Abstract
A historic focus on preventing losses from crime and a growing demand for compliance and internal control have placed the risk of employee crime and misconduct high on the corporate risk map. Its potential impact has become increasingly evident, and operational management, supported by various functional teams, is being held accountable for establishing and implementing effective risk-mitigating strategies and controls. The need for these teams to work together in a concerted manner is an obvious one, as a lack of alignment may result in inefficiencies and control deficiencies. This paper argues that cross-functional collaboration can potentially be established or improved if practitioners come to realize that the measures and controls developed and introduced to mitigate the risk of employee crime and misconduct are very much alike. Following an exploratory review of the types of controls referred to in the literature, the paper borrows from environmental criminology to demonstrate that similarity.
Notes
As Wall indicates, ‘43% of the 607 respondents to the 2011 Cyber Security Watch Survey reported that they had experienced an insider incident in the previous year’, and most of the respondents found this type of incident to be more damaging than outsider attacks (CERT, cited in Wall 2013, p. 107).
Quite often, however, the same security measure can be considered both a preventive and a protective measure (IAEA 2008, p. 10).
Examples taken from the OECD’s Guidance on Internal Control, Ethics and Compliance (2010), the ICC Rules on Combating Corruption (2011), the U.S. Department of Justice and U.S. Securities and Exchange Commission’s Resource Guide to the Foreign Corrupt Practices Act (2012) and the U.K. Ministry of Justice’s Guidance on helping commercial organizations prevent bribery (2012).
COSO—the Committee of Sponsoring Organizations of the Treadway Commission—is a joint initiative of private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. For more info, see www.coso.org.
Result controls are defined as indirect, preventive-type controls that have the potential to address each of the major categories of control problems, namely a lack of direction, motivational problems and personal limitation problems (Merchant and Van der Stede 2007, pp. 8–12, 28). Action controls, as the most direct form of management control, ‘involve taking steps to ensure that employees act in the organization’s best interest by making their actions themselves the focus of control’ (Idem: 76). They include behavioral constraints (i.e. physical or administrative constraints that make it impossible or more difficult for employees to act against the interests of the organization), preaction reviews, action accountability (i.e. holding employees accountable for their actions) and redundancy (Idem: 76–79). Personnel controls, a third type of control referred to by Merchant and Van der Stede (Idem: 83), are aimed at clarifying expectations, at ensuring that employees are able, capable and sufficiently equipped to do a good job, or at increasing the likelihood that employees will engage in self-monitoring. Cultural controls, finally, are designed to encourage mutual monitoring and to create and shape a strong organizational culture (Idem: 85).
The model initially included seven factors and was later amended to include eight (Lückerath-Rovers 2011b, p. 79).
Please note that some techniques may fit more than one strategy.
Situational precipitators are events and influences that can supply or intensify the motivation for individuals to commit crime (Wortley 2008, p. 49). As Wortley points out, the immediate environment can actively encourage criminal responses. It can prompt individuals to commit crime by invoking feelings and desires that would normally not emerge (Wortley 1997, p. 66; 2008, pp. 51–53). It can exert pressure on individuals to offend, to perform inappropriate behavior, to conform to group norms and standards of behavior, to obey the instructions of authority figures, to comply with requests, and to submerge their identity within the group (Wortley 2008, pp. 53, 54). It can further help weaken moral prohibitions and permit individuals to engage in normally forbidden behavior (Idem: 55–56), or provoke a criminal or anti-social response by creating a high level of stress in the individual (Idem: 56–58). Finally, by limiting the availability or viability of alternative courses of action, situational precipitators may further interfere with offenders’ abilities to make decisions (Wortley, cited in Thompson and Leclerc 2014, p. 75).
Primary soft controls, according to Bode and Schijff (2012, p. 24), are established on an organizational level while secondary soft controls are to be considered the actual control measures that influence culture and behavior on a process level.
In an interview for Audit Magazine (see Mulders and Zevenhuizen 2009, p. 6), James Roth refers to soft controls as ‘elements of the corporate culture’.
References
Aardema, H., and H. Puts. 2008. De harde werking van ‘soft controls’. Is een organisatie te beheersen met de CV-thermostaat? Tijdschrift voor public governance audit & control 6 (3): 2–6.
Armitage, R., C. Joyce, and L. Monchuk. 2018. Crime Prevention Through Environmental Design (CPTED) and Retail Crime: Exploring Offender Perspectives on Risk and Protective Factors in the Design and Layout of Retail Environments. In Retail Crime. International Evidence and Prevention, ed. V. Ceccato and R. Armitage, 123–154. Cham: Palgrave Macmillan.
Basten, F., E. van Bekkum, and S. Kuilman. 2015. Soft Controls: IT General Controls 2.0. Compact 1: 14–20.
