After the financial crisis in 2008, Corporate Governance became more important than ever before. Governments imposed regulations to enhance transparency and ethical culture in organizations. However, most of the regulations focused on enhancing hard controls rather than soft controls. Let us first understand the difference between soft controls and hard controls.

While soft controls are intangible controls like morale, integrity, ethical climate, empowerment, competencies, openness and shared values, hard controls include organizational structure, assignment of authority and responsibility and human resources policies. Soft controls lead to efficient hard controls and help in strengthening hard controls.

The following table explains the differences between hard controls and soft controls:

Hard Controls vs. Soft Controls

On the one hand, the explicit controls (hard controls) can guide employee behavior through defined policies and procedures, while on the other, soft controls can influence the behavior of employees and ensure compliance with procedures. Therefore, soft controls can be viewed as the foundation of efficient hard controls. They directly affect the behavior of organizations by fostering tone at the top and have a positive influence on the moral behavior of employees when they are doing their work. Soft controls are part of the culture within the organization, which is affected by the social and cultural background of the employees. Even when the code of conduct in the organization expects employees to comply with its ethical values, employees have their own personal culture and ethical behavior, which can be changed gradually.

For several years, internal auditors have played a significant role in evaluating the effectiveness of control systems, but internal auditors today perform traditional audits that focus exclusively on hard controls, which ensure that organizations achieve their objectives. The role of internal auditors should not be limited to hard controls but must also extend to soft controls. This role is not easy, mainly because hard controls can be measured and evaluated, but it is difficult for internal auditors to test soft controls and obtain evidence of non-compliance with soft controls.

The COSO internal control framework divided control components into hard and soft controls. Control environment factors include the integrity, ethical values and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors. However, when internal auditors have to evaluate soft controls in the control environment according to COSO evaluation tools, they can only evaluate the design of the internal control system. They have difficulty in evaluating the effectiveness of soft controls. For example, one can evaluate the ethical culture of the organization by asking this question: “Is there a code of conduct in your organization and is it comprehensive, addressing conflicts of interest, illegal or other improper payments and is it published to employees?” But it is not easy to evaluate the effectiveness of the code of conduct; in other words, how can one know whether the code of conduct is implemented or not? Another important issue is that soft controls, defined as intangible controls, cannot be audited by reviewing documentation. So the question is: “Do we need a psychological auditor in the internal audit department?”

Finally, despite the importance of soft controls in achieving the organization’s objectives, the internal auditor is still unable to assess the effectiveness of these controls. However, an awareness program for top management about the differences between soft controls and hard controls before any assessment can help the internal auditor obtain management support for his evaluation. Also, a separate annual report about the design of soft controls in the organization can support any conclusion about the effectiveness of soft controls.