Contact Us

Join Thousands of Auditors, CPAs, Executives, Managers and Their Teams Who Have Achieved Greater Professional Success

Managing Risks in Cost-Plus and Lump-Sum Contracts

Business organization leaders use third-party contractors for two reasons and with these two reasons comes lump-sum contracts and managing risks. 

The first reason is for things they don’t want to handle. For example, constructing a new regional office several time zones away from headquarters. This need would normally be best served by finding and engaging a qualified local construction contractor.

Second, for things they don’t have the knowledge or capacity to handle. Things like legal services, IT development, brand marketing or rail freight logistics.

And let’s face it. We would be hard-pressed to find any entity in business, government, education, or nonprofit circles where daily dependence on the work of dozens, hundreds, or thousands of contractors wasn’t just the way things got done.

Well, with that familiarity and dependence comes risk. Often risk that grows quietly from the early honeymoon-phase of any new business relationship until, over time something serious goes wrong. Poor performance, inadequate controls, conflicts of interest, and even kickback and other shadow deals all look terrible in the light of day. And when we missed it for far too long, leaders, regulators, and owners legitimately want to know: how did you let this happen on your watch

Contracting Basics

There are two primary parties in any contract: the owner and the contractor. And while there are a half dozen types of business contracts, most fall within two broad categories: Lump-sum (fixed price) or cost-plus. 

In a lump-sum (fixed price) agreement, the owner and contractor agree to a fixed payment amount in return for the delivery of specified goods, services, or other deliverables. In cost-plus deals, the parties spell out which contractor costs are allowable, and the contractor bills the owner for those costs plus an agreed-upon stated fee or percentage on top of the costs to cover the contractor’s overhead and profit. 

Pretty simple, right? And if it really is that simple, why are there thousands and thousands of war stories about how the contractor took advantage through shoddy work, shorting on quantities and/or quality of materials or services delivered, overstatement of costs, or inclusion of unallowable costs?

And yes, there are many stories indeed of owner organizations taking unfair advantage of contractors through unreasonable demands beyond the contract scope, delays in review and approval of legitimate contract change requests, slowing down payment, and even failing to make payments at all.

Plenty of risks. Plenty of stories. Plenty of things that can and often do go wrong. On both sides of business contract relationships.

But why is that?

Inherent Challenges in Contracting Relationships – Consider These Six Issues:

Inherent Procure-to-Pay Cycle Risks

Cash transferring from the owner to the contractor is implicit in the ‘procure-to-pay’ business cycle. To me and hopefully to you, cash flowing out to any unrelated third-party is a risk. Period. End of discussion.

Third-Party Reliance

Picking up on the theme of unrelated third-parties, never forget that even the most honest and ethical contractors – which is the vast majority – have their own goals, objectives, budgets, profit targets, payroll costs, and dozens of other day-to-day priorities that keep their doors open and the lights turned on. When we squeeze them to be the lowest bid compared to their equally qualified competitors, something has to give. There is a natural tension and related risk between the contractor’s best intention to balance their own objectives with their fiduciary responsibilities under the contract.

We Never Know Their Full Story

This one is easy to explain and hopefully understand. Despite the contractor’s efforts to be transparent in their business dealings with owners, we don’t know what it’s like to run their business. We don’t know their financing, labor, materials, and capital costs. We don’t know if their client list is growing or on the decline. And to top it off, the contractor has at least half of the records related to the relationship.

Keep it simple and keep it in mind: we never know their full story. Faith and trust are always present. And with faith and trust in any third-party business partnership comes risk.

Weak Deals

My use of the term ‘deals’ includes contracts, purchase commitments, engagement letters, sales agreements, joint venture agreements, leases, loans, and any other similar document that memorializes the responsibilities of two business parties. 

I have a rule when reviewing contract documents as a first step in my audits of contractors: whoever drafts the document tilts the terms to their advantage. And it’s incumbent upon the other party to make triple-certain that their interests are fairly represented before the ink dries on the approval signature page.

