Hard, soft or situational controls? Bridging the gap between security, compliance and internal control

  • Harald HaeltermanEmail author
Original Article


A historic focus on preventing losses from crime and a growing demand for compliance and internal control have placed the risk of employee crime and misconduct high on the corporate risk map. Its potential impact has become increasingly evident and operational management supported by various functional teams are being held accountable for establishing and implementing effective risk mitigating strategies and controls. The need for these teams to work together in a concerted manner is an obvious one, as a lack of alignment may result in inefficiencies and control deficiencies. In this paper it is argued that cross-functional collaboration can potentially be established or improved if practitioners come to realize that the measures and controls developed and introduced to mitigate the risk of employee crime and misconduct are very much alike. Following an exploratory review of the types of controls referred to in literature, it borrows from environmental criminology to demonstrate that similarity.


Employee crime and misconduct Cross-functional collaboration Hard controls Soft controls Situational measures 



  1. Aardema, H., and H. Puts. 2008. De harde werking van ‘soft controls’. Is een organisatie te beheersen met de CV-thermostaat? Tijdschrift voor public governance audit & control 6 (3): 2–6.Google Scholar
  2. Armitage, R., C. Joyce, and L. Monchuk. 2018. Crime Prevention Through Environmental Design (CPTED) and Retail Crime: Exploring Offender Perspectives on Risk and Protective Factors in the Design and Layout of Retail Environments. In Retail Crime. International Evidence and Prevention, ed. V. Ceccato and R. Armitage, 123–154. Cham: Palgrave Macmillan.CrossRefGoogle Scholar
  3. Basten, F., E. van Bekkum, and S. Kuilman. 2015. Soft Controls: IT General Controls 2.0. Compact 1: 14–20.Google Scholar
  4. Bleker-van Eyk, S.C. 2009. Hoe soft mogen soft controls zijn? Audit Magazine 4: 31.Google Scholar
  5. Bode, R. and Schijff, M. 2012. De kunst van het balanceren tussen soft en hard controls. Tijdschrift Controlling, pp. 20–24.Google Scholar
  6. Chtioui, T., and S. Thiéry-Dubuisson. 2011. Hard and Soft Controls: Mind the Gap! International Journal of Business 16 (3): 289–302.Google Scholar
  7. CIMA. 2009. Fraud Risk Management. A Guide to Good Practice. London: Chartered Institute of Management Accountants.Google Scholar
  8. Clarke, R.V. 1997. Introduction. In Situational Crime Prevention. Successful Case Studies, 2nd ed, ed. R.V. Clarke, 1–44. New York: Harrow and Heston.Google Scholar
  9. Clarke, R.V. 2005. Seven Misconceptions of Situational Crime Prevention. In Handbook of Crime Prevention and Community Safety, ed. N. Tilley, 39–70. Devon: Willan.Google Scholar
  10. Clarke, R.V. 2008. Situational Crime Prevention. In Environmental Criminology and Crime Analysis, ed. R. Wortley and L. Mazerolle, 178–194. Devon: Willan Publishing.Google Scholar
  11. Cornish, D.B. 1994. The Procedural Analysis of Offending and Its Relevance for Situational Prevention. In Crime Prevention Studies, vol. 3, ed. R.V. Clarke, 151–196. Monsey: Criminal Justice Press.Google Scholar
  12. COSO. 2016. Enterprise Risk Management. Aligning Risk with Strategy and Performance. June 2016 Edition.Google Scholar
  13. De Bie, J., and E. van Bekkum. 2012. Compliance Officer: Graag aandacht voor soft-controls! Tijdschrift voor Compliance 4: 234–238.Google Scholar
  14. De Groot, A.H.M., and N.J. den Hartigh. 2009. Hard Controls. Course Materials ‘Management van Compliance en Integriteit’ (5). Eindhoven: Euroforum Uitgeverij.Google Scholar
  15. De Kiewit, M.A. 2009. Soft Controls. Course Materials ‘Management van Compliance en Integriteit’ (6). Eindhoven: Euroforum Uitgeverij.Google Scholar
  16. De Kiewit, M. 2011. Auditen van integriteit vraagt om een juiste combinatie van hard en soft controls. Audit Magazine 2: 14–17.Google Scholar
  17. De Kort, J. (2014) Corporate Governance. De verhouding tussen ‘hard- en soft controls’ in de Nederlandse bestuurskamer. Master’s Thesis, Tilburg University, The Netherlands.Google Scholar
  18. Ekblom, P. 1992. Preventing Post Office Robberies in London: Effects and Side Effects. In Situational Crime Prevention Successful Case Studies, ed. R.V. Clarke, 66–74. New York: Harrow and Heston.Google Scholar
