Payroll Fraud and Compliance: Lessons from the Wisconsin Back Wages Case

Payroll Fraud and Compliance: Lessons from the Wisconsin Back Wages Case

Hook: If your organization relies on manual timesheets, scattered approvals, or weak audit trails, you are one missed reconciliation away from a Department of Labor investigation — and real damage to employees, budgets, and reputation. The Dec. 4, 2025 consent judgment against North Central Health Care (NCHC) for unpaid wages and overtime is a timely wake-up call for security, payroll, and IT teams.

Quick summary (most important first)

In late 2025, a U.S. District Court ordered North Central Health Care to pay $162,486 in back wages and liquidated damages to 68 case managers after a U.S. Department of Labor (DOL) Wage and Hour Division investigation found employees worked unrecorded hours between June 17, 2021 and June 16, 2023. The DOL concluded NCHC violated the Fair Labor Standards Act by failing to record and pay for off-the-clock time and overtime. For security and IT leaders, the case exposes predictable technical and control failures that allow wage theft — deliberate or accidental — to happen and persist.

Why this case matters to security and IT teams

Most technical teams assume payroll is an HR problem. The NCHC outcome demonstrates that payroll compliance is a cross-functional security issue. When timekeeping, payroll calculation engines, and approval workflows can be manipulated — intentionally or via error — organizations face legal exposure, loss of trust, and cascading operational risk. The issues in the DOL finding are common across healthcare, government, and service organizations that use hybrid work models and distributed case management.

Core findings and what they imply

• Unrecorded hours and off-the-clock work: Case managers were performing work that was not captured by timekeeping systems. That implies weak user-facing capture, poor offline/remote support, or policy gaps that tolerated after-hours work without records.
• Overtime not calculated or paid: The DOL found overtime underpayments — indication of incorrect payroll rules, missing regular-rate computations, or round-down errors in aggregation.
• Recordkeeping failures: The employer failed to maintain accurate records as required by the FLSA, pointing to gaps in audit logs, retention, or reconciliations.

Technical root causes behind payroll exposure

Most incidents trace back to a small set of technical and process weaknesses. Below are the categories that most commonly lead to wage theft and payroll non-compliance.

1. Incomplete / tamperable timekeeping

Timekeeping that depends on manual entry, spreadsheet uploads, or easily altered records creates opportunity for missing hours. Common issues include:

• Local spreadsheets or email attachments used as the primary source of truth.
• Absence of secure, persistent timestamps and device identifiers for clock-ins/outs.
• Mobile or offline workflows that fail to reliably sync or store proof of work.

2. Incorrect overtime and regular-rate logic

Payroll engines often use complex rules for overtime calculation. Errors occur when:

• Different pay elements (bonuses, shift premiums) are excluded or mis-assigned in the regular rate calculation.
• Rounding and aggregation logic is inconsistent across systems (timekeeping vs payroll engine).
• Manual overrides or one-off adjustments bypass automated checks without reconciliation.

3. Weak access controls and privileged-user risk

When a handful of users can modify time entries, approve exceptions, or run payroll without separation of duties, the system is vulnerable. Specific risks include:

• Broad AD or SSO privileges granted to HR and payroll clerks.
• Shared service accounts with no MFA and no individualized logging.
• No approvals gating for retroactive edits or bulk imports.

4. Poor auditability and incomplete logs

If a DOL investigator requests source records and the organization cannot produce tamper-evident audit trails, liability increases. Problems frequently seen:

• Timekeeping system logs that do not capture who made edits, when, or from what IP/device.
• No immutable storage or cryptographic signing of original time records.
• Logs retained for weeks rather than years, contrary to regulatory needs.

5. Process gaps and cultural drivers

Technology can only do so much. Cultural norms — expecting workers to log after-hours work informally, supervisors approving off-the-clock labor as a practice, or pressure to underreport overtime — all contribute.

