Fraud Prevention

Your Most Trusted Employee Is Your Biggest Fraud Risk

Earmark Team · February 23, 2026 ·

If you’re an accountant cramming in your last CPE credits while reading this, Caleb Newquist has a message for you: “Have fun. You’re in for something.”

The host of Oh My Fraud just wrapped up 2025 with 26 episodes of financial fraud stories that share one depressing pattern: they were completely preventable. In episode 101, Caleb and co-producer Zach Frank sat down to recap a year that started with co-host Greg Kyte’s departure and continued with tales of embezzlement, gambling addictions, and presidential pardons.

The biggest takeaway? The person most likely to steal from you isn’t some sophisticated hacker. It’s the assistant who sets up your bank accounts, the business manager you’ve trusted for years, or the administrator who’s been ordering computers for decades.

When Your Interpreter Controls Your Bank Account

The year’s most talked-about fraud case involved baseball superstar Shohei Ohtani and his interpreter, Ippei Mizuhara. The setup was almost embarrassingly simple. Ippei handled everything when setting up Ohtani’s bank account during spring training in Arizona: the setup, the passcodes, and the access. Ohtani himself couldn’t access his own money. Neither could his business manager.

“Don’t let your assistant set up your account for you,” Zach emphasized during the recap. The only person who could touch that money was the interpreter who eventually stole from it.

The DOJ charging documents revealed desperate text messages between Ippei and his bookie. When the bookie suggested Ippei might be covering for Ohtani, Ippei insisted, “No, this was all me.” He made phone calls to the bank pretending to be Ohtani, claiming he was buying cars while actually funneling money to cover massive gambling debts.

Ippei is now serving time at Allenwood in Pennsylvania, after which he’ll be deported. Lionsgate TV and Stars are developing a series about the scandal, because apparently financial disasters go great with a side of popcorn.

The Business Manager Who Managed Beyoncé (Before the Fraud)

Episode 81 was the podcast’s most popular of the year, featuring an interview with Jonathan Todd Schwartz. Before stealing $7 million from Alanis Morissette, Schwartz managed finances for Beyoncé and Gwyneth Paltrow, back before they became the cultural forces they are today.

“Everyone loves hearing from the person who committed the crime and hearing why and how they committed the crime,” Zach noted. Schwartz’s story connected directly to another recurring theme of 2025: the devastating combination of gambling and drug addictions creating pressure that makes theft seem like the only solution.

Both the Ohtani and Morissette cases featured one person with total financial control and zero independent oversight. They’re failures of basic internal controls that any first-year accounting student could spot.

When Yale Lost $40 Million in Computers (And Nobody Noticed)

If celebrity cases seem distant from everyday fraud risk, consider Yale Medical School. An administrator within the finance function stole approximately $40 million in computer equipment over several years by simply keeping purchases under $10,000 to avoid triggering review thresholds.

“Forty million dollars should replace every computer at that entire school,” Zach pointed out. “Not just the medical school, like all of Yale.”

The university’s multi-billion dollar endowment meant these losses barely registered as statistical noise. As Caleb noted, Yale wasn’t exactly a sympathetic victim, “but that doesn’t mean you should steal $40 million worth of computers and sell them on the black market.”

The solution was painfully obvious. Omri from Routable (the podcast’s sponsor) summed it up in an earlier bonus episode: “A procurement process probably solves that problem.” Not revolutionary thinking; just basic purchasing controls that require someone other than the person ordering equipment to also receive and verify it.

The Columbus Zoo Plays Hardball

The Columbus Zoo case from episode 79 showed what happens when organizations decide to fight back. After executives were convicted of misspending and stealing funds, the zoo didn’t stop at criminal prosecution. They sued three executives to foreclose on their homes, determined to recover restitution.

The case came to light thanks to investigative reporting by the Columbus Dispatch, a reminder that journalism often serves as the last line of defense when internal controls fail. It’s a pattern that repeated throughout 2025: local reporters doing the unglamorous work of following paper trails and asking tough questions.

The Mental Gymnastics Olympics

Understanding how fraud happens mechanically is one thing. Understanding why people convince themselves it’s okay is another entirely.

Carlos Watson’s Ozy Media case pushed rationalization to its limits. Watson, who was convicted of fraud but subsequently pardoned by President Trump (with his restitution expunged), reportedly did “whatever it took” to make his business succeed. The SEC decided not to pursue further civil litigation after the pardon.

“The mental gymnastics that guy must have been going through in order to rationalize what he was doing,” Caleb observed. “Weird, but impressive.”

The Spotify streaming fraud case included another common justification: “Who am I really stealing from?” Perpetrators faking streams saw themselves taking from faceless tech giants rather than individual artists. The same logic appeared in cases involving fake invoices to Google and Facebook.