Bleker-van Eyk, S.C. 2009. Hoe soft mogen soft controls zijn? Audit Magazine 4: 31.
Bode, R., and M. Schijff. 2012. De kunst van het balanceren tussen soft en hard controls. Tijdschrift Controlling, pp. 20–24.
Chtioui, T., and S. Thiéry-Dubuisson. 2011. Hard and Soft Controls: Mind the Gap! International Journal of Business 16 (3): 289–302.
CIMA. 2009. Fraud Risk Management. A Guide to Good Practice. London: Chartered Institute of Management Accountants.
Clarke, R.V. 1997. Introduction. In Situational Crime Prevention. Successful Case Studies, 2nd ed, ed. R.V. Clarke, 1–44. New York: Harrow and Heston.
Clarke, R.V. 2005. Seven Misconceptions of Situational Crime Prevention. In Handbook of Crime Prevention and Community Safety, ed. N. Tilley, 39–70. Devon: Willan.
Clarke, R.V. 2008. Situational Crime Prevention. In Environmental Criminology and Crime Analysis, ed. R. Wortley and L. Mazerolle, 178–194. Devon: Willan Publishing.
Cornish, D.B. 1994. The Procedural Analysis of Offending and Its Relevance for Situational Prevention. In Crime Prevention Studies, vol. 3, ed. R.V. Clarke, 151–196. Monsey: Criminal Justice Press.
COSO. 2016. Enterprise Risk Management. Aligning Risk with Strategy and Performance. June 2016 Edition.
Deloitte. 2015. The Changing Role of Compliance. https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/gx-financial-changing-role-compliance.pdf. Accessed 1 Jun 2019.
De Bie, J., and E. van Bekkum. 2012. Compliance Officer: Graag aandacht voor soft-controls! Tijdschrift voor Compliance 4: 234–238.
De Groot, A.H.M., and N.J. den Hartigh. 2009. Hard Controls. Course Materials ‘Management van Compliance en Integriteit’ (5). Eindhoven: Euroforum Uitgeverij.
De Kiewit, M.A. 2009. Soft Controls. Course Materials ‘Management van Compliance en Integriteit’ (6). Eindhoven: Euroforum Uitgeverij.
De Kiewit, M. 2011. Auditen van integriteit vraagt om een juiste combinatie van hard en soft controls. Audit Magazine 2: 14–17.
De Kort, J. 2014. Corporate Governance. De verhouding tussen ‘hard- en soft controls’ in de Nederlandse bestuurskamer. Master’s Thesis, Tilburg University, The Netherlands.
Ekblom, P. 1992. Preventing Post Office Robberies in London: Effects and Side Effects. In Situational Crime Prevention Successful Case Studies, ed. R.V. Clarke, 66–74. New York: Harrow and Heston.
Fennelly, L.J. (ed.). 1999. Handbook of Loss Prevention and Crime Prevention, 3rd ed. Boston: Butterworth-Heinemann.
Fischer, R.J., and G. Green. 1998. Introduction to Security, 6th ed. Boston: Butterworth-Heinemann.
Haelterman, H. 2001. Criminology, Information Technology and (Employee) Computer Crime. In A Decade of Research @ the Crossroads of Law and ICT, ed. J. Dumortier, F. Robben, and M. Taeymans, 119–126. Larcier: Brussel.
Haelterman, H. 2009. Situational Crime Prevention and Supply Chain Security: An ‘Ex Ante’ Consideration of Preventive Measures. Journal of Applied Security Research 4: 483–500.
Haelterman, H. 2011. Re-thinking the Cost of Supply Chain Security. Crime, Law and Social Change 56 (4): 389–405.
Haelterman, H., M. Callens, and T. Vander Beken. 2012. Controlling Access to Pick-up and Delivery Vans: the Cost of Alternative Measures. European Journal on Criminal Policy and Research 18 (2): 163–182.
Haelterman, H. 2013. Situational Crime Prevention and Supply Chain Security. Theory for Best Practice. Alexandria: ASIS Foundation Research Council. CRISP Report.
Haelterman, H. 2019. Criminals: Suggestions to Improve Security Procedures. In Encyclopedia of Security and Emergency Management, ed. L. Shapiro and M.H. Maras. Cham: Springer.
Haelterman, H., and P. Van Troyen. 1999. Beveiliging van informatiesystemen: Een geïntegreerde aanpak. In Security Consultancy. Het actieterrein van de beveiligingsadviseur in België en Nederland, ed. M. Cools and H. Haelterman, 139–166. Kluwer Editorial: Diegem.
