Skripsi-COSO

Date post: 14-Sep-2015
Upload: rasyid-isa
Description:
Research on the COSO ERM framework as perceived through Islamic sharia principles
Critical Review on COSO Enterprise Risk Management Framework Based on Islamic Perspective
UNDERGRADUATE THESIS (SKRIPSI)
Submitted to fulfil one of the requirements for obtaining a Bachelor's degree in the Department of Accounting, Faculty of Economics, Padjadjaran University
Prepared by: RASYID ISA SAYUTI, B1A040075
FACULTY OF ECONOMICS, DEPARTMENT OF ACCOUNTING, PADJADJARAN UNIVERSITY, BANDUNG, 2011
Transcript
  • Critical Review on COSO Enterprise Risk Management Framework Based on Islamic Perspective

    UNDERGRADUATE THESIS

    Submitted to fulfil one of the requirements for obtaining a Bachelor's degree at the Faculty of Economics, Padjadjaran University

    Prepared by:

    RASYID ISA SAYUTI

    B1A040075

    Bandung, 10 August 2011

    Approved by, Main Supervisor,

    Syaiful Rahman Soenaria, SE, MT, Ak., CSRS. CMA NIP. 197 106 190 995 031 001

    Approved by,

    Head of the Accounting Department,

    Prof. Dr. Azhar Susanto, M.Buss, Ak NIP. 196 106 251 989 021 002

    Head of the Accounting Study Program,

    Dr. Hj. Nunuy Nur Afiah, SE, MSi, Ak NIP. 19610715 198701 2 001

  • STATEMENT OF ORIGINALITY OF SCIENTIFIC WORK

    The undersigned: Name: Rasyid Isa Sayuti, NPM: B1A040075

    1. My thesis is original and has never been submitted to obtain an academic degree (bachelor's, master's and/or doctoral), either at Padjadjaran University or at any other higher education institution.

    2. This thesis is purely my own ideas, formulation and assessment, without the help of other parties, except for the guidance of my supervisor.

    3. This thesis contains no work or opinion written or published by others, except where clearly cited in writing in the bibliography.

    4. I make this statement truthfully, and if at a later date any deviation or untruth is found in this statement, I am willing to accept academic sanctions in the form of revocation of the degree obtained through this written work, as well as other sanctions in accordance with the norms in force at this university.

    Bandung, 10 August 2011. The declarant,

    Rasyid Isa Sayuti NPM. B1A040075

  • ABSTRACT (Indonesian version)

    Critical Review on COSO Enterprise Risk Management Framework Based on Islamic Perspective

    This research is intended to identify the contributions that can be made to developing the COSO Enterprise Risk Management Framework from the Islamic Perspective. The object of the research is the standard on Enterprise Risk Management issued by The Committee of Sponsoring Organizations in 2004.

    The research method used is the content analysis method combined with Islamic legal methods, applied in a literature study of Islamic canonical texts, textbooks and research journals collected from books and from electronic sources. These texts represent the Islamic Perspective. Sampling was performed on the texts using the relevance sampling method, so that only the relevant rulings were taken from the texts on the aspects contained in the COSO Enterprise Risk Management Framework. The data taken from the texts were arranged as the Islamic Perspective on COSO Enterprise Risk Management.

    The elaboration process yielded a significant critical review of the COSO Enterprise Risk Management Framework in three aspects: the Event-Risk-Opportunity concept, objectives and components. That this review was produced shows that important contributions to the COSO Enterprise Risk Management Framework based on the Islamic Perspective could be formulated.

    Keywords: COSO Enterprise Risk Management Framework, Enterprise Risk Management, Islamic Law, Islamic Perspective, The Committee of Sponsoring Organizations

  • ABSTRACT

    Critical Review on COSO Enterprise Risk Management Framework Based on Islamic Perspective

    This research is intended to find out the possible contributions for improving the COSO Enterprise Risk Management Framework from an Islamic perspective. The research object is the standard issued by The Committee of Sponsoring Organizations regarding Enterprise Risk Management in 2004.

    The research method used is the content analysis method combined with the Islamic methods, applied in a thorough literature study of Islamic canonical texts, scholarly textbooks and research journals collected from both paper and electronic sources. These texts construct and represent the Islamic perspective. The sampling process was performed on the texts by the relevance sampling method, which retrieves only the relevant jurisprudence from the texts regarding aspects contained in the COSO Enterprise Risk Management Framework. The data retrieved from the texts were arranged as the Islamic Perspective on COSO Enterprise Risk Management.

    The elaboration process concluded significant critical reviews of the COSO Enterprise Risk Management Framework within its three aspects: Event-Risk-Opportunity concepts, objectives and components. The presence of these reviews shows that significant potential contributions to the COSO Enterprise Risk Management framework have been provided by viewing the framework from an Islamic perspective.

    Keywords: COSO Enterprise Risk Management Framework, Enterprise Risk Management, Islamic Perspective, Islamic Jurisprudence, The Committee of Sponsoring Organizations.

  • PREFACE

    patience, and for invaluable knowledge and experience you share, and also for the souvenir from Germany you gave to me.

    3. Dr. Tettet Fitrijanti, SE. MSi. Ak. as my guardian lecturer, thank you for the advice, guidance and motivation you have provided for me.

    4. Mrs. Selly Herdianti, S.E., M.Si., Ak. as my thesis examiner, thank you for your high appreciation of my thesis and my comprehensive examination.

    5. My beloved parents, Harun Nur Rasyid and Susmijati, thank you for all the love and care that have been given to me up until now, and for all the patience, endurance and nurture for the whole of my life. May Allah grant forgiveness, guidance and salvation to you.

    6. Mr. Sony Devano, the tireless and persistent redeemer for such a troublesome student like me, thanks a lot for your indispensable help, especially during my final semester.

    7. All the lecturers in the Faculty of Economics, Padjadjaran University, thank you for all the beneficial knowledge and experiences you have shared with me.