Where Are They Now? The 2025 Updates

Beyond the new cases, the year brought updates on ongoing sagas:

Mair Smyth, the con artist featured in Johnathan Walton’s episode was sentenced to four years in UK prison for mortgage fraud. Walton helped Northern Ireland authorities locate her. He flew to the UK for the trial but remains frustrated by what he sees as a light sentence for a career criminal.
First NBC Bank. A listener from New Orleans shared a local rumor that the bank’s massive Directors & Officers insurance policy allowed CEO Ashton Ryan to draw out his legal proceedings for seven years before finally being sentenced. He’s now in a prison infirmary.
Miriam Baer, the podcast’s first guest of 2025, left Brooklyn Law School to become Dean and President at California Western School of Law in San Diego.
The Rare Book Find. Caleb tracked down a copy of Australian con man Johann Friedrich Hohenberger’s ghost-written autobiography at a Maryland rare book store. When he apologized for taking months to complete the purchase, the seller reassured him, “In the rare books business, this was actually fast.”

What 2025 Taught Us (Again)

The year’s cases delivered a maddeningly consistent message: basic controls work, but only if you actually use them. Whether it’s a baseball star’s interpreter, a rock legend’s business manager, or a university administrator, the pattern never changes.

“The classics constantly get covered because people are going to constantly fall for them and commit those crimes,” Zach summarized. Ponzi schemes, embezzlement, and wire fraud are not going anywhere.

For accounting professionals, it’s crucial to maintain skepticism about single-person financial control. It’s not paranoia; it’s professional responsibility. Those boring internal controls you learned about in school are boring because they work.

Want the full conversation, including discussions about whether crypto is just one giant Ponzi scheme, why procurement departments exist, and how the hosts feel about having to do it all over again in 2026, listen to episode 101 of Oh My Fraud.

Because if you’re going to learn about fraud, you might as well learn from people who can make you laugh about it, even if the punchline involves prison sentences and presidential pardons.

When 37,000 Japanese Investors Discovered Their Dividends Were Now “Divine”

Earmark Team · January 24, 2026 ·

Picture opening your quarterly dividend envelope in February 2007, expecting yen, one of the world’s most stable currencies, but instead finding paper vouchers denominated in “Enten,” which literally means “divine money” in Japanese. These heavenly tokens were only good in one man’s bizarre marketplace where you could buy bedding, socks, and produce, but definitely couldn’t pay your rent.

This actually happened to 37,000 Japanese investors who discovered their life savings had been converted into monopoly money.

In the latest Oh My Fraud episode, “Divine Yen, Devilish Fraud,” host Caleb Newquist unpacks one of Japan’s most absurd financial frauds. The story of Kazutsugi Nami and his Ladies & Gentleman company—yes, that was the actual name—offers critical lessons for accounting professionals in a time of growing cryptocurrency schemes.

A Career Built on Fraud

You might think a fraud conviction would end someone’s career in finance. Kazutsugi proved otherwise, repeatedly.

His criminal timeline reads like a fraudster’s greatest hits. In the 1970s, as vice president of APO Japan, he helped market fake exhaust gas removers through a pyramid scheme. The devices didn’t work, but 250,000 people bought in before the company went bankrupt and authorities came knocking.

Most people would have learned their lesson. Not Kazutsugi.

By 1973, he’d already founded Nozakku Co., selling “magic stones” that supposedly purified tap water. The timing was perfect, as Japan faced severe water contamination from rapid industrialization, and desperate people wanted solutions. At its peak, Nozakku pulled in roughly ¥2 billion annually (about $6-8 million in late 1970s dollars). The stones weren’t magic. They didn’t purify anything. By 1978, Kazutsugi was in prison for fraud.

In a move that should make every accounting professional pause, in 1987, while his fraud record was still fresh, Kazutsugi founded Ladies & Gentleman (L&G). Eventually, 37,000 investors would hand over billions of yen to a convicted fraudster. One victim later justified their investment because L&G had been “in business for a long time.”

The bizarre culmination came on February 4, 2009, when police arrived to arrest him. Instead of hiding, Kazutsugi held court at a restaurant, charging reporters ¥10,000 each to attend his breakfast press conference while he sipped beer at 5:30 AM. He’d even packed spare underwear, expecting the arrest.

When asked about defrauding investors, his response was pure theater. “Do you think I could behave openly like this if there had been a fraud?” Later, he added, “Time will tell if I’m a con man or a swindler.”

The Divine Currency Revolution That Wasn’t

Kazutsugi didn’t just promise returns; he promised revolution. He called Enten the future of money, a currency that would break free from Japan’s economic system. He claimed governments would eventually adopt it and that he had a divine decree to eliminate poverty worldwide.

At investor events that resembled religious revivals, Kazutsugi styled himself as a modern-day Oda Nobunaga, one of Japan’s great historical figures, who unified Japan through military conquest in the 16th century.

The 36% annual returns Kazutsugi promised should have been an immediate red flag. In 2007, when Japanese government bonds yielded around 1.5%, 36% guaranteed returns defied financial gravity. Yet thousands of investors, many elderly and seeking retirement security, handed over their savings.

