Prevent, identify and correct duplicate records and claims
Summary
Have processes in place to prevent, identify and correct duplicate records, identities, requests or claims.
Why this countermeasure matters
Duplicated records, identities, requests or claims can lead to:
- fraudulent payments made multiple times
- dual claiming of different payments or benefit types
- duplicate or ghost records being used to conceal activities or exploit processes
- incorrect and inconsistent reporting and decision-making
- other control weaknesses such as less effective fraud detection.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- identifying and denying duplicate claims
- flagging and reviewing potential duplicate vendor invoices
- requiring staff to undertake thorough searches of existing customer records to avoid creating duplicate records
- interrogating systems to identify, review and correct potential duplicate records.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods:
- Confirm that clear and consistent processes exist for preventing, identifying and correcting duplicates.
- Analyse data to confirm duplicates are being properly identified and corrected.
- Consult subject matter experts on processes.
- Conduct a system or process walkthrough by having staff show you the process for managing duplicates.
- Review a sample of documentation to confirm compliance with policies and processes.
- Review who has access to review and correct duplicates.
- Check if and how duplicates are reported.
Related countermeasures
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.
Make sure requests or claims use a specific form, process or system for consistency.
Make sure to confirm the identity (an attribute or set of attributes that uniquely describe a subject within a given context) of the person making the request or claim using evidence.
Authenticate client or third party identities during each interaction to confirm the person owns the record they are trying to access.
Make sure forms or system controls require mandatory information to support claims or requests.
Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.
Verify any requests or claim information you receive with an independent and credible source.
Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.
Automatically match data with another internal or external source to obtain or verify relevant details or supporting evidence. This countermeasure is supported by the Office of the Australian Information Commissioner's Guidelines on data matching in Australian government administration.
Put protections in place to prevent data from being manipulated or misused.
Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.
Conduct quality assurance activities to confirm that processes are being followed correctly and to a high standard.
Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.