    8. All the academic staff in the Economic Faculty of Padjadjaran University, and also the librarians in CISRAL and the FE UNPAD Library, thank you for providing sincere help for such a troublesome student like me.

    9. My beloved brother, Muhammad Ashr Sayuti, and my beloved sister, Ashri Rahmatia Salma, whose reliability and support have been helping me a lot. May Allah sustain our cohesiveness, and grant us forgiveness, guidance and salvation. Thank you for still being jewels for our family while your big brother is having a somewhat bothersome life. It is very nice to remember the times when you both backed me up when I did things badly.

    10. My colleagues in The last men standing of Accounting 2004 crew, Sofyan Marfu, Drian Putra, Masitah Iriani Hamzah, Yosef Yusrizal, Sarie Puspayanti, and others, you all deserve my praise and gratitude for the everlasting spirit and motivation we share with each other. Thank you.

    11. Very special thanks are addressed to my friends and lecturers who helped me with direct material and immaterial support for the completion of this work: Mr. Kurniawan Saefullah, Nugroho Muhtarif, Arsitoadi Widagdo, Nur Izzatunnafsi, Yasser Arafat, Asep Kurniawan, Chandra Natadipurba, Tayana Nuraida, Dipha Aulia Midian, Febi Rahmi, Miranty Januaresty, Siti Fatimah, Kaniawati, Aldila Ayudya Putri, Drian Putra and Zara Sita Novebrianti.

    12. My directors in Cakrawala Capital, Mr. Azwan Martin and Mr. Dewi Farida Cahyani, you have taught me a lot of useful and meaningful things patiently and forbearingly.

    13. My colleagues in the Accounting Department, I have to thank you all because of our unforgettable togetherness on this campus as classmates and organizational activists. Honorably mentioned are, firstly, the gentlemen of the katak crew, then surely the other 2004ers, Indri my childhood friend, Erdin, Siti, Leni, QQ, and all the names I cannot mention here. And also all my respectable seniors and juniors, thank you for the good togetherness, especially those who supported me during my final countdown.

    14. My colleagues and mentors in Studio Komputer Akuntansi, thank you for our togetherness and for providing the studio as a beautiful place to share, to learn, and even to live.

    15. My colleagues in Unit Catur Mahasiswa UNPAD (UCMU), thank you for facilitating my desire for chess achievements, and also for being nice adventuring partners.

    16. My friends in MyQuran Community, especially MyQers Bandung, thank you for our everlasting cohesiveness, for every single unforgettable lesson taught to me; perhaps our togetherness lasts forever.

    17. My colleagues and mentors in Santri Tahfidz Quran Habiburrahman, thank you for helping me to construct my spiritual foundation to make me a better person than before.

    18. The Crew of Masjid al Jihad UNPAD, thank you for giving me such a comforting shelter, although we do not really know each other closely. Surely, from your hands I can feel Allah's mercy descended.

    19. My colleagues in the Economic Faculty, especially those who worked together in BEM FE UNPAD, thank you for accompanying me to get valuable experiences there.

    20. My special gratitude goes to the inspiring and helpful family, Nugroho Muhtarif & Diana Rosida, and also to my best friends: Dipha Aulia Midian, Miranty Januaresty and her husband Miftah Ariffianto, Bobby Saiful Bilal, Sirodj Aja, Dandi Rusdani, Muhammad Yunus, and all the FIKA DKM Al Ikhlas crew, Lidya & Hasyim, Marshy & Tichy, Bezie Galih Manggala, Dewi Rosmala and her husband Habibie Burhani, and also to my childhood friend, Indriyana Adhi Dharma.

    21. Last but not least, to the other people who helped and prayed for me but whom I cannot mention here, verily Allah recognizes all of your support and verily, He is the best and swift in compensation.

    May Allah grant everlasting salvation and guidance to you all, and hopefully I will always remember to pray for your goodness for the rest of my life. Insya Allah, Jazakumullahu Khayr.

    Finally, hopefully this research will be useful for others, although many weaknesses and limitations exist. Criticism and recommendations will be very welcome and appreciated for corrections and improvements.

    2011M/1432H

    Rasyid Isa Sayuti

  • TABLE OF CONTENTS

    ABSTRACT

    PREFACE

    TABLE OF CONTENTS

    LIST OF FIGURES AND TABLES

    INTRODUCTION

    1.1. Research Background

    1.2. Problem Identification

    1.3. Research Objectives

    1.4. Research Scope

    1.5. Research Benefit

    1.6. Conceptual Framework

    THEORETICAL FOUNDATION

    2.1. Management Control Systems

    2.2. The COSO Enterprise Risk Management Framework

    2.2.1. Backgrounds

    2.2.2. Definition

    2.2.3. Objectives

    2.2.4. Components

    2.3. Islamic Perspective

    2.3.1. Islamic Beliefs

    2.3.2. Islamic Jurisprudence (Fiqh) and Islamic Source (Dalil) of Knowledge

    2.3.3. Economic Concepts Based on Islamic Perspective

    2.3.4. Economic Entity Based on Islamic Perspective

    2.3.5. Fundamental of the Ethics in Economics Based on Islamic Perspective

    RESEARCH METHODOLOGY

    3.1. Research Object and Analysis Unit

    3.2. Research Method

    3.2.1. Qualitative Research Method

    3.2.2. Literature Study

    3.2.3. Content Analysis

    3.3. Islamic Methodology of Knowledge and Research

    3.3.1. The Islamic Jurisprudence Science (Ilmu Ushulul Fiqh)

    3.3.2. The Dalil (Islamic Sources)

    3.3.3. Understanding Quran as Dalil

    3.3.4. Understanding Sunnah (Hadith) as Dalil

    3.3.5. Ijma

    3.3.6. Qiyas

    3.4. Data Collection Technique

    3.5. Data Analysis Technique

    RESEARCH ANALYSIS

    4.1. Collecting and Summarizing Islamic Literature

    4.2. Islamic Perspective on COSO Enterprise Risk Management Framework

    4.2.1. The Islamic Perspective of Event, Risk and Opportunities

    4.2.3. The Islamic Perspective on COSO Enterprise Risk Management Framework Objectives

    4.2.4. The Islamic jurisprudence Perspective on COSO Enterprise Risk Management Framework Components

    CONCLUSION AND RECOMMENDATION

    5.1. Research Summary

    5.1.1. Summary of the Critical Review on The Definition of Event, Risk and Opportunity in COSO Enterprise Risk Management Framework

