Everything here applies to IT Outsourcing industry in 2018 and most likely in 2019 (in other words: you don’t need to worry about reading out of date information).
Not all IT outsourcing companies are the same. Really.
This guide will help you to understand:
- What kind of fraud schemes you can face when you start outsourcing your IT and Software Development
- Which dirty techniques some IT Outsourcing companies use to squeeze money from their existing customers
- This is a feedback from 50+ people. This guide contains real life examples
- Also you will learn how to protect yourself from these manipulations
- No chatter, only real cases and useful tips based on 15+ years of experience in Software and IT Outsourcing
So without further bla-bla, let’s get started…
List of common fraud techniques in IT Outsourcing (Do not step on these rakes)
Here is the general list of fraud categories (each one is described in more details below, just click on the link or scroll down):
- Faking developer’s CV, profile, skills, experience, etc.
- Selling “Junior developer” for the price of “Senior developer”
- Ghost Employees, which don’t work for you and maybe even don’t exist
- Talking head
- Wrong location
- Faking the number of work or outsourcing services done
- Tracking a bigger number of hours
- Additional works which were done faster or not done at all
- Adding to monthly invoice +10%-25% hours on top. From nowhere
- Overtimes which didn’t happen
- Fraud in reporting of the developer’s salary (in outstaffing)
- Dirty up-sale techniques in outsourcing
- Up-Sale of not needed managers and HRs
- Additional services/costs which were not in the contract
- Second 80% of the project after first 80% is ready
- Additional not needed services
- Money for nothing …
- Misuse of company sensitive data by the outsourcing company’s employees
Disclaimer: Most of the IT Outsourcing companies we know are doing a fair business, but unfortunately there are companies which play dirty. We don’t give real names here just to avoid legal risks.
But first, a short story
At the beginning of my developer career I worked for a great IT Outsourcing company. They had very nice clients and interesting projects from the central Europe. We did software development and support for our clients.
Unfortunately (or fortunately) in several years (after leaving the company) I learned that management of that company actually cheated. They used some of the tricks described below. After that case this outsourcing company didn’t look that great.
I decided to write an article on this topic.
To extend my knowledge and to cover more live cases I collected:
- a feedback from my friends from IT outsourcing management
- a feedback from developers online (see the sources section at the end)
And now about the fraud techniques in more details…
Faking developer’s CV, profile, skills, experience, etc.
Selling “Junior developer” for the price of “Senior developer”
If a headhuner or a recruiter asks candidates for software engineer position to send a CV in MS Word format, that could be a bad sign. That might mean that they are going to adjust developer’s CV to feat the outsourcing customer’s request. E.g. they can add several years of experience and some skills (which the candidate doesn’t actually have).
Why would they do this?
- To faster bring new people to the project and start getting money from the customer
- To have a better margin. Customer will pay the price of Senior developer, but the outsourcing company will pay a salary or a hourly rate of the Junior developer
Real life case 1: Some IT outsourcing companies during the interview with the candidate to the software developer position may agree with them to 1) slightly change their CV (e.g. add 2-3 years of experience); 2) slightly increase salary (e.g. new salary = Junior developer’s salary plus 200-300 EUR on top); 3) to name the developer’s new position “Senior Software Engineer” (or similar senior role).
Now customer pays Senior developer rates, but unfortunately the quality of the code of this developer stays on the same Junior level.
Real life case 2: We have information about companies that developed a special software for CV generation. Depending on the requirements from the outsourcing customer they can use a drug’n’drop tool to generate a perfect CV with the list of needed experience, skills, technologies, etc.
Ghost Employees, which don’t work for you and maybe even don’t exist
Kind of the previous one but with changes.
These ghost employees are just fake names, fake CVs and fake accounts (e.g. Email, GIT, Slack, etc.) which communicate with customers. On the other side of the world a remote customer has a feeling that he/she speaks to a real person.
Real life case: The customer has a team of 10 developers. One developer decides to leave the outsourcing company. He/she doesn’t work there anymore, but other team members use his/her account to answer E-Mails, push code to GIT (source code repository), write time reports, etc. At the end of the month customer receives an invoice for the whole team of 10 people, but actually only 9 developers worked this month.
Kind of the previous fraud scheme but with changes.
Usual case: a senior and a very good developer is sold to several customers for full time work. Outsourcing company calls this “100% dedicated resource”. But her work is actually done by some Junior developer(s). The senior developer only attends meetings with the customer, so customer can see her sometimes, e.g. 1-2 times per month.
Real life case: There was an outsourcing company in which they had a “talking head” set up. One fine day customers decided to visit that company’s office. Management of the outsourcing company had to walk through the office and instruct the developers: “Alex, please don’t forget, you work on Project X. Anton, you work on Project Y. If customers ask too many questions, just tell them that your English is not good enough, please ask the manager. Understood?”