Hamilton-Smith, N. 2002. Anticipated Consequences: Developing a Strategy for the Targeted Measurement of Displacement and Diffusion Of Benefits. In Crime Prevention Studies Volume 14. Evaluation for Crime Prevention, ed. N. Tilley, 11–52. Monsey: Criminal Justice Press.
Herman, M., and P. Hrubey. 2016. Using Cross-Functional Collaboration for More Effective and Efficient Risk Assessment. https://www.crowe.com/-/media/Crowe/LLP/folio-pdf/Cross-Functional-Collaboration-For-Effective-Risk-Management-Article-RISK-17030-000A.ashx?la=en-US&hash=483A8534CE590E9DEB6FFE50D34C77FB5FE57B8B. Accessed 12 May 2019.
Hunter, J., L. Garius, P. Hamilton, and A. Wahidin. 2018. Who Steals from Shops, and Why? A Case Study of Prolific Shop Theft Offenders. In Retail Crime. International Evidence and Prevention, ed. V. Ceccato and R. Armitage, 71–97. Cham: Palgrave Macmillan.
IAEA. 2008. Preventive and Protective Measures Against Insider Threats, IAEA Nuclear Security Series (8). https://www.iaea.org/publications/7969/preventive-and-protective-measures-against-insider-threats. Accessed 15 Jun 2019.
ICA. n.d. What are the Five Key Functions of a Compliance Department? https://www.int-comp.org/careers/a-career-in-compliance/what-is-compliance/. Accessed 3 June 2019.
ICC. 2011. ICC Rules on Combating Corruption. https://cdn.iccwbo.org/content/uploads/sites/3/2011/10/ICC-Rules-on-Combating-Corruption-2011.pdf. Accessed 3 Mar 2019.
IIA. 2011. Soft and Strong: A Best-Practice Paradox. https://global.theiia.org/knowledge/public%20documents/tat_march_2011.pdf. Accessed 22 Sept 2017.
IIA. 2013. The Three Lines of Defense in Effective Risk Management and Control. IIA Position Paper. https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf. Accessed 21 May 2019.
IIA Netherlands. 2015. Discussion Paper Soft Controls. What are the Starting Points for the Internal Auditor? https://www.nba.nl/Documents/Publicaties-downloads/2016/IIA_Bro_A4_Soft_Controls_03.pdf. Accessed 29 Jan 2017.
IIA Norge. 2015. Guidelines for the Compliance Function. https://iia.no/wp-content/uploads/2017/04/2017-Guidance-for-the-Compliance-function-FINAL.pdf. Accessed 8 May 2019.
In’t Veld, C. 2014. Soft Controls (Position Paper). http://www.focusopverbeteren.nl/wp-content/uploads/pdf/Soft-controls.pdf. Accessed 4 Feb 2017.
Jönsson, E. 2019. Risky Business: Corporate Risk Regulation When Managing Allegations of Crime. Crime, Law and Social Change 71: 483–501.
Kaptein, M. 2008. The Living Code. Embedding Ethics into the Corporate DNA. Sheffield: Greenleaf Publishing.
Kaptein, S.M., and V.H.M. Kerklaan. 2003. Controlling the ‘Soft Controls’. Management Control & Accounting 7 (6): 8–13.
Kaptein, M., and H-J. Vink. 2014. The Soft Side of Hard Controls: A Control Coding Theory. https://ssrn.com/abstract=2378437. Accessed 30 Mar 2019.
KPMG Advisory. 2016. Acht basis soft controls. Tijd voor next level compliance. https://assets.kpmg.com/content/dam/kpmg/pdf/2016/04/20160218-acht-basis-soft-controls.pdf. Accessed 22 Sept 2017.
Lückerath-Rovers, M. 2011a. Mores Leren. Soft Controls in Corporate Governance. Inaugural Speech 8 June 2011. http://www.mluckerath.nl/uploads/oratiefinaleversie.pdf. Accessed 5 Apr 2017.
Lückerath-Rovers, M. 2011b. Soft Controls in Corporate Governance. In Jaarboek Compliance 2011. Capelle a/d IJssel: Nederlands Compliance Instituut, pp. 77–88.
Mayhew, P., and M. Hough. 2012. Situational Crime Prevention. The Home Office origins. In The Reasoning Criminologist: Essays in honour of Ronald V. Clarke, ed. N. Tilley and G. Farrell, 15–29. Abingdon: Routledge.
Merchant, K.A., and W.A. Van der Stede. 2007. Management Control Systems. Performance Measurement, Evaluation and Incentives, 2nd ed. London: Pearson Education Ltd.
Mulders, H.A., and H.P. Zevenhuizen. 2009. Soft Controls in the Netherlands: More Recognised Than Anywhere Else (Interview with James Roth). Audit Magazine 4: 6–8.