    5.1.2. Summary of the Critical Review on COSO Enterprise Risk Management Objectives

    5.1.3. Summary of the Critical Review on COSO Enterprise Risk Management Components

    5.2. Recommendation for Enterprise Risk Management Practitioners and Academicians

    5.3. Recommendations for Other Researchers

    BIBLIOGRAPHY

  • LIST OF FIGURES AND TABLES

    Figure 1.1: Conceptual Framework

    Figure 2.1: Elements of the control process

    Figure 2.2: Levers of Control Framework

    Figure 2.3: COSO Enterprise Risk Management Framework

    Figure 3.1: A framework for Content Analysis

    Figure 3.2: Components of Content Analysis

    Table 4.1: Collected Texts as the Source for Constructing Islamic Perspective

    Table 5.1: The Summary of the Critical Review on COSO Enterprise Risk Management Objectives

    Table 5.2: The Summary of the Critical Review on COSO Enterprise Risk Management Components

  • CHAPTER I

    INTRODUCTION

    1.1. Research Background

    The current business environment is characterized by fast changes in customers, technologies and competition. Thus, organizations need to continuously renew themselves to survive and prosper. In the light of the financial/economic crisis of 2008/09, (strategic) uncertainty and risk rose enormously for many companies. Therefore, companies are in continuous need of adapting their Management Control Systems (MCS) (Asel, 2009).

    According to Merchant and Otley (2007),

    a MCS is designed to help an organization adapt to the environment in which it is set and to deliver the key results desired by stakeholder groups.

    MCS have the purpose of providing information useful in decision-making, planning and evaluation. The focus of MCS is not only on one form of control, such as performance measures, but on multiple control systems working together. Simons (2000) posits in his levers of control (LOC) framework that MCS consist of four interrelated control systems: beliefs (e.g. mission statement), boundary (e.g. code of conduct), diagnostic (e.g. budgets) and interactive (e.g. management involvement) systems. The LOC framework asserts that strategic uncertainty and risk drive the choice and use of control systems. Berry (2009) calls for further research with regard to risk and MCS. Moreover, the knowledge about alignment between a firm's strategy and a firm's MCS is limited (Widener, 2007).

    In recent years, the relationship between controls and risk management has also become a key concern (Carroll, 2009). Power (2007) argues that there has been an explosion of risk discourse and of related practices. Organizations have re-envisioned their processes around the idea of risk. Internal controls and governance have been re-invented in terms of capabilities for effective risk management, embodied in a multiplicity of standards and guidelines which provide legitimized templates for organizations to represent and account for themselves as well controlled and governed.

    In 2004, a worldwide organization named the Committee of Sponsoring Organizations (COSO) developed the COSO Enterprise Risk Management Framework. This framework was introduced to the enterprise world with the expectation that it would help in achieving an entity's objectives, set forth in four categories:

    Strategic: high-level goals, aligned with and supporting its mission

    Operations: effective and efficient use of its resources

    Reporting: reliability of reporting

    Compliance: compliance with applicable laws and regulations

    For these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives that should assure sustainability and maintain the entity's value creation process in both the long and the short term.

    As time went on, the framework gained popularity and came to be used widely in business practice all over the world. Today, six years after the ERM Framework was born, we are facing doubts about the framework, especially after the fall of Lehman Brothers, which systematically dragged the entire world into a financial crisis.

    On September 15, 2008, Lehman Brothers filed for bankruptcy. With $639 billion in assets and $619 billion in debt, Lehman's bankruptcy filing was the largest in history, as its assets far surpassed those of previous bankrupt giants such as WorldCom and Enron. Lehman was the fourth-largest U.S. investment bank at the time of its collapse, with 25,000 employees worldwide. Lehman's demise also made it the largest victim of the U.S. subprime mortgage-induced financial crisis that swept through global financial markets in 2008. Lehman's collapse was a seminal event that greatly intensified the 2008 crisis and contributed to the erosion of close to $10 trillion in market capitalization from global equity markets in October 2008, the biggest monthly decline on record at the time.

    In April 2009, in a speech, Robert P. Hartwig, president of the Insurance Information Institute in New York, declared that "the financial crisis is the result of a failure of risk management in the banking and securities markets on a colossal scale." He added that "very fundamental and tough questions about the practice of risk management worldwide must be asked and answered." Among them:

    "How did so many major, allegedly sophisticated financial players miss or overlook such huge, systemic exposures?"

    "What other shoes might yet be left to drop?"

    "How can we prevent this from ever happening again?"

    However, others are rushing to the defense of ERM. Carol Fox, former chair of the RIMS Enterprise Risk Management Development Committee, defended ERM during a RIMS webinar on: "The 2008 Financial Crisis - A Wakeup Call for Enterprise Risk Management."

    The COSO ERM Framework, as a widely used concept of risk management, is now being both criticized and defended. The defenders generally blame the way the COSO ERM Framework is implemented and practiced, while the critics attack the current COSO ERM Framework concept in general. In fact, both generally show the same intention: to improve the current enterprise risk management concept and/or practices in order to prevent such a crisis from ever happening again. So, although they choose different ways, the final objective should be the same, and their synergy should make the process of achieving the objective more meaningful and dynamic.

