Hard, soft or situational controls? Bridging the gap between security, compliance and internal control


A historic focus on preventing losses from crime and a growing demand for compliance and internal control have placed the risk of employee crime and misconduct high on the corporate risk map. Its potential impact has become increasingly evident and operational management supported by various functional teams are being held accountable for establishing and implementing effective risk mitigating strategies and controls. The need for these teams to work together in a concerted manner is an obvious one, as a lack of alignment may result in inefficiencies and control deficiencies. In this paper it is argued that cross-functional collaboration can potentially be established or improved if practitioners come to realize that the measures and controls developed and introduced to mitigate the risk of employee crime and misconduct are very much alike. Following an exploratory review of the types of controls referred to in literature, it borrows from environmental criminology to demonstrate that similarity.

This is a preview of subscription content, log in to check access.


  1. 1.

    As Wall indicates, ‘43% of the 607 respondents to the 2011 Cyber Security Watch Survey reported that they had experienced an insider incident in the previous year’, and most of the respondents found this type of incidents to be more damaging that outsider attacks (CERT, cited in Wall 2013, p. 107).

  2. 2.

    Quite often, however, the same security measure can be considered both a preventive and a protective measure (IAEA 2008, p. 10).

  3. 3.

    Examples taken from the OECD’s Guidance on Internal Control, Ethics and Compliance (2010), the ICC Rules on Combating Corruption (2011), the U.S. Department of Justice and U.S. Securities and Exchange Commission’s Resource Guide to the Foreign Corrupt Practices Act (2012) and the U.K. Ministry of Justice’s Guidance on helping commercial organizations prevent bribery (2012).

  4. 4.

    COSO—the Committee of Sponsoring Organizations of the Treadway Commission—is a joint initiative of private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. For more info, see www.coso.org.

  5. 5.

    Result controls are defined as indirect, preventive-type controls that have the potential to address each of the major categories of control problems; being a lack of direction, motivational problems and personal limitation problems (Merchant and Van der Stede 2007, pp. 8–12, 28). Action controls, as the most direct form of management control, ‘involve taking steps to ensure that employees act in the organization’s best interest by making their actions themselves the focus of control’ (Idem: 76). They include behavioral constraints (i.e. physical or administrative constraints that make it impossible or more difficult for employees to act against the interests of the organization), preaction reviews, action accountability (i.e. holding employees accountable for their actions) and redundancy (Idem: 76–79). Personnel controls, as a third type of controls referred to by Merchant and Van der Stede (Idem: 83), are aimed at clarifying expectations; at ensuring that employees are able, capable and sufficiently equipped to do a good job or at increasing the likelihood that employees will engage in self-monitoring. Cultural controls, finally, are designed to encourage mutual monitoring and to create and shape a strong organizational culture (Idem: 85).

  6. 6.

    As depicted in the so-called ‘integrity triangle’ or ‘fraud triangle’, frauds or integrity breaches are likely to result from a combination of three factors: opportunity, motivation (or pressure) and rationalization (de Kiewit 2011, p. 14; CIMA 2009, p. 13).

  7. 7.

    The model initially included seven factors and was later amended to include eight (Lückerath-Rovers 2011b, p. 79).

  8. 8.

    Please note that some techniques may fit more than one strategy.

  9. 9.

    Situational precipitators are events and influences that can supply or intensify the motivation for individuals to commit crime (Wortley 2008, p. 49). As Wortley points out, the immediate environment can actively encourage criminal responses. It can prompt individuals to commit crime by invoking feelings and desires that would normally not emerge (Wortley, 1997, p. 66; 2008, pp. 51–53). It can exert pressure on individuals to offend, to perform inappropriate behavior, to conform to group norms and standards of behavior, to obey the instructions of authority figures, to comply with requests, and to submerge their identity within the group (Wortley, 2008, pp. 53, 54). It can further help weaken moral prohibitions and permit individuals to engage in normally forbidden behavior (Idem: 55–56), or provoke a criminal or anti-social response by creating a high level of stress in the individual (Idem: 56–58). Finally, by limiting the availability or viability of alternative courses of action, situational precipitators may further interfere with offenders’ abilities to make decisions (Wortley, cited in Thompson and Leclerc 2014, p. 75).