NBA. 2010. Meer Aandacht Interne Accountant voor Soft Controls. https://www.accountant.nl/nieuws/2010/2/meer-aandacht-interne-accountant-voor-soft-controls/#. Accessed 12 Aug 2017.
Newman, G.R., and J.D. Freilich. 2012. Extending the Reach of Situational Crime Prevention. In The Reasoning Criminologist. Essays in honour of Ronald V. Clarke, ed. N. Tilley and G. Farrell, 212–225. Abingdon: Routledge.
OECD. 2010. Good Practice Guidance on Internal Controls, Ethics, and Compliance. http://www.oecd.org/daf/anti-bribery/44884389.pdf. Accessed 3 Jun 2019.
Oliver, E., and J. Wilson. 1972. Practical Security in Commerce and Industry, 2nd ed. New York: Wiley.
Power, M. 2007. Organized Uncertainty. Designing a World of Risk Management. Oxford: Oxford University Press.
Sennewald, C.A. 2003. Effective Security Management, 4th ed. Boston: Butterworth-Heinemann.
Sidebottom, A. 2010. Enriching Corruption: Some Suggestions on how Situational Crime Prevention Can Inform the Analysis and Prevention of Corruption. http://corruptionresearchnetwork.org/marketplace/resources/Sidebottom%202010%20Enriching%20Corruption%20in%20the%20Health%20Sector.pdf/. Accessed 22 Sept 2017.
Simons, R. 1995. Control in an age of empowerment. Harvard Business Review, March–April 1995.
Smith, M.J., and R.V. Clarke. 2012. Situational Crime Prevention: Classifying Techniques Using ‘Good Enough’ Theory. In The Oxford Handbook of Crime Prevention, ed. B.C. Welsh and D.P. Farrington, 291–315. New York: Oxford University Press.
Summerfield, R. 2019. The Evolution of Compliance. Financier Worldwide Magazine. https://www.financierworldwide.com/the-evolution-of-compliance#.XPTsYhYzbDc. Accessed 3 Jun 2019.
Thompson, C.M., and B. Leclerc. 2014. The Rational Choice Perspective and the Phenomenon of Stalking. In Cognition and Crime. Offender Decision Making and Script Analyses, ed. B. Leclerc and R. Wortley, 70–100. New York: Routledge.
UAE IAA. 2017. Are Soft Controls Better Than Hard Controls? Internal Auditor Middle East. http://www.internalauditor.me/article/are-soft-controls-better-than-hard-controls/. Accessed 18 Apr 2017.
UK Ministry of Justice. 2012. Bribery Act 2010: Guidance About Procedures Which Relevant Commercial Organisations Can Put into Place to Prevent Persons Associated with Them From Bribing. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/181762/bribery-act-2010-guidance.pdf. Accessed 20 Mar 2019.
United States Department of Justice and United States Securities and Exchange Commission. 2012. A Resource Guide to the U.S. Foreign Corrupt Practices Act. https://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf. Accessed 27 Feb 2019.
Van der Meulen, I., and J. Otten. 2013. Behavioural Auditing: Het Onderzoeken van Gedrag in Organisaties. Audit Magazine 1: 33–35.
Verkooy, C.M., and B.J.A. van Loon. 2008. Soft Controls als Auditobject. Audit Magazine 4: 18–22.
Vink, H.J.A. 2009. Wetenschappelijk onderzoek naar de werking van soft controls? Audit Magazine 4: 19–21.
Wall, D.S. 2013. Enemies Within: Redefining the Insider Threat in Organizational Security Policy. Security Journal 26 (2): 107–124.
Willison, R. 2006. Understanding the Perpetration of Employee Computer Crime in the Organizational Context. Information and Organization 16: 304–324.
Willison, R., and M. Siponen. 2009. Overcoming the Insider: Reducing Employee Crime Through Situational Crime Prevention. Communications of the ACM 52 (9): 133–137.
Wortley, R. 1997. Reconsidering the Role of Opportunity in Situational Crime Prevention. In Rational Choice and Situational Crime Prevention. Theoretical Foundations, ed. G. Newman, R.V. Clarke, and S.G. Shoham, 65–81. Aldershot: Ashgate Dartmouth.
Wortley, R. 2008. Situational precipitators of crime. In Environmental Criminology and Crime Analysis, ed. R. Wortley and L. Mazerolle, 48–69. Devon: Willan.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Cite this article
Haelterman, H. Hard, soft or situational controls? Bridging the gap between security, compliance and internal control. Secur J 33, 636–656 (2020). https://doi.org/10.1057/s41284-019-00208-3
DOI: https://doi.org/10.1057/s41284-019-00208-3