Critical Review on COSO Enterprise Risk Management
Framework Based on Islamic Perspective
SKRIPSI (Undergraduate Thesis)
Submitted to Fulfil One of the Requirements for Obtaining the Bachelor's Degree in the Accounting Department, Faculty of Economics, Universitas Padjadjaran
Prepared by: RASYID ISA SAYUTI
B1A040075
FACULTY OF ECONOMICS, DEPARTMENT OF ACCOUNTING
PADJADJARAN UNIVERSITY, BANDUNG
2011
Critical Review on COSO Enterprise Risk Management
Framework Based on Islamic Perspective
SKRIPSI (Undergraduate Thesis)
Submitted to Fulfil One of the Requirements for Obtaining the Bachelor's Degree at the Faculty of Economics, Universitas Padjadjaran
Prepared by:
RASYID ISA SAYUTI
B1A040075
Bandung, 10 August 2011
Approved by the Principal Supervisor,
Syaiful Rahman Soenaria, SE, MT, Ak., CSRS, CMA, NIP. 197 106 190 995 031 001
Approved by the Head of the Accounting Department,
Prof. Dr. Azhar Susanto, M.Buss, Ak, NIP. 196 106 251 989 021 002
Head of the Accounting Study Program,
Dr. Hj. Nunuy Nur Afiah, SE, MSi, Ak, NIP. 19610715 198701 2 001
DECLARATION OF ORIGINALITY OF SCIENTIFIC WORK
The undersigned, Name: Rasyid Isa Sayuti, Student Number (NPM): B1A040075, declares that:
1. My thesis is original and has never been submitted to obtain an academic degree (bachelor's, master's and/or doctorate), either at Universitas Padjadjaran or at any other university.
2. This thesis is purely my own ideas, formulation and assessment, without the assistance of other parties, except for the direction of my supervising lecturers.
3. This thesis contains no work or opinions written or published by others, except where clearly cited in writing in the bibliography.
4. I make this declaration in earnest, and should any deviation or untruth in this declaration be found at a later date, I am willing to accept academic sanctions in the form of revocation of the degree obtained through this written work, as well as other sanctions in accordance with the norms prevailing at this university.
Bandung, 10 August 2011
The declarant,
Rasyid Isa Sayuti NPM. B1A040075
ABSTRAK (Indonesian abstract, translated)
Critical Review on COSO Enterprise Risk Management Framework
Based on Islamic Perspective
This research is intended to find out what contribution can be made to developing the COSO Enterprise Risk Management Framework from the Islamic Perspective. The research object is the standard on Enterprise Risk Management issued by The Committee of Sponsoring Organizations in 2004.
The research method used is content analysis combined with the methods of Islamic jurisprudence, applied in a literature study of Islamic canonical texts, textbooks and research journals collected from both printed and electronic sources. These texts represent the Islamic perspective. The texts were sampled by the relevance sampling method, so that only the rulings relevant to the aspects contained in the COSO Enterprise Risk Management Framework were taken from them. The data taken from these texts were arranged as the Islamic Perspective on COSO Enterprise Risk Management.
The elaboration process concluded with significant critical reviews of the COSO Enterprise Risk Management Framework in three aspects: the Event-Risk-Opportunity concept, the objectives and the components. The resulting reviews show that an important contribution to the COSO Enterprise Risk Management Framework based on the Islamic Perspective can be formulated.
Keywords: COSO Enterprise Risk Management Framework, Enterprise Risk Management, Islamic Jurisprudence, Islamic Perspective, The Committee of Sponsoring Organizations
ABSTRACT
Critical Review on COSO Enterprise Risk Management Framework
Based on Islamic Perspective
This research is intended to find out the possible contribution for improving the COSO Enterprise Risk Management Framework from the Islamic Perspective. The research object is the standard issued by The Committee of Sponsoring Organizations regarding Enterprise Risk Management in 2004.
The research method used is content analysis combined with the methods of Islamic jurisprudence, applied in a thorough literature study of Islamic canonical texts, scholarly textbooks and research journals collected from both printed and electronic sources. These texts construct and represent the Islamic perspective. Sampling was performed on the texts by the relevance sampling method, which retrieves only the jurisprudence relevant to the aspects contained in the COSO Enterprise Risk Management Framework. The data retrieved from the texts were arranged as the Islamic Perspective on COSO Enterprise Risk Management.
The elaboration process concluded with significant critical reviews of the COSO Enterprise Risk Management Framework within its three aspects: the Event-Risk-Opportunity concepts, the objectives and the components. The presence of these reviews shows that significant potential contributions to the COSO Enterprise Risk Management Framework have been provided by viewing the framework from the Islamic Perspective.
Keywords: COSO Enterprise Risk Management Framework, Enterprise Risk Management, Islamic Perspective, Islamic Jurisprudence, The Committee of Sponsoring Organizations.
PREFACE
patience, and for invaluable knowledge and experience you share, and
also for the souvenir from Germany you gave to me.
3. Dr. Tettet Fitrijanti, SE. MSi. Ak. as my guardian lecturer, thank you for the advice, guidance and motivation you have provided me.
4. Mrs. Selly Herdianti, S.E.,M.Si.,Ak. as my thesis examiner, thank you
for your high appreciation to my thesis and my comprehensive
examination.
5. My beloved parents, Harun Nur Rasyid and Susmijati, thank you for all the love and care that have been given to me up until now, and for all the patience, endurance and nurture throughout my whole life; may Allah grant forgiveness, guidance and salvation to you.
6. Mr. Sony Devano, the tireless and persistent redeemer for such a
troublesome student like me, thanks a lot for your indispensable help
especially during my final semester.
7. All the lecturers in the Faculty of Economics, Padjadjaran University, thank you for all the beneficial knowledge and experiences you have shared with me.
8. All the academic staff in the Faculty of Economics, Padjadjaran University, and also the librarians in CISRAL and the FE UNPAD Library, thank you for providing sincere help to such a troublesome student as me.
9. My beloved brother, Muhammad Ashr Sayuti, and my beloved sister, Ashri Rahmatia Salma, whose reliability and support have helped me a lot; may Allah sustain our cohesiveness, and grant us forgiveness, guidance and salvation. Thank you for still being jewels for our family while your big brother is having a somewhat bothersome life. It is very nice to remember the times when you both backed me up when I did things badly.
10. My colleagues in The last men standing of Accounting 2004 crew, Sofyan Marfu, Drian Putra, Masitah Iriani Hamzah, Yosef Yusrizal, Sarie Puspayanti, and others, you all deserve my praise and gratitude for the everlasting spirit and motivation we share with each other. Thank you.
11. Very special thanks addressed to my friends and lecturers who helped
me with direct material and immaterial supports for the completion of
this work; Mr. Kurniawan Saefullah, Nugroho Muhtarif, Arsitoadi
Widagdo, Nur Izzatunnafsi, Yasser Arafat, Asep Kurniawan, Chandra
Natadipurba, Tayana Nuraida, Dipha Aulia Midian, Febi Rahmi,
Miranty Januaresty, Siti Fatimah, Kaniawati, Aldila Ayudya Putri,
Drian Putra and Zara Sita Novebrianti.
12. My directors in Cakrawala Capital; Mr. Azwan Martin and Mr. Dewi
Farida Cahyani, you have taught me a lot of useful and meaningful
things patiently and forbearingly.
