2026 Independent Security Review
QuickBooks Online is one of the most popular accounting platforms for small businesses. Its security posture, however, has real gaps that decision makers ought to be aware of: MFA is available but cannot be enforced across the user base by an administrator, there is no HIPAA BAA available, and QuickBooks Desktop files are a documented target for data theft malware. If your business handles sensitive financial data, pair QuickBooks with deliberate access control policies and endpoint protection.
Overall score: 70 out of 100

- Encryption: AES-256 at rest, TLS in transit, key management not publicly documented
- Access Controls: MFA available but not enforced by default
- Compliance Certifications: SOC 2 Type II (payroll only, NDA required), ISO 27001, PCI DSS
- Transparency: SOC report extremely difficult to obtain, no public subprocessor list
- Breach History: No core data breach; documented phishing campaigns targeting users
- SMB Fit: MFA not on by default; compliance docs not accessible without enterprise relationship
| Category | Max Points |
|---|---|
| Encryption | 20 |
| Access Controls | 20 |
| Compliance Certifications | 20 |
| Transparency | 15 |
| Breach History | 15 |
| SMB Fit | 10 |
The single biggest security gap in QuickBooks Online is that it does not provide centralized, auditable enforcement of MFA across all users in the way enterprise systems do. Each user must enable MFA individually, there is no way for an admin to verify whether they have done so, and there is no way to block login for users who haven't. Intuit's community forums show this feature has been requested since 2020 with no resolution as of 2026. For any business trying to prove MFA compliance to a cyber insurer, this is a serious issue.
QuickBooks is a popular and capable accounting tool with reasonable baseline security: 256-bit encryption in transit, automatic backups, and role-based user permissions. But the platform falls short on the controls that matter most for compliance and insurance readiness. No admin-enforced MFA, no HIPAA BAA, and a well-documented history of being targeted by data theft malware make it a tool you need to secure around rather than rely on. For most small businesses, QuickBooks is fine so long as you know its limits and compensate for them with solid endpoint protection, access control policies, and careful permission management.
QuickBooks is widely used in the legal industry, usually because the firm's bookkeeper or outside accountant is already familiar with it. It works well for core accounting tasks like bank syncing, general ledger management, and standard financial reporting. But law firms face a specific compliance challenge: QuickBooks lacks built-in safeguards to prevent trust account overdraws or perform the three-way reconciliation that many state bars require. Most firms that use QuickBooks successfully pair it with legal practice management software like Clio or CARET to handle trust accounting and matter-based billing before pushing data to QuickBooks for final accounting. The Plus or Advanced tiers are the right fit for firms. If your firm uses QuickBooks, make sure every user has MFA enabled individually, restrict user roles to the minimum necessary, and never store client-privileged information in invoice descriptions or notes fields.
QuickBooks Online is not HIPAA compliant. Intuit states this explicitly: the platform meets industry standards for online security but does not comply with HIPAA privacy requirements. Intuit does not sign Business Associate Agreements. If your medical practice uses QuickBooks for billing, you cannot enter protected health information into the platform, including diagnostic codes, dates of service linked to patient names, or any data that could identify a patient's health condition. You can use QuickBooks for general accounting tasks like payroll, expense tracking, and vendor payments, but all PHI must stay in your EHR or a HIPAA-compliant billing system. Use tokenized patient IDs and generic service descriptions in QuickBooks invoices. If you need a HIPAA-compliant accounting platform, look at Sage Intacct or Cliniko, both of which sign BAAs.
Government contractors face a unique problem with QuickBooks: the platform was not built to meet the data handling requirements that come with federal contract work. If your business handles Controlled Unclassified Information or falls under DFARS 252.204-7012, you are subject to NIST SP 800-171 controls and, increasingly, CMMC Level 2 certification. QuickBooks Online does not meet these requirements. There is no FedRAMP authorization, no CUI marking or handling capability, and no way to centrally enforce the access controls that NIST 800-171 demands. The inability to mandate MFA across the user base is especially problematic here, since NIST 800-171 control 3.5.3 explicitly requires multi-factor authentication for network access to privileged and non-privileged accounts. If your accounting data touches contract financials, cost proposals, or employee clearance information, you need to isolate QuickBooks from any system that processes CUI. Many smaller defense subcontractors use QuickBooks for general business accounting and keep all contract-specific financials in a separate, NIST-compliant environment. If you are pursuing CMMC certification, document this separation clearly, because an assessor will ask.
1. Enable MFA on every user's Intuit account individually. Since QuickBooks cannot enforce this centrally, you will need to walk each user through the setup at accounts.intuit.com under Sign-in & Security.
2. Audit user roles quarterly. Remove access for any former employees, former bookkeepers, or outside accountants who no longer need it, and restrict each active user to the minimum permissions their role requires.
3. If you use QuickBooks Desktop, verify file permissions after every database repair, since file permission issues can occur during the repair process and access controls need to be confirmed after maintenance.
4. Do not store protected health information, client-privileged details, or Social Security numbers in QuickBooks fields. Use tokenized IDs and generic descriptions for sensitive records.
5. Set up login alerts in your Intuit account so you are notified of new device logins or changes to account settings. This gives you early warning if an unauthorized person gains access.
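The tokenized-ID and generic-description practice recommended for medical practices above, and again in the checklist, as an added Python example that is not part of the review and not Intuit's code: a keyed, non-reversible token stands in for the patient on the invoice line, and free-text fields are scanned for PHI markers before anything is sent to QuickBooks. The placeholder key, the PHI regexes, and the field names are assumptions to adapt to your own EHR and billing flow.

```python
import hmac
import hashlib
import re

# Constructed placeholder secret: keep the real key on the EHR side, never inside QuickBooks.
TOKEN_KEY = b"PLACEHOLDER-replace-with-a-random-32-byte-secret"


def patient_token(patient_id: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, non-reversible token for a patient (HMAC-SHA256, truncated).
    The token-to-patient mapping stays in the EHR; QuickBooks only ever sees the token."""
    mac = hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PT-" + mac[:12].upper()


# Markers of PHI leaking into free text (assumed patterns; extend them for your practice).
PHI_PATTERNS = {
    "icd10_code": re.compile(r"\b[A-TV-Z][0-9][0-9A-Z](?:\.[0-9A-Z]{1,4})?\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date_of_service": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d+\b", re.IGNORECASE),
}


def check_invoice_line(description: str) -> list:
    """Names of the PHI patterns found in a description; an empty list means it is safe to send."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(description)]


def build_invoice_line(patient_id: str, service_category: str) -> dict:
    """Compose a QuickBooks-safe line: token instead of identity, generic service description.
    The dict keys are illustrative, not the QuickBooks API's own field names."""
    token = patient_token(patient_id)
    description = f"{service_category} - ref {token}"
    findings = check_invoice_line(description)
    if findings:
        # Refuse rather than send: the detail stays in the EHR, QuickBooks gets only the generic line.
        raise ValueError(f"PHI detected in invoice text: {', '.join(findings)}")
    return {"customer_ref": token, "description": description}


if __name__ == "__main__":
    print(build_invoice_line("MRN 0042-17", "Office visit"))
    # A line a staff member might type by habit; every flagged marker must stay out of QuickBooks.
    print(check_invoice_line("Office visit 03/14/2026, dx E11.9, SSN 123-45-6789"))
```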
Yes, but access is limited. The SOC 2 Type II report covers payroll services only, requires an active payroll subscription, and must be requested through support under NDA. Multiple users report the process taking weeks.
No. Intuit does not offer a HIPAA Business Associate Agreement for QuickBooks. Do not use it to store or process protected health information.
MFA is available but not enforced by default on most plan tiers. Because an admin cannot turn it on centrally, admins should make sure it is enabled manually on every account.