Our university vendor entry system is shared by HR and admissions, but our new HR director decided she didn't want the addresses or SSNs of the new employees in the files...


Q. (cont.) Since the ID number is used sometimes for reimbursement to employees, it causes a problem because we will not issue checks without an address, and we can't verify persons with the same name if we don't have the full SSN. I know addresses and SSNs are confidential, but this is causing a problem in the accounting department.

A. We recommend that you sit down with HR to discuss their concerns and yours, and you might want IT’s participation because system and vendor file security are an important aspect of this.

Ask HR to lay out their concerns about that information being in there. Why do they want to eliminate addresses and SSNs? What are the issues they are trying to solve? Then lay out AP’s need for that information or something like it—explain how you use it, why you need it. Get IT’s input on security; perhaps HR has concerns that IT can address.

Staff addresses are necessary if AP is issuing reimbursement checks to them. On the other hand, could reimbursement be done through payroll instead, or via ACH/direct deposit? With regard to an ID number for matching, is there another unique number identifier that you could use, such as a student ID number? Perhaps you could keep the last four digits (only) of the SSNs in the file, so that the combination of name and four digits confirms the identity for you.

Try to get all parties working together first to identify the root issues/concerns, and then to come up with a solution. Make sure you have good controls on that crucial file, with limited, authorized access, and manager review of file changes (see TAPN’s content on vendor master file management and internal controls).