13. My colleagues in the Accounting Department, I have to thank you all for our unforgettable togetherness on this campus as classmates and organizational activists. Honorably mentioned are, firstly, the gentlemen of the katak crew, then surely the other 2004ers: Indri my childhood friend, Erdin, Siti, Leni, QQ, and all the names I cannot mention here. And also all my respectable seniors and juniors, thank you for the good togetherness, especially those who supported me during my final countdown.
14. My colleagues and mentors in Studio Komputer Akuntansi, thank you
for our togetherness and for providing the studio as a beautiful place to
share, to learn, and even to live.
15. My colleagues in Unit Catur Mahasiswa UNPAD (UCMU), thank you
for facilitating my desire of chess achievements, and also for being
nice adventuring partners.
16. My friends in MyQuran Community, especially MyQers Bandung,
thank you for our everlasting cohesiveness, for every single
unforgettable lesson taught to me, perhaps our togetherness lasts
forever.
17. My colleagues and mentors in Santri Tahfidz Quran Habiburrahman,
thank you for helping me to construct my spiritual foundation to make
me a better person than before.
18. The crew of Masjid al Jihad UNPAD, thank you for giving me such a comforting shelter, although we do not really know each other closely. Surely, through your hands I can feel Allah's mercy descend.
19. My colleagues in Economic Faculty, especially those who worked
together in BEM FE UNPAD, thank you for accompanying me to get
valuable experiences there.
20. My special gratitude goes to the inspiring and helpful family, Nugroho Muhtarif & Diana Rosida, and also to my best friends: Dipha Aulia Midian, Miranty Januaresty and her husband Miftah Ariffianto, Bobby Saiful Bilal, Sirodj Aja, Dandi Rusdani, Muhammad Yunus, and all the FIKA DKM Al Ikhlas crew, Lidya & Hasyim, Marshy & Tichy, Bezie Galih Manggala, Dewi Rosmala and her husband Habibie Burhani, and also my childhood friend, Indriyana Adhi Dharma.
21. Last but not least, for other people who helped and prayed for me but I
cannot mention here, verily Allah recognizes all of your support and
verily, He is the best and swift in compensation.
May Allah grant everlasting salvation and guidance to you all, and hopefully I will always remember to pray for your goodness for the rest of my life. Insya Allah, Jazakumullahu Khayr.
Finally, I hope this research will be useful for others, despite the many weaknesses and limitations it has. Criticism and recommendations for corrections and improvements will be very welcome and appreciated.
2011M/1432H
Rasyid Isa Sayuti
TABLE OF CONTENTS
ABSTRACT
PREFACE
TABLE OF CONTENTS
LIST OF FIGURES AND TABLES
CHAPTER I: INTRODUCTION
1.1. Research Background
1.2. Problem Identification
1.3. Research Objectives
1.4. Research Scope
1.5. Research Benefit
1.6. Conceptual Framework
CHAPTER II: THEORETICAL FOUNDATION
2.1. Management Control Systems
2.2. The COSO Enterprise Risk Management Framework
2.2.1. Background
2.2.2. Definition
2.2.3. Objectives
2.2.4. Components
2.3. Islamic Perspective
2.3.1. Islamic Beliefs
2.3.2. Islamic Jurisprudence (Fiqh) and Islamic Sources (Dalil) of Knowledge
2.3.3. Economic Concepts Based on Islamic Perspective
2.3.4. Economic Entity Based on Islamic Perspective
2.3.5. Fundamentals of Ethics in Economics Based on Islamic Perspective
CHAPTER III: RESEARCH METHODOLOGY
3.1. Research Object and Analysis Unit
3.2. Research Method
3.2.1. Qualitative Research Method
3.2.2. Literature Study
3.2.3. Content Analysis
3.3. Islamic Methodology of Knowledge and Research
3.3.1. The Islamic Jurisprudence Science (Ilmu Ushulul Fiqh)
3.3.2. The Dalil (Islamic Sources)
3.3.3. Understanding Quran as Dalil
3.3.4. Understanding Sunnah (Hadith) as Dalil
3.3.5. Ijma
3.3.6. Qiyas
3.4. Data Collection Technique
3.5. Data Analysis Technique
CHAPTER IV: RESEARCH ANALYSIS
4.1. Collecting and Summarizing Islamic Literature
4.2. Islamic Perspective on COSO Enterprise Risk Management Framework
4.2.1. The Islamic Perspective of Event, Risk and Opportunities
4.2.3. The Islamic Perspective on COSO Enterprise Risk Management Framework Objectives
4.2.4. The Islamic Jurisprudence Perspective on COSO Enterprise Risk Management Framework Components
CHAPTER V: CONCLUSION AND RECOMMENDATION
5.1. Research Summary
5.1.1. Summary of the Critical Review on the Definition of Event, Risk and Opportunity in COSO Enterprise Risk Management Framework
5.1.2. Summary of the Critical Review on COSO Enterprise Risk Management Objectives
5.1.3. Summary of the Critical Review on COSO Enterprise Risk Management Components
5.2. Recommendation for Enterprise Risk Management Practitioners and Academicians
5.3. Recommendations for Other Researchers
BIBLIOGRAPHY
LIST OF FIGURES AND TABLES
Figure 1.1: Conceptual Framework
Figure 2.1: Elements of the control process
Figure 2.2: Levers of Control Framework
Figure 2.3: COSO Enterprise Risk Management Framework
Figure 3.1: A framework for Content Analysis
Figure 3.2: Components of Content Analysis
Table 4.1: Collected Texts as the Source for Constructing Islamic Perspective
Table 5.1: The Summary of the Critical Review on COSO Enterprise Risk Management Objectives
Table 5.2: The Summary of the Critical Review on COSO Enterprise Risk Management Components
CHAPTER I
INTRODUCTION
1.1. Research Background
The current business environment is characterized by fast changes in customers, technologies and competition. Thus, organizations need to continuously renew themselves to survive and prosper. In the light of the financial/economic crisis of 2008/09, (strategic) uncertainty and risk rose enormously for many companies. Therefore, companies are in continuous need to adapt their Management Control Systems (MCS) (Asel, 2009).
According to Merchant and Otley (2007),
a MCS is designed to help an organization adapt to the environment in which it is set and to deliver the key results desired by stakeholder groups.
MCS have the purpose of providing information useful in decision-making, planning and evaluation. The focus of MCS is not only on one form of control, such as performance measures, but on multiple control systems working together. Simons (2000) posits in his levers of control (LOC) framework that an MCS consists of four interrelated control systems: beliefs (e.g. mission statement), boundary (e.g. code of conduct), diagnostic (e.g. budgets) and interactive (e.g. management involvement) systems. The LOC framework asserts that strategic uncertainty and risk drive the choice and use of control systems. Berry (2009) calls for further research with regard to risk and MCS. Moreover, knowledge about the alignment between a firm's strategy and a firm's MCS is limited (Widener, 2007).
In recent years, the relationship between controls and risk management has
also become a key concern (Carroll, 2009). Power (2007) argues that there has
been an explosion of risk discourse and of related practices. Organizations have
re-envisioned their processes around the idea of risk. Internal controls and
governance have been re-invented in terms of capabilities for effective risk
management embodied in a multiplicity of standards and guidelines which
provide legitimized templates for organizations to represent and account for
themselves as well controlled and governed.