The scheme’s genius was its gradual escalation. Initially, L&G paid dividends in real yen, establishing trust. Then in early 2007, dividends became partially Enten. Finally, they were paid entirely in this imaginary currency that could only be spent in L&G’s internal marketplace, essentially a curated flea market offering comforters, vitamins, and produce.

As Caleb observes in the episode, these are exactly the products “multi-level marketing companies love because you can just claim it’s enhanced by whatever mystical bullshit you are selling that year.”

When Vision Meets Delusion

During the episode, Caleb and producer Zach Frank explore fascinating parallels between cult leaders and modern tech CEOs. Both sell transcendent visions that attract devoted followers.

“They see themselves as right. They’re cocky, they know the way, and they’re the only ones who know the way,” Zach observes.

This absolute certainty becomes magnetic. Caleb notes how Elon Musk, before his political involvement exposed his character. “He had this vision for the world. We’re going to Mars and we’re going to save the world. And people are like, yeah, I’ll follow you anywhere.”

Zach offers crucial insight about why these figures gain traction. “We’re in a time where gurus are becoming more popular than ever. It has to do with the lack of trust in institutions and science in general. People want to find someone to give them the answers to everything.”

When traditional systems seem to be failing, like during the 2007-2008 financial crisis when L&G was collapsing, the person who claims to have all the answers becomes irresistibly attractive.

The Spectacular Collapse

When L&G announced dividends would only be paid in Enten—no more real yen—investors understandably panicked. Some wanted to know whether they could exchange Enten for things like rent and food. They could not.

Like a classic bank run, investors crowded outside L&G locations demanding money and answers. The Japanese press pounced on the story. In November 2007, L&G filed for bankruptcy with estimated losses between ¥126 billion to ¥226 billion (roughly $1-2 billion USD). It was rumored to be Japan’s largest consumer investment fraud ever.

Even as police led him away, Kazutsugi insisted, “I am the poorest victim. Nobody lost more than I did.”

In March 2010, Kazutsugi was sentenced to 18 years in prison, a harsh sentence by Japanese standards. Even then, he insisted Enten was the future.

Lessons for the Profession

For accounting professionals, these patterns translate into specific warning signs:

Gradual shifts in payment methods that move from standard to non-standard practices
Closed ecosystems where value can only be realized within the company’s control
Recruitment-based growth models dressed up as community building
Attacks on regulators rather than substantive responses to concerns
Appeals to revolution that discourage traditional due diligence
Impossible guaranteed returns justified by proprietary methods

Distinguishing between legitimate innovation and sophisticated fraud requires more than technical knowledge; it requires understanding the psychology of persuasion.

Real innovations might disrupt industries, but they don’t violate mathematical laws. A 36% guaranteed return isn’t innovation; it’s impossibility. A currency that only works in one company’s marketplace is company scrip, a practice outlawed in most developed nations for good reason.

As Caleb warns, “If someone promises you a 36% annual return, but that return comes back to you in tokens that are only good for bedsheets, fruits, and the occasional pressure cooker, you are not diversifying your portfolio. You are subsidizing a cult with slightly better stationery.”

Listen to the full Oh My Fraud episode to hear the complete breakdown of this bizarre case, including more details about the victims and the reasons smart people fall for obvious frauds. The episode offers insights that connect historical frauds to modern schemes and the psychological vulnerabilities that transcend cultures and currencies.

Whether it’s cryptocurrency, NFTs, or the next financial revolution, the pattern persists: charismatic leaders promising transformation, impossible returns dressed as innovation, and schemes that create confusion where clarity is desperately needed. Our role as accounting professionals is to ensure that when someone claims to be building the future, they’re working with real materials, not divine intervention.

Your Airline Miles Are Worth $74 Billion and Hackers Know It

Earmark Team · November 17, 2025 ·

Ever check your airline miles balance and think, “I should probably use those someday”? Well, fraudsters aren’t waiting. While you casually ignore those reward points, criminals are actively hunting for these digital treasures that have somehow become worth more than the companies that create them.

In this episode of Oh My Fraud, host Caleb Newquist explores the surprisingly vulnerable world of loyalty and rewards programs, revealing how the points flooding your inbox have become prime targets for fraud schemes that affect everyone from frequent fliers to wholesale club members.

The Accidental Billion-Dollar Asset Class

When United Airlines started tracking customers in the 1950s, it gave out plaques and promotional materials—basically corporate swag. Fast-forward to today, and rewards programs look entirely different. American Airlines generated $6.5 billion from its AAdvantage program in 2023 alone—not from selling tickets, but from selling miles.

The economics are almost absurd. As Newquist points out in the episode, airlines create miles for about half a cent each. They’re database entries. Then they turn around and sell these digital tokens to credit card partners for two to three cents per mile. That’s a 400% to 600% markup on something that costs virtually nothing.

