Safeguard Your Intuit Access, A Practical SOP

Sep 19, 2025
schoolofbookkeeping.com

Protecting Intuit access is non-negotiable. This practical, field-tested workflow separates identities, limits permissions, and shrinks the blast radius if any single inbox is compromised. It works for solo practitioners and scales cleanly to multi-staff firms. Many thanks to Rachel Barnett at Gentle Frog for socializing this workflow. We're saddened that you had to go through this, but so grateful that you shared this process. Check out our Intuit Login Guide for more information.


Why this works

  • Separate identities: Separate addresses for recovery, daily work, and proposal intake mean that no single compromised inbox exposes everything.
  • Least privilege: Proposal intake uses a minimal-rights user, so a compromise of the intake inbox yields almost no access and, because the user is removed after intake, no lasting access.
  • Fast revocation: Accept the invite, assess scope, then remove the proposal user immediately.
  • Recoverability: A never-used backup admin gives you a lifeline if primary access is lost.
  • Alias or new email: This process requires additional email addresses. The exact steps depend on your provider, but both Google Workspace and Outlook let you create an alias for an existing mailbox. Keep in mind that an alias delivers to the same mailbox: it hides which address is your Intuit login, but it does not isolate the recovery path. For the backup admin, a separate mailbox with its own password and MFA is stronger than an alias.

Implementation for solo practitioners

  1. Create a never-used backup admin
    • Email: backup@<your-domain> (placeholder; use any address that is never used for anything else)
    • In QBOA, add it as a Firm admin. Store the credentials in a password manager. Never use it for daily work.
  2. Set your operational primary to an alias that differs from your real email address
    • Email: nottelling@<your-domain> (placeholder domain)
    • Make this your QBOA owner or daily admin, and use it only for client work. Rather than creating a second account, change the email address on your existing QBOA user to this alias.
  3. Add a proposal-only user with minimal access
    • Email: quotes@<your-domain> (placeholder domain)
    • Create a custom, least-permission role used only to accept client invites: no billing, no app management.
  4. Intake flow for new clients
    • The client invites quotes@ to their QBO.
    • You accept using quotes@ and do only what is needed to scope the work.
    • Immediately log out of quotes@, log in as nottelling@, and remove quotes@ from that client's user list.
  5. Do the actual work
    • Perform all work as nottelling@. Keep quotes@ idle until the next intake.

Implementation for multi-staff firms

Add structure and controls so the same pattern scales across your team.

  1. Identities and roles
    • Recovery admins, 2 people only: Two execs or partners get backup admin identities, for example partner1-backup@ and partner2-backup@ (placeholders). Store them separately in a firm password vault with break-glass procedures.
    • Operational primaries: Each staff member has a named identity, for example jdoe@<your-domain> (placeholder), mapped to a standard QBOA role for their job function.
    • Proposal inbox pool: Create a shared mailbox, quotes@<your-domain>, plus one or more rotating aliases, quotes+1@, quotes+2@, if volume is high. Plus-addressed aliases deliver to the same mailbox; confirm that both your email provider and Intuit accept them as distinct addresses before relying on them.
  2. Role design in QBOA
    • Firm owner/admin: Limited to 2 to 3 trusted leaders.
    • Engagement leads: Custom role with client management, no firm billing or app admin.
    • Staff accountant/bookkeeper: Custom role with only the permissions needed per engagement.
    • Proposal-only: Custom, least-privilege role used only to accept client invites. No billing, no app permissions, no company admin.
  3. Standardized intake workflow
    • Marketing and sales direct all access invites to quotes@.
    • The assigned intake specialist signs in to quotes@, accepts the client invite, reviews scope, and documents findings.
    • Immediately afterwards, the specialist logs out of quotes@, signs in with their operational primary, and removes quotes@ from that client's user list.
    • The engagement lead then adds the actual staff users to the client file with the right role.
  4. Separation of duties and approvals
    • Only the intake team uses quotes@.
    • Only engagement leads can add or change client-level permissions.
    • Only firm admins can grant or change firm-level roles and app connections.
  5. Monitoring and logs
    • Weekly audit: Report of client user lists to confirm quotes@ is not attached anywhere.
    • Monthly permission review: Sample 10 percent of clients to verify least privilege and remove stale users.
    • Break-glass test: Quarterly sign-in verification for backup admins, then sign out.
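The weekly quotes@ check and the monthly 10 percent review above (and the solo practitioner's weekly check) are easy to skip when done by eye. The script below is an added example, not code from this page, Intuit or Gentle Frog. It assumes that Intuit exposes no public API for firm-level client user lists, so the input is a CSV you export or paste from the client access screens; the column names, addresses and client names are constructed placeholders. It normalises plus-addressed aliases so quotes+2@ is caught as part of the quotes@ pool, flags offboarded staff still attached to client files, and picks a stable 10 percent sample of clients per cycle so that every client is reviewed once every ten cycles.

```python
"""Weekly access audit over an exported QBOA client-user list.

Added example for the "Monitoring and logs" checks; not code from the page,
Intuit, or Gentle Frog. Assumption: there is no public API for firm user
lists, so the input is a CSV export. Columns and addresses are placeholders.
"""
import csv
import hashlib
import io

# Constructed sample export; the columns are assumed, not an Intuit format.
SAMPLE_EXPORT = """client,user_email,role
Acme Bakery,quotes@example.com,Proposal-only
Acme Bakery,nottelling@example.com,Primary admin
Bluebird Dental,quotes+2@example.com,Proposal-only
Bluebird Dental,jdoe@example.com,Standard
Cedar Landscaping,nottelling@example.com,Primary admin
Cedar Landscaping,former.staff@example.com,Standard
Delta Plumbing,jdoe@example.com,Standard
Echo Fitness,nottelling@example.com,Primary admin
"""

PROPOSAL_ALIASES = {"quotes@example.com"}   # intake-only identities (placeholder)
OFFBOARDED = {"former.staff@example.com"}   # staff who have left (placeholder)
REVIEW_BUCKETS = 10                         # 10 percent of clients per cycle


def canonical(email: str) -> str:
    """Lower-case and drop a +tag so quotes+2@ matches the quotes@ pool."""
    local, _, domain = email.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def parse_export(text: str) -> list:
    """Read the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_bucket(client: str) -> int:
    """Stable bucket per client: each client is sampled once every 10 cycles."""
    digest = hashlib.sha256(client.encode("utf-8")).hexdigest()
    return int(digest, 16) % REVIEW_BUCKETS


def audit(rows, cycle: int = 0, proposal=PROPOSAL_ALIASES, offboarded=OFFBOARDED) -> dict:
    """Return proposal identities and offboarded staff still attached to client
    files, plus the deterministic 10 percent sample due for manual review."""
    proposal_set = {canonical(a) for a in proposal}
    gone = {canonical(a) for a in offboarded}
    findings = {"proposal_attached": [], "offboarded_attached": [], "review_sample": []}
    for r in rows:
        who = canonical(r["user_email"])
        if who in proposal_set:
            findings["proposal_attached"].append((r["client"], r["user_email"]))
        if who in gone:
            findings["offboarded_attached"].append((r["client"], r["user_email"]))
    for client in sorted({r["client"] for r in rows}):
        if review_bucket(client) == cycle % REVIEW_BUCKETS:
            findings["review_sample"].append(client)
    return findings


if __name__ == "__main__":
    result = audit(parse_export(SAMPLE_EXPORT), cycle=3)
    for key, items in result.items():
        print(f"{key}: {items if items else 'none'}")
```

Run it against this week's export with `cycle` set to the week number; any entry under proposal_attached means an intake was accepted without the removal step, which is the pitfall the SOP is built to prevent. The sample is keyed on a hash of the client name rather than on a random draw so that two people running the report get the same list and no client is silently skipped.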

Hardening checklist for all firm sizes

  • Passwords: Unique, 20+ characters, stored in a password manager. Prohibit reuse.
  • MFA: Enforce MFA on every identity. Prefer passkeys or hardware keys, then authenticator apps; use SMS only as a last resort, since it is exposed to SIM swapping and real-time phishing.
  • Passkeys: A cryptographic credential stored on your device (or synced through your platform account) and unlocked with biometrics or a PIN. Because it is bound to the real intuit.com origin, a look-alike phishing page cannot capture it.
  • Authenticator apps: Generate time-based one-time codes on your phone, independent of the Intuit ecosystem. Stronger than SMS, but the six-digit code can still be phished, so never type it into a page reached from an email link.
  • Email security: Disable auto-forwarding unless required. Audit filters and rules monthly; attackers who gain mailbox access routinely add a rule that hides Intuit notifications. Publish SPF, DKIM, and DMARC for your domain. These stop others from sending mail as you (for example fake invoices to your clients); they do not protect your own inbox from compromise.
  • Device hygiene: Encrypted devices, current OS and browser patches, reputable endpoint protection, separate browser profiles for admin work.
  • Access boundaries: Restrict by country and known devices if possible. Alert on new device sign-ins.
  • Vendor app review: Quarterly review of connected apps in Intuit; remove anything not in use.
  • Phishing protocol: Never click "verify your Intuit account" links. Type intuit.com yourself or use a saved bookmark.
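Turning on SPF, DKIM and DMARC is only half the job; a record that exists but says `~all` or `p=none` provides reporting, not protection. The checker below is an added example, not code from this page or from Intuit. It works offline on record strings that you first fetch yourself (for example `dig TXT _dmarc.your-domain`, `dig TXT your-domain`, and `dig TXT <selector>._domainkey.your-domain`); the two sets of records and the DKIM key bodies are constructed placeholders, and the 300-character key-length cutoff is a heuristic based on RSA-2048 keys encoding to roughly 392 base64 characters.

```python
"""Offline sanity check of SPF, DKIM and DMARC record strings.

Added example for the "Email security" checklist item; not code from the
page or from Intuit. Records below are constructed; fetch your own TXT
records and pass them to assess_domain().
"""
import re

# Constructed records: a domain left at provider defaults, and a hardened one.
WEAK = {
    "spf": "v=spf1 include:_spf.google.com ~all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7",  # placeholder
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.google.com -all",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,  # placeholder stand-in for an RSA-2048 key
    "dmarc": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@hardened.example",
}

ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)
# Mechanisms and modifiers that each consume one of SPF's 10 permitted DNS lookups
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|exists:|redirect=)", re.I)


def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=reject' -> {'v': 'DMARC1', 'p': 'reject'} (DKIM uses the same shape)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    findings = []
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    qualifier = None
    for t in terms[1:]:
        m = ALL_TERM.match(t)
        if m:
            qualifier = m.group(1)
    if qualifier is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are treated as neutral")
    elif qualifier in ("", "+"):
        findings.append("SPF: '+all' authorises every sender on the internet")
    elif qualifier == "?":
        findings.append("SPF: '?all' is neutral; use -all")
    elif qualifier == "~":
        findings.append("SPF: '~all' softfail only marks spoofed mail; use -all")
    return findings


def assess_dkim(record: str) -> list:
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("DKIM: v tag present but is not DKIM1")
    if not tags.get("p"):
        findings.append("DKIM: empty or missing p= tag means no usable key; signatures will not verify")
    elif len(tags["p"]) < 300:  # heuristic: RSA-2048 encodes to ~392 base64 chars, RSA-1024 to ~216
        findings.append("DKIM: public key looks shorter than 2048 bits; rotate to a 2048-bit key")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y testing mode tells receivers to ignore failures")
    return findings


def assess_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only reports; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append(f"DMARC: unrecognised or missing policy {policy!r}")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    if tags.get("adkim", "r") != "s" or tags.get("aspf", "r") != "s":
        findings.append("DMARC: relaxed alignment (adkim/aspf=r); consider strict (s) once mail flows cleanly")
    return findings


def assess_domain(records: dict) -> list:
    """Combine all three checks; an empty list means nothing to fix."""
    return (assess_spf(records.get("spf", ""))
            + assess_dkim(records.get("dkim", ""))
            + assess_dmarc(records.get("dmarc", "")))


if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", assess_domain(recs) or "ok")
```

The lookup count is static (it does not follow `include:` chains), so a clean result here does not rule out exceeding the limit through a provider's own includes; a full resolver-based check is needed for that. Move from `p=none` to `p=quarantine` to `p=reject` only after the aggregate reports show that every legitimate sender, including your invoicing and marketing tools, passes alignment.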

SOP templates

Solo SOP
  • Step 1: Sign in to quotes@, accept invite, capture scope notes.
  • Step 2: Sign out, sign in as nottelling@, remove quotes@ from that client’s user list.
  • Step 3: Add yourself with the correct role if needed, do the work as nottelling@.
  • Step 4: Weekly: confirm quotes@ has zero client attachments.
  • Step 5: Quarterly: test backup admin sign-in and update recovery codes.
Team SOP
  • Intake
    • Sales routes invites to quotes@.
    • Intake specialist accepts invite via quotes@, completes scope checklist.
    • Intake specialist signs out of quotes@, signs in with their operational primary, removes quotes@, and posts the scope summary in the client record.
  • Provisioning
    • Engagement lead assigns staff access by role, time-bounds temporary access when possible.
  • Audits
    • Ops runs weekly quotes@ detachment report and monthly permission cleanup.
  • Break-glass
    • Only two admins hold backup credentials. Quarterly test and re-seal.
Common pitfalls to avoid
  • Using the backup admin for daily tasks even once.
  • Granting quotes@ more than the absolute minimum.
  • Forgetting to remove quotes@ immediately after acceptance.
  • Sharing MFA devices or recovery codes across identities.
  • Letting stale staff accounts linger on client files after offboarding.