In this six-part series, MorganFranklin’s GCAS team examines key considerations for government contractors as they navigate compliance with federal contracting regulations and DFARS business systems. We also focus on establishing, evaluating, and enhancing internal controls within the confines of maintaining compliance.

In Part 1 of this series, we examined the GovCon hire-to-retire lifecycle from a wider lens. In Part 2, we will examine this process from a different angle. Specifically, we will take a deep dive into two vital sub-processes within the hire-to-retire infrastructure: payroll and bonus compensation. 

The GovCon hire-to-retire lifecycle covers recruiting, hiring, paying, and offboarding employees. Both large and small businesses need an effective payroll management process to gather and store employee records, manage compensation budgets, track hours, and distribute pay. Payroll management must be efficient and timely to ensure employees are paid accurately and on time.

Variable (bonus) compensation is another aspect of employee pay that is subject to government regulations and needs to be closely monitored to ensure compliance. Government regulations cap the amount of total compensation that can be paid to executives and employees, and it is vital for contractors to ensure they are applying these limits correctly.

Key Consideration #1: Payroll system and related controls

Labor costs, including base pay, bonuses and fringe benefits, are often one of the largest expenses in any government contract. Because these costs are inherently connected to payroll, both the payroll process and system are closely scrutinized in business systems and incurred cost audits. 

Protecting the access and integrity of the payroll system is essential for every organization. A lack of sound internal controls can compromise the accuracy and protection of not only the payroll information itself, but also employees’ data. A vulnerable payroll system could be subject to unauthorized modifications to pay rates, compensation information, benefits data, and banking account and routing numbers. There is also the risk of this information being retrieved by unauthorized parties. 

Some issues occur at the point of record entry, while others happen after the records have been created and are being stored. The consequences of these records being breached, altered or retrieved via unauthorized activity can include significant additional costs for a company and exposure to both civil and criminal liability.

For example, the McNamara-O’Hara Service Contract Act (SCA) requires contractors and subcontractors to pay most non-professional service employees either the designated minimum wage rates and fringe benefits prevailing in the locality or the rates contained in a preceding contractor’s collective bargaining agreement. Repercussions of SCA violations include, but are not limited to, contract payment withholdings, contract terminations, legal actions, and a three-year debarment from future contracts.

Another example of potential risk, particularly within a remote working environment, is noncompliance with tax jurisdiction and state tax laws based on work location. This occurs when employers fail to set up state tax withholdings properly and/or fail to instruct employees to correctly record their time worked in particular states. These issues can create a hardship for employees as they may receive a larger-than-expected tax bill at the end of the year. 

How can potential risks be mitigated?

To protect the payroll system, contractors need to implement sound internal controls that improve the processes and reliability of the data in the system. Standardizing and automating payroll processes reduces the risks of errors, misstatements, and fraud schemes.

An essential way to protect sensitive payroll information is to establish and maintain strict IT controls. As organizations grow, it’s often necessary to invest in technology that maintains these internal controls when recording, preparing, and distributing payroll information. 

Mitigating risks to payroll systems requires companies to develop and implement policies and procedures, provide training to impacted parties, institute continuous monitoring and make necessary upgrades and program improvements to maintain efficient operations.

The following internal controls can help mitigate potential risks in the payroll process:

  • Automated Exception Reports vs. Manual Reviews – Creating bi-weekly or monthly reports which compare previous payroll runs to the current one can enable reviewers to quickly identify variances and irregularities. Manual reviews, on the other hand, can be tedious, time-consuming and vulnerable to human error. 
  • Segregation of Duties – It is important to establish internal controls over payroll system access and to require approval for any employee additions or deletions from payroll records. These controls reduce the risk of unauthorized manipulation of sensitive employee data. Restriction of system access, via password protections and tiered user permissions, can also prevent unauthorized changes to records, i.e. modifications to pay rates or payment redirections. 
  • Adequate Reviews – Conducting timely, regular reviews of payroll records can help identify red flags such as:
    • Names of terminated employees
    • Duplicate names, mailing addresses or social security numbers
    • Drastic changes to rate of pay

    It is also important to match the addresses on any mailed checks to the address on record for the specified employee.

  • Approvals – The initial creation, modification and purging of employees’ personnel data or records should be reviewed and approved by a manager who has the appropriate level of authority within the enterprise. This will help avoid potential collusion.
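
The exception report and review red flags listed above, sketched as an added example (not MorganFranklin's code or any payroll product's API). The record fields, the 20% rate-change threshold, and the sample runs are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample runs keyed by employee ID; SSN-like values are deliberately invalid.
PREVIOUS_RUN = {
    "E100": {"name": "Ana Ruiz", "ssn": "000-00-0001", "address": "1 Elm St", "rate": 40.0, "account": "ACCT-A"},
    "E101": {"name": "Ben Cho", "ssn": "000-00-0002", "address": "2 Oak Ave", "rate": 35.0, "account": "ACCT-B"},
    "E102": {"name": "Cy Diaz", "ssn": "000-00-0003", "address": "3 Pine Rd", "rate": 50.0, "account": "ACCT-C"},
}
CURRENT_RUN = {
    "E100": dict(PREVIOUS_RUN["E100"], rate=52.0),         # 30% rate increase
    "E101": dict(PREVIOUS_RUN["E101"], account="ACCT-Z"),  # payment redirected
    "E102": dict(PREVIOUS_RUN["E102"]),                    # still paid after termination
    "E103": {"name": "Dee Fox", "ssn": "000-00-0002", "address": "4 Ash Ln", "rate": 30.0, "account": "ACCT-D"},
}
TERMINATED_IDS = {"E102"}      # assumption: sourced from HR offboarding records
RATE_CHANGE_THRESHOLD = 0.20   # assumption: flag rate changes larger than 20%


def exception_report(previous, current, terminated_ids, threshold=RATE_CHANGE_THRESHOLD):
    """Compare two payroll runs; return sorted (employee_id, finding) pairs for review."""
    findings = []
    seen = defaultdict(list)  # (field, normalized value) -> employee IDs sharing it
    for emp_id, rec in current.items():
        if emp_id in terminated_ids:
            findings.append((emp_id, "terminated employee in current run"))
        for field in ("name", "ssn", "address"):
            seen[(field, rec[field].strip().lower())].append(emp_id)
        old = previous.get(emp_id)
        if old is None:
            findings.append((emp_id, "new payee since previous run; confirm approval"))
            continue
        if old["rate"] and abs(rec["rate"] - old["rate"]) / old["rate"] > threshold:
            findings.append((emp_id, "rate of pay changed beyond threshold"))
        if rec["account"] != old["account"]:
            findings.append((emp_id, "bank account changed since previous run"))
    for (field, _), ids in seen.items():
        if len(ids) > 1:  # the same value appears on more than one payee
            findings.extend((emp_id, f"duplicate {field}") for emp_id in ids)
    return sorted(findings)


if __name__ == "__main__":
    for emp_id, finding in exception_report(PREVIOUS_RUN, CURRENT_RUN, TERMINATED_IDS):
        print(emp_id, finding)
```

Each finding is a prompt for a reviewer to confirm that a documented approval exists, not a determination of fraud.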

Key Consideration #2: Variable compensation policies and executive compensation

As part of their overall compensation packages, most contractors provide their executives and employees with some form of variable compensation. Much of this variable compensation (up to a certain cap set by the government) is an allowable cost that can be billed back to the government. As a result, these bonuses are typically claimed as direct costs on a government contract or in an Indirect Cost Pool, i.e. Fringe or G&A. 

An effective annual review can help ensure that a company’s variable compensation policy is correctly applied to employment contracts and is updated in accordance with changing company policies and government guidelines. These reviews are also essential in making sure variable pay for executives and other high-ranking team members is in compliance with company policies and government salary caps.

An increased risk of control breakdowns is introduced when the variable compensation policy is not reviewed in a timely manner or applied correctly to individual employment contracts. This can result in disputes between companies and their employees and introduces the risk of incorrect application of government limits on overall compensation. When this happens, the government may challenge labor-related charges, reject invoices, and delay payment for completed work. It also introduces considerations on the need for an accrual for questioned or disallowed costs in the incurred cost submission. 

How can potential risks be mitigated?

We have identified several internal controls that will help combat these increased risks regarding variable compensation. 

Companies should have a documented and management-approved compensation plan. 

Establishing an annual review of the company’s variable compensation policy will allow management to re-evaluate the compensation packages they are offering their employees. This review should focus on the forms of variable compensation offered, the amounts per level, and the schedule by which bonuses are paid throughout the fiscal year. 

Additionally, when a new employee is hired, management should perform a detailed review of the employment contract to ensure it aligns with company-wide policies, including the overall compensation plan and variable compensation policy. If the new hire is an executive or high-level employee, the review should include a review of government salary caps to confirm that the employee’s compensation is within those limits. 

A strongly written and reviewed company compensation plan, along with an effective annual review of policies and employment contracts upon hire, reduces the risk of contradiction between the various documents. It also ensures adherence to government regulations regarding salary limits.


Ensuring payroll processes run smoothly and employees are compensated correctly and on time is critical for an organization’s success. 

With the recent changes to work environments, payroll system access should be constantly monitored to ensure appropriate segregation of permissions and to prevent unauthorized access by individuals who have left the company. 

Government contractors are subject to constantly changing government regulations. Annual reviews of company policies and processes are vital to ensure these regulations are urgently and effectively built into company practices.

 The compliance self-assessment below can be used to consider your own organization’s internal controls around payroll and bonus compensation. It can also help determine any areas that need strengthened controls or refreshed training.

 Compliance Self-Assessment

    1. Are labor cost reviews/trend analyses being performed in a timely manner and payroll policies adequately documented to cover monitoring and segregation of duties guidelines?
    2. Are the necessary system access controls in place to prevent manipulation of employee data?
    3. Does the company have a documented and management-reviewed compensation plan? Has this plan been reviewed and updated as necessary within the last year?
    4. Is an annual review of variable compensation policy in effect?
    5. Does your annual review of variable compensation include a detailed look at executive compensation with respect to the latest government salary cap on executive pay?

How MorganFranklin Can Help

We work with our clients to provide guidance to successfully contract with the Federal Government. 

We provide comprehensive and customized solutions, including identification of the government contract risk profile, audit readiness assessments and ongoing audit support, DFARS business system compliance reviews, and implementation of system transformation compliance controls. Our solutions help businesses efficiently and effectively execute government contracts.