“The hilarious thing is that these aren’t tangible,” Newquist observes. “They’re just made up. They’re just digital assets created out of thin air.”

The combined loyalty programs of United, American, and Delta are worth $73.8 billion. Think about that: these made-up points are sometimes worth more than the airlines themselves. And McKinsey estimates 30 trillion unredeemed miles sit in passenger accounts globally. That’s enough for every airline passenger on Earth to take a free one-way flight.

But here’s where things get dicey. Despite sitting on this massive pile of value, major airlines, including Southwest, American, Frontier, and Alaska, don’t offer two-factor authentication for account access. These companies spend millions on aircraft safety but can’t implement basic security that’s been standard in banking for over a decade.

When Your Miles Take an Unexpected Trip

The human cost of this security gap becomes painfully clear through recent victims’ stories. In July 2024, multiple Alaska Airlines customers woke up to drained accounts. One victim lost 150,000 miles, worth about $1,900. Another reported on Reddit that hackers stole over 200,000 miles. The points were being used to book luxury hotels in Abu Dhabi.

Gabrielle Bernardini, a writer for The Points Guy, discovered her Southwest account had been hacked when she received an email confirming a Hampton Inn reservation in Kalamazoo, Michigan—a booking she never made. The fraudster burned through 17,100 points, worth about $240.

Through persistence, Bernardini got her points back. But Southwest made it clear they were only doing it as a “gesture of goodwill” and a “one-time exception.” Their actual policy? “Southwest is not responsible for unauthorized access to a member’s account and will not replace stolen points.” Newquist confirmed that’s still the policy today.

Clint Henderson’s American Airlines nightmare went even further. Fraudsters drained hundreds of thousands of his AAdvantage miles for car rentals. Recovery meant jumping through incredible hoops. American required a new email address for his new account and demanded a PDF or screenshot of his police report. When Henderson went to file the police report, the NYPD’s online system was down. He had to visit a precinct physically, then was told that he couldn’t have a copy of his report until a detective intervened the next day.

Even with proof of fraud, the car rental company that accepted the stolen points simply refused to refund them. Henderson eventually got his miles back from American, but the whole ordeal revealed just how messy these situations can become.

From Sam’s Club to the Gas Pump

The problem isn’t limited to airlines. In May 2024, Sacramento County authorities arrested 38-year-old Inam Rasool after discovering he’d been systematically draining other customers’ Sam’s Club accounts. What started as an attempt to leave with $1,000 in unpaid merchandise turned into something bigger.

Store personnel began monitoring his return visits and uncovered a sophisticated operation. Rasool used stolen Sam’s Cash rewards to buy merchandise, resell it online. When police searched his home, they found over $25,000 worth of electronics, medications, pet food, hygiene products, supplements, and snacks. They also found shipping supplies, a computer, and a label printer for his online sales operation.

Meanwhile, in Peters Township, Pennsylvania, 18-year-old Paul Kostanich was hitting Giant Eagle fuel perks accounts. Video showed him visiting gas stations almost daily, holding his phone to barcode scanners to activate stolen points from different accounts. He admitted to hacking about 20 accounts and faced 58 charges, including identity theft.

One victim’s reaction captured the general disbelief, “I could never imagine someone hacking a Giant Eagle Perks card. I mean, really?”

Why This Keeps Happening

The problem is, rewards programs were never designed as financial assets—they’re marketing tools that accidentally became valuable. As Newquist explains, “They’re just a marketing gimmick developed by corporations that they hope will get us to spend more money with them. And it just so happens that they’re very, very good at doing that.”

From a corporate perspective, the math works out. If rewards fraud costs the industry $1 to $3 billion annually, but these programs generate over $70 billion for just the top airlines, that’s less than 5% lost to fraud. For many companies, it’s just a cost of doing business, especially when they can push losses onto consumers through terms of service that disclaim responsibility.

This creates what Newquist calls a perfect storm for fraudsters. You’ve got valuable assets with minimal protection, companies that won’t pursue prosecution, and victims left holding an empty bag while corporations point to fine print.

Protecting Your Points (Since No One Else Will)

So what can you do? Newquist offers practical advice with characteristic honesty.

First, change your passwords for rewards accounts. “I know you’d have to be a cerebral freak to generate a different password for virtually every account.” But at least make them different from your banking passwords.

Second, use two-factor authentication wherever it’s available. “Is it tedious? Yes. Does it save your bacon 99.9% of the time? Also, yes.”

Third, consider a password manager. Yes, the big ones have been hacked, but the benefits of managing unique passwords outweigh the risks.

Finally, actually check your accounts occasionally. Don’t be obsessive, but treat them with the same attention you’d give a bank balance.

The Bottom Line

Those rewards points you’ve accumulated aren’t just marketing fluff; they’re real value with real vulnerabilities. Companies have created a $74 billion economy from thin air, then washed their hands of responsibility when that value gets stolen.