  10. 10.

    Primary soft controls, according to Bode and Schijff (2012, p. 24), are established on an organizational level while secondary soft controls are to be considered the actual control measures that influence culture and behavior on a process level.

  11. 11.

    In an interview for Audit Magazine (see Mulders and Zevenhuizen 2009, p. 6), James Roth refers to soft controls as ‘elements of the corporate culture’.


  1. Aardema, H., and H. Puts. 2008. De harde werking van ‘soft controls’. Is een organisatie te beheersen met de CV-thermostaat? Tijdschrift voor public governance audit & control 6 (3): 2–6.

    Google Scholar 

  2. Armitage, R., C. Joyce, and L. Monchuk. 2018. Crime Prevention Through Environmental Design (CPTED) and Retail Crime: Exploring Offender Perspectives on Risk and Protective Factors in the Design and Layout of Retail Environments. In Retail Crime. International Evidence and Prevention, ed. V. Ceccato and R. Armitage, 123–154. Cham: Palgrave Macmillan.

    Google Scholar 

  3. Basten, F., E. van Bekkum, and S. Kuilman. 2015. Soft Controls: IT General Controls 2.0. Compact 1: 14–20.

    Google Scholar 

  4. Bleker-van Eyk, S.C. 2009. Hoe soft mogen soft controls zijn? Audit Magazine 4: 31.

    Google Scholar 

  5. Bode, R. and Schijff, M. 2012. De kunst van het balanceren tussen soft en hard controls. Tijdschrift Controlling, pp. 20–24.

  6. Chtioui, T., and S. Thiéry-Dubuisson. 2011. Hard and Soft Controls: Mind the Gap! International Journal of Business 16 (3): 289–302.

    Google Scholar 

  7. CIMA. 2009. Fraud Risk Management. A Guide to Good Practice. London: Chartered Institute of Management Accountants.

    Google Scholar 

  8. Clarke, R.V. 1997. Introduction. In Situational Crime Prevention. Successful Case Studies, 2nd ed, ed. R.V. Clarke, 1–44. New York: Harrow and Heston.

    Google Scholar 

  9. Clarke, R.V. 2005. Seven Misconceptions of Situational Crime Prevention. In Handbook of Crime Prevention and Community Safety, ed. N. Tilley, 39–70. Devon: Willan.

    Google Scholar 

  10. Clarke, R.V. 2008. Situational Crime Prevention. In Environmental Criminology and Crime Analysis, ed. R. Wortley and L. Mazerolle, 178–194. Devon: Willan Publishing.

    Google Scholar 

  11. Cornish, D.B. 1994. The Procedural Analysis of Offending and Its Relevance for Situational Prevention. In Crime Prevention Studies, vol. 3, ed. R.V. Clarke, 151–196. Monsey: Criminal Justice Press.

    Google Scholar 

  12. COSO. 2016. Enterprise Risk Management. Aligning Risk with Strategy and Performance. June 2016 Edition.

  13. Deloitte. 2015. The Changing Role of Compliance. https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/gx-financial-changing-role-compliance.pdf. Accessed 1 Jun 2019.

  14. De Bie, J., and E. van Bekkum. 2012. Compliance Officer: Graag aandacht voor soft-controls! Tijdschrift voor Compliance 4: 234–238.

    Google Scholar 

  15. De Groot, A.H.M., and N.J. den Hartigh. 2009. Hard Controls. Course Materials ‘Management van Compliance en Integriteit’ (5). Eindhoven: Euroforum Uitgeverij.

    Google Scholar 

  16. De Kiewit, M.A. 2009. Soft Controls. Course Materials ‘Management van Compliance en Integriteit’ (6). Eindhoven: Euroforum Uitgeverij.

    Google Scholar 

  17. De Kiewit, M. 2011. Auditen van integriteit vraagt om een juiste combinatie van hard en soft controls. Audit Magazine 2: 14–17.

    Google Scholar 

  18. De Kort, J. (2014) Corporate Governance. De verhouding tussen ‘hard- en soft controls’ in de Nederlandse bestuurskamer. Master’s Thesis, Tilburg University, The Netherlands.

