Five tips to avoid corrupt IT contractors

Australian organisations are heavily dependent on contractors for complex IT projects. But due to poor project planning and management, these contracts are often in a position to deliberately over-service, over-price and under-deliver.

New South Wales' Independent Commission Against Corruption (ICAC) has issued a report (PDF download) detailing the steps some companies have taken to manage contractor corruption and improve IT outcomes.

The report notes that Australia is served by a massive pool of specialised smaller IT firms. There are an estimated 20,000 IT providers operating in the country and 85% of these have fewer than five employees.

This complex industry structure, coupled with the tendency of IT specialists to prefer to work on a contract basis, has resulted in a heavy reliance on contract IT services for large Australian projects.

But as projects become more innovative and more dependent on outside contractors, it becomes increasingly hard to predict the outcomes, budget effectively and work out what deliverables are needed.

This environment affords unscrupulous contractors with numerous opportunities for profiteering and corruption.

“Contractors can over-service, over-price and under-deliver. They may over-specify the needs of the organisation to increase the price. They may bid low for standard work and then mire the organisation in a long and complex implementation,” the report states.

“Contractors may engage additional subcontractors of lower skill, but bill them to the organisation at full price. Contractors and employees may own recruitment firms in secret through which contractors are sourced, or may have associates in the industry to whom work is directed.”

For the report, ICAC spoke to executives, IT managers and auditors from a range of public and private organisations. Interviewees detailed the steps they had taken to control contractors and ensure IT projects deliver on their goals.

While a wide range of approaches have been taken, the report notes that their efforts have centred on five key areas. Companies exposed to contractor corruption have typically neglected at least one of these categories.

1. Linking of business case to project controls

The report states that a well-designed business case should be the touchstone that guides any IT project to completion. Most organisations ICAC spoke to cited the business case as the single most important source of control throughout a project.

“A business case will address governance and management of the project. This includes audits of progress, project management approaches, reporting requirements, methods for verification of deliverables and management of the engagement, performance and exiting of contractors,” ICAC said.

Scope controls can help limit contractor manipulation of the project in their favour, and the risks of becoming dependent on one contractor can be managed by including contractor exit strategies and planning for post-project servicing at the design stage.

Organisations interviewed for the report often develop performance measures that link the business case with deliverables. Many follow the SMART framework for setting metrics. Under this model, deliverables should be specific, measurable, attainable, relevant and time-based.

2. Separating design and build

The second tenant is keeping the design and build of IT projects separate. For complicated projects where management lacks the knowledge to conduct the planning themselves, the opportunity for contractors to manipulate projects in their favour is high.

“Design proposals from consultants may include specification of equipment for which the consultants receive a benefit or a program of work for which the consultants hold a competitive advantage, at the expense of the organisation,” the report states.

In most cases of alleged corruption ICAC investigates, management recognises the need to award the design and build phase deals to different contractors but often fail to consider the complex nature of relationships between various Australian IT companies.

Strategies to mitigate this risk, used by the companies ICAC spoke to, include using a second consultant to review specifications or project tenders, rejecting or at least questioning very low bids and conducting independent market research to evaluate technology options.

3. Guarding the ‘gateway’ through which contractors enter the organisation

Organisations the commission spoke to typically have a single, well-guarded gateway dedicated to contractor engagement. This involves evaluating potential contractors with formal and informal background checks. Candidates are selected by senior staff rather than the direct project manager.

Well-guarded organisations also often compile a panel of candidates to choose from and engage multiple reputable firms to assist with the recruitment process.

By contrast, the report states, “an organisation’s defences are weakened in instances when ... project managers directly engage contractors, recruitment and IT service agencies select and provide contractors ... or long-term current contractors recommend other contractors for work”.

The report cites one example of an IT contractor who was able to use his position as a project manager to bring five associates on the project, ultimately defrauding the agency involved of more than $400,000.

4. Managing the project management

Managing the processes and arrangements surrounding project management are as important as managing the budget, timelines and outcomes of an IT project.

This can involve having senior management set key parameters around this metric and taking steps to ensure project managers are competent, can be trusted and have the ability to do their job.

It may also be worth setting limits on the size of project teams, the ratio of contractors to staff and scope changes during the project.

“As the project manager’s span of control grows and the proportion of contractors to be supervised grows, the capacity of the project manager to control the project team and the contractors in the team is diminished,” the report explains. “IT projects are frequently seen as hard to control.”

5. Ensuring a clear exit strategy is in place

Many organisations quizzed for the report believe that once an IT specialist brought in for a particular project has completed his work, there is no reason for him to remain on the books. They have put in place systems to ensure that there is no drift into long-term contractor engagement.

Examples include non-negotiable deadlines for exit, having decisions on contract extensions reviewed at high levels and setting a predetermined time after which a contractor must decide to either stop working for the company or to take on a permanent role.

One issue with this plan is knowledge transfer, the report states. “The knowledge developed and held by the contractor can only be moved to an in-house capability over time and it is not in the interest of the contractor to facilitate such a transfer.”

One company has addressed this by allowing companies to be hired for post-project work as needed, but putting a one-year limit on this arrangement.

Image courtesy of TangibleArts under CC