Confidential Proposal · For MK Fraud Insights
A board-grade fraud-readiness assessment, scoring, and reporting product, built around a deterministic, version-controlled scoring engine that MK owns and edits without a developer.
The MK Fraud Readiness Score is calculated by a rule engine that treats your methodology as configuration, not code. The score is a pure deterministic function of the active methodology version and the applicable answers, so the same answers always produce the same overall score, category scores, maturity band, exposure profile, and recommendations. No generative AI ever participates in the calculation. Every result carries a full trace showing the contribution of each answer, each weight, each critical-control check, and any maturity cap that fired. Questions, weights, maturity bands, critical-control rules, and recommendation content all live in an MK admin console as versioned, editable data, so your team changes the methodology without a developer and without a release. A scoring test pack proves expected equals actual before anything goes live. This is the heart of the product, and it is the first thing this proposal commits to.
You have an established, document-based Fraud Readiness Diagnostic across ten capability areas. You want it as a scalable digital product organisations complete online to get a structured, credible view of their fraud readiness, then act on it over a 30, 60, and 90-day horizon. It supports an Instant Snapshot, a Full Self-Assessment Report, and an MK-Validated Report, with the architecture ready for all three even though the validated level is a manual MK workflow at launch.
We recommend a custom web application built around a versioned scoring and rules engine and an MK admin console. The methodology lives as data, not code, so MK edits it without a developer. This is deliberately pragmatic engineering for an SME launch — a modular application and one primary database, not an enterprise microservices estate.
Board-grade, responsive MK-branded interface that loads on normal South African connections, with progress, save-and-return, and conditional logic.
One deployable with clear module seams: assessment, scoring, reporting, admin, payments, comms. Same language end to end keeps the team small and handover simple.
Deterministic, testable, traceable. Reads versioned configuration and emits a score plus a full trace. No black box, no model inference.
Relational integrity for the methodology and results, strong aggregation for the dashboard and the benchmarking dataset, fully portable, easy to export and hand over.
One template path drives both the on-screen report and the PDF, with full MK brand control of fonts, colours, charts, and layout.
Low operational overhead, scales predictably, every account under MK control. Optional AI assist sits off the scoring path, off by default.
Custom-built, owned by MK on payment: the scoring engine and its versioned configuration model, the assessment experience, the MK admin console, the report generator, the data model, the role-based access model, and the anonymised benchmarking structure. Third-party, configured, under MK-owned accounts: hosting, managed PostgreSQL, object storage, transactional email (Postmark / Amazon SES), a South-Africa-suitable payment gateway (PayFast, Yoco, or Peach Payments, with Stripe an option), privacy-respecting analytics, domain and TLS. Each third party is a commodity with a drop-in alternative, which keeps lock-in low.
The real decision is not custom versus no-code; it is how to host a deterministic, MK-editable scoring engine so it stays transparent, owned, and able to grow. We evaluated three genuine architectures, including the configured-platform option your brief invites. The recommended option is A.
| Evaluation area | A · Custom modular monolith + config engine (recommended) | B · Configured / low-code platform | C · Decoupled services (microservices) |
|---|---|---|---|
| Initial cost | Moderate, scoped to an SME MVP | Lowest to start | Highest: more services to build and wire |
| Recurring cost | Modest, predictable | Per-seat / per-response fees that grow | Higher: multiple services and more ops |
| User experience | Full board-grade MK brand | Constrained by platform templates | Full custom brand (same as A) |
| Scoring flexibility | Full: versioned config, caps/gates, dual model, traces | Limited; complex caps and gates hit a ceiling | Full (same engine, just separated) |
| Reporting | Full dynamic branded PDF, immutable finals | Templated, hard to make board-grade | Full, but cross-service data round-trips |
| Security | We control hosting, region, encryption, RBAC | Depends on the platform | Strong, but a larger inter-service surface |
| Data ownership | Total: your database, full export | Often partial, platform-shaped | Total (same as A) |
| Vendor lock-in | Lowest: open stack, portable schema | Highest: methodology trapped | Lowest (same open stack) |
| Maintainability | MK self-admins; one app any dev can run | Easy until platform limits | Harder: many services to run and monitor |
| Scalability | SME to thousands, no rebuild; seams ready to split | Scales, but cost scales too | Highest, but unnecessary at SME scale |
| Integration | Clean subdomain, open API, webhooks | Only platform connectors | Clean service APIs (same or better) |
| Benchmarking | Owns the anonymised dataset | Data lives in the platform | Owns it (same as A) |
| Handover | One codebase, schema, config, test pack | Platform-specific, tied to its life | Many services to document and run |
Why a modular monolith, not microservices or low-code. The product needs a deterministic, MK-editable scoring engine, board-grade reporting, total data ownership, and no lock-in, and it launches at SME scale (hundreds to low-thousands of assessments). A configured low-code platform (B) is the fastest, cheapest start, and your brief rightly asks us to weigh it, but it puts a ceiling on exactly what you rank highest: complex critical-control caps and gates, the dual readiness-versus-exposure model, full score traces, immutable board-grade reports, and ownership of your methodology and dataset. A decoupled microservices architecture (C) is the textbook enterprise answer and is genuinely better at very large scale, but at SME launch it multiplies infrastructure, operations, and handover cost for scale you do not have yet. That is over-engineering.
Our recommendation (A) gives you everything C gives you on flexibility, ownership, and reporting at a fraction of the running and handover cost, and we keep clean internal module seams (scoring, reporting, admin) so the scoring engine can be peeled out into its own service later if real volume ever justifies it. We also considered a hybrid (a low-code intake feeding a custom scoring service) and rejected it: it inherits the platform's lock-in on the intake half while still paying for custom on the other, the worst of both. And we build the deterministic engine in-house rather than embed a third-party rules engine, so the calculation stays fully transparent, traceable, and owned by MK, with no external runtime in the scoring path.
The scoring engine is the heart of the product and the reason a generic web shop cannot deliver this brief. It is a pure deterministic function of the active methodology version and the applicable answers — the same answers always produce the same result, with no randomness, no time dependence, and no AI in the path.
Fraud Readiness (capability across ten domains) and Fraud Exposure (inherent opportunity from your operating model, channels, third parties, geography) are scored by two distinct passes and shown side by side — never averaged into one unexplained number.
Critical-control questions are flagged; maturity caps and gates are explicit rules. A failed critical control caps the maturity band regardless of a healthy average, force-lists the gap, and pushes it up the priority ranking.
Every run shows each answer's value and weight, its contribution to the category, the overall roll-up, the critical-control evaluation, the maturity decision before and after caps, and which questions were excluded as N/A and why. MK views and exports it.
Each methodology set is a version (draft / active / retired). A completed assessment permanently stores the version it was scored under, so old reports never silently change when the methodology evolves.
Named sample response sets with MK-approved expected results run through the real engine and produce an expected-vs-actual difference report. The launch gate: no production launch until scoring reconciles against the approved test cases.
Approved methodology changes can recompute historical assessments to show movement over time, without ever overwriting an originally issued result.
Reports are assembled from MK-approved material only, generated deterministically from the scoring result, the trace, and the organisation profile. There is no unrestricted AI making risk decisions or inventing recommendations.
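To make the engine properties described above concrete (methodology as versioned configuration, a deterministic score with a per-answer trace, an explicit critical-control cap, N/A exclusion, and an expected-vs-actual reconciliation over a test pack), here is an added illustrative example in JavaScript, matching the Node stack the proposal names. It is not MK's methodology or Aveosoft's code: every question id, weight, band, threshold and answer below is a constructed placeholder, the exposure pass is omitted for brevity, and the shape of the result object is an assumption.

```javascript
// Added example, not MK's or Aveosoft's code: a toy deterministic readiness
// scoring engine driven entirely by a versioned methodology object.
// All ids, weights, bands, thresholds and answers are constructed placeholders.

const METHODOLOGY_V1 = {
  version: "2024.1-example",        // stamped into every result and trace
  scale: { max: 4 },                 // answers are 0..4; the string "NA" marks not applicable
  categories: { governance: { weight: 0.5 }, detection: { weight: 0.5 } },
  questions: [
    { id: "q1", category: "governance", weight: 2 },
    { id: "q2", category: "governance", weight: 1, critical: true, passAt: 3 },
    { id: "q3", category: "detection", weight: 1 },
    { id: "q4", category: "detection", weight: 1 },
  ],
  // ascending order; a band applies when overall >= min
  maturityBands: [
    { name: "Initial", min: 0 },
    { name: "Developing", min: 40 },
    { name: "Established", min: 70 },
  ],
  criticalFailCap: "Developing",     // highest band allowed when any critical control fails
};

function scoreReadiness(methodology, answers) {
  const { scale, categories, questions, maturityBands, criticalFailCap } = methodology;
  const trace = { version: methodology.version, questions: [], excluded: [], critical: [], categories: {} };
  const acc = {}; // category -> { weighted, weight } over applicable questions only

  for (const q of questions) {                      // config order, so the trace is deterministic
    const raw = answers[q.id];
    if (raw === undefined || raw === "NA") {
      trace.excluded.push({ id: q.id, reason: raw === "NA" ? "answered N/A" : "unanswered" });
      continue;
    }
    const pct = (raw / scale.max) * 100;            // normalise the answer to 0..100
    const a = acc[q.category] || (acc[q.category] = { weighted: 0, weight: 0 });
    a.weighted += pct * q.weight;
    a.weight += q.weight;
    trace.questions.push({ id: q.id, category: q.category, value: raw, pct, weight: q.weight, contribution: pct * q.weight });
    if (q.critical) trace.critical.push({ id: q.id, value: raw, passAt: q.passAt, passed: raw >= q.passAt });
  }

  // Category score = weighted mean of its applicable answers; a category with
  // no applicable answers drops out and the remaining category weights renormalise.
  let overallWeighted = 0;
  let overallWeight = 0;
  for (const [name, cfg] of Object.entries(categories)) {
    const a = acc[name];
    if (!a) { trace.categories[name] = { score: null, note: "no applicable questions" }; continue; }
    const score = a.weighted / a.weight;
    trace.categories[name] = { score, weight: cfg.weight };
    overallWeighted += score * cfg.weight;
    overallWeight += cfg.weight;
  }
  const overall = overallWeight > 0 ? overallWeighted / overallWeight : null;

  // Maturity: band from the overall score, then an explicit cap if any critical control failed.
  const bandIndex = (s) => maturityBands.reduce((best, b, i) => (s >= b.min ? i : best), 0);
  const uncapped = overall === null ? null : bandIndex(overall);
  const anyCriticalFailed = trace.critical.some((c) => !c.passed);
  const capIndex = maturityBands.findIndex((b) => b.name === criticalFailCap);
  const capped = uncapped === null ? null : anyCriticalFailed ? Math.min(uncapped, capIndex) : uncapped;
  trace.maturity = {
    uncapped: uncapped === null ? null : maturityBands[uncapped].name,
    capFired: capped !== uncapped,
    final: capped === null ? null : maturityBands[capped].name,
  };

  const categoryScores = Object.fromEntries(Object.entries(trace.categories).map(([k, v]) => [k, v.score]));
  return { version: methodology.version, overall, categories: categoryScores, maturity: trace.maturity.final, trace };
}

// Expected-vs-actual reconciliation: the launch gate passes only when every
// approved case in the test pack reproduces its expected overall score and band.
function reconcile(methodology, testPack) {
  const close = (a, b) => a === b || (typeof a === "number" && typeof b === "number" && Math.abs(a - b) < 1e-9);
  const diffs = [];
  for (const tc of testPack) {
    const r = scoreReadiness(methodology, tc.answers);
    if (!close(r.overall, tc.expected.overall)) diffs.push({ name: tc.name, field: "overall", expected: tc.expected.overall, actual: r.overall });
    if (r.maturity !== tc.expected.maturity) diffs.push({ name: tc.name, field: "maturity", expected: tc.expected.maturity, actual: r.maturity });
  }
  return { passed: diffs.length === 0, diffs };
}

// Constructed test pack. The first case is the one the proposal warns about:
// a failed critical control (q2) hiding behind a healthy 87.5 average.
const TEST_PACK = [
  { name: "failed-critical-behind-healthy-average", answers: { q1: 4, q2: 1, q3: 4, q4: "NA" }, expected: { overall: 87.5, maturity: "Developing" } },
  { name: "critical-passed", answers: { q1: 4, q2: 4, q3: 2, q4: 2 }, expected: { overall: 75, maturity: "Established" } },
];
```

Two design points worth noting: the cap is a rule in the configuration rather than a branch buried in code, so MK can change which band a failed control caps to without a release, and the trace records the band both before and after the cap, which is what lets a report state plainly why an 87.5 is not "Established". Running `reconcile(METHODOLOGY_V1, TEST_PACK)` returns `{ passed: true, diffs: [] }` here; any drift in the engine or the configuration surfaces as a named diff rather than a silently different score.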
Your maintainability requirement is that non-technical MK staff manage ordinary changes without continuous developer dependency. We draw the line explicitly and put it in the admin guide at handover.
The Protection of Personal Information Act is the relevant frame, and the platform is designed to it.
Reassessment & benchmarking (Q12). Each assessment stores its methodology version, so organisations reassess and compare progress fairly over time. On completion we write an anonymised benchmark record (sector, size band, scores, maturity, exposure, critical-control summary — no organisation name or respondent identity), kept separate from client-identifying data. It is the substrate for a future South African Fraud Readiness Index: industry and size comparisons, distributions, percentiles, longitudinal trends — switched on only when MK judges the sample credible. The first release presents no peer benchmark as factual industry data.
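The benchmark record and the "only when the sample is credible" rule above can be made mechanical. The following is an added illustrative example in JavaScript, not MK's or Aveosoft's code: an allow-list projection writes the anonymised record (so a new identifying field added to the assessment later is dropped by default rather than leaked by default), and a minimum cohort size gates any peer percentile. The field names, the sample assessment and the cohort threshold of 20 are assumptions; the proposal leaves the credibility judgement to MK, and the threshold here simply makes that judgement a configurable number.

```javascript
// Added example, not MK's or Aveosoft's code. Field names, sample data and the
// minimum cohort size are constructed assumptions.

// Only these fields ever reach the benchmark dataset; no name, no respondent identity.
const BENCHMARK_FIELDS = [
  "sector", "sizeBand", "overall", "categories", "maturity",
  "exposure", "criticalSummary", "methodologyVersion",
];

// Allow-list projection: anything not listed (organisationName, respondentEmail, ...) is dropped.
function toBenchmarkRecord(assessment) {
  const record = {};
  for (const f of BENCHMARK_FIELDS) {
    if (assessment[f] !== undefined) record[f] = assessment[f];
  }
  return record;
}

// Percentile rank of x within values: share of the cohort scoring strictly below x.
function percentileOf(values, x) {
  const sorted = [...values].sort((a, b) => a - b);
  const below = sorted.filter((v) => v < x).length;
  return Math.round((below / sorted.length) * 100);
}

// Peer comparison is refused until the sector/size cohort reaches minCohort,
// so a small cohort can neither be presented as industry data nor narrow down
// which organisations it contains.
function peerComparison(records, candidate, minCohort = 20) {
  const cohort = records.filter((r) => r.sector === candidate.sector && r.sizeBand === candidate.sizeBand);
  if (cohort.length < minCohort) {
    return { available: false, cohortSize: cohort.length, reason: `cohort below minimum of ${minCohort}` };
  }
  return {
    available: true,
    cohortSize: cohort.length,
    percentile: percentileOf(cohort.map((r) => r.overall), candidate.overall),
  };
}

// Constructed sample assessment as the application would hold it (identifying fields included).
const SAMPLE_ASSESSMENT = {
  organisationName: "Example Co (Pty) Ltd",
  respondentEmail: "cfo@example.test",
  sector: "retail",
  sizeBand: "50-249",
  overall: 50,
  categories: { governance: 40, detection: 60 },
  maturity: "Developing",
  exposure: "High",
  criticalSummary: { failed: ["q2"] },
  methodologyVersion: "2024.1-example",
};

// Constructed cohort of 25 retail records with overall scores 0, 4, 8, ..., 96.
const SAMPLE_COHORT = Array.from({ length: 25 }, (_, i) => ({
  sector: "retail", sizeBand: "50-249", overall: i * 4,
}));
```

With this cohort, `peerComparison(SAMPLE_COHORT, toBenchmarkRecord(SAMPLE_ASSESSMENT))` reports the 52nd percentile; with only a handful of records it returns `available: false` and the report renders no peer figure at all, which is the behaviour the first release requires.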
Multiple respondents (Q14). Respondent is a first-class entity from day one, designed to scale from one to many even though the MVP uses one. A later section-assignment layer maps domains to contributors (risk, information security, procurement, internal audit, a project owner who submits). Because responses are already keyed per question with a recorded respondent, adding per-section ownership is an additive change, not a rebuild.
Analytics (7.13). The platform captures funnel analytics for MK — assessment starts, completion rates, drop-off points, time per section, report purchases and downloads, conversion to consultation enquiries, and reassessments — always in aggregate and never exposing one client's data to another.
Rough monthly estimates in USD for an SME launch, confirmed during Phase 1. Every line is under MK-controlled billing — these are MK's direct costs, not pass-through markups. The custom architecture carries no mandatory per-seat or per-assessment platform licence.
| Line | Provider examples | Monthly (USD est.) |
|---|---|---|
| App + database hosting | Managed app host + managed PostgreSQL | 25 – 60 |
| Object / file storage | S3-compatible | 5 – 15 |
| Transactional email | Postmark / Amazon SES | 10 – 25 |
| Report generation | Runs in our application tier | 0 – 20 |
| Analytics | Privacy-respecting analytics | 0 – 20 |
| Domain, DNS, TLS | MK registrar + managed TLS | 1 – 5 |
| Backups + monitoring | Automated backups, uptime monitoring | 5 – 20 |
| Indicative total at launch | working figure ~$75 – 120 | ~$50 – 165 / mo |
Annual licences are near zero with open-source-leaning choices. Payment fees are per-transaction through MK's own gateway. The platform supports free assessments, paid reports, promo/invitation codes, corporate licences, invoiced enterprise customers, report packages, and future subscriptions without a rebuild (7.10). Vendor lock-in (Q7) is low by design: open standard stack (React, Node, PostgreSQL, HTML-to-PDF), no proprietary runtime holding your methodology or data, every third party swappable behind a thin adapter, and full data export means MK can leave any provider or hand the whole system to another competent developer with the code, schema, scoring config, report templates, and test pack in hand.
From MK (Q15): the methodology pack (questions, response options and scale, profiling fields, weights, maturity bands, critical-control rules, exposure variables, recommendation library, report outline and sample wording, disclaimers), brand assets and website references, sample organisational profiles with expected scoring outcomes for the test pack, a preferred SA payment approach, the deployment preference and DNS or hosting access, and a single MK point of contact. We are ready to sign a confidentiality arrangement before receiving the full methodology pack, and we protect confidential material in access-restricted, MK-controlled storage on a need-to-know basis, never in public repositories or public AI tools (Section 17).
Some materials may be refined during the design phase, making scope and scoring a moving target. Mitigation: hold the methodology as versioned, externalised configuration so changes never need code edits; lock a baseline version for the prototype; written change control re-tests and re-versions any post-acceptance change.
A silent calculation error or untraceable score would destroy the credibility that is the product's value. Mitigation: an expected-vs-actual reconciliation harness from an MK-approved test pack, a per-answer trace, fully deterministic calculation, and a hard launch gate — no launch until scoring reconciles against the approved test cases.
If a failed control does not cap maturity, a weakness hides behind a healthy average. Mitigation: model flags and caps as explicit configurable rules, verified by dedicated test-pack scenarios where each failure must demonstrably cap maturity.
A lapse is both a POPIA exposure and a trust failure. Mitigation: the POPIA-aligned approach above, MK ownership and export of all data, all accounts under MK credentials, and an absolute rule that no client or methodology data trains any public AI and no AI sits in the scoring path.
Phase 1 is standalone and MK may appoint a different supplier afterward, while a feature-rich Phase 3 backlog invites MVP inflation. Mitigation: scope and price Phase 1 as a complete, handover-ready deliverable usable by any supplier; restate the out-of-scope list; confirm the MVP automates only the Snapshot and Self-Assessment Report; written change control prices additions separately.
Requirements validation, assumptions and risk register, customer-journey and workflow design, two implementation options and the recommended architecture with diagrams and database structure, security / recurring-cost / vendor-lock-in assessments, implementation roadmap, the fixed-price build proposal, a clickable prototype, and a demonstrated sample score and report.
Assessment interface, organisation profile, conditional logic, save-and-return, the scoring engine with category and maturity rules, exposure profile, critical-control logic, the admin console, snapshot results, full report generation, email workflows, basic payment / access control, data export, subdomain deployment, analytics, testing, documentation, training, production launch.
Multi-respondent assessments, client accounts and portals, evidence uploads, MK validation workflow, reassessment comparison, benchmarking, dashboards, subscriptions, additional sector modules, API integrations, and the annual Fraud Readiness Index.
| Phase 2 milestone (Section 14) | Acceptance basis | Share |
|---|---|---|
| M1 Requirements & architecture | MK approval of the validated build spec | 5% |
| M2 Prototype & scoring PoC | Agreed test responses produce expected scores | 10% |
| M3 Assessment & administration build | Agreed functional test cases pass | 30% |
| M4 Reporting & commercial workflow | Reports match approved content and calculations | 25% |
| M5 Deployment & testing | End-to-end customer journey completes | 15% |
| M6 Documentation & handover | Successful handover, training, credential transfer | 15% |
Accountable for delivery, communication, and acceptance. Aveosoft is an AI-first engineering company (established 2016, 200+ projects, 50+ engineers) on fixed-price, milestone-based terms.
Owns the scoring-engine design, the data model, and code review on the critical paths. A full-stack engineer carries the assessment journey, admin console, and report generation; QA owns the scoring test pack.
The same senior people who design the scoring engine in Phase 1 build it in Phase 2 — the strongest continuity guarantee we can offer.
| Support (Q22) | Included | Indicative (USD est.) |
|---|---|---|
| Warranty | 30 days from acceptance; defects fixed at no extra dev fee; optional 60–90 day extension | included |
| Tier 0 · Care | Monitoring, backup verification, security/dependency patching, defect triage, small content/config pool | ~250 – 400 / mo |
| Tier 1 · Managed | Tier 0 + capped enhancement pool, monthly health review, priority response, methodology-change support | ~500 – 900 / mo |
| Tier 2 · Partner | Tier 1 + larger pool and scheduled Phase 3 roadmap work under a quarterly plan | ~1,000+ / mo |
Your brief is explicit that generic website-design portfolios are not sufficient. We lead with capability that maps directly to this product, and we prove it with a working prototype and scoring demonstration rather than a logo wall.
A clickable, MK-branded prototype that walks the full respondent journey, produces an instant snapshot with readiness and exposure kept separate, flags a critical-control gap, and renders a board-grade report with a 30/60/90-day action plan, alongside an MK admin view showing no-code question and weight configuration. The exact pattern your product needs, demonstrated.
A 30-plus module CRM and operations platform delivered by a dedicated team of 15, with requirement-to-test traceability, structured change control, configurable modules, administration interfaces, and dashboards. The configurable-platform, admin-console, and QA-traceability discipline the MK scoring engine, admin console, and scoring test pack depend on.
| Project | Domain | Relevance to the MK Fraud Readiness Score |
|---|---|---|
| Bridge Monitoring | Inspection / scoring | Component-level inspection workflows with rated criteria and generated condition reports — the assessment-to-score-to-report pattern this product requires. |
| R&B STROBES | Oversight dashboard | Operational oversight dashboards with financial controls and exportable reporting across 3,500+ works, analogous to the MK admin dashboard and data management at scale. |
| E-Sarkar | Workflow / audit trail | Multi-tier approval workflows with full audit trails and versioned records, analogous to report versioning, validation status, and change history. |
Full client references available on request.
Phase 1 requires no production software development; it is a senior solution-design engagement, priced as an accessible, low-risk fixed discovery fee. The Phase 2 build is delivered by an AI-native senior team, which keeps it faster and leaner than a traditional quote, and Phase 1 de-risks it by producing a fixed-price build proposal. Billing in USD via Upwork escrow; payable as one milestone or split 50% on commencement / 50% on acceptance.
At the fixed fee of USD 1,475 as a standalone paid milestone.
We are ready to sign so MK can share the full methodology pack.
30 to 45 minutes to confirm the open questions, methodology format and readiness, sector-module count, deployment and payment preferences, and the Phase 1 review cadence.
By the end of Phase 1 MK holds validated requirements, a recommended architecture with diagrams and database structure, recurring-cost and vendor-lock-in assessments, an implementation roadmap, a fixed-price build proposal, a clickable prototype, and a demonstrated sample score and report. That pack is valuable on its own, and it is the strongest possible basis for the Phase 2 build.