  19. Ekblom, P. 1992. Preventing Post Office Robberies in London: Effects and Side Effects. In Situational Crime Prevention Successful Case Studies, ed. R.V. Clarke, 66–74. New York: Harrow and Heston.

    Google Scholar 

  20. Fennelly, L.J. (ed.). 1999. Handbook of Loss Prevention and Crime Prevention, 3rd ed. Boston: Butterworth-Heinemann.

    Google Scholar 

  21. Fischer, R.J., and G. Green. 1998. Introduction to Security, 6th ed. Boston: Butterworth-Heinemann.

    Google Scholar 

  22. Haelterman, H. 2001. Criminology, Information Technology and (Employee) Computer Crime. In A Decade of Research @ the Crossroads of Law and ICT, ed. J. Dumortier, F. Robben, and M. Taeymans, 119–126. Larcier: Brussel.

    Google Scholar 

  23. Haelterman, H. 2009. Situational Crime Prevention and Supply Chain Security: An ‘Ex Ante’ Consideration of Preventive Measures. Journal of Applied Security Research 4: 483–500.

    Article  Google Scholar 

  24. Haelterman, H. 2011. Re-thinking the Cost of Supply Chain Security. Crime, Law and Social Change 56 (4): 389–405.

    Article  Google Scholar 

  25. Haelterman, H., M. Callens, and T. Vander Beken. 2012. Controlling Access to Pick-up and Delivery Vans: the Cost of Alternative Measures. European Journal on Criminal Policy and Research 18 (2): 163–182.

    Article  Google Scholar 

  26. Haelterman, H. 2013. Situational Crime Prevention and Supply Chain Security. Theory for Best Practice. Alexandria: ASIS Foundation Research Council. CRISP Report.

    Google Scholar 

  27. Haelterman, H. 2019. Criminals: Suggestions to Improve Security Procedures. In Encyclopedia of Security and Emergency Management, ed. L. Shapiro and M.H. Maras. Cham: Springer.

    Google Scholar 

  28. Haelterman, H., and P. Van Troyen. 1999. Beveiliging van informatiesystemen: Een geïntegreerde aanpak. In Security Consultancy. Het actieterrein van de beveiligingsadviseur in België en Nederland, ed. M. Cools and H. Haelterman, 139–166. Kluwer Editorial: Diegem.

    Google Scholar 

  29. Hamilton-Smith, N. 2002. Anticipated Consequences: Developing a Strategy for the Targeted Measurement of Displacement and Diffusion Of Benefits. In Crime Prevention Studies Volume 14. Evaluation for Crime Prevention, ed. N. Tilley, 11–52. Monsey: Criminal Justice Press.

    Google Scholar 

  30. Herman, M. and Hrubey, P. 2016. Using Cross-Functional Collaboration for More Effective and Efficient Risk Assessment. https://www.crowe.com/-/media/Crowe/LLP/folio-pdf/Cross-Functional-Collaboration-For-Effective-Risk-Management-Article-RISK-17030-000A.ashx?la=en-US&hash=483A8534CE590E9DEB6FFE50D34C77FB5FE57B8B. Accessed 12 May 2019.

  31. Hunter, J., L. Garius, P. Hamilton, and A. Wahidin. 2018. Who Steals from Shops, and Why? A Case Study of Prolific Shop Theft Offenders. In Retail Crime. International Evidence and Prevention, ed. V. Ceccato and R. Armitage, 71–97. Cham: Palgrave Macmillan.

    Google Scholar 

  32. IAEA. 2008. Preventive and Protective Measures Against Insider Threats, IAEA Nuclear Security Series (8). https://www.iaea.org/publications/7969/preventive-and-protective-measures-against-insider-threats. Accessed 15 Jun 2019.

  33. ICA. n.d. What are the Five Key Functions of a Compliance Department? https://www.int-comp.org/careers/a-career-in-compliance/what-is-compliance/. Accessed 3 June 2019.

  34. ICC. 2011. ICC Rules on Combating Corruption. https://cdn.iccwbo.org/content/uploads/sites/3/2011/10/ICC-Rules-on-Combating-Corruption-2011.pdf. Accessed 3 Mar 2019.

  35. IIA. 2011. Soft and Strong: A Best-Practice Paradox, https://global.theiia.org/knowledge/public%20documents/tat_march_2011.pdf. Accessed 22 Sept 2017.