    However, most of the thought developed in enterprise risk management practices (and in most economic and financial thought) has been developed from a Western perspective, with its liberal, capitalist and profit-oriented approach. Thus, other perspectives should be involved to broaden the viewpoint, in order to enrich the development of enterprise risk management and make it even more dynamic. For the sake of this enrichment, it is quite reasonable to bring in the Islamic perspective as a new viewpoint in formulating concepts for enterprise risk management.

    The Islamic perspective is a perspective built on the foundation of the Islamic religion, represented in Al Quran and As Sunnah or Hadith, with comprehensive guidance regarding all aspects of life, therefore ruling the relationship of humans with both The Creator (God or Rabb) and the creatures. The guidance brought by Islam also came as a solution to human problems regarding those aspects. The guidance is also assured (or acclaimed) to be eternally relevant and reliable until the Day of Resurrection. Naturally, Islam intends to bring goodness for the whole universe, as stated in Surah 21: Al Anbiya, verse 107:

    And We have sent you not but as a mercy for the `Alamin (the whole universe)

    Adz Dzariyat, verse 56, also states that humans (and jinns, or genies) were created for nothing but worshipping Allah:

    And I created not the Jinn and mankind except that they should worship Me

    The meaning of worship in the verse is not limited to spiritual deeds only, but also covers daily life, while people interact with each other and with their environment.

    By referring to the two verses, we can conclude that the value of the Islamic religion is to perform the best effort in worshipping God for the sake of goodness to the universe. Therefore, the essential objective of Islam is compliance with God. And God is The All Knower of everything, including what is good for humans, as stated in Surah 2: Al Baqarah (The Cow), verse 216:

    and it may be that you dislike a thing which is good for you and that you like a thing which is bad for you. Allah knows but you do not know

    Thus, according to the verse, the divine verses from God, as revealed to the Holy Prophet Muhammad (p.b.u.h), should stand above all the disciplined knowledge resulting from man's cognitive explorations. Moreover, all kinds of knowledge and science should be developed for the purpose of worshipping Allah alone, which leads to goodness for human civilization.

    The process of integrating all the disciplines of knowledge with religiously based knowledge drawn from Al Quran and As Sunnah or Hadith is usually called the Islamization of knowledge. The final objective of the Islamization of Knowledge is to understand how the needs of man can be fulfilled by Islam.

    The objective of the Islamization of knowledge, or the adoption of Islamic values, is aimed not only at the good of Muslims but also at humanity and the environment, as stated in the verse mentioned above, Al Anbiya verse 107. Integrating Islamic values into various disciplines of knowledge is expected to add more value to that knowledge. More value means more benefit for humanity and the environment, and the benefit should be distributed justly and fairly.

    This kind of justice can be found in the reign of Prophet Muhammad (p.b.u.h) over Medina and the Arabian Peninsula, followed by the leadership of the four guided caliphs. As quoted by Tamir Abu Suood (2001) regarding the reign of the second rightly guided caliph, Umar Ibnu al Khaththab:

    Umar capably and powerfully struck the balance of justice since day one of his caliphate. Drawing mainly on the tolerance and justice of Islam, yet leaning also on his own laudable character, the praiseworthy traits he inherited from his ancestors as well as his own past experience, Umar was a memorable example of unblemished justice. In the eyes of Umar, all people were equal, be they rich or poor, powerful or weak, related or distant. His justice even extended to include non-Muslims, whom he treated with exceptional nobleness.

    And also during the reign of the fifth rightly guided caliph, Umar bin Abdul Aziz:

    Umar ibn Usayd is reported to have said that during Umar's reign, people would bring them loads of money and put it at their disposal (as Infaq or Zakat), but we would tell them to take their money as 'Umar had made all rich

    The need for Islamic values to contribute to the development of science in general is also stated by Masood (2009):

    Did science need Islam, as a faith, in order to progress? And if it did, should we be encouraging more of the peoples of the Islamic world to become better and more observant Muslims, as a way of improving science in OIC countries? This is an argument that is sometimes put forward, particularly by those who believe that the world as a whole is in the grip of moral decay, and that a return to faith will help to make things better. This is also the view of those political leaders who want to see religion and politics in the Islamic world more closely aligned. They argue that, as the golden age of science and learning took place at a time when states were organized and governed under Islamic laws, a return to such ruling systems is what is needed to move science ahead into the future.

    Thus, the Islamic perspective should be able to make significant contributions to the improvement of Enterprise Risk Management concepts and practices. The contribution is expected to add more value to Enterprise Risk Management, and can begin with a critical review of the Enterprise Risk Management Framework based on the Islamic perspective. Therefore the researcher proposes research with the topic:

    Critical Review on COSO Enterprise Risk Management Framework 2004 Based on Islamic Perspective

    1.2. Problem Identification

    Based on the research background described above, the researcher identifies the problems as follows:

    1. What kinds of improvement are possible for the COSO Enterprise Risk Management framework?

    2. How can the Islamic perspective critically contribute to the improvement of COSO Enterprise Risk Management?

    1.3. Research Objectives

    The objective of this research is to explore the possible critical contributions for improving the COSO Enterprise Risk Management framework based on the Islamic perspective.

    1.4. Research Scope

    The researcher defines several limitations on the scope of the research. These limitations are formulated to establish a clear focus and to systematize the research structure. The limitations are:

    1. The research object is focused on the COSO Enterprise Risk Management Framework 2004 Objectives and Components.

    2. The research focuses on critically contributing new ideas to improve the COSO Enterprise Risk Management Framework 2004 Objectives and Components based on the Islamic perspective.


    1.5. Research Benefit

    1. For other college students and researchers, the research is expected to contribute new ideas about research topics, methods, and paradigms for the improvement of the COSO Enterprise Risk Management framework.

    2. For the Muslim world, this research is expected to encourage the integration of the Islamic perspective into scientific and social reality, and thus into all aspects of life.