In 2004, a worldwide organization named the Committee of Sponsoring Organizations (COSO) developed the COSO Enterprise Risk Management Framework. This framework was brought to the enterprise world with the expectation of helping an entity achieve its objectives, set forth in four categories:
- Strategic: high-level goals, aligned with and supporting its mission
- Operations: effective and efficient use of its resources
- Reporting: reliability of reporting
- Compliance: compliance with applicable laws and regulations
For these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware in a timely manner of the extent to which the entity is moving toward achievement of the objectives, which should assure sustainability and maintain the entity's value creation process in both the long and the short term.
As time went by, the framework gained popularity and came to be used widely in business practice all over the world. Today, six years after the ERM Framework was born, we are facing doubts about the framework, especially after the fall of Lehman Brothers, which systematically dragged the entire world into a financial crisis.
On September 15, 2008, Lehman Brothers filed for bankruptcy. With $639
billion in assets and $619 billion in debt, Lehman's bankruptcy filing was the
largest in history, as its assets far surpassed those of previous bankrupt giants such
as WorldCom and Enron. Lehman was the fourth-largest U.S. investment bank at
the time of its collapse, with 25,000 employees worldwide. Lehman's demise also
made it the largest victim of the U.S. subprime mortgage-induced financial crisis
that swept through global financial markets in 2008. Lehman's collapse was a
seminal event that greatly intensified the 2008 crisis and contributed to the erosion
of close to $10 trillion in market capitalization from global equity markets in
October 2008, the biggest monthly decline on record at the time.
In April 2009, in a speech, Robert P. Hartwig, president of the Insurance Information Institute in New York, declared that "the financial crisis is the result of a failure of risk management in the banking and securities markets on a colossal scale." He added that "very fundamental and tough questions about the practice of risk management worldwide must be asked and answered." Among them:
"How did so many major, allegedly sophisticated financial players miss or overlook such huge, systemic exposures?
"What other shoes might yet be left to drop?
"How can we prevent this from ever happening again?"
However, others are rushing to the defense of ERM. Carol Fox, former chair of the RIMS Enterprise Risk Management Development Committee, defended ERM during a RIMS webinar titled "The 2008 Financial Crisis: A Wakeup Call for Enterprise Risk Management."
The COSO ERM Framework, as a widely used concept of risk management, is now being both criticized and defended. The defenders generally blame the way the COSO ERM Framework has been implemented and practiced, while the critics generally attack the current COSO ERM Framework concept itself. Actually, both sides show the same intention: to improve the current enterprise risk management concept and/or practices in order to prevent such a crisis from ever happening again. So, although they choose different ways, the final objective should be the same, and their synergy should make the process of achieving that objective more meaningful and dynamic.
However, most of the thought developed in enterprise risk management practice (and in most of the development of economic and financial thought) has been developed from a Western perspective, with its liberal, capitalist and profit-oriented approach. Thus, other perspectives should be involved to broaden the viewpoint, in order to enrich the process of enterprise risk management development and make it even more dynamic. For the sake of this enrichment, it is quite reasonable to bring in the Islamic perspective as a new viewpoint in formulating concepts for enterprise risk management.
The Islamic perspective is a perspective built on the foundation of the religion of Islam, represented in Al Quran and As Sunnah (Hadith), with comprehensive guidance regarding all aspects of life, and therefore governing both the relationship between human beings and The Creator (God, or Rabb) and the relationship between human beings and other creatures. The guidance brought by Islam also came as a solution to human problems in those aspects, and it is assured (or proclaimed) to be eternally relevant and reliable until the Day of Resurrection. Naturally, Islam intends to bring goodness to the whole universe, as stated in Surah 21: Al Anbiya verse 107:
And We have sent you not but as a mercy for the `Alamin (the whole universe)
Surah 51: Adz Dzariyat verse 56 also states that humans (and jinn) were created for nothing but worshipping Allah:
And I created not the Jinn and mankind except that they should worship Me
The meaning of worship in this verse is not limited to spiritual deeds only, but also covers daily life, as people interact with each other and with their environment.
By referring to these two verses, we can conclude that the value of the religion of Islam is to perform the best effort in worshipping God for the sake of goodness to the universe. Therefore, the essential objective of Islam is compliance with God. And God is the All-Knower of everything, including what is good for human beings, as stated in Surah 2: Al Baqarah (The Cow) verse 216:
and it may be that you dislike a thing which is good for you and that you like a thing which is bad for you. Allah knows but you do not know
Thus, according to this verse, the divine verses from God, as revealed to the Holy Prophet Muhammad (p.b.u.h.), should stand above all the disciplines of knowledge resulting from man's cognitive explorations. Moreover, all kinds of knowledge and science should be developed for the purpose of worshipping Allah alone, which leads to goodness for human civilization.
The process of integrating all disciplines of knowledge with religiously based knowledge referring to Al Quran and As Sunnah (Hadith) is usually called the Islamization of knowledge. The final objective of the Islamization of knowledge is to understand how the needs of man can be fulfilled by Islam.
The objective of the Islamization of knowledge, or the adoption of Islamic values, is aimed not only at the good of Muslims, but also at the good of humanity and the environment, as stated in the verse mentioned above, Al Anbiya verse 107. Integrating Islamic values into the various disciplines of knowledge is expected to add value to that knowledge. More value means more benefit for humanity and the environment, and that benefit should be distributed justly and fairly.
This kind of justice can be found in the reign of Prophet Muhammad (p.b.u.h.) over Medina and the Arabian Peninsula, and subsequently in the leadership of the four rightly guided caliphs. As quoted by Tamir Abu Suood (2001) on the reign of the second rightly guided caliph, Umar Ibnu al Khaththab:
Umar capably and powerfully struck the balance of justice since day one of his caliphate. Drawing mainly on the tolerance and justice of Islam, yet leaning also on his own laudable character, the praiseworthy traits he inherited from his ancestors as well as his own past experience, Umar was a memorable example of unblemished justice. In the eyes of Umar, all people were equal, be they rich or poor, powerful or weak, related or distant. His justice even extended to include non-Muslims, whom he treated with exceptional nobleness.
And also during the reign of the fifth rightly guided caliph, Umar bin Abdul Aziz:
Umar ibn Usayd is reported to have said that during Umar's reign, people would bring them loads of money and put it at their disposal (as Infaq or Zakat), but we would tell them to take their money as 'Umar had made all rich
The need for Islamic values to contribute to the development of science in general is also stated by Masood (2009):
Did science need Islam, as a faith, in order to progress? And if it did, should we be encouraging more of the peoples of the Islamic world to become better and more observant Muslims, as a way of improving science in OIC countries? This is an argument that is sometimes put forward, particularly by those who believe that the world as a whole is in the grip of moral decay, and that a return to faith will help to make things better. This is also the view of those political leaders who want to see religion and politics in the Islamic world more closely aligned. They argue that, as the golden age of science and learning took place at a time when states were organized and governed under Islamic laws, a return to such ruling systems is what is needed to move science ahead into the future.
Thus, the Islamic Perspective should be able to make some significant contributions to the improvement of enterprise risk management concepts and practices. The contribution is expected to add value to enterprise risk management, and can be started by critically reviewing the Enterprise Risk Management Framework from the Islamic perspective. Therefore the researcher proposed a research project with the topic:
Critical Review on COSO Enterprise Risk Management
Framework 2004 Based on Islamic Perspective
1.2. Problem Identification
Based on the research background above, the researcher identifies the problems as follows:
1. What improvements can be made to the COSO Enterprise Risk Management Framework?
2. How can the Islamic perspective critically contribute to the improvement of the COSO Enterprise Risk Management Framework?