For accounting professionals, this is a masterclass in risk transfer. For everyone else, it’s a wake-up call. In a world where teenagers systematically drain fuel perks and hackers book Abu Dhabi hotels with your miles, ignorance is an invitation.
Listen to the full episode above for Newquist’s complete investigation, including more cases and why he thinks these programs are essentially “legal money laundering” schemes. And maybe check your rewards balances while you’re at it. Just in case someone in Abu Dhabi isn’t already enjoying them.

When Hackers Come Knocking: Protecting Your QuickBooks Practice from Modern Security Threats

Earmark Team · November 16, 2025 ·

Here’s something that might keep you up at night: A hacker breaks into a Comcast email account and immediately creates a new Outlook.com account with an almost identical username. When they send emails through the compromised account, they set the reply-to address to redirect responses to their fake Outlook account. Most people never notice the domain switch. They see a familiar name, hit reply, and hand over sensitive information directly to the fraudster.

This real-world example comes from security expert Jamie Pollock, who joined his wife and business partner, Alicia Katz Pollock, and co-host Dan DeLong for episode 104 of The Unofficial QuickBooks Accountants Podcast. The episode, titled “Insecurity about Security,” couldn’t be more timely. As Dan noted, accountants and ProAdvisors across various Facebook groups report compromised logins with increasing frequency, raising urgent questions about the security of the QuickBooks ecosystem.

“We as accountants are the gateway to security for our clients because we have our hands in our clients’ sensitive data,” Alicia explained. With real money movement now possible through QuickBooks Bill Pay, payments, and payroll, a single compromised accountant login can expose dozens or even hundreds of client accounts. That’s why Dan suggested bringing in Jamie, who teaches internet security courses. As Dan put it, “we need someone smarter than both of us combined.”

Passkeys: Your New Best Friend (Once You Understand Them)

Remember when accountants and clients just shared login credentials? Dan does. Back in 2013, when he worked at Intuit, this practice was so common that the company built the QuickBooks Online Accountant portal specifically to stop it. “People would get into their clients’ QuickBooks Online with their clients’ login,” Dan recalled. “And Intuit was like, that can’t be a best practice.”

Fast forward to today, and we’re on the verge of an even bigger change: replacing passwords entirely with something called passkeys.

Jamie explained this complex technology in simple terms. “A passkey is an encryption key. It’s a physical token,” he explained. “You go to the server—Intuit or Google or whoever—and say I’d like a passkey. It generates this passkey and downloads it onto your device.”

Think of it like those old war movies Dan referenced, where two people need to turn keys simultaneously to launch missiles. Your device has one key, the server has the other. When you log in, they work together to verify your identity without transmitting anything that could be stolen.

To help explain how this works, Jamie offered a comparison everyone already knows: secure websites. “If a website doesn’t have security, it’s HTTP, and if it has an SSL certificate, it’s HTTPS,” he said. When you visit a secure site, it downloads an encryption key to your browser. Any information you submit gets encrypted with that key, and only the server can unlock it. Passkeys work the same way, but for your identity instead of your data.

The technology depends on two things: password vaults that sync your passkeys across devices, and biometric authentication like fingerprints or facial recognition. “Nobody has my face or my finger,” Jamie pointed out, explaining why passkeys are so secure.

But here’s the catch: we’re in an awkward transition period. “Passkeys are meant to replace passwords,” Jamie explained. “But every company, every app, every website implements it differently.” Not everyone has biometric devices or password vaults yet, so companies like Intuit keep both systems running in parallel. Alicia estimates we’re “five or maybe ten years away” from passwords disappearing completely, since everyone needs biometric-capable devices first.

The Fraud Tactics Hitting QuickBooks Users Right Now

Integrating payment features into QuickBooks has transformed accountant credentials into what Dan calls “one point of access” for bad actors. With bill pay, QuickBooks payments, and payroll all accessible through a single login, fraudsters have shifted their focus from individual businesses to the accountants who hold the master keys.

Alicia shared a disturbing story that shows just how sophisticated these attacks have become. Someone contacted her through Facebook, asking for help with a locked QuickBooks account. She emailed the person to verify their identity, and they confirmed it was really them. But Alicia had a bad feeling, and her instincts were right. “I realized it was actually the hacker inside the email account.” The fraudster had compromised both the QuickBooks account and the email, turning normal verification into a trap.

Jamie explained how these email compromises typically work. Hackers break in and immediately create a new free account on Outlook or Gmail with a similar username. They set up forwarding rules and reply-to addresses that redirect responses to their controlled accounts. “Most people don’t notice and they answer the message,” Jamie said. “Next thing you know, they’re in the hands of the hacker.”