    3. For practitioners, this research is expected to inspire a new way of viewing problems and finding solutions.

    1.6. Conceptual Framework

    The continuously strengthening relationship between control and risk

    management highlights the importance of the risk management itself in

    Management Control Systems and especially in the development of control

    processes.

    For the purpose of risk management, the Committee of Sponsoring Organizations (COSO) has established a framework called the COSO Enterprise Risk Management Framework, which was published in 2004. This framework consists of four objectives and eight components and establishes some perspective on risks and uncertainties. However, it is commonly recognized that the framework is still in need of improvement.

    The Islamic perspective consists of valid Islamic sources (Dalil) and Islamic Jurisprudence Science (Ilmu Ushulul Fiqh). Wahhab Khallaf (2000) describes the valid Islamic sources agreed on by most Islamic scholars as Al Quran, Hadith or Sunnah, Ijma and Qiyas. The Islamic religion built on these sources covers not only the ritual aspect but all aspects of life, e.g. economics, ethics, politics, law, history and so on (Qardhawi 1997).

    Regarding the completeness of the Islamic Religion, the researcher intends

    to explore the Islamic Perspective on COSO Enterprise Risk Management

    Framework for the purpose of attempting some critical contributions to the

    Enterprise Risk Management.

    Figure 1.1: Conceptual Framework


    CHAPTER II

    THEORETICAL FOUNDATION

    2.1. Management Control Systems

    A control system is a set of formal and informal systems to assist the

    management in steering the organization towards its goals. Controls help in

    guiding employees effectively towards the accomplishment of the organization's

    goals. Establishing a control system in an environment of distributed

    accountability, reengineered processes, and local autonomy and empowerment is a

    challenging task (Anthony, 2006).

    The control process in any organization can be undertaken at three levels.

    These are: the strategic level, the management level, and the operational level.

    Each type of control occurs primarily at one of the three distinct levels of the

    organizational hierarchy. Strategic control deals primarily with the broad

    questions of domain definition, direction setting, expression of the organization's

    purpose, and other issues that impact the organization's long-term survival.

    Strategic control overlaps to some extent with the process of strategy formulation.

    Strategic control also deals with issues relating to general company objectives and

    the implementation and monitoring of progress. Management control deals with

    effective resource utilization, the state of competitiveness of the unit, and the

    translation of corporate goals into business unit objectives. Operational control is

    primarily concerned with efficiency issues. Occurring at very specific functional

    or sub-departmental levels of the organizational hierarchy, this mode of control


    generally conforms to traditional control models. The time horizon of control is

    very short, the benchmarks are known and well defined, and the outcomes are

    tangible and easily measurable (ICFAI, 2006).

    Increased control in an organization will result in reduced creativity and

    entrepreneurship. Hence it is important for organizations to establish the tradeoff

    between the amount of control and the level of freedom for employees, and to

    choose the right mix of controls (ICFAI, 2006).

    Any control system has four important elements. They are a detector or

    sensor, an assessor, an effector and a communications network, as can be seen in

    Figure 2.1. The detector analyzes the situation that is being controlled. An

    assessor helps in comparing the actual results with the standard or expected

    results. An effector is used to reduce the gap between the actual and the standard

    result. The communication network transmits information between the detector,

    the assessor and the effector (ICFAI, 2006).

    Figure 2.1: Elements of the control process. Source: ICFAI

    Simons (1995) described that the Levers of Controls in Management Control Systems consists of four interrelated control systems: beliefs (e.g. mission statement), boundary (e.g. code of conduct), diagnostic (e.g. budgets) and interactive (e.g. management involvement) systems. Moreover, he argues that strategic uncertainty and strategic risk play a central role in his (LOC) framework.

    Figure 2.2: Levers of Control Framework. Source: Simons (1995)

    The role of the management is to organize, plan, integrate and interrelate organizational activities to achieve organizational objectives. The achievement of these activities is facilitated by management control systems. A management control system is designed to assist managers in planning and controlling the activities of the organization. A management control system is the means by which senior managers ensure that subordinate managers, efficiently and effectively, strive to attain the company's objectives. According to Anthony, Dearden and Govindarajan (1992), management control is the process by which managers ensure that resources are used effectively and efficiently in the accomplishment of the organization's objectives.

    2.2. The COSO Enterprise Risk Management Framework

    2.2.1. Backgrounds

    2.2.1.1. The Committee of Sponsoring Organizations (COSO)

    COSO was formed in 1985 to sponsor the National Commission on

    Fraudulent Financial Reporting, an independent private-sector initiative which

    studied the causal factors that can lead to fraudulent financial reporting. It also

    developed recommendations for public companies and their independent auditors,

    for the SEC and other regulators, and for educational institutions.

    The National Commission was sponsored jointly by five major

    professional associations headquartered in the United States: the American

    Accounting Association (AAA), the American Institute of Certified Public

    Accountants (AICPA), Financial Executives International (FEI), The Institute of

    Internal Auditors (IIA), and the National Association of Accountants (now the

    Institute of Management Accountants [IMA]). Wholly independent of each of the

    sponsoring organizations, the Commission contained representatives from

    industry, public accounting, investment firms, and the New York Stock Exchange.

    COSO's mission is to provide thought leadership through the development

    of comprehensive frameworks and guidance on enterprise risk management,


    internal control and fraud deterrence designed to improve organizational

    performance and governance and to reduce the extent of fraud in organizations.

    2.2.1.2. Enterprise Risk Management

    The background history of Enterprise Risk Management Framework can

    be seen in the Foreword of the Report. Over a decade ago, the Committee of

    Sponsoring Organizations of the Treadway Commission (COSO) issued Internal

    Control - Integrated Framework to help businesses and other entities assess and

    enhance their internal control systems. That framework has since been

    incorporated into policy, rule, and regulation, and used by thousands of

    enterprises to better control their activities in moving toward achievement of their

    established objectives.