  36. IIA. 2013. The Three Lines of Defense in Effective Risk Management and Control. IIA Position Paper. https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf. Accessed 21 May 2019.

  37. IIA Netherlands. 2015. Discussion Paper Soft Controls. What are the Starting Points for the Internal Auditor? https://www.nba.nl/Documents/Publicaties-downloads/2016/IIA_Bro_A4_Soft_Controls_03.pdf. Accessed 29 Jan 2017.

  38. IIA Norge. 2015. Guidelines for the Compliance Function, https://iia.no/wp-content/uploads/2017/04/2017-Guidance-for-the-Compliance-function-FINAL.pdf. Accessed 8 May 2019.

  39. In’t Veld, C. 2014. Soft Controls (Position Paper). http://www.focusopverbeteren.nl/wp-content/uploads/pdf/Soft-controls.pdf. Accessed 4 Feb 2017.

  40. Jönsson, E. 2019. Risky Business: Corporate Risk Regulation When Managing Allegations of Crime. Crime, Law and Social Change 71: 483–501.

    Article  Google Scholar 

  41. Kaptein, M. 2008. The Living Code. Embedding Ethics into the Corporate DNA. Sheffield: Greenleaf Publishing.

    Google Scholar 

  42. Kaptein, S.M., and V.H.M. Kerklaan. 2003. Controlling the ‘Soft Controls’”. Management Control & Accounting 7 (6): 8–13.

    Google Scholar 

  43. Kaptein, M. and Vink, H-J. 2014. The Soft Side of Hard Controls: A Control Coding Theory. https://ssrn.com/abstract=2378437. Accessed 30 Mar 2019.

  44. KPMG Advisory. 2016 Acht basis soft controls. Tijd voor next level compliance. https://assets.kpmg.com/content/dam/kpmg/pdf/2016/04/20160218-acht-basis-soft-controls.pdf. Accessed 22 Sept 2017.

  45. Lückerath-Rovers, M. 2011a. Mores Leren. Soft Controls in Corporate Governance. Inaugural Speech 8 June 2011. http://www.mluckerath.nl/uploads/oratiefinaleversie.pdf. Accessed 5 Apr 2017.

  46. Lückerath-Rovers, M. 2011b. Soft Controls in Corporate Governance. In: Jaarboek Compliance 2011. Capelle a/d Ijssel: Nederlands Compliance Instituut, pp. 77–88.

  47. Mayhew, P., and M. Hough. 2012. Situational Crime Prevention. The Home Office origins. In The Reasoning Criminologist: Essays in honour of Ronald V. Clarke, ed. N. Tilley and G. Farrell, 15–29. Abingdon: Routledge.

    Google Scholar 

  48. Merchant, K.A., and W.A. Van der Stede. 2007. Management Control Systems. Performance Measurement, Evaluation and Incentives, 2nd ed. London: Pearson Education Ltd.

    Google Scholar 

  49. Mulders, H.A., and H.P. Zevenhuizen. 2009. Soft Controls in the Netherlands: More Recognised Than Anywhere Else (Interview with James Roth). Audit Magazine 4: 6–8.

    Google Scholar 

  50. NBA. 2010. Meer Aandacht Interne Accountant voor Soft Controls. https://www.accountant.nl/nieuws/2010/2/meer-aandacht-interne-accountant-voor-soft-controls/#. Accessed 12 Aug 2017.

  51. Newman, G.R., and J.D. Freilich. 2012. Extending the Reach of Situational Crime Prevention. In The Reasoning Criminologist. Essays in honour of Ronald V. Clarke, ed. N. Tilley and G. Farrell, 212–225. Abingdon: Routledge.

    Google Scholar 

  52. OECD. 2010. Good Practice Guidance on Internal Controls, Ethics, and Compliance. http://www.oecd.org/daf/anti-bribery/44884389.pdf. Accessed 3 Jun 2019.