Kind of the previous ones but with changes.
Some customers are ready to pay for developers in more expensive location (e.g. in Germany, US, UK, etc.). They order developers from these locations, but actually people from the cheaper locations are doing the job (e.g. from India).
This might look like a simple subcontracting and there is nothing wrong here.
Really? At the end of the day outsourcing customers have their own reasons for having developers in that more expensive location (e.g. because of security or legal reasons), but they don’t receive the service they pay for.
Faking the number of work or outsourcing services done
Tracking a bigger number of hours
This is related to the hourly based outsourcing contracts. Some companies cheat with the time reporting hardly.
Real life case: In one company there was a time-tracking rule set by the management: every developer has to track minimum 8.5 hours per day. Outsourcing company was paid on hourly basis. Management didn’t care that:
- Developers spent in the office only around 8 hours per day
- During the day people had pauses, educational meetings or other kind of meetings not related to the customer’s project
Additional works which were done faster or not done at all
Another way to cheat with the time reporting is to report:
- “over-tracking” time per work done. E.g. developer has to set up a local development environment and it takes him 5 hours; customer receives an invoice for 10 hours for the “local development environment set up”
- work which was not done at all. Here the type of work and the number of hours are limited only by the outsourcing company management’s imagination. Examples of such works: research on a new technology – 10 hours, code refactoring – 25 hours, database performance optimisation – 30 hours, etc.
Unfortunately it’s hard to identify such cheating from the outsourcing customer’s side, especially if the customer has no technical background or experience with IT.
Adding to monthly invoice +10%-25% hours on top. From nowhere
Some companies add to the monthly invoice +10%-25% (or even more) hours on top. From nowhere. Just because.
Usually this is done on the bigger projects where separate tasks are not reported in the invoice but only number of total hours spent.
Overtimes which didn’t happen
Another opportunity to cheat with the time reporting is to cheat with the overtimes. Especially this might sound attractive since overtimes are usually paid based on the higher rates (e.g. 150% or 200% from the normal hours price).
Real life case: One outsourcing customer was very surprised to see that one of the developers in outsourcing company worked more than 500 hours per month. You can easily guess that most of these hours were charged based on the higher “overtimes rate” (in that case 150% from normal rate). The management of the outsourcing company could not clearly explain this phenomenon to the customer.
Fraud in reporting of the developer’s salary (in outstaffing)
This is related to the outstaffing model only. In outstaffing model customer usually pays for developer’s salary plus a fixed monthly service fee. In order to increase margins, outsourcing company may report to the customer a higher developer salary but still pay a actual lower salary.
Dirty upsell techniques in outsourcing
Upsell of not needed managers and HRs
Often outsourcing companies in addition to the technical team also sell a mandatory Manager(s) and/or HR(s). The price for this role is based on the amount of work done by the team, e.g. usual price for such manager is 10-20% of the price of work done by the whole team.
In some cases it’s a good idea, especially when customer has no experience in software development. Manager should help to organize resources, manage the customer’s project, communicate and report. But sometimes a manager on the outsourcing company side can make the communication with the team more complex. Especially when customer communicates only with the manager and doesn’t talk to the team.
On the other hand there are following questions:
- Why manager costs 10-20% of the whole team?
- Does he/she also work 10-20% of the total team hours?
- Is he/she worth the money?
- Is he/she actually needed? Especially on the projects where most of the management is done by the outsourcing customer.
Additional services/costs which were not in the contract
Customer may be surprised because of the additional costs which were added to the invoice. These costs were not included to the contract, but customer assumed that this part is covered by the outsourcing provider.
For example this might be: price of the hardware and software on which developers write code. The customer assumes this is covered by the outsourcing company and is included into the hourly developer rates, but actually this was not. Also none notified the customer about that before signing the contract.
Second 80% of the project after first 80% is ready
This fraud mostly related to the fixed price model. This is the model where at the beginning customer receives an estimate for the project (time & money), based on that estimate customer pays to the company.
Real life case: At the beginning of the project the outsourcing company promises to implement customer’s project for €X money (usually a pretty low bid only to win the tender). But when project is 80% ready, it appears that they have forgotten something very important… which will take additional budget, e.g. “50-100% * €X” more. Most of companies know how it’s hard to change the outsourcing provider at the middle of the project, so customer decides to pay additional price just to finish the project faster. After that part is ready, outsourcing company may find something else forgotten …
This is mostly related to the fixed price model.