    Recent years have seen heightened concern and focus on risk management,

    and it became increasingly clear that a need exists for a robust framework to

    effectively identify, assess, and manage risk. In 2001, COSO initiated a project,

    and engaged PricewaterhouseCoopers, to develop a framework that would be

    readily usable by managements to evaluate and improve their organizations'

    enterprise risk management.

    The period of the framework's development was marked by a series of

    high-profile business scandals and failures where investors, company personnel,

    and other stakeholders suffered tremendous loss. In the aftermath were calls for

    enhanced corporate governance and risk management, with new law, regulation,

    and listing standards. The need for an enterprise risk management framework,

    providing key principles and concepts, a common language, and clear direction


    and guidance, became even more compelling. COSO believes this Enterprise Risk

    Management - Integrated Framework fills this need, and expects it will become

    widely accepted by companies and other organizations and indeed all stakeholders

    and interested parties.

    Among the outgrowths in the United States is the Sarbanes-Oxley Act of

    2002, and similar legislation has been enacted or is being considered in other

    countries. This law extends the long-standing requirement for public companies to

    maintain systems of internal control, requiring management to certify and the

    independent auditor to attest to the effectiveness of those systems. Internal

    Control - Integrated Framework, which continues to stand the test of time, serves

    as the broadly accepted standard for satisfying those reporting requirements.

    This Enterprise Risk Management - Integrated Framework expands on

    internal control, providing a more robust and extensive focus on the broader

    subject of enterprise risk management. While it is not intended to and does not

    replace the internal control framework, but rather incorporates the internal control

    framework within it, companies may decide to look to this enterprise risk

    management framework both to satisfy their internal control needs and to move

    toward a fuller risk management process.

    Among the most critical challenges for managements is determining how

    much risk the entity is prepared to and does accept as it strives to create value.

    This report will better enable them to meet this challenge.


    2.2.2. Definition

    Enterprise Risk Management (ERM) is defined as:

    a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

    The definition can be broken down into the following fundamental concepts:

    A process, ongoing and flowing through an entity

    Effected by people at every level of an organization

    Applied in strategy setting

    Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk

    Designed to identify potential events affecting the entity and manage risk within its risk appetite

    Able to provide reasonable assurance to an entity's management and board

    Geared to the achievement of objectives in one or more separate but overlapping categories - it is a means to an end, not an end in itself

    The Enterprise Risk Management framework is established on the basis of two principles:

    Every entity exists to realize value for its shareholders

    Every entity has to deal with uncertainty

    Events - Risks and Opportunities

    An event is an incident or occurrence from internal or external sources that affects achievement of objectives. Events can have negative impact, positive impact, or both. Events with negative impact represent risks. Accordingly, risk is defined as follows:

    Risk is the possibility that an event will occur and adversely affect the achievement of objectives.

    Events with adverse impact prevent value creation or erode existing value. Examples include plant machinery breakdowns, fire, and credit losses. Events with an adverse impact can derive from seemingly positive conditions, such as where customer demand for product exceeds production capacity, causing failure to meet buyer demand, eroded customer loyalty, and decline in future orders.

    Events with positive impact may offset negative impacts or represent opportunities. Opportunity is defined as follows:

    Opportunity is the possibility that an event will occur and positively affect the achievement of objectives.

    Opportunities support value creation or preservation. Management channels opportunities back to its strategy or objective-setting processes, so that actions can be formulated to seize the opportunities.

    2.2.3. Objectives

    Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives. Objectives are aligned with the entity's risk appetite, which drives risk tolerance levels for the entity.

    COSO (2004) establishes four categories of entity objectives along with their brief definition:

    Strategic

    Having to do with high-level goals that are aligned with and support the entity's mission (or vision).

    Operations

    Having to do with the effectiveness and efficiency of an entity's activities, including performance and profitability goals, and safeguarding resources against loss.

    Reporting

    Having to do with the reliability of the entity's reporting, including both internal and external reporting of financial and non-financial information.

    Compliance

    Having to do with conforming with laws and regulations applicable to an entity.

    2.2.4. Components

    2.2.4.1. Internal Environment

    The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

    The Risk Management Philosophy

    An entity's risk management philosophy is the set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities. Its risk management philosophy reflects the entity's values, influencing its culture and operating style, and affects how enterprise risk management components are applied, including how risks are identified, the kinds of risks accepted, and how they are managed.

    Risk Appetite

    Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the enterprise's risk management philosophy, and in turn influences the entity's culture and operating style.

    Risk appetite is considered in strategy setting, where the desired return from a strategy should be aligned with the entity's risk appetite. Different strategies will expose the entity to different levels of risk, and enterprise risk management, applied in strategy setting, helps management select a strategy consistent with the entity's risk appetite.

    Entities consider risk appetite qualitatively, with such categories as high,

    moderate, or low, or take a quantitative approach, reflecting and balancing goals

    for growth and return with risk.

    Board of Directors


    An active and involved board of directors, board of trustees, or comparable

    body should possess an appropriate degree of management, technical, and other

    expertise, coupled with the mind-set necessary to perform its oversight

    responsibilities. This is critical to an effective enterprise risk management

    environment. And, because the board must be prepared to question and scrutinize

    management's activities, present alternative views, and act in the face of

    wrongdoing, the board must include outside directors.

    Integrity and Ethical Values

    Management integrity is a prerequisite for ethical behavior in all aspects of an entity's activities. The effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who create, administer, and monitor entity activities. Integrity and ethical values are essential elements of an entity's internal environment, affecting the design, administration, and monitoring of other enterprise risk management components.

    Commitment to Competence

    Competence reflects the knowledge and skills needed to perform assigned

    tasks. Management decides how well these tasks need to be accomplished,

    weighing the entity's strategy and objectives against plans for their

    implementation and achievement.