  53. Oliver, E., and J. Wilson. 1972. Practical Security in Commerce and Industry, 2nd ed. New York: Wiley.

    Google Scholar 

  54. Power, M. 2007. Organized Uncertainty. Designing a World of Risk Management. Oxford: Oxford University Press.

    Google Scholar 

  55. Sennewald, C.A. 2003. Effective Security Management, 4th ed. Boston: Butterworth-Heinemann.

    Google Scholar 

  56. Sidebottom, A. 2010. Enriching Corruption: Some Suggestions on how Situational Crime Prevention Can Inform the Analysis and Prevention of Corruption. http://corruptionresearchnetwork.org/marketplace/resources/Sidebottom%202010%20Enriching%20Corruption%20in%20the%20Health%20Sector.pdf/. Accessed 22 Sept 2017.

  57. Simons, R. 1995. Control in an age of empowerment. Harvard Business Review, March–April 1995.

  58. Smith, M.J., and R.V. Clarke. 2012. Situational Crime Prevention: Classifying Techniques Using ‘Good Enough’ Theory. In The Oxford Handbook of Crime Prevention, ed. B.C. Welsh and D.P. Farrington, 291–315. New York: Oxford University Press.

    Google Scholar 

  59. Summerfield, R. 2019. The Evolution of Compliance. Financier Worldwide Magazine. https://www.financierworldwide.com/the-evolution-of-compliance#.XPTsYhYzbDc. Accessed 3 Jun 2019.

  60. Thompson, C.M., and B. Leclerc. 2014. The Rational Choice Perspective and the Phenomenon of Stalking. In Cognition and Crime. Offender Decision Making and Script Analyses, ed. B. Leclerc and R. Wortley, 70–100. New York: Routledge.

    Google Scholar 

  61. UAE IAA. 2017. Are Soft Controls Better Than Hard Controls? Internal Auditor Middle East. http://www.internalauditor.me/article/are-soft-controls-better-than-hard-controls/. Accessed 18 Apr 2017.

  62. UK Ministry of Justice. 2012 Bribery Act 2010: Guidance About Procedures Which Relevant Commercial Organisations Can Put into Place to Prevent Persons Associated with Them From Bribing. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/181762/bribery-act-2010-guidance.pdf. Accessed 20 Mar 2019.

  63. United States Department of Justice and United States Securities and Exchange Commission. 2012. A Resource Guide to the U.S. Foreign Corrupt Practices Act. https://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf. Accessed 27 Feb, 2019.

  64. Van der Meulen, I., and J. Otten. 2013. Behavioural Auditing: Het Onderzoeken van Gedrag in Organisaties. Audit Magazine 1: 33–35.

    Google Scholar 

  65. Verkooy, C.M., and B.J.A. van Loon. 2008. Soft Controls ALS Auditobject. Audit Magazine 4: 18–22.

    Google Scholar 

  66. Vink, H.J.A. 2009. Wetenschappelijk onderzoek naar de werking van soft controls? Audit Magazine 4: 19–21.

    Google Scholar 

  67. Wall, D.S. 2013. Enemies Within: Redefining the Insider Threat in Organizational Security Policy. Security Journal 26 (2): 107–124.

    Article  Google Scholar 

  68. Willison, R. 2006. Understanding the Perpetration of Employee Computer Crime in the Organizational Context. Information and Organization 16: 304–324.

    Article  Google Scholar 

  69. Willison, R., and M. Siponen. 2009. Overcoming the Insider: Reducing Employee Crime Through Situational Crime Prevention. Communications of the ACM 52 (9): 133–137.

    Article  Google Scholar 

  70. Wortley, R. 1997. Reconsidering the Role of Opportunity in Situational Crime Prevention. In Rational Choice and Situational Crime Prevention. Theoretical Foundations, ed. G. Newman, R.V. Clarke, and S.G. Shoham, 65–81. Aldershot: Ashgate Dartmouth.

    Google Scholar 

  71. Wortley, R. 2008. Situational precipitators of crime. In Environmental Criminology and Crime Analysis, ed. R. Wortley and L. Mazerolle, 48–69. Devon: Willan.

    Google Scholar 

Download references

Author information



Corresponding author

Correspondence to Harald Haelterman.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Haelterman, H. Hard, soft or situational controls? Bridging the gap between security, compliance and internal control. Secur J (2019). https://doi.org/10.1057/s41284-019-00208-3

Download citation


  • Employee crime and misconduct
  • Cross-functional collaboration
  • Hard controls
  • Soft controls
  • Situational measures