1.3. Research Objectives
The objective of this research is to explore the possible critical
contributions for improving the COSO Enterprise Risk Management framework
based on the Islamic perspective.
1.4. Research Scope
The researcher defines several limitations on the scope of the research. These limitations are formulated to establish a clear focus and to systematize the research structure. The limitations are:
1. The research object is focused on the Objectives and Components of the COSO Enterprise Risk Management Framework 2004.
2. The research focuses on critically contributing new ideas to improve the Objectives and Components of the COSO Enterprise Risk Management Framework 2004 from the Islamic perspective.
1.5. Research Benefit
1. For other college students and researchers, the research is expected to contribute new ideas about research topics, methods and paradigms for the improvement of the COSO Enterprise Risk Management Framework.
2. For the Muslim world, this research is expected to encourage the integration of the Islamic Perspective into scientific and social reality, and thus into every aspect of life.
3. For practitioners, this research is expected to inspire a new way of viewing problems and finding solutions.
1.6. Conceptual Framework
The continuously strengthening relationship between control and risk management highlights the importance of risk management itself within Management Control Systems, and especially in the development of control processes.
For the purpose of risk management, The Committee of Sponsoring Organizations (COSO) has established a framework called the COSO Enterprise Risk Management Framework, which was published in 2004. This framework consists of four objectives and eight components and establishes a perspective on risks and uncertainties. However, it is commonly recognized that the framework is still in need of improvement.
The Islamic Perspective consists of the valid Islamic sources (Dalil) and the science of Islamic jurisprudence (Ilmu Ushulul Fiqh). Wahhab Khallaf (2000) describes the valid Islamic sources agreed upon by most Islamic scholars as Al Quran, Hadith or Sunnah, Ijma and Qiyas. The Islamic religion built on these sources covers not only the ritual aspect but every aspect of life, e.g. economics, ethics, politics, law, history and so on (Qardhawi, 1997).
Given the completeness of the Islamic religion, the researcher intends to explore the Islamic Perspective on the COSO Enterprise Risk Management Framework for the purpose of attempting some critical contributions to enterprise risk management.
Figure 1.1: Conceptual Framework
CHAPTER II
THEORETICAL FOUNDATION
2.1. Management Control Systems
A control system is a set of formal and informal systems to assist management in steering the organization towards its goals. Controls help in guiding employees effectively towards the accomplishment of the organization's goals. Establishing a control system in an environment of distributed accountability, reengineered processes, and local autonomy and empowerment is a challenging task (Anthony, 2006).
The control process in any organization can be undertaken at three levels.
These are: the strategic level, the management level, and the operational level.
Each type of control occurs primarily at one of the three distinct levels of the
organizational hierarchy. Strategic control deals primarily with the broad
questions of domain definition, direction setting, expression of the organization's
purpose, and other issues that impact the organization's long-term survival.
Strategic control overlaps to some extent with the process of strategy formulation.
Strategic control also deals with issues relating to general company objectives and
the implementation and monitoring of progress. Management control deals with
effective resource utilization, the state of competitiveness of the unit, and the
translation of corporate goals into business unit objectives. Operational control is
primarily concerned with efficiency issues. Occurring at very specific functional
or sub-departmental levels of the organizational hierarchy, this mode of control
generally conforms to traditional control models. The time horizon of control is
very short, the benchmarks are known and well defined, and the outcomes are
tangible and easily measurable (ICFAI, 2006).
Increased control in an organization will result in reduced creativity and
entrepreneurship. Hence it is important for organizations to establish the tradeoff
between the amount of control and the level of freedom for employees, and to
choose the right mix of controls (ICFAI, 2006).
Any control system has four important elements. They are a detector or
sensor, an assessor, an effector and a communications network, as can be seen in
Figure 2.1. The detector analyzes the situation that is being controlled. An
assessor helps in comparing the actual results with the standard or expected
results. An effector is used to reduce the gap between the actual and the standard
result. The communication network transmits information between the detector,
the assessor and the effector (ICFAI, 2006).
Figure 2.1: Elements of the control process Source: ICFAI
Simons (1995) described that the Levers of Control in Management Control
Systems consist of four interrelated control systems: beliefs (e.g. mission
statement), boundary (e.g. code of conduct), diagnostic (e.g. budgets) and
interactive (e.g. management involvement) systems. Moreover, he argues that
strategic uncertainty and strategic risk play a central role in his (LOC) framework.
Figure 2.2: Levers of Control Framework Source: Simons (1995)
The role of the management is to organize, plan, integrate and interrelate
organizational activities to achieve organizational objectives. The achievement of
these activities is facilitated by management control systems. A management
control system is designed to assist managers in planning and controlling the
activities of the organization. A management control system is the means by
which senior managers ensure that subordinate managers, efficiently and
effectively, strive to attain the company's objectives. According to Anthony,
Dearden and Govindarajan (1992), management control is the process by
which managers ensure that resources are used effectively and efficiently in the
accomplishment of the organization's objectives.
2.2. The COSO Enterprise Risk Management Framework
2.2.1. Background
2.2.1.1. The Committee of Sponsoring Organization (COSO)
COSO was formed in 1985 to sponsor the National Commission on
Fraudulent Financial Reporting, an independent private-sector initiative which
studied the causal factors that can lead to fraudulent financial reporting. It also
developed recommendations for public companies and their independent auditors,
for the SEC and other regulators, and for educational institutions.
The National Commission was sponsored jointly by five major
professional associations headquartered in the United States: the American
Accounting Association (AAA), the American Institute of Certified Public
Accountants (AICPA), Financial Executives International (FEI), The Institute of
Internal Auditors (IIA), and the National Association of Accountants (now the
Institute of Management Accountants [IMA]). Wholly independent of each of the
sponsoring organizations, the Commission contained representatives from
industry, public accounting, investment firms, and the New York Stock Exchange.
COSO's mission is to provide thought leadership through the development
of comprehensive frameworks and guidance on enterprise risk management,
internal control and fraud deterrence designed to improve organizational
performance and governance and to reduce the extent of fraud in organizations.
2.2.1.2. Enterprise Risk Management
The background history of the Enterprise Risk Management Framework can
be seen in the Foreword of the Report. Over a decade ago, the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) issued Internal
Control - Integrated Framework to help businesses and other entities assess and
enhance their internal control systems. That framework has since been
incorporated into policy, rule, and regulation, and used by thousands of
enterprises to better control their activities in moving toward achievement of their
established objectives.
Recent years have seen heightened concern and focus on risk management,
and it became increasingly clear that a need exists for a robust framework to
effectively identify, assess, and manage risk. In 2001, COSO initiated a project,
and engaged PricewaterhouseCoopers, to develop a framework that would be
readily usable by managements to evaluate and improve their organizations'
enterprise risk management.
The period of the framework's development was marked by a series of
high-profile business scandals and failures where investors, company personnel,
and other stakeholders suffered tremendous loss. In the aftermath were calls for
enhanced corporate governance and risk management, with new law, regulation,
and listing standards. The need for an enterprise risk management framework,
providing key principles and concepts, a common language, and clear direction
and guidance, became even more compelling. COSO believes this Enterprise Risk
Management - Integrated Framework fills this need, and expects it will become
widely accepted by companies and other organizations and indeed all stakeholders
and interested parties.