Controls that failed in the NCHC finding — and their technical fixes

Below we map the DOL-observed failures to concrete controls and remediation steps security and IT teams can implement immediately.

Control failure: Inadequate time capture

Why it failed: Manual or decentralized time capture allowed unrecorded hours. Remote case managers likely worked outside office systems without enforced capture.

Technical fixes:

• Deploy a centralized, enterprise-grade timekeeping system with secure mobile clients that produce signed timestamps and device metadata.
• Use offline-first mobile SDKs that record time locally with cryptographic seals, then sync with a server-side ledger once networked.
• Implement mandatory clock-in/out policies enforced by the client (no manual entry of start/end by admin except through audited exception workflows).

Control failure: Broken overtime calculation

Why it failed: Regular-rate and overtime rules were incorrectly applied or bypassed by manual edits.

Technical fixes:

• Standardize payroll rule definitions in a single, authoritative rules engine with versioning and test coverage.
• Automate regular-rate calculations and separate wage elements (bonuses, differentials) with documented mapping.
• Require automated reconciliation between timekeeping totals and payroll inputs before payroll runs; block runs with mismatches until investigated.

Control failure: Insufficient segregation of duties

Why it failed: Individuals could alter time records and approve payroll adjustments without independent oversight.

Technical fixes:

• Implement Role-Based Access Control (RBAC) with least privilege and enforce multifactor authentication for payroll or HR admin actions.
• Introduce a two-person approval for retroactive time edits and bulk imports; record approver identities and timestamps in immutable logs.
• Integrate payroll systems with IAM and SIEM for continuous monitoring of privileged activity.

Control failure: Weak logging & record retention

Why it failed: Investigators require durable records; short retention and modifiable logs create compliance risk.

Technical fixes:

• Adopt tamper-evident logging (append-only storage, WORM or blockchain-backed ledgers) for timekeeping and payroll transactions.
• Define retention policies meeting or exceeding FLSA guidance and store logs off-site with integrity checks.
• Enable rich audit trails: before/after values, user IDs, device IDs, geolocation when appropriate, and reason codes for edits.

Advanced strategies for 2026 and beyond

Late 2025 and early 2026 saw three trends relevant to payroll security: accelerated adoption of AI in HR automation, rise of remote/hybrid caseworker roles, and increased regulatory scrutiny from agencies like the DOL. Attackers and negligent processes can now exploit automation. Below are advanced mitigations aligned with those trends.

1. Cryptographic time attestation

Use cryptographic signing of time entries at the client before sync. This creates non-repudiable evidence of when and where an entry originated and is a powerful defense against after-the-fact edits.

2. Integrity monitoring powered by ML

Deploy anomaly detection that flags unusual patterns: clusters of retroactive edits, late-night approvals, or repeated overrides by the same user. Integrate with SOAR playbooks to require investigation before payroll runs.

3. Zero Trust for payroll systems

Treat payroll and timekeeping as critical assets. Require device posture checks, continuous authentication, and network micro-segmentation for access to payroll administration interfaces.

4. AI-assisted audit assistants

Leverage 2026-grade AI tools to pre-run compliance checks across millions of rows, highlight probable regular-rate miscalculations, and auto-generate DOL-ready evidence packages. Ensure AI itself is auditable and that deterministic rules are preserved for legal review.

5. Secure integrations and API governance

Many organizations use multiple vendors (EHR, case management, scheduling). Ensure APIs between scheduling, EHR, timekeeping, and payroll use strong auth (mutual TLS), enforce rate limits, and include schema validation to prevent silent data loss or mismatches that cause underpayment.

Operational checklist: Immediate steps for security & IT teams

Start here — prioritized, practical steps you can implement in 30–90 days.