  19. Fennelly, L.J. (ed.). 1999. Handbook of Loss Prevention and Crime Prevention, 3rd ed. Boston: Butterworth-Heinemann.Google Scholar
  20. Fischer, R.J., and G. Green. 1998. Introduction to Security, 6th ed. Boston: Butterworth-Heinemann.Google Scholar
  21. Haelterman, H. 2001. Criminology, Information Technology and (Employee) Computer Crime. In A Decade of Research @ the Crossroads of Law and ICT, ed. J. Dumortier, F. Robben, and M. Taeymans, 119–126. Larcier: Brussel.Google Scholar
  22. Haelterman, H. 2009. Situational Crime Prevention and Supply Chain Security: An ‘Ex Ante’ Consideration of Preventive Measures. Journal of Applied Security Research 4: 483–500.CrossRefGoogle Scholar
  23. Haelterman, H. 2011. Re-thinking the Cost of Supply Chain Security. Crime, Law and Social Change 56 (4): 389–405.CrossRefGoogle Scholar
  24. Haelterman, H., M. Callens, and T. Vander Beken. 2012. Controlling Access to Pick-up and Delivery Vans: the Cost of Alternative Measures. European Journal on Criminal Policy and Research 18 (2): 163–182.CrossRefGoogle Scholar
  25. Haelterman, H. 2013. Situational Crime Prevention and Supply Chain Security. Theory for Best Practice. Alexandria: ASIS Foundation Research Council. CRISP Report.Google Scholar
  26. Haelterman, H. 2019. Criminals: Suggestions to Improve Security Procedures. In Encyclopedia of Security and Emergency Management, ed. L. Shapiro and M.H. Maras. Cham: Springer.Google Scholar
  27. Haelterman, H., and P. Van Troyen. 1999. Beveiliging van informatiesystemen: Een geïntegreerde aanpak. In Security Consultancy. Het actieterrein van de beveiligingsadviseur in België en Nederland, ed. M. Cools and H. Haelterman, 139–166. Kluwer Editorial: Diegem.Google Scholar
  28. Hamilton-Smith, N. 2002. Anticipated Consequences: Developing a Strategy for the Targeted Measurement of Displacement and Diffusion Of Benefits. In Crime Prevention Studies Volume 14. Evaluation for Crime Prevention, ed. N. Tilley, 11–52. Monsey: Criminal Justice Press.Google Scholar
  29. Herman, M. and Hrubey, P. 2016. Using Cross-Functional Collaboration for More Effective and Efficient Risk Assessment. Accessed 12 May 2019.
  30. Hunter, J., L. Garius, P. Hamilton, and A. Wahidin. 2018. Who Steals from Shops, and Why? A Case Study of Prolific Shop Theft Offenders. In Retail Crime. International Evidence and Prevention, ed. V. Ceccato and R. Armitage, 71–97. Cham: Palgrave Macmillan.CrossRefGoogle Scholar
  31. IAEA. 2008. Preventive and Protective Measures Against Insider Threats, IAEA Nuclear Security Series (8). Accessed 15 Jun 2019.
  32. ICA. n.d. What are the Five Key Functions of a Compliance Department? Accessed 3 June 2019.
  33. ICC. 2011. ICC Rules on Combating Corruption. Accessed 3 Mar 2019.
  34. IIA. 2011. Soft and Strong: A Best-Practice Paradox, Accessed 22 Sept 2017.
  35. IIA. 2013. The Three Lines of Defense in Effective Risk Management and Control. IIA Position Paper. Accessed 21 May 2019.
  36. IIA Netherlands. 2015. Discussion Paper Soft Controls. What are the Starting Points for the Internal Auditor? Accessed 29 Jan 2017.
  37. IIA Norge. 2015. Guidelines for the Compliance Function, Accessed 8 May 2019.
  38. In’t Veld, C. 2014. Soft Controls (Position Paper). Accessed 4 Feb 2017.
  39. Jönsson, E. 2019. Risky Business: Corporate Risk Regulation When Managing Allegations of Crime. Crime, Law and Social Change 71: 483–501.CrossRefGoogle Scholar
  40. Kaptein, M. 2008. The Living Code. Embedding Ethics into the Corporate DNA. Sheffield: Greenleaf Publishing.Google Scholar
  41. Kaptein, S.M., and V.H.M. Kerklaan. 2003. Controlling the ‘Soft Controls’”. Management Control & Accounting 7 (6): 8–13.Google Scholar
  42. Kaptein, M. and Vink, H-J. 2014. The Soft Side of Hard Controls: A Control Coding Theory. Accessed 30 Mar 2019.
  43. KPMG Advisory. 2016 Acht basis soft controls. Tijd voor next level compliance. Accessed 22 Sept 2017.
  44. Lückerath-Rovers, M. 2011a. Mores Leren. Soft Controls in Corporate Governance. Inaugural Speech 8 June 2011. Accessed 5 Apr 2017.
  45. Lückerath-Rovers, M. 2011b. Soft Controls in Corporate Governance. In: Jaarboek Compliance 2011. Capelle a/d Ijssel: Nederlands Compliance Instituut, pp. 77–88.Google Scholar