Among the outgrowths in the United States is the Sarbanes-Oxley Act of
2002, and similar legislation has been enacted or is being considered in other
countries. This law extends the long-standing requirement for public companies to
maintain systems of internal control, requiring management to certify and the
independent auditor to attest to the effectiveness of those systems. Internal
Control - Integrated Framework, which continues to stand the test of time, serves
as the broadly accepted standard for satisfying those reporting requirements.
This Enterprise Risk Management - Integrated Framework expands on
internal control, providing a more robust and extensive focus on the broader
subject of enterprise risk management. While it is not intended to and does not
replace the internal control framework, but rather incorporates the internal control
framework within it, companies may decide to look to this enterprise risk
management framework both to satisfy their internal control needs and to move
toward a fuller risk management process.
Among the most critical challenges for managements is determining how
much risk the entity is prepared to and does accept as it strives to create value.
This report will better enable them to meet this challenge.
2.2.2. Definition
Enterprise Risk Management (ERM) is defined as:
a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The definition reflects the following fundamental concepts:
- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
- Designed to identify potential events affecting the entity and manage risk within its risk appetite
- Able to provide reasonable assurance to an entity's management and board
- Geared to the achievement of objectives in one or more separate but overlapping categories; it is a means to an end, not an end in itself
The Enterprise Risk Management framework is established on the basis of two
principles:
- Every entity exists to realize value for its shareholders
- Every entity has to deal with uncertainty
Events: Risks and Opportunities
An event is an incident or occurrence from internal or external sources that
affects achievement of objectives. Events can have negative impact, positive
impact, or both. Events with negative impact represent risks. Accordingly, risk is
defined as follows:
Risk is the possibility that an event will occur and adversely affect achievement of objectives.
Events with adverse impact prevent value creation or erode existing value.
Examples include plant machinery breakdowns, fire, and credit losses. Events
with an adverse impact can derive from seemingly positive conditions, such as
where customer demand for product exceeds production capacity, causing failure
to meet buyer demand, eroded customer loyalty, and decline in future orders.
Events with positive impact may offset negative impacts or represent
opportunities. Opportunity is defined as follows:
Opportunity is the possibility that an event will occur and positively affect the achievement of objectives.
Opportunities support value creation or preservation. Management
channels opportunities back to its strategy or objective-setting processes, so that
actions can be formulated to seize the opportunities.
2.2.3. Objectives
Objectives are set at the strategic level, establishing a basis for operations,
reporting, and compliance objectives. Objectives are aligned with the entity's risk
appetite, which drives risk tolerance levels for the entity.
COSO (2004) establishes four categories of entity objectives along with their brief
definitions:
Strategic
Having to do with high-level goals that are aligned with and support the
entity's mission (or vision).
Operations
Having to do with the effectiveness and efficiency of an entity's activities,
including performance and profitability goals, and safeguarding resources against
loss.
Reporting
Having to do with the reliability of the entity's reporting, including both
internal and external reporting of financial and non-financial information.
Compliance
Having to do with conforming with laws and regulations applicable to an
entity.
2.2.4. Components
2.2.4.1. Internal Environment
The internal environment encompasses the tone of an organization, and sets the
basis for how risk is viewed and addressed by an entity's people, including risk
management philosophy and risk appetite, integrity and ethical values, and the
environment in which they operate.
The Risk Management Philosophy
An entity's risk management philosophy is the set of shared beliefs and
attitudes characterizing how the entity considers risk in everything it does, from
strategy development and implementation to its day-to-day activities. Its risk
management philosophy reflects the entity's values, influencing its culture and
operating style, and affects how enterprise risk management components are
applied, including how risks are identified, the kinds of risks accepted, and how
they are managed.
Risk Appetite
Risk appetite is the amount of risk, on a broad level, an entity is willing to
accept in pursuit of value. It reflects the enterprise's risk management philosophy,
and in turn influences the entity's culture and operating style.
Risk appetite is considered in strategy setting, where the desired return
from a strategy should be aligned with the entity's risk appetite. Different
strategies will expose the entity to different levels of risk, and enterprise risk
management, applied in strategy setting, helps management select a strategy
consistent with the entity's risk appetite.
Entities consider risk appetite qualitatively, with such categories as high,
moderate, or low, or take a quantitative approach, reflecting and balancing goals
for growth and return with risk.
Board of Directors
An active and involved board of directors, board of trustees, or comparable
body should possess an appropriate degree of management, technical, and other
expertise, coupled with the mind-set necessary to perform its oversight
responsibilities. This is critical to an effective enterprise risk management
environment. And, because the board must be prepared to question and scrutinize
management's activities, present alternative views, and act in the face of
wrongdoing, the board must include outside directors.
Integrity and Ethical Values
Management integrity is a prerequisite for ethical behavior in all aspects of
an entity's activities. The effectiveness of enterprise risk management cannot rise
above the integrity and ethical values of the people who create, administer, and
monitor entity activities. Integrity and ethical values are essential elements of an
entity's internal environment, affecting the design, administration, and monitoring
of other enterprise risk management components.
Commitment to Competence
Competence reflects the knowledge and skills needed to perform assigned
tasks. Management decides how well these tasks need to be accomplished,
weighing the entity's strategy and objectives against plans for their
implementation and achievement.
Management specifies the competency levels for particular jobs and
translates those levels into requisite knowledge and skills. The necessary
knowledge and skills in turn may depend on individuals' intelligence, training,
and experience. Factors considered in developing knowledge and skill levels
include the nature and degree of judgment to be applied to a specific job. Often a
trade-off can be made between the extent of supervision and the requisite
competence level of the individual.
Organizational Structure
An entity's organizational structure provides the framework to plan,
execute, control, and monitor its activities. A relevant organizational structure
includes defining key areas of authority and responsibility and establishing
appropriate lines of reporting. For example, an internal audit function should be
structured in a manner that achieves organizational objectivity and permits
unrestricted access to top management and the audit committee of the board, and
the chief audit executive should report to a level within the organization that
allows the internal audit activity to fulfill its responsibilities.
Assignment of Authority and Responsibility
Assignment of authority and responsibility involves the degree to which
individuals and teams are authorized and encouraged to use initiative to address
issues and solve problems, as well as limits to their authority. It includes
establishing reporting relationships and authorization protocols, as well as policies
that describe appropriate business practices, knowledge and experience of key
personnel, and resources provided for carrying out duties.
Human Resource Standards
Human resource practices pertaining to hiring, orientation, training,
evaluating, counseling, promoting, compensating, and taking remedial actions
send messages to employees regarding expected levels of integrity, ethical
behavior, and competence. For example, standards for hiring the most qualified
individuals, with emphasis on educational background, prior work experience,
past accomplishments, and evidence of integrity and ethical behavior, demonstrate
an entity's commitment to competent and trustworthy people. The same is true
when recruiting practices include formal, in-depth employment interviews and
training in the entity's history, culture, and operating style.
2.2.4.2. Objective Setting
Objective setting is a precondition to event identification, risk assessment,
and risk response. There must first be objectives before management can identify
and assess risks to their achievement and take necessary actions to manage the
risks. The general level of objectives has been explained in the previous
discussion about the ERM Objectives.