1. Inventory: Catalogue all timekeeping systems, integrations, and data flows. Identify who can edit time entries and run payroll.
2. Access hardening: Enforce MFA, RBAC, and eliminate shared accounts for payroll and HR systems.
3. Deploy immutable logging: Configure append-only logs with off-site retention aligned to FLSA guidance.
4. Two-person controls: Require independent approval for retroactive edits and bulk imports. Automate approval capture.
5. Reconciliation: Implement daily reconciliations between timekeeping and payroll inputs; block payroll export if discrepancies exist.
6. Change management: Any payroll rule change requires documented test cases, version control, and sign-off from HR, legal, and finance.
7. Employee education: Train case managers to use official timekeeping channels and report pressure to work off-the-clock confidentially.
8. Incident plan: Create a DOL-response playbook that contains required data extracts, contacts, and a forensic-ready copy of logs.

Case study — how NCHC’s failure could have been prevented

Apply the above checklist to the facts in the DOL case:

• If NCHC had enforced centrally-managed mobile time capture with cryptographic timestamps and enforced offline sync, unrecorded hours would have been minimized.
• An authoritative payroll rules engine with automatic regular-rate calculations and automated reconciliation would have flagged unpaid overtime before payroll distribution.
• Segregation of duties and immutable audit trails would have allowed a faster internal remediation and produced cleaner evidence during the DOL review, likely reducing penalties and liquidated damages.

Policy & compliance alignment

Ensure technical measures align with legal obligations:

• FLSA requirements: Nonexempt employees must be paid time-and-one-half for hours over 40 in a workweek. Regular-rate calculations must include applicable pay elements. Keep records per DOL guidance.
• State laws: Some states have stricter recordkeeping or wage payment rules — coordinate payroll rule updates with legal counsel.
• Privacy and data protection: Timekeeping data includes PII; ensure encryption in transit and at rest and limit retention by purpose.

Preparing for DOL scrutiny in 2026

DOL activity around wage theft and recordkeeping has been steady into late 2025 and into 2026. Investigations increasingly probe systems and logs. Security teams should:

• Run readiness audits: Produce a sample DOL request and time how quickly you can assemble a compliant data package.
• Work with HR & legal: Pre-align on defensible positions for common disputes (e.g., on-call, travel time, client visits).
• Maintain an evidence repository: Store immutable snapshots of payroll runs, rule versions, and reconciliations for at least the statutory retention period.

“A DOL investigation is as much a data integrity audit as a wage audit.” — Recommended operating principle for payroll security teams in 2026.

What to tell leadership — concise talking points

• Unchecked timekeeping and manual payroll edits expose the organization to wage theft claims, penalties, and reputational harm.
• Fixing the technology stack and controls reduces legal risk and saves money: automated reconciliation and robust logs prevent class-size back-pay liabilities.
• Investment priorities: secure timekeeping clients, immutable logs, RBAC/MFA, and a payroll rules engine with test coverage.

Final takeaways

The North Central Health Care judgment is not an isolated HR mistake — it is a failure of systems, controls, and culture that security and IT can materially prevent. In 2026, adversaries and compliance auditors alike will focus on data integrity, automation, and auditability. Treat payroll as a security-critical application: harden access, make records immutable, automate reconciliations, and ensure separation of duties. Those steps will reduce exposure to wage theft claims, simplify regulatory responses, and protect both employees and the organization.

Call to action

Start your payroll security remediation today. Download our Payroll Security & Compliance Checklist for 2026 and run a 30-day readiness audit: inventory timekeeping systems, audit privileged access, and configure immutable logs. If you need help modeling a payroll rules engine or implementing cryptographic time attestation, contact our team of security and payroll compliance experts for a rapid assessment.

Related Reading

• Indie Film Road Trip: Catch EO Media’s New Slate at Regional Screens and Micro-Festivals
• Micro-Apps for Micro-Mobility: Build a Scooter/Kickshare Tool Your City Will Actually Use
• Design a Strategic Plan vs. Business Plan Workshop for Nonprofit Students
• Price-Alert Playbook: How to Set Smart Alerts for Power Stations, E-bikes and TCG Drops
• Smart Lighting to Boost Team Mood: Evidence, Use Cases, and Vendor Picks