Management of the outsourcing company receives a project time estimate from developers “X months”, but manager informs customer about “2*X months”. If customer agrees, then he/she will receive the work done only after 2*X months. Not earlier. Even if it’s done after X months. Also customer will receive an invoice for 2*X months of work.
Additional not needed services
Kind of the previous ones but with some changes.
IT Outsourcing company can up-sell customer that they also need additional outsourcing services, like full refactoring, performance optimisation, database optimisation, UX research, etc. But most likely customer actually doesn’t need that.
Real life case: Outsourcing company was developing a B2B website for their clients. This website would have maximum 100-200 visits per month. At the same time management of the outsourcing company was able to up-sale to the customer a website performance optimisation. While customer was not too technical person and he trusted to the manager from that company, he just agreed to this not needed and expensive additional service.
Money for nothing …
Customer pays for additional services or benefits for the development team, but developers don’t receive them. E.g. customer pays for:
- Expensive licensed software (Windows, Microsoft Office), but developers use similar free software (Linux, Open Office)
- The same with the hardware (e.g. Laptops: customer pays for Macbooks for the whole team, but developers work on old HP and Dell; customer pays for two 21” monitors but developers work on one 19” monitor
- Additional courses and tranings paid by customer that developers didn’t actually attend
Misuse of company sensitive data by the outsourcing company’s employees
This is actually a bit different type of the problem. This is done mostly by the outsourcing company’s employees, especially by those that have access to sensitive data.
Here are some of the examples:
- Identity theft (e.g. stealing all the customer information including the scans of personal ID and other documents)
- Credit card fraud (e.g. stealing credit card number, other info and CVV)
- Selling of customer’s database to competitors (e.g. on the black market or directly)
- Stealing user access codes and personal data (e.g. internet banking IDs and PINs)
- Refund fraud
- … etc.
Tips for risk mitigation
Now you know some of the dirty tricks they use. What’s next?
First: forewarned is forearmed.
Second: below you will find some general tips on how you can mitigate the risks. There are two sections:
- “Before starting”: useful for IT outsourcing newbies, that right now are thinking about outsourcing
- “Operational phase”: useful for companies which already have a working outsourcing set up
- Participate in recruitment process, be there (at list virtually), observe, ask questions, double check.
- Participate in technical interviews. Each CV should be double checked if this is a real CV and if it correspond to the real skills. If customer doesn’t have technical people in the team, it’s possible to hire IT consultants (in the related technology).
- Incorporate HR-related issues in the contract.
- Clearly define expected security controls in the outsourcing contract and develop appropriate performance measures to monitor consistent application of those controls.
- Involve internal and/or external audit in the entire outsourcing process.
- Ensure that contingency plans are formulated and viable in the event of non-performance by the service provider
- Involve IT consultants with the main focus on outsourcing
- If it’s fixed project, then set the milestones (the best would be weekly or bi-weekly) and control them
- Audit / Assessment. Even if you already have outsourcing team you can ask for audit or an assessment. You can ask developers to be tested. In Internet you can find several free and paid tests for almost each technology.
- Monitor the relationship actively, respond to problems and issues aggressively, employ escalation procedures promptly, and engage in conflict resolution.
- Identify objective and quantifiable performance measures that are well specified, relevant for the supported business units, mutually agreed to, and are readily comparable with established criteria.
- Periodically review, renegotiate, and renew the contract. Reset target service levels annually.
A double-edged sword
Not all outsourcing customers are the same. Really.
I hope everyone understands that we don’t live in a perfect world where all outsourcing customers are saint. There are also outsourcing customers that cheat. But this is the topic of our next article.
About “SITO: Software and IT Outsourcing”
The best way to prevent outsourcing fraud is to avoid dealing with unscrupulous service providers in the first place.
Our project “SITO: Software and IT Outsourcing” is a platform where your company can find a reliable and fair outsourcing providers. This is a big network of outsourcing, outstaffing and IT consulting companies.
We care of the quality of the services provided by all of our partners. Our team constantly monitors a feedback from the outsourcing clients. If we see that one of our partner plays dirty, then we stop working with such providers.
If you are interested in a free consulting from our top outsourcing experts, then leave your request in this form below (just click the link and fill in the form):
Also we 100% guarantee the quality of our services.
To prepare this article we used the following resources:
- Ukrainian developers forum dou.ua/forums/topic/24778/ (it’s in Russian and Ukrainian, but you can use a google translate link to read in english: goo.gl/C43GWP)
- A presentation by Fernando Cancino, CFE, CIA: “Managing the Risk of Fraud in Outsourcing”
- “Fraud Finds New Way to Infect Outsourcing Relationships” by Nearshore Americas
Please share & like!
Please share this article. Just click on the button below. More people should know about the fraud.
Remember: forewarned is forearmed!