Strategic Objectives
An entity's mission sets out in broad terms what the entity aspires to
achieve. Whatever term is used, such as mission, vision, or purpose, it is
important that management, with board oversight, explicitly establish the
entity's broad-based reason for being. From this, management sets strategic
objectives, formulates strategy, and establishes related operations, compliance,
and reporting objectives for the organization. While an entity's mission and
strategic objectives are generally stable, its strategy and many related objectives
are more dynamic and adjusted for changing internal and external conditions. As
they change, strategy and related objectives are realigned with strategic
objectives.
Strategic objectives are high-level goals, aligned with and supporting the
entity's mission/vision. Strategic objectives reflect management's choice as to
how the entity will seek to create value for its stakeholders.
In considering alternative ways to achieve its strategic objectives,
management identifies risks associated with a range of strategy choices and
considers their implications. Various event identification and risk assessment
techniques can be used in the strategy-setting process. In this way, enterprise risk
management techniques are used in setting strategy and objectives.
Related Objectives
Establishing the right objectives that support and are aligned with the
selected strategy, relative to all entity activities, is critical to success. By focusing
first on strategic objectives and strategy, an entity is positioned to develop related
objectives at an entity level, achievement of which will create and preserve value.
Entity-level objectives are linked to and integrated with more specific objectives
that cascade through the organization to subobjectives established for various
activities, such as sales, production, and engineering, and infrastructure functions.
By setting objectives at the entity and activity levels, an entity can identify
critical success factors. These are key things that must go right if goals are to be
attained. Critical success factors exist for an entity, a business unit, a function, a
department, or an individual. By setting objectives, management can identify
measurement criteria for performance, with a focus on critical success factors.
Where objectives are consistent with prior practice and performance, the
linkage among activities is known. However, where objectives depart from an
entity's past practices, management must address the linkages or run increased
risks. In such cases, there is an even greater need for business unit objectives or
sub-objectives that are consistent with the new direction.
Objectives need to be readily understood and measurable. Enterprise risk
management requires that personnel at all levels have a requisite understanding of
the entity's objectives as they relate to the individual's sphere of influence. All
employees must have a mutual understanding of what is to be accomplished and a
means of measuring what is being accomplished.
Categories of Related Objectives
Despite the diversity of objectives across entities, certain broad categories
are established:
- Operations Objectives: These pertain to the effectiveness and efficiency of the entity's operations, including performance and profitability goals and safeguarding resources against loss. They vary based on management's choices about structure and performance.
- Reporting Objectives: These pertain to the reliability of reporting. They include internal and external reporting and may involve financial and non-financial information.
- Compliance Objectives: These pertain to adherence to relevant laws and regulations. They are dependent on external factors and tend to be similar across all entities in some cases and across an industry in others.
2.2.4.3. Event Identification
An event is an incident or occurrence emanating from internal or external
sources that affects implementation of strategy or achievement of objectives.
Events may have positive or negative impact, or both. Events range from the
obvious to the obscure, and the effects from the inconsequential to the highly
significant.
The event identification process starts with considering a range of potential
events stemming from both internal and external sources, without necessarily
considering whether the impact is positive or negative. External factor events include
economic, natural environment, political, social, and technological. Internal factor
events include infrastructure, personnel, process, and technology.
Events often do not occur in isolation. One event can trigger another, and
events can occur concurrently. In event identification, management should
understand how events relate to one another. By assessing the relationships, one
can determine where risk management efforts are best directed.
Events, if they occur, have a negative impact, a positive impact, or both.
Events with a negative impact represent risks, which require management's
assessment and response. Accordingly, risk is the possibility that an event will
occur and adversely affect the achievement of objectives.
Events with a positive impact represent opportunities, or offset the
negative impact of risks. Opportunity is the possibility that an event will occur
and positively affect the achievement of objectives and creation of value. Events
representing opportunities are channeled back to management's strategy or
objective-setting processes, so that actions can be formulated to seize the
opportunities. Events offsetting the negative impact of risks are considered in
management's risk assessment and response.
Event Identification Techniques
An entity's event identification methodology may comprise a combination
of techniques, together with supporting tools. Event identification techniques look
to both the past and the future. Techniques vary widely in level of sophistication.
While many of the more sophisticated techniques are industry-specific, most are
derived from a common approach. Techniques also vary in where they are used
within an entity. Some focus on detailed data analysis and create a bottom-up
view of events, while others focus top down.
It is usually useful to group potential events into categories. By
aggregating events horizontally across an entity and vertically within operating
units, management expects to develop an understanding of relationships between
events, gaining enhanced information as a basis for risk assessment, and
determine opportunities and risks better. Event categorization also allows
management to consider the completeness of its event identification efforts.
2.2.4.4. Risk Assessment
Risk assessment is a process where the management considers the mix of
potential future events relevant to the entity and its activities in the context of
matters that shape the entity's risk profile, such as entity size, complexity of
operations, and degree of regulation over its activities. Risk Assessment is applied
first to inherent risks. Once risk responses have been developed, management then
considers residual risk.
In assessing risk, management considers expected and unexpected events.
Many events are routine and recurring, and are already addressed in management
programs and operating budgets, while others are unexpected. Management
assesses the risk of unexpected potential events and, if it has not already done so,
expected events that can have a significant impact on the entity.
In the context of enterprise risk management, the risk assessment
component is a continuous and iterative interplay of actions that take place
throughout the entity.
Assessment Techniques
An entity's risk assessment methodology comprises a combination of
qualitative and quantitative techniques. Management often uses qualitative
assessment techniques where risks do not lend themselves to quantification or
when either sufficient credible data required for quantitative assessments is not
practically available or obtaining or analyzing data is not cost-effective.
Quantitative techniques typically bring more precision and are used in more
complex and sophisticated activities to supplement qualitative techniques.
2.2.4.5. Risk Response
Risk responses fall within the following categories:
- Avoidance: Exiting the activities giving rise to risk.
- Reduction: Action is taken to reduce risk likelihood or impact, or both. This typically involves any of a myriad of everyday business decisions.
- Sharing: Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk.
- Acceptance: No action is taken to affect risk likelihood or impact.
In determining risk response, management should consider such things as:
- Effects of potential responses on risk likelihood and impact, and which response options align with the entity's risk tolerances
- Costs versus benefits of potential responses
- Possible opportunities to achieve entity objectives going beyond dealing with the specific risk
Assessing costs versus benefits is important in risk response because
resources always have constraints, and entities must consider the relative costs
and benefits of alternative risk response options. Cost and benefit measurements
for implementing risk responses are made with varying levels of precision.
Generally, it is easier to deal with the cost side of the equation, which, in many
cases, can be quantified fairly precisely. All direct costs associated with instituting
a response, and indirect costs where practically measurable, usually are
considered. Some entities also include opportunity costs associated with use of
resources. It should be noted, however, that quantifying the costs of a risk
response can sometimes be very difficult.
2.2.4.6. Control Activities
Control activities are policies and procedures, which are the actions of
people to implement the policies, directly or through application of technology, to
help ensure that management's risk responses are carried out. Control activities
can be categorized based on the nature of the entity's objectives to which they
relate: strategic, operations, reporting, and compliance.
