data from any changes.  As passwords are created for each user, only the Admin password should have the ability to change or delete transactions in a closed period.  Version 2002 and higher add the ability to make the password for changing the closed period different from the Admin password, adding one more level of protection for the historical transactions.

QBRA-2008: Edit > Preferences > Accounting > Company Preferences > Set Password
Set Closing Date and Password

Tip: In prior versions, all Company Preferences could only be changed by the Admin password, except one: the Closing Date.  This could be changed by anyone with “sensitive accounting activities” access.  This was a significant breach of internal control, especially since most QuickBooks users and consultants were not even aware of the problem.  With version 2006, this preference has been updated so only a user logged in as Admin will be able to make a change to this date.

Summary

          By using the password features in QuickBooks there are many ways to help improve the accounting controls.  Taking the time to develop familiarity with what is available, and implementing effective password access can definitely help improve the internal control environment of the business.