The recovery process itself has become a vulnerability. Dan highlighted a concerning issue: if you can’t access your phone or email, Intuit offers a third option involving photo ID submission. “It doesn’t take a whole lot. It’s not that far of a stretch to say that these bad actors can forge your documents,” Dan warned. Unlike banks that require account numbers or debit card information, Intuit’s recovery relies primarily on information that’s often publicly available.

Not all fraud stories end badly, though. Alicia shared how Intuit called one of her clients after detecting multiple unauthorized login attempts from Georgia and Florida. The investigation revealed fake invoices for $900 and $24,000 in the client’s system. While Alicia joked that creating invoices instead of expenses showed “the hacker used the software wrong,” it demonstrated both the scale of potential fraud and Intuit’s active monitoring.

A newer concern involves QuickBooks’ invoice forwarding system. The system now uses a standardized email format (companyname+expenses@assist.intuit.com) that vendors can use to submit invoices directly. “If that email address gets out, people can send you bills,” Alicia warned. “If you’re not paying attention, you might pay somebody that isn’t actually a supplier.”

Your Security Toolkit: Practical Steps You Can Take Today

The good news? You don’t need a computer science degree to protect yourself and your clients. The hosts shared several strategies any accountant can implement immediately.

First up is what Dan and Alicia call the “backdoor login” strategy. “You add yourself as a team member in your QBO using a different email address,” Alicia explained. Create a completely separate Gmail account just for this purpose, add yourself with full access to QuickBooks and all clients, and store those credentials securely. If your primary login gets compromised, you can still access everything while resolving the breach.

Password management is crucial, and Alicia shared how her firm uses 1Password. “Every employee has their own personal private vault,” she explained. “But then we have group vaults that are only by permission.” Administrative passwords stay separate from general team access, bookkeeping credentials remain isolated from other systems, and everything requires biometric authentication. “I can sit down at any of my computers and have instant access to the things that I need,” she said. “But nobody else can get in because it’s either under my personal password or literally my fingerprint.”

Jamie shared his rules of internet security. Rule one: “Know your source.” Click on the sender’s name in any email to reveal the actual address. “They can fake the name, but they can’t fake the email address,” Jamie emphasized. If something claims to be from Intuit but shows @gmail.com, you’ve spotted a fake.

Another powerful rule: “Don’t do anything. Don’t react, don’t click the link, don’t call the number, don’t reply to the text.” Most scams create artificial urgency to provoke immediate action. “If there’s urgency on their part, you should just stop,” Jamie advised. His reassuring logic? “If you owe somebody $500 through PayPal, they’ll get back to you. I guarantee it.”

Additional quick tips from the episode:

Hover over links before clicking to see the actual destination
Forward suspicious emails to fraud@intuit.com
Check security.intuit.com for current security alerts
Watch for deceptive URLs using dashes (like intuit-quickbooks-dash-fake.com)
Enable two-factor authentication despite the inconvenience

Speaking of two-factor authentication, Jamie reframed the hassle as a feature. “It’s a little bit of a hassle for you. But getting hacked and having $24,000 move around that you didn’t see? That’s a little bit more of a hassle.” Plus, unexpected authentication requests alert you to breach attempts, letting you change passwords before damage occurs.

The Road Ahead: Staying Secure in an Evolving Landscape

The transition to better security won’t happen overnight. Alicia compares computer aging to “double dog years.” By the time a computer is five years old, it’s like a 70-year-old person, and at seven years, it’s 94. Until everyone upgrades to biometric-capable devices, we’ll be managing both old and new security methods.

Security in QuickBooks is only as strong as its weakest link, which is often the recovery process. “The passkey or the way to sign in can only be as secure as the recovery process,” Dan observed. Unlike banks that require separate credentials like account numbers, Intuit’s recovery relies primarily on email and phone verification—both potentially vulnerable to compromise.

This vulnerability matters because of scale. One compromised accountant login doesn’t just expose one business; it potentially unlocks financial data for tens or hundreds of client accounts. As Dan put it, accountants have become “one point of access that a bad actor could access.”

The profession must also stay informed about evolving threats. Many accountants don’t know about resources like security.intuit.com for current alerts or that forwarding suspicious emails to fraud@intuit.com helps track fraudulent campaigns. As Alicia noted near the episode’s end, “They’re always finding new backdoors. I’m sure a year from now we’re going to have this conversation again.”

Jamie also mentioned his own services, including email cleanup and password management training. “My favorite is unread messages that are more than two years old,” he said. “You never read them two years ago, you’re not going to read them now.”

The episode ended with exciting news about Intuit actively seeking feedback. They’ve launched a new board specifically for ProAdvisors to provide actionable suggestions about banking feeds. “The developers are reading it,” Alicia emphasized. “You can have conversations with other people, we can upvote suggestions, and the developers actually join the conversation.”

Take Action: Your Security Starts Now

Security in the QuickBooks ecosystem isn’t just about protecting passwords; it’s about protecting livelihoods. Every compromised login is a potential breach of trust with clients who depend on you to safeguard their financial data.