Although some control activities relate solely to one category, there often
is overlap. Depending on circumstances, a particular control activity could help
satisfy entity objectives in more than one of the categories.
While control activities generally are established to ensure risk responses
are appropriately carried out, with respect to certain objectives, control activities
themselves are the risk response. For instance, for an objective to ensure specified
transactions are properly authorized, the response will likely be control activities
such as segregation of duties and approvals by supervisory personnel.
Control activities usually involve two elements: a policy establishing what
should be done and procedures to affect the policy. Many times, policies are
communicated orally. Unwritten policies can be effective where the policy is a
long-standing and well-understood practice, and in smaller organizations where
communications channels involve few management layers and close interaction
with and supervision of personnel.
2.2.4.7. Information and Communication
Information
Information is needed at all levels of an organization to identify, assess,
and respond to risks, and to otherwise run the entity and achieve its objectives. An
array of information is used, relevant to one or more objectives categories.
Operating information from internal and external sources, both financial
and non-financial, is relevant to multiple business objectives. Financial
information, for instance, is used in developing financial statements for reporting
purposes, and also for operating decisions, such as monitoring performance and
allocating resources. Reliable financial information is fundamental to planning,
budgeting, pricing, evaluating vendor performance, assessing joint ventures and
alliances, and a range of other management activities.
Similarly, operating information is essential for developing financial and
other reports. This includes the routine purchases, sales, and other transactions
as well as information on competitors' product releases or economic conditions,
which can affect inventory and receivables valuations. Information needed
for compliance purposes, such as information on airborne particle emissions or
personnel data, also may serve financial reporting objectives.
With increasing dependence on sophisticated information systems and
data-driven automated decision systems and processes, data reliability is critical.
Inaccurate data can result in unidentified risks or poor assessments and bad
management decisions. The quality of information includes ascertaining whether:
Content is appropriate: Is it at the right level of detail?
Information is timely: Is it there when required?
Information is current: Is it the latest available?
Information is accurate: Is the data correct?
Information is accessible: Is it easy to obtain by those who need it?
Communication
Communication is inherent in information systems. As discussed above,
information systems must provide information to appropriate personnel so that
they can carry out their operating, reporting, and compliance responsibilities. But
communication also must take place in a broader sense, dealing with expectations,
responsibilities of individuals and groups, and other important matters.
Management provides specific and directed communication that addresses
behavioral expectations and the responsibilities of personnel. This includes a clear
statement of the entity's risk management philosophy and approach and a clear
delegation of authority. Communication about processes and procedures should
align with, and underpin, the desired culture. Communication should effectively
convey:
The importance and relevance of effective enterprise risk management
The entity's objectives
The entity's risk appetite and risk tolerances
A common risk language
The roles and responsibilities of personnel in effecting and supporting the
components of enterprise risk management
All personnel, particularly those with important operating or financial
management responsibilities, need to receive a clear message from top
management that enterprise risk management must be taken seriously. Both the
clarity of the message and effectiveness with which it is communicated are
important.
There needs to be appropriate communication not only within the entity,
but with the outside as well. With open external communications channels,
customers and suppliers can provide highly significant input on the design or
quality of products or services, enabling a company to address evolving customer
demands or preferences. For example, customer or supplier complaints or
inquiries about shipments, receipts, billings, or other activities often point to
operating problems, and possibly to fraudulent or other improper practices.
Management should be ready to recognize implications of such circumstances and
investigate and take necessary corrective actions, focusing on the impact on
financial reporting and compliance as well as operations objectives.
Open communication about the entity's risk appetite and risk tolerances is
important, particularly for entities linked with others in supply chains or
e-business enterprises. In such instances, management considers how its risk
appetite and risk tolerances align with those of its business partners, ensuring it
does not inadvertently accept too much risk through its partners.
2.2.4.8. Monitoring
Monitoring, in ERM terms, is assessing the presence and functioning of its
components over time. This is accomplished through ongoing monitoring
activities, separate evaluations, or a combination of the two. Ongoing monitoring
occurs in the normal course of management activities. The scope and frequency of
separate evaluations will depend primarily on an assessment of risks and the
effectiveness of ongoing monitoring procedures. Enterprise risk management
deficiencies are reported upstream, with serious matters reported to top
management and the board.
The ongoing monitoring activities serve to monitor the effectiveness of
enterprise risk management in the ordinary course of running the business. These
stem from regular management activities, which might involve variance analysis,
comparisons of information from disparate sources, and dealing with unexpected
occurrences.
Ongoing monitoring activities generally are performed by line operating or
functional support managers, giving thoughtful consideration to implications of
information they receive. By focusing on relationships, inconsistencies, or other
relevant implications, they raise issues and follow up with other personnel as
necessary to determine whether corrective or other action is called for. Ongoing
monitoring activities are differentiated from activities performed as required by
policy in business processes.
Separate Evaluation
While ongoing monitoring procedures usually provide important feedback
on the effectiveness of other enterprise risk management components, it may be
useful to take a fresh look from time to time, focusing directly on enterprise risk
management effectiveness. This also provides an opportunity to consider the
continued effectiveness of the ongoing monitoring procedures.
Evaluations of enterprise risk management vary in scope and frequency,
depending on the significance of risks and importance of the risk responses and
related controls in managing the risks. Higher-priority risk areas and responses
tend to be evaluated more often.
Often, evaluations take the form of self-assessments, where persons
responsible for a particular unit or function determine the effectiveness of
enterprise risk management for their activities.
Internal auditors normally perform evaluations as part of their regular
duties, or at the specific request of senior management, the board, or subsidiary or
divisional executives. Similarly, management may utilize input from external
auditors in considering the effectiveness of enterprise risk management. A
combination of efforts may be used in conducting whatever evaluative procedures
management deems necessary.
Evaluating enterprise risk management is a process in itself. While
approaches or techniques vary, a discipline should be brought to the process, with
certain basics inherent in it. The evaluator must understand each of the entity's
activities and each of the components of enterprise risk management being
addressed. It may be useful to focus first on how enterprise risk management
purportedly functions, sometimes referred to as the system or process design.
The evaluator must determine how the system actually works. Procedures
designed to operate in a particular way may be modified over time to operate
differently or may no longer be performed. Sometimes new procedures are
established but are not known to those who described the process and are not
included in available documentation. A determination as to actual functioning can
be accomplished by holding discussions with personnel who perform or are
affected by enterprise risk management, by examining records on performance, or
a combination of procedures.
The evaluator analyzes the enterprise risk management process design and
the results of tests performed. The analysis is conducted against the backdrop of
management's established standards for each component, with the ultimate goal of
determining whether the process provides reasonable assurance with respect to the
stated objectives.
Methodology
A variety of evaluation methodologies and tools are available, including
checklists, questionnaires, and flowcharting techniques. As part of their evaluation
methodology, some companies compare or benchmark their enterprise risk
management process against those of other entities.
Documentation
The extent of documentation of an entity's enterprise risk management
varies with the entity's size, complexity, and similar factors.
What should be reported? Although a universal answer is not possible,
certain parameters can be drawn. All identified enterprise risk management
deficiencies that affect an entity's ability to develop and implement its strategy
and to set and achieve its objectives should be reported to those positioned to take
necessary action. The nature of matters to be communicated will vary depending
on individuals' authority to deal with circumstances that arise and on the oversight
activities of superiors. In considering what needs to be communicated, it is
necessary to look at the implications of findings. It is essential not only that a
particular transaction or event be reported, but also that related potentially faulty
procedures be reevaluated.