  46. Mayhew, P., and M. Hough. 2012. Situational Crime Prevention. The Home Office origins. In The Reasoning Criminologist: Essays in honour of Ronald V. Clarke, ed. N. Tilley and G. Farrell, 15–29. Abingdon: Routledge.Google Scholar
  47. Merchant, K.A., and W.A. Van der Stede. 2007. Management Control Systems. Performance Measurement, Evaluation and Incentives, 2nd ed. London: Pearson Education Ltd.Google Scholar
  48. Mulders, H.A., and H.P. Zevenhuizen. 2009. Soft Controls in the Netherlands: More Recognised Than Anywhere Else (Interview with James Roth). Audit Magazine 4: 6–8.Google Scholar
  49. NBA. 2010. Meer Aandacht Interne Accountant voor Soft Controls. Accessed 12 Aug 2017.
  50. Newman, G.R., and J.D. Freilich. 2012. Extending the Reach of Situational Crime Prevention. In The Reasoning Criminologist. Essays in honour of Ronald V. Clarke, ed. N. Tilley and G. Farrell, 212–225. Abingdon: Routledge.Google Scholar
  51. OECD. 2010. Good Practice Guidance on Internal Controls, Ethics, and Compliance. Accessed 3 Jun 2019.
  52. Oliver, E., and J. Wilson. 1972. Practical Security in Commerce and Industry, 2nd ed. New York: Wiley.Google Scholar
  53. Power, M. 2007. Organized Uncertainty. Designing a World of Risk Management. Oxford: Oxford University Press.Google Scholar
  54. Sennewald, C.A. 2003. Effective Security Management, 4th ed. Boston: Butterworth-Heinemann.Google Scholar
  55. Sidebottom, A. 2010. Enriching Corruption: Some Suggestions on how Situational Crime Prevention Can Inform the Analysis and Prevention of Corruption. Accessed 22 Sept 2017.
  56. Simons, R. 1995. Control in an age of empowerment. Harvard Business Review, March–April 1995.Google Scholar
  57. Smith, M.J., and R.V. Clarke. 2012. Situational Crime Prevention: Classifying Techniques Using ‘Good Enough’ Theory. In The Oxford Handbook of Crime Prevention, ed. B.C. Welsh and D.P. Farrington, 291–315. New York: Oxford University Press.Google Scholar
  58. Summerfield, R. 2019. The Evolution of Compliance. Financier Worldwide Magazine. Accessed 3 Jun 2019.
  59. Thompson, C.M., and B. Leclerc. 2014. The Rational Choice Perspective and the Phenomenon of Stalking. In Cognition and Crime. Offender Decision Making and Script Analyses, ed. B. Leclerc and R. Wortley, 70–100. New York: Routledge.Google Scholar
  60. UAE IAA. 2017. Are Soft Controls Better Than Hard Controls? Internal Auditor Middle East. Accessed 18 Apr 2017.
  61. UK Ministry of Justice. 2012 Bribery Act 2010: Guidance About Procedures Which Relevant Commercial Organisations Can Put into Place to Prevent Persons Associated with Them From Bribing. Accessed 20 Mar 2019.
  62. United States Department of Justice and United States Securities and Exchange Commission. 2012. A Resource Guide to the U.S. Foreign Corrupt Practices Act. Accessed 27 Feb, 2019.
  63. Van der Meulen, I., and J. Otten. 2013. Behavioural Auditing: Het Onderzoeken van Gedrag in Organisaties. Audit Magazine 1: 33–35.Google Scholar
  64. Verkooy, C.M., and B.J.A. van Loon. 2008. Soft Controls ALS Auditobject. Audit Magazine 4: 18–22.Google Scholar
  65. Vink, H.J.A. 2009. Wetenschappelijk onderzoek naar de werking van soft controls? Audit Magazine 4: 19–21.Google Scholar
  66. Wall, D.S. 2013. Enemies Within: Redefining the Insider Threat in Organizational Security Policy. Security Journal 26 (2): 107–124.CrossRefGoogle Scholar
  67. Willison, R. 2006. Understanding the Perpetration of Employee Computer Crime in the Organizational Context. Information and Organization 16: 304–324.CrossRefGoogle Scholar
  68. Willison, R., and M. Siponen. 2009. Overcoming the Insider: Reducing Employee Crime Through Situational Crime Prevention. Communications of the ACM 52 (9): 133–137.CrossRefGoogle Scholar
  69. Wortley, R. 1997. Reconsidering the Role of Opportunity in Situational Crime Prevention. In Rational Choice and Situational Crime Prevention. Theoretical Foundations, ed. G. Newman, R.V. Clarke, and S.G. Shoham, 65–81. Aldershot: Ashgate Dartmouth.Google Scholar
  70. Wortley, R. 2008. Situational precipitators of crime. In Environmental Criminology and Crime Analysis, ed. R. Wortley and L. Mazerolle, 48–69. Devon: Willan.Google Scholar

Copyright information

© Springer Nature Limited 2019

Authors and Affiliations

  1. 1.Department of Criminology, Criminal Law and Social Law, Faculty of Law and CriminologyGhent UniversityGhentBelgium

Personalised recommendations