    Management specifies the competency levels for particular jobs and translates those levels into requisite knowledge and skills. The necessary knowledge and skills in turn may depend on individuals' intelligence, training, and experience. Factors considered in developing knowledge and skill levels include the nature and degree of judgment to be applied to a specific job. Often a trade-off can be made between the extent of supervision and the requisite competence level of the individual.

    Organizational Structure

    An entity's organizational structure provides the framework to plan,

    execute, control, and monitor its activities. A relevant organizational structure

    includes defining key areas of authority and responsibility and establishing

    appropriate lines of reporting. For example, an internal audit function should be

    structured in a manner that achieves organizational objectivity and permits

    unrestricted access to top management and the audit committee of the board, and

    the chief audit executive should report to a level within the organization that

    allows the internal audit activity to fulfill its responsibilities.

    Assignment of Authority and Responsibility

    Assignment of authority and responsibility involves the degree to which

    individuals and teams are authorized and encouraged to use initiative to address

    issues and solve problems, as well as limits to their authority. It includes

    establishing reporting relationships and authorization protocols, as well as policies

    that describe appropriate business practices, knowledge and experience of key

    personnel, and resources provided for carrying out duties.

    Human Resource Standards

    Human resource practices pertaining to hiring, orientation, training, evaluating, counseling, promoting, compensating, and taking remedial actions send messages to employees regarding expected levels of integrity, ethical behavior, and competence. For example, standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior, demonstrate an entity's commitment to competent and trustworthy people. The same is true when recruiting practices include formal, in-depth employment interviews and training in the entity's history, culture, and operating style.

    2.2.4.2. Objective Settings

    Objective setting is a precondition to event identification, risk assessment,

    and risk response. There must first be objectives before management can identify

    and assess risks to their achievement and take necessary actions to manage the

    risks. The general level of objectives has been explained in the previous

    discussion about the ERM Objectives.

    Strategic Objectives

    An entity's mission sets out in broad terms what the entity aspires to achieve. Whatever term is used, such as mission, vision, or purpose, it is important that management, with board oversight, explicitly establish the entity's broad-based reason for being. From this, management sets strategic objectives, formulates strategy, and establishes related operations, compliance, and reporting objectives for the organization. While an entity's mission and strategic objectives are generally stable, its strategy and many related objectives are more dynamic and adjusted for changing internal and external conditions. As they change, strategy and related objectives are realigned with strategic objectives.


    Strategic objectives are high-level goals, aligned with and supporting the

    entity's mission/vision. Strategic objectives reflect management's choice as to

    how the entity will seek to create value for its stakeholders.

    In considering alternative ways to achieve its strategic objectives,

    management identifies risks associated with a range of strategy choices and

    considers their implications. Various event identification and risk assessment techniques can

    be used in the strategy-setting process. In this way, enterprise risk management

    techniques are used in setting strategy and objectives.

    Related Objectives

    Establishing the right objectives that support and are aligned with the

    selected strategy, relative to all entity activities, is critical to success. By focusing

    first on strategic objectives and strategy, an entity is positioned to develop related

    objectives at an entity level, achievement of which will create and preserve value.

    Entity-level objectives are linked to and integrated with more specific objectives

    that cascade through the organization to subobjectives established for various

    activities, such as sales, production, and engineering, and infrastructure functions.

    By setting objectives at the entity and activity levels, an entity can identify

    critical success factors. These are key things that must go right if goals are to be

    attained. Critical success factors exist for an entity, a business unit, a function, a

    department, or an individual. By setting objectives, management can identify

    measurement criteria for performance, with a focus on critical success factors.

    Where objectives are consistent with prior practice and performance, the linkage among activities is known. However, where objectives depart from an entity's past practices, management must address the linkages or run increased risks. In such cases, there is an even greater need for business unit objectives or sub-objectives that are consistent with the new direction.

    Objectives need to be readily understood and measurable. Enterprise risk

    management requires that personnel at all levels have a requisite understanding of

    the entity's objectives as they relate to the individual's sphere of influence. All

    employees must have a mutual understanding of what is to be accomplished and a

    means of measuring what is being accomplished.

    Categories of Related Objectives

    Despite the diversity of objectives across entities, certain broad categories

    are established:

    Operations Objectives - These pertain to the effectiveness and efficiency of the entity's operations, including performance and profitability goals and safeguarding resources against loss. They vary based on management's choices about structure and performance.

    Reporting Objectives - These pertain to the reliability of reporting. They include internal and external reporting and may involve financial and non-financial information.

    Compliance Objectives - These pertain to adherence to relevant laws and regulations. They are dependent on external factors and tend to be similar across all entities in some cases and across an industry in others.


    2.2.4.3. Event Identification

    An event is an incident or occurrence emanating from internal or external

    sources that affects implementation of strategy or achievement of objectives.

    Events may have positive or negative impact, or both. Events range from the

    obvious to the obscure, and the effects from the inconsequential to the highly

    significant.

    The event identification process starts with considering a range of potential events stemming from both internal and external sources, without necessarily considering whether the impact is positive or negative. External factor events include economic, natural environment, political, social, and technological. Internal factor events include infrastructure, personnel, process, and technology.

    Events often do not occur in isolation. One event can trigger another, and

    events can occur concurrently. In event identification, management should

    understand how events relate to one another. By assessing the relationships, one

    can determine where risk management efforts are best directed.

    Events, if they occur, have a negative impact, a positive impact, or both.

    Events with a negative impact represent risks, which require management's

    assessment and response. Accordingly, risk is the possibility that an event will

    occur and adversely affect the achievement of objectives.

    Events with a positive impact represent opportunities, or offset the

    negative impact of risks. Opportunity is the possibility that an event will occur

    and positively affect the achievement of objectives and creation of value. Events

    representing opportunities are channeled back to management's strategy or

    objective-setting processes, so that actions can be formulated to seize the

    opportunities. Events offsetting the negative impact of risks are considered in

    management's risk assessment and response.