2.3. Islamic Perspective
In Islam, Allah alone is the source of all true knowledge. He releases it to
those who seek and toil to learn bit by bit so that pride may not overtake human
beings. If the objective of economics is to find the truth, i.e. economic truth, then
such truth cannot be found with reason alone, that is, without guidance being
sought from God's Final Revelation, the Holy Quran and the Purified Sunnah.
Thus, in the methodology of economics we have to integrate and unify
together the three broad sources of knowledge: Reality, Reason and Revelation.
The first to come is the filter of Revelation, then the filter of Reason and lastly
that of Reality. These three facets are interrelated and should invariably underpin
any future discussion on methodological issues in economics, secular or Islamic.
(Addas, 2008)
2.3.1. Islamic Beliefs
Qardhawi (1997) explained that Aqidah Islamiyyah (Islamic Belief) is
built on the following foundations:
1. Faith in God, the Most High, who created, fashioned with perfection, measured, then showed guidance.
2. Humans are not only physical creatures, and also not only skeletons composed of bones, muscles, and blood vessels. Humans are also spiritual creatures in low physical forms. Humans deserve to be Allah's Khalifah, honoured by Him, and also deserve to build wealth on the earth with truth and justice.
3. All humans are Allah's servants, not obliged to obey any other than Him, and have the same place of gathering. There is no group or race or single person which is higher than the others.
4. Allah does not leave humans in vain and confusion, but sends messengers who show guidance to the right path. (Quran 4:105)
5. The guidance brought by the messengers has been finalized with a guidance which is eternal and general, brought by the final and last messenger Muhammad (p.b.u.h.). Thus, with that guidance, Allah finalized His rules, built the good characteristics of humans, and built the guidance to truth, justice and goodness. Life will not be good without it and there is no happiness in believing in anything other than it.
6. The aspiration of humans in this life is not limited to eating and having fun like animals, but is to worship Allah alone, doing good deeds for Allah's pleasure, to destroy evils, badness, and injustices.
2.3.2. Islamic Jurisprudence (Fiqh) and Islamic Source (Dalil) of Knowledge
Islamic Jurisprudence is defined as knowledge about Islamic law extracted
from detailed Islamic sources (Hasbullah, 2003). The rules of fiqh are derived
from the Qur'an and Sunnah in conformity with a body of principles and methods
which are collectively known as usul al-fiqh or Principles of Islamic
Jurisprudence. It expounds the indications and methods by which the rules of fiqh
are deduced from their sources (dalil) (Kamali, 1996).
Dalil, in Arabic etymology, means a guide for anything khissi (material) or
manawi (spiritual), whether it is good or bad. In terminological terms, Dalil means
anything that is positioned as a reason, according to correct jurisprudence, for a
Sharia ruling about human deeds, whether in a definitive way (qathiy) or a
presumptive way (zhanni) (Wahhab Khallaf, 1947).
About the Dalil, Kamali (1996) further explained as the following,
There are a number of ayat in the Quran which identify the sources of Shariah and the order of priority between them. But one passage in which all the principal sources are indicated occurs in Sura al-Nisa' (4: 58-59) which is as follows: 'O you believers! Obey Allah and obey the Messenger and those of you who are in charge of affairs. If you have a dispute concerning any matter, refer it to God and to the Messenger,' 'Obey Allah' in this ayah refers to the Quran, and 'Obey the Messenger' refers to the Sunnah. Obedience to 'those who are in charge of affairs' is held to be a reference to ijma', and the last portion of the ayah which requires the referral of disputes to God and to the Messenger authorizes qiyas. For qiyas is essentially an extension of the injunctions of the Quran and Sunnah.
According to Addas (2008), it becomes imperative to bring in a minimum
of fiqh and ushul while discussing the methodological issues for Islamic
economics. The three central jurisprudence principles for building the foundations
of value selection in Islamic economics are:
1. la darar wa la dirar (harm may neither be inflicted nor reciprocated)
2. dar-ul-mafasid muqaddam ala talab al-masalih (preventing harm has
higher priority than obtaining goodness)
3. yutahammal aldarar alkhas li-rafi aldarar al-aam (a specific harm is
tolerated in order to prevent a more general one)
2.3.2.1. Al Quran (the Koran)
Utsaimin (2001) described the definition of Al Quran as:
Kalamullah (Allah's Words) revealed to Prophet Muhammad shalallahu alaihi wassalam in the Arabic language and transmitted through multiple lines of transmission, from Al Fatihah to An Nas. Reading the Al Quran is recognized as a deed of worship.
The validity of Al Quran is supported by several arguments, such as the very
broad scope of its verses, which contain fundamental teachings about Aqidah
(Belief), Sharia (Jurisprudence), Akhlaq (deeds in interaction with others), social
science, scientific knowledge, and so on. Its content is also consistent with
well-proven modern knowledge, and it reveals things unthinkable or
undiscoverable by humans, such as things that happened in the past, things that
will happen in the future, and ghayb (things that human senses cannot perceive)
(Hasbullah, 2003).
2.3.2.2. As Sunnah or Al Hadith
As Sunnah, also often called Al Hadith, is the second jurisprudence
source of Islam. Putting faith in As Sunnah is the manifestation and consequence
of faith in Allah's Messenger and the willingness to stick to his way. Wahhab
Khallaf (2001) defines Hadith as:
Everything that comes from Prophet Muhammad Shalallahu alayhi wassalam. It can be his sayings, his deeds or his taqrir (his agreement or permission related to one or more actions).
2.3.2.3. Al Ijma and Al Qiyas
Wahhab Khallaf (2001) defines al Ijma as:
The consensus of Muslim scholars after the death of Prophet Muhammad Shalallahu 'alayhi wassalam about a particular Sharia matter
Wahhab Khallaf (2001) defined Al Qiyas as:
To match an undecided derivative matter to a decided and congruent fundamental matter
2.3.3. Economic Concepts Based on Islamic Perspective
Qardhawi (1997) states about the relationship between Islam and
Economics as follows:
Islam is a complete system for the entire life, including personal life, community life, and life in all its aspects such as thought, soul and ethics, and also economics, social affairs and politics. Economics is a dynamic and crucial part of Islam, but not the principle and foundation for the construct of Islamic values, not the main point of its preaching, not the objective of its messages, not the characteristic of its civilization and also not the intention of its followers. Economics, in the Islamic perspective, is not the final objective. Rather, it is required by human beings and acts as an instrument to continue living and working to achieve the higher objective. Thus, economics is a supporting instrument for human beings, serving their belief and meaning.
The role of humans on the earth in relation to economics is also pointed out in the
Quran:
"But seek, with that which Allah has bestowed on you, the home of the Hereafter, and forget not your portion of lawful enjoyment in this world; and be generous as Allah has been generous to you, and seek not
mischief in the land. Verily, Allah likes not the mischief-makers." (Al Qashash 28: 77)
Ibn Kathir explained the meaning of the verse as follows:
Use this great wealth and immense blessing Allah has given you to worship your Lord and draw closer to Him by doing a variety of good deeds which will earn you reward in this world and the Hereafter.
That which Allah has permitted of food, drink, clothing, dwelling places and women, your Lord has rights over you, your self has rights over you, your family has