Feeds

Corruption cops warn on old-school project management

NSW's Independent Commission Against Corruption issues procurement guidance

Top three mobile application threats

The New South Wales Independent Commission Against Corruption (ICAC) has cast its eye over the IT sector, and suspects that there's a gap between project management practise and the real world that opens the door to corruption.

The issue the ICAC is trying to address is the way that a shift from staff to contractors can open the door to cost-blowouts and even outright corruption.

Contractors are an inevitable part of the modern IT project, the corruption watchdog notes, driven by both the supply side and the customer side. Someone with saleable skills rarely wants to stagnate into system maintenance after a project is completed. On the other side, the customer organisation usually doesn't have all the skills on hand to implement a major project, and probably lacks the time to build those skills from within.

However, the ICAC states, reliance on contract specialists to deliver projects also renders obsolete traditional project controls that are taught to any professional manager: “budget, specifications, timeframe, cost and measurement of deliverables become elastic and are rendered less effective,” the commission writes. “As these controls weaken, the ICAC has seen opportunities for profiteering and corruption increase; contractors can over-service, over-price and under-deliver.”

The customer-side manager is also confronted with a dizzying array of small and micro-businesses offering specialist services, the ICAC notes: most of the country's 20,000 IT businesses have fewer than five staff, and only 500 firms have more than 20 staff. That's in addition to two thousand recruitment firms, many of which are contractor-owned.

Hence its information paper, Managing IT Contractors, Improving Outcomes, compiled after interviews with CEOs, COOs, IT managers and auditors from public and private sector organisations.

The high points of its advice are that customers should:

  • The project's business case should be linked to the controls that apply throughout the project;
  • Design and build should be kept separate – the ICAC suggests rejecting low bids that indicate an undisclosed interest (such as a low design price that the contractor hopes to recover at build time). Informal contact between contractors and internal staff should be limited during the bid, and the ICAC suggests engaging separate contractors to act as reviewers;
  • Gateway control – managing who is allowed into contracts sounds obvious, but clearly the ICAC has seen evidence of organisations engaging contractors without the proper due diligence, so it recommends background checks of contractors, as well as using recruitment firms in contest with each other.
  • Managing project managers – PMs should not be too close to contractors, the ICAC writes, and their “span of control” should be limited; and
  • Exit strategy – every project needs one, and it should include enforcing fixed limits on tenure, so that a contractor doesn't have an incentive to string-out a project to keep the money flowing.

Certainly, none of these controls would have hurt Queensland Health, whose failed payroll system rollout ended in tears, an independent inquiry, and a final bill likely to reach $AUD1.2 billion for a system that's going to be replaced anyhow. ®

SANS - Survey on application security programs

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Whoever you vote for, Google gets in
Report uncovers giant octopus squid of lobbying influence
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.