This is kind of a taboo topic in my industry, especially considering that I’m a consultant… freelance at that. But… here we go!
I ask my clients this all the time, but not with regards to my work, but to that of other consulting companies that I have to work with. When it comes to the circle of trust between clients and consultants, it’s never the same. Night and day differences for different clients and different consultants.
The answer to this question should always be, never. You should always have checks in place to verify your consultants work. This can either be employees, a third party consultant, logging software, or even documentation reviews.
Now, I’m not saying that all your consultants are lying to you, generally they’re trustworthy people, but most people forget that this is business, and there’s a lot of time and money on the line. I like taking someone at their word as much as the next guy, but when all hell breaks loose, all you’ll have is a, “But you said…” And that’s not something you can take to your board with.
If your consultants are on the up-and-up then they will have no problem with one of your own sitting with them, or asking them for documentation outlining all the steps taken for you to verify in a separate environment. Checks and balances exist for a reason.
Very rarely do I take anyones word on anything completely. Nine times out of ten, when I learn something new, I verify it through a second source. It doesn’t mean that I don’t believe the person or piece of information that I’m reading, but it’s a cold hard fact that people lie, forget parts, or exaggerate all the time. It’s nothing personal, but it happens.
I worked with one client where they had outsourced a huge chunk of development to a very large consulting company. They hired me to check their work. Think of it like an ongoing development assessment. It wasn’t that they had no faith in the large consulting company, it’s just that they knew that they had no clue what was technically going on and they wanted someone on their side to verify this multi-million dollar project instead of just taking their word that “it works”. By me being there, and my reputation of being a no bullshit kind of guy that only cares about my client and will easily chew out a third party when they’re caught lying to my client, their work improved greatly while I was there, and it even tightened up. No more sloppy code that’ll get the code working… barely. No more crappy documentation that’s virtually unreadable and definitely not useable. No more useless meetings that were wasting tens of thousands of dollars. And most importantly, the consulting company was being held to their word with a paper trail. All of this happened just because I sat in on a few meetings and reviewed their environments. As they say, “You can’t bullshit a bullshitter.” And I’ve seen it all, so I was the companies ace in the hole that wound up saving them a ton of cash, and even better, getting the project in on time.
At another client in a similar situation, the consulting company kept telling them that “no changes were made”, and they didn’t have a large IT staff knowledgeable to check into this. After some checking some history loggers I had setup on the servers, I was able to send them a transcript of all the commands issued, files updated, and in some cases differences in code (I had the previous versions saved elsewhere). This was especially important as it was relevant to a milestone that required payment.
Again, a lot of this comes down to standard business practices, but a lot of the time, in the niche field of Identity Management, most companies don’t have anyone on staff that knows this type of work well enough to do these checks properly.
I know that most people won’t read this and agree, but do nothing about it. I hope that it gets at least one person to follow through and save them a ton of headache down the road.