A board-grade fraud-readiness assessment, scoring, and reporting product, built around a deterministic, version-controlled scoring engine that MK owns and edits without a developer.
The MK Fraud Readiness Score is calculated by a rule engine that treats your methodology as configuration, not code. The score is a pure deterministic function of the active methodology version and the applicable answers, so the same answers always produce the same overall score, category scores, maturity band, exposure profile, and recommendations. No generative AI ever participates in the calculation. Every result carries a full trace showing the contribution of each answer, each weight, each critical-control check, and any maturity cap that fired. Questions, weights, maturity bands, critical-control rules, and recommendation content all live in an MK admin console as versioned, editable data, so your team changes the methodology without a developer and without a release. A scoring test pack proves expected equals actual before anything goes live. This is the heart of the product, and it is the first thing this proposal commits to.
You have an established, document-based Fraud Readiness Diagnostic across ten capability areas. You want it as a scalable digital product organisations complete online to get a structured, credible view of their fraud readiness, then act on it over a 30, 60, and 90-day horizon. It supports an Instant Snapshot, a Full Self-Assessment Report, and an MK-Validated Report, with the architecture ready for all three even though the validated level is a manual MK workflow at launch.
We recommend a custom web application built around a versioned scoring and rules engine and an MK admin console. The methodology lives as data, not code, so MK edits it without a developer. This is deliberately pragmatic engineering for an SME launch — a modular application and one primary database, not an enterprise microservices estate.
Board-grade, responsive MK-branded interface that loads on normal South African connections, with progress, save-and-return, and conditional logic.
One deployable with clear module seams: assessment, scoring, reporting, admin, payments, comms. Same language end to end keeps the team small and handover simple.
Deterministic, testable, traceable. Reads versioned configuration and emits a score plus a full trace. No black box, no model inference.
Relational integrity for the methodology and results, strong aggregation for the dashboard and the benchmarking dataset, fully portable, easy to export and hand over.
One template path drives both the on-screen report and the PDF, with full MK brand control of fonts, colours, charts, and layout.
Low operational overhead, scales predictably, every account under MK control. Optional AI assist sits off the scoring path, off by default.
Custom-built, owned by MK on payment: the scoring engine and its versioned configuration model, the assessment experience, the MK admin console, the report generator, the data model, the role-based access model, and the anonymised benchmarking structure. Third-party, configured, under MK-owned accounts: hosting, managed PostgreSQL, object storage, transactional email (Postmark / Amazon SES), a South-Africa-suitable payment gateway (PayFast, Yoco, or Peach Payments, with Stripe an option), privacy-respecting analytics, domain and TLS. Each third party is a commodity with a drop-in alternative, which keeps lock-in low.
Your brief requires at least two realistic approaches across thirteen evaluation areas. The honest alternative is a configured low-code assessment platform — faster and cheaper to start, but weaker where you weight highest. A hybrid is the third reference point. The recommended option is A.
| Evaluation area | A · Custom + config (recommended) | B · Low-code platform | C · Hybrid |
|---|---|---|---|
| Initial cost | Higher up front, scoped to an SME MVP | Lowest to start | Middle; two surfaces to wire |
| Recurring cost | Modest, predictable | Per-seat / per-response fees that grow | Platform fees plus our infra |
| User experience | Full board-grade MK brand | Constrained by platform templates | Good front, seams in reporting |
| Scoring flexibility | Full: versioned config, caps/gates, dual model, traces | Limited; often hits a ceiling | Full in core; intake constrained |
| Reporting | Full dynamic branded PDF, immutable finals | Templated, harder to make board-grade | Strong report, data round-trip risk |
| Security | We control hosting, region, encryption, RBAC | Depends on the platform | Mixed; data crosses a boundary |
| Data ownership | Total: your database, full export | Often partial, platform-shaped | Split across two systems |
| Vendor lock-in | Lowest: open stack, portable schema | Highest: methodology trapped | Medium; lock-in on intake half |
| Maintainability | MK self-admins; any dev can take over | Easy until platform limits | Two skill sets, messier handover |
| Scalability | SME to thousands, no rebuild | Scales, but cost scales too | Scales unevenly |
| Integration | Clean subdomain, open API, webhooks | Only platform connectors | Custom integrates, platform constrains |
| Benchmarking | Owns the anonymised dataset | Data lives in the platform | Split data complicates it |
| Handover | Open code, schema, config, test pack | Platform-specific, tied to its life | Two handovers; weakest link wins |
Why custom and configurable wins. Your heaviest, repeated requirements — deterministic traceable scoring with critical-control gating and the readiness-vs-exposure separation, MK self-editing without code, total data ownership with no lock-in, board-grade reporting with immutable finals, and an owned dataset for benchmarking — all favour the custom option. A low-code platform is cheaper to start but loses on exactly the axes you weight highest, and it traps your confidential methodology and client data inside a third party. Your brief states the lowest-priced proposal will not necessarily be selected, and this is why.
The scoring engine is the heart of the product and the reason a generic web shop cannot deliver this brief. It is a pure deterministic function of the active methodology version and the applicable answers — the same answers always produce the same result, with no randomness, no time dependence, and no AI in the path.
Fraud Readiness (capability across ten domains) and Fraud Exposure (inherent opportunity from your operating model, channels, third parties, geography) are scored by two distinct passes and shown side by side — never averaged into one unexplained number.
Critical-control questions are flagged; maturity caps and gates are explicit rules. A failed critical control caps the maturity band regardless of a healthy average, force-lists the gap, and pushes it up the priority ranking.
Every run shows each answer's value and weight, its contribution to the category, the overall roll-up, the critical-control evaluation, the maturity decision before and after caps, and which questions were excluded as N/A and why. MK views and exports it.
Each methodology set is a version (draft / active / retired). A completed assessment permanently stores the version it was scored under, so old reports never silently change when the methodology evolves.
Named sample response sets with MK-approved expected results run through the real engine and produce an expected-vs-actual difference report. The launch gate: no production launch until scoring reconciles against the approved test cases.
Approved methodology changes can recompute historical assessments to show movement over time, without ever overwriting an originally issued result.
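The engine behaviours listed above (methodology as versioned data, N/A exclusion, a critical-control cap, a per-answer trace, and the test-pack launch gate), as an added JavaScript example that is neither MK's methodology nor the vendor's code. Every question id, weight, band threshold and cap rule is constructed for illustration, and the names `scoreAssessment` and `reconcile` are hypothetical.

```javascript
// Constructed methodology version: every id, weight, band and cap is hypothetical.
const METHODOLOGY = Object.freeze({
  version: "demo-1.0.0", maxAnswer: 4, // answers are integers 0..4, or "NA"
  bands: [ // ordered highest first; minPct is inclusive
    { name: "Leading", minPct: 80 }, { name: "Established", minPct: 60 },
    { name: "Developing", minPct: 40 }, { name: "Initial", minPct: 0 },
  ],
  questions: [
    { id: "GOV-1", category: "Governance", weight: 3 }, { id: "GOV-2", category: "Governance", weight: 1 },
    { id: "DET-1", category: "Detection", weight: 2, critical: { minAnswer: 2, capBand: "Developing" } },
    { id: "DET-2", category: "Detection", weight: 2 },
  ],
});
// Pure function of (methodology, answers): no clock, no randomness, no I/O.
function scoreAssessment(m, answers) {
  const trace = [], capsFired = [], totals = {};
  let got = 0, max = 0;
  for (const q of m.questions) {
    const a = answers[q.id];
    if (a === "NA") { trace.push({ id: q.id, excluded: "N/A" }); continue; }
    if (!Number.isInteger(a) || a < 0 || a > m.maxAnswer)
      throw new Error(`invalid or missing answer for ${q.id}`); // fail closed
    const pts = a * q.weight, top = m.maxAnswer * q.weight;
    const t = totals[q.category] || (totals[q.category] = { got: 0, max: 0 });
    t.got += pts; t.max += top; got += pts; max += top;
    trace.push({ id: q.id, answer: a, weight: q.weight, contribution: pts });
    if (q.critical && a < q.critical.minAnswer) capsFired.push({ id: q.id, capBand: q.critical.capBand });
  }
  if (max === 0) throw new Error("no applicable answers to score");
  const pct = (g, x) => Math.floor((100 * g) / x);
  const rank = (name) => {
    const i = m.bands.findIndex((b) => b.name === name);
    if (i < 0) throw new Error(`cap names unknown band ${name}`); // a typo must not disable a cap
    return i;
  };
  const overallPct = pct(got, max);
  const rawIdx = m.bands.findIndex((b) => overallPct >= b.minPct);
  const cappedIdx = capsFired.reduce((i, c) => Math.max(i, rank(c.capBand)), rawIdx); // caps only lower
  const categories = Object.fromEntries(Object.entries(totals).map(([k, t]) => [k, pct(t.got, t.max)]));
  return { version: m.version, overallPct, categories, capsFired, trace,
    bandBeforeCap: m.bands[rawIdx].name, band: m.bands[cappedIdx].name };
}
const TEST_PACK = [ // constructed cases; expected values stand in for owner-approved results
  { name: "healthy average, failed critical control", expected: { overallPct: 81, band: "Developing" },
    answers: { "GOV-1": 4, "GOV-2": 4, "DET-1": 1, "DET-2": 4 } },
  { name: "N/A question excluded from both totals", expected: { overallPct: 67, band: "Established" },
    answers: { "GOV-1": 3, "GOV-2": "NA", "DET-1": 3, "DET-2": 2 } },
];
function reconcile(m, pack) { // expected-vs-actual differences; an empty list passes the gate
  return pack.flatMap((c) => {
    const actual = scoreAssessment(m, c.answers);
    return Object.entries(c.expected).filter(([f, want]) => actual[f] !== want)
      .map(([f, want]) => ({ case: c.name, field: f, want, got: actual[f] }));
  });
}
```

Removing the `critical` rule from `DET-1` makes the first case reconcile as "Leading" instead of "Developing", which is the kind of silent regression the launch gate exists to catch.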
Reports are assembled from MK-approved material only, generated deterministically from the scoring result, the trace, and the organisation profile. There is no unrestricted AI making risk decisions or inventing recommendations.
Your maintainability requirement is that non-technical MK staff manage ordinary changes without continuous developer dependency. We draw the line explicitly and put it in the admin guide at handover.
The Protection of Personal Information Act is the relevant frame, and the platform is designed to it.
Reassessment & benchmarking (Q12). Each assessment stores its methodology version, so organisations reassess and compare progress fairly over time. On completion we write an anonymised benchmark record (sector, size band, scores, maturity, exposure, critical-control summary — no organisation name or respondent identity), kept separate from client-identifying data. It is the substrate for a future South African Fraud Readiness Index: industry and size comparisons, distributions, percentiles, longitudinal trends — switched on only when MK judges the sample credible. The first release presents no peer benchmark as factual industry data.
Multiple respondents (Q14). Respondent is a first-class entity from day one, designed to scale from one to many even though the MVP uses one. A later section-assignment layer maps domains to contributors (risk, information security, procurement, internal audit, a project owner who submits). Because responses are already keyed per question with a recorded respondent, adding per-section ownership is an additive change, not a rebuild.
Analytics (7.13). The platform captures funnel analytics for MK — assessment starts, completion rates, drop-off points, time per section, report purchases and downloads, conversion to consultation enquiries, and reassessments — always in aggregate and never exposing one client's data to another.
Rough monthly estimates in USD for an SME launch, confirmed during Phase 1. Every line is under MK-controlled billing — these are MK's direct costs, not pass-through markups. The custom architecture carries no mandatory per-seat or per-assessment platform licence.
| Line | Provider examples | Monthly (USD est.) |
|---|---|---|
| App + database hosting | Managed app host + managed PostgreSQL | 25 – 60 |
| Object / file storage | S3-compatible | 5 – 15 |
| Transactional email | Postmark / Amazon SES | 10 – 25 |
| Report generation | Runs in our application tier | 0 – 20 |
| Analytics | Privacy-respecting analytics | 0 – 20 |
| Domain, DNS, TLS | MK registrar + managed TLS | 1 – 5 |
| Backups + monitoring | Automated backups, uptime monitoring | 5 – 20 |
| Indicative total at launch | working figure ~$75 – 120 | ~$50 – 165 / mo |
Annual licences are near zero with open-source-leaning choices. Payment fees are per-transaction through MK's own gateway. The platform supports free assessments, paid reports, promo/invitation codes, corporate licences, invoiced enterprise customers, report packages, and future subscriptions without a rebuild (7.10). Vendor lock-in (Q7) is low by design: open standard stack (React, Node, PostgreSQL, HTML-to-PDF), no proprietary runtime holding your methodology or data, every third party swappable behind a thin adapter, and full data export means MK can leave any provider or hand the whole system to another competent developer with the code, schema, scoring config, report templates, and test pack in hand.
From MK (Q15): the methodology pack (questions, response options and scale, profiling fields, weights, maturity bands, critical-control rules, exposure variables, recommendation library, report outline and sample wording, disclaimers), brand assets and website references, sample organisational profiles with expected scoring outcomes for the test pack, a preferred SA payment approach, the deployment preference and DNS or hosting access, and a single MK point of contact. We are ready to sign a confidentiality arrangement before receiving the full methodology pack, and we protect confidential material in access-restricted, MK-controlled storage on a need-to-know basis, never in public repositories or public AI tools (Section 17).
Some materials may be refined during the design phase, making scope and scoring a moving target. Mitigation: hold the methodology as versioned, externalised configuration so changes never need code edits; lock a baseline version for the prototype; written change control re-tests and re-versions any post-acceptance change.
A silent calculation error or untraceable score would destroy the credibility that is the product's value. Mitigation: an expected-vs-actual reconciliation harness from an MK-approved test pack, a per-answer trace, fully deterministic calculation, and a hard launch gate — no launch until scoring reconciles against the approved test cases.
If a failed control does not cap maturity, a weakness hides behind a healthy average. Mitigation: model flags and caps as explicit configurable rules, verified by dedicated test-pack scenarios where each failure must demonstrably cap maturity.
A lapse is both a POPIA exposure and a trust failure. Mitigation: the POPIA-aligned approach above, MK ownership and export of all data, all accounts under MK credentials, and an absolute rule that no client or methodology data trains any public AI and no AI sits in the scoring path.
Phase 1 is standalone and MK may appoint a different supplier afterward, while a feature-rich Phase 3 backlog invites MVP inflation. Mitigation: scope and price Phase 1 as a complete, handover-ready deliverable usable by any supplier; restate the out-of-scope list; confirm the MVP automates only the Snapshot and Self-Assessment Report; written change control prices additions separately.
Requirements validation, assumptions and risk register, customer-journey and workflow design, two implementation options and the recommended architecture with diagrams and database structure, security / recurring-cost / vendor-lock-in assessments, implementation roadmap, the fixed-price build proposal, a clickable prototype, and a demonstrated sample score and report.
Assessment interface, organisation profile, conditional logic, save-and-return, the scoring engine with category and maturity rules, exposure profile, critical-control logic, the admin console, snapshot results, full report generation, email workflows, basic payment / access control, data export, subdomain deployment, analytics, testing, documentation, training, production launch.
Multi-respondent assessments, client accounts and portals, evidence uploads, MK validation workflow, reassessment comparison, benchmarking, dashboards, subscriptions, additional sector modules, API integrations, and the annual Fraud Readiness Index.
| Phase 2 milestone (Section 14) | Acceptance basis | Share |
|---|---|---|
| M1 Requirements & architecture | MK approval of the validated build spec | 5% |
| M2 Prototype & scoring PoC | Agreed test responses produce expected scores | 10% |
| M3 Assessment & administration build | Agreed functional test cases pass | 30% |
| M4 Reporting & commercial workflow | Reports match approved content and calculations | 25% |
| M5 Deployment & testing | End-to-end customer journey completes | 15% |
| M6 Documentation & handover | Successful handover, training, credential transfer | 15% |
Accountable for delivery, communication, and acceptance. Aveosoft is an AI-first engineering company (established 2016, 200+ projects, 50+ engineers) on fixed-price, milestone-based terms.
Owns the scoring-engine design, the data model, and code review on the critical paths. A full-stack engineer carries the assessment journey, admin console, and report generation; QA owns the scoring test pack.
The same senior people who design the scoring engine in Phase 1 build it in Phase 2 — the strongest continuity guarantee we can offer.
| Support (Q22) | Included | Indicative (USD est.) |
|---|---|---|
| Warranty | 30 days from acceptance; defects fixed at no extra dev fee; optional 60–90 day extension | included |
| Tier 0 · Care | Monitoring, backup verification, security/dependency patching, defect triage, small content/config pool | ~250 – 400 / mo |
| Tier 1 · Managed | Tier 0 + capped enhancement pool, monthly health review, priority response, methodology-change support | ~500 – 900 / mo |
| Tier 2 · Partner | Tier 1 + larger pool and scheduled Phase 3 roadmap work under a quarterly plan | ~1,000+ / mo |
Your brief is explicit that generic website-design portfolios are not sufficient. We lead with capability that maps directly to this product, and we prove it with a working prototype and scoring demonstration rather than a logo wall.
A clickable, MK-branded prototype that walks the full respondent journey, produces an instant snapshot with readiness and exposure kept separate, flags a critical-control gap, and renders a board-grade report with a 30/60/90-day action plan, alongside an MK admin view showing no-code question and weight configuration. The exact pattern your product needs, demonstrated.
A 30-plus module CRM and operations platform delivered by a dedicated team of 15, with requirement-to-test traceability, structured change control, configurable modules, administration interfaces, and dashboards. The configurable-platform, admin-console, and QA-traceability discipline the MK scoring engine, admin console, and scoring test pack depend on.
| Project | Domain | Relevance to the MK Fraud Readiness Score |
|---|---|---|
| Bridge Monitoring | Inspection / scoring | Component-level inspection workflows with rated criteria and generated condition reports — the assessment-to-score-to-report pattern this product requires. |
| R&B STROBES | Oversight dashboard | Operational oversight dashboards with financial controls and exportable reporting across 3,500+ works, analogous to the MK admin dashboard and data management at scale. |
| E-Sarkar | Workflow / audit trail | Multi-tier approval workflows with full audit trails and versioned records, analogous to report versioning, validation status, and change history. |
Full client references available on request.
Phase 1 requires no production software development — it is a senior solution-design engagement, priced as an accessible, low-risk fixed discovery fee. The commercial weight sits in the Phase 2 build, which Phase 1 de-risks by producing a fixed-price build proposal. Billing in USD via Upwork escrow; payable as one milestone or split 50% on commencement / 50% on acceptance.
At the fixed fee of USD 2,655 as a standalone paid milestone.
We are ready to sign so MK can share the full methodology pack.
30 to 45 minutes to confirm the open questions, methodology format and readiness, sector-module count, deployment and payment preferences, and the Phase 1 review cadence.
By the end of Phase 1 MK holds validated requirements, a recommended architecture with diagrams and database structure, recurring-cost and vendor-lock-in assessments, an implementation roadmap, a fixed-price build proposal, a clickable prototype, and a demonstrated sample score and report. That pack is valuable on its own, and it is the strongest possible basis for the Phase 2 build.