The tools and threats will continue evolving, but your responsibility to protect client data remains constant. As Jamie’s simple rules demonstrate, effective security requires consistency and awareness. Know your source. Don’t react to urgency. Use the backdoor login strategy. Enable two-factor authentication even though it’s annoying.

Listen to the full episode for additional examples, detailed technical explanations, and Jamie’s complete security framework. The conversation includes specific guidance that could save your practice from becoming the next cautionary tale. Because in today’s digital accounting landscape, vigilance isn’t paranoia; it’s professionalism.

Alicia Katz Pollock’s Royalwise OWLS (On-Demand Web-based Learning Solutions) is the industry’s premier portal for top-notch QuickBooks Online training with CPE for accounting firms, bookkeepers, and small business owners. Visit Royalwise OWLS, where learning QBO is a HOOT!

When Auditors Become Robots: The Hidden Cost of Mechanical Box-Checking

Earmark Team · November 3, 2025 ·

For four to five straight years, an audit team meticulously completed their control testing checklists, dutifully checking every box and signing off on every procedure. Their work papers looked pristine. Their compliance documentation was flawless. And all the while, an employee was systematically committing fraud right under their noses.

When questioned about the controls they’d supposedly tested year after year, these auditors couldn’t explain how a single one actually worked. They had fallen into what CPA Sam Mansour calls “the checklist trap”—a dangerous mindset where the very tools designed to ensure audit quality become the biggest threats to it.

This eye-opening example comes from a recent Audit Smarter podcast episode where host Sam Mansour digs into the mechanical box-checking that passes for diligent auditing in too many firms today. While audit checklists are useful tools for quality control, they become dangerous crutches when auditors stop thinking beyond the boxes they’re checking.

When Good Tools Become Dangerous Crutches

Checklists start life as helpful guides. They’re designed by experienced professionals who’ve seen common audit problems and want to prevent them. They’re meant to be guardrails, keeping auditors on track while still allowing room for professional judgment and client-specific thinking. But somewhere along the way, these helpful tools can become dangerous.

The transformation happens gradually. As Mansour explains, “If the checklists say to go look at an area, you go look at that area. If they’re silent on a specific area, then you just don’t even consider going in there. So basically, instead of it being a helpful guide, it becomes a literal crutch.”

What starts as a helpful framework eventually limits an auditor’s perspective to what’s written on forms.

The checklist mentality is particularly dangerous because it feels so professional. Auditors complete every step, sign off on every procedure, and produce work papers that look thorough. The documentation appears complete and compliant. But underneath the surface, there’s no critical thinking.

Consider the real-world example from the podcast: auditors who marked controls as “tested” year after year, checking all the right boxes and completing all the required procedures. Their checklists were perfect. Their sign-offs were current. But when questioned about how these controls actually worked, they couldn’t provide a single coherent explanation.

“There were severe control issues at the client which allowed for fraud to occur,” Mansour explains. “And it just wasn’t discovered by the audit team. The person committed fraud for four or five years. And I think the auditors just kept coming in and checking that box.”

The consequences were predictable and severe. The fraud continued undetected, not because the checklists were inadequate, but because no one was thinking beyond them.

This creates blind spots where fraud and errors can flourish. As Mansour notes, “Checklists are designed kind of as a textbook solution. The checklists don’t necessarily catch everything..”

The Hidden Forces That Kill Critical Thinking

The checklist trap isn’t the result of lazy auditors or character flaws; it’s the predictable outcome of systemic problems that even dedicated professionals can’t overcome through willpower alone. When we look beneath the surface of mechanical box-checking, we discover forces that make thoughtful auditing nearly impossible.

The most damaging culprit is budget pressure created by systematic underbidding. As Mansour explains: “Some firms tend to price engagements very low. And so let’s say, for example, your budget is $5,000 for an engagement, when really it should be $15,000.”

The math is brutal. If your firm targets $150 per hour but you’re forced to complete work in one-third the appropriate time, you’re effectively working for $50 per hour while still being held to $150-per-hour quality standards. This creates an impossible situation where taking time to truly understand complex checklists is financially unsustainable.

The cultural reinforcement runs deep. In many firms, the message from leadership focuses on completion rather than understanding: “Make sure you fill out these checklists, make sure they’re done correctly, make sure every box is checked.” This message, coupled with crushing deadlines and impossible budgets, transforms checklists from investigative tools into speed tests.

“A lot of times, unfortunately, in public accounting, that kind of curiosity, that dialog is seen as a waste of time because it takes up billable hours,” Mansour observes. The system rewards speed over understanding and punishes the curiosity that leads to quality work.

The training gap makes things worse, particularly for new auditors who find themselves drowning in technical terms they never learned in school. Mansour recalls his own experience: “I actually remember sitting there, looking at my computer, looking at my screen, and thinking, oh my gosh, I had no freaking clue what I’m doing.”