For example, does the owner have audit access to the contractor’s people, records, and work? Are important terms, conditions, change orders, and monthly pricing and billing methods adequately defined? And in cost-plus arrangements, is even the core concept of ‘cost’ defined – or subject to interpretation?

Shifting Management Support

As a career internal auditor, I have consistently come up against manager resistance to responsibility when things go wrong. Not every day and not every manager. But often enough that the pattern became clear years ago.

Imagine you are the manager or executive who signed the contract. You make that commitment based on what you knew that day, what you expect to happen over the term of the contract, and more than a little bit of trust and faith in the contractor. 

A year or two later, some pesky auditor like me comes to you and points out all of the mistakes you made in authorizing and managing the contract. Wouldn’t it be natural for you – or any human! – to react with resistance? The ‘who are you to tell me…’ reaction has been launched in my direction dozens of times over my 45-year auditing career. And it’s a fair response.

It takes a very strong manager or executive to acknowledge we could have done this better. Managers have pride in their work and the business relationships they oversee. That initial resistance you or I encounter when pointing out contract performance or billing issues may just be the normal way any human reacts to criticism. So don’t be surprised when you feel that support for after-the-fact audit and compliance reviews shifts.

5 Lessons on for Managing Risks in Cost-Plus and Lump-Sum Contracts

To be fair, most contract relationships occur without conflict or gamesmanship. In the end, both parties benefit. It’s in these positive experiences that the lessons are found on how to manage risks in cost-plus and lump-sum contracts. Here are five of those lessons.

Lesson Number One – Brainstorm ‘What Can Go Wrong’

This lesson has two steps.

First, before signatures are applied to contracts, qualified leaders must invest the time, energy, and focus on looking hard at the contract docs and deliverables. From their side of the deal and from the point of view of the other parties. Asking and answering “What Could Go Wrong?” – WCGW for short – is the first step in any meaningful risk assessment and management effort.

The second step right on its tail is to ask, “What would it look like if it happened?” – WWILL. Not the best acronym, but a reminder that matching risks with early-warning red flags, indicators and other symptoms of issues allows managers to react immediately.

Lesson Two – Measurable Deliverables and Benchmarks

In both lump-sum and cost-plus contract arrangements, up-front definition of deliverables and progress benchmarks is critical. Simply put, how else will owner representatives even know when and how much to pay the contractor?

Lesson Number Three – Competent Verification of Contractor Work

Owners should have steps in place to verify all aspects of contractor performance in real-time. Ideally, before invoices are paid, and the contract is closed-out. Quantity, quality, timeliness, functionality, user satisfaction and dozens and dozens of other performance deliverables and benchmark variables in Lesson two, above. Be mindful of the temptation to rely solely on contractor certifications. Ask: How do I know this is correct? Answer: get out there and see for yourself – at least at critical contract moments.

Lesson Four – Meaningful Review of Contractor Submissions – Especially Invoices

Contracts are a business relationship. The contractor performs. The contractor invoices. The owner reviews. The owner pays. Lesson Three covered the need for field verification of the contractor’s work. Lesson Four reminds us of the importance of timely, competent scrutiny of contractor documentation, and billing submissions is required as well. Ideally, before payment is made.

Lesson Five – Skills Training

I say with confidence that the single greatest risk in contracting relationships that I’ve encountered in four decades of audit work is a lack of skills in owner teams. Great field engineers and project managers who do not have accounting skills. Headquarters accounting staff who do not know enough about contract fieldwork and performance. New managers are assigned mid-way through a long-term contract without the knowledge of performance decisions reached in day-to-day discussions but not covered specifically in the contract documents. And just plain new managers overseeing new contract relationships without the knowledge and experience to do so effectively.


Clearly, this brief article only touches the surface on the many risks in cost-plus and lump-sum contracts. A much deeper analysis of your specific risks can only be performed by you and your team. But the risk lessons discussed here will hopefully nudge you further along your own path of contract risk management.

For further guidance, ask for help from others who devote full-time efforts to this topic. Expert contracting auditors, advisors, and consultants are there for the asking. Measure your skills, note the gaps, and say the word when help is needed.