When new auditors are handed complex checklists filled with unfamiliar concepts but given no time to learn, mechanical completion becomes their only survival strategy. The system even punishes the behaviors it claims to want. Mansour describes being criticized early in his career: “The criticism that I used to get is look at this person next to you, how quick they are.”

While his colleague was flying through checklists, Mansour was taking time to understand the work and feeling “so far behind” and “so dumb” as a result. The irony? Years later, Mansour had surpassed his speedy colleague in seniority, proving that thoroughness ultimately beats speed. But how many talented auditors give up or develop bad habits before they can prove this point?

This creates a cycle where underbidding forces rushed work, rushed work requires increased checklist dependency, and checklist dependency reduces the quality that justifies higher fees. Breaking free requires systematic change.

Breaking Free: The Strategic Approach to Better Auditing

The path out of the checklist trap isn’t about abandoning structure or telling auditors to simply “think more.” It requires systematic changes that address the root causes we’ve identified. Forward-thinking firms are implementing coordinated solutions that transform their economic models, training approaches, and cultural expectations.

The foundation starts with honest pricing. Firms must have the courage to move their fees to industry-standard levels, even if it means difficult conversations with clients. As Mansour explains, when firms properly price their engagements and explain the increases, the client, a lot of times, will stay. Because if they ask around, they’ll find those fees are industry standard, and what they were getting with you was really an unreasonable deal.

Adequate pricing creates the breathing room necessary for thoughtful analysis rather than mechanical box-checking. With realistic budgets in place, firms can modernize their training by focusing on the “why” behind procedures rather than just the “what.”

Effective training requires creating psychological safety for new auditors to admit knowledge gaps. Mansour offers this advice to entry-level staff: “Look, if you don’t know it, you’re better asking the questions now. Because if I hear you asking in 12 months or 24 months those questions you should have asked in the first two, three, four months, I’m going to be very concerned.”

The shift requires moving beyond speed-focused metrics to value-based evaluation. Instead of comparing new auditors to experienced colleagues on time alone, managers should emphasize quality development first. As Mansour learned through experience, “You’re better off going slow and then picking up the speed later. Whereas if you start out with the speed to impress people, it’s difficult, I found, to pick up the quality.”

Practical implementation involves several concrete tools. Firms should customize audit programs for each engagement rather than using generic templates. Modern audit software can generate tailored checklists based on client-specific risk assessments. Adding professional judgment prompts throughout checklists helps auditors think beyond simple completion.

Mansour suggests incorporating “memory joggers,” brief explanations of how conclusions were reached. For example, when testing missing check numbers in a sequence, document not just what was done, but why. “We decided to test missing check numbers because we noticed irregularities in the sequence that could indicate control weaknesses or potential fraud.”

Successful firms also restructure their wrap-up meetings to discuss what was done and why it mattered. “We could say that we audited a specific area. But why did we choose to audit that area, especially if it’s not something we typically do?” Mansour asks.

The red flags that indicate continued checklist dependency are easy to spot. Work papers that remain essentially identical year over year signal mechanical copying rather than thoughtful analysis. Missing documentation of key discussions suggests auditors are focused on completion rather than understanding. Outdated information, like wrong contact names scattered throughout documents, reveals the copy-paste mentality that characterizes checklist traps.

Teams that successfully break free demonstrate clear evolution in their work. Their audit programs adapt as clients change and grow. They identify new risks and modify procedures accordingly. Most importantly, they can articulate the reasoning behind their decisions.

As Mansour’s technical reviewer wisely noted: “When the peer reviewers come in, they have a checklist, and their checklist is checking in on your checklist.” Understanding that audits exist within layers of professional oversight reinforces why thoughtful checklist use serves everyone’s interests better.

The Choice Between Clerks and Professionals

When auditors become mechanical box-checkers rather than analytical investigators, the tools that promise consistency and quality destroy the very thinking that makes work professional in the first place. Clients deserve better.

This isn’t about individual auditors lacking motivation or intelligence. It’s about good professionals working within systems that punish the curiosity and analytical rigor their profession demands. When firms underbid engagements, create crushing time pressures, and reward speed over understanding, they train their staff to stop thinking.

On the other hand, firms that properly price their services, invest in real training, and create cultures that reward analytical thinking avoid the checklist trap and position themselves as the strategic partners their clients need.

The goal is to use checklists as launching points for professional judgment rather than substitutes for it. The firms that learn to balance structure with thinking will build stronger relationships, deliver higher value, and attract the talent that drives long-term success.

The complete roadmap for avoiding checklist dependency is available in the full Audit Smarter podcast episode, where Mansour provides detailed implementation strategies, specific examples of cultural transformation, and the exact frameworks successful firms use to turn checklist-dependent teams into strategic thinking powerhouses.

Because in the end, the choice is simple: Continue training clerks who check boxes, or develop professionals who think, analyze, and protect the interests they’re hired to serve.