    Event Identification Techniques

    An entity's event identification methodology may comprise a combination

    of techniques, together with supporting tools. Event identification techniques look

    to both the past and the future. Techniques vary widely in level of sophistication.

    While many of the more sophisticated techniques are industry-specific, most are

    derived from a common approach. Techniques also vary in where they are used

    within an entity. Some focus on detailed data analysis and create a bottom-up

    view of events, while others focus top down.

    It is usually useful to group potential events into categories. By

    aggregating events horizontally across an entity and vertically within operating

    units, management expects to develop an understanding of relationships between

    events, gaining enhanced information as a basis for risk assessment, and

    determine opportunities and risks better. Event categorization also allows

    management to consider the completeness of its event identification efforts.

    2.2.4.4. Risk Assessment

    Risk assessment is a process where the management considers the mix of

    potential future events relevant to the entity and its activities in the context of

    matters that shape the entity's risk profile, such as entity size, complexity of

    operations, and degree of regulation over its activities. Risk Assessment is applied

    first to inherent risks. Once risk responses have been developed, management then

    considers residual risk.

    In assessing risk, management considers expected and unexpected events.

    Many events are routine and recurring, and are already addressed in management

    programs and operating budgets, while others are unexpected. Management

    assesses the risk of unexpected potential events and, if it has not already done so,

    expected events that can have a significant impact on the entity.

    In the context of enterprise risk management, the risk assessment

    component is a continuous and iterative interplay of actions that take place

    throughout the entity.

    Assessment Techniques

    An entity's risk assessment methodology comprises a combination of

    qualitative and quantitative techniques. Management often uses qualitative

    assessment techniques where risks do not lend themselves to quantification or

    when either sufficient credible data required for quantitative assessments is not

    practically available or obtaining or analyzing data is not cost-effective.

    Quantitative techniques typically bring more precision and are used in more

    complex and sophisticated activities to supplement qualitative techniques.

    2.2.4.5. Risk Response

    Risk responses fall within the following categories:

    - Avoidance: Exiting the activities giving rise to risk.

    - Reduction: Action is taken to reduce risk likelihood or impact, or both. This typically involves any of a myriad of everyday business decisions.

    - Sharing: Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk.

    - Acceptance: No action is taken to affect risk likelihood or impact.

    In determining risk response, management should consider such things as:

    - Effects of potential responses on risk likelihood and impact, and which response options align with the entity's risk tolerances

    - Costs versus benefits of potential responses

    - Possible opportunities to achieve entity objectives going beyond dealing with the specific risk

    Assessing Costs versus Benefits is important in risk response because

    resources always have constraints, and entities must consider the relative costs

    and benefits of alternative risk response options. Cost and benefit measurements

    for implementing risk responses are made with varying levels of precision.

    Generally, it is easier to deal with the cost side of the equation, which, in many

    cases, can be quantified fairly precisely. All direct costs associated with instituting

    a response, and indirect costs where practically measurable, usually are

    considered. Some entities also include opportunity costs associated with use of

    resources. It is notable, however, that quantifying the costs of a risk response

    can sometimes be very difficult.

    2.2.4.6. Control Activities

    Control activities are policies and procedures, which are the actions of

    people to implement the policies, directly or through application of technology, to

    help ensure that management's risk responses are carried out. Control activities

    can be categorized based on the nature of the entity's objectives to which they

    relate: strategic, operations, reporting, and compliance.

    Although some control activities relate solely to one category, there often

    is overlap. Depending on circumstances, a particular control activity could help

    satisfy entity objectives in more than one of the categories.

    While control activities generally are established to ensure risk responses

    are appropriately carried out, with respect to certain objectives, control activities

    themselves are the risk response. For instance, for an objective to ensure specified

    transactions are properly authorized, the response will likely be control activities

    such as segregation of duties and approvals by supervisory personnel.

    Control activities usually involve two elements: a policy establishing what

    should be done and procedures to effect the policy. Many times, policies are

    communicated orally. Unwritten policies can be effective where the policy is a

    long-standing and well-understood practice, and in smaller organizations where

    communications channels involve few management layers and close interaction

    with and supervision of personnel.

    2.2.4.7. Information and Communication

    Information

    Information is needed at all levels of an organization to identify, assess,

    and respond to risks, and to otherwise run the entity and achieve its objectives. An

    array of information is used, relevant to one or more objectives categories.

    Operating information from internal and external sources, both financial

    and non-financial, is relevant to multiple business objectives. Financial

    information, for instance, is used in developing financial statements for reporting

    purposes, and also for operating decisions, such as monitoring performance and

    allocating resources. Reliable financial information is fundamental to planning,

    budgeting, pricing, evaluating vendor performance, assessing joint ventures and

    alliances, and a range of other management activities.

    Similarly, operating information is essential for developing financial and

    other reports. This includes the routine purchases, sales, and other transactions

    as well as information on competitors' product releases or economic conditions,

    which can affect inventory and receivables valuations. And information needed

    for compliance purposes, such as information on airborne particle emissions or

    personnel data, also may serve financial reporting objectives.

    With increasing dependence on sophisticated information systems and

    data-driven automated decision systems and processes, data reliability is critical.

    Inaccurate data can result in unidentified risks or poor assessments and bad

    management decisions. The quality of information includes ascertaining whether:

    - Content is appropriate: Is it at the right level of detail?

    - Information is timely: Is it there when required?

    - Information is current: Is it the latest available?

    - Information is accurate: Is the data correct?

    - Information is accessible: Is it easy to obtain by those who need it?

    Communication

    Communication is inherent in information systems. As discussed above,

    information systems must provide information to appropriate personnel so that

    they can carry out their operating, reporting, and compliance responsibilities. But

    communication also must take place in a broader sense, dealing with expectations,

    responsibilities of individuals and groups, and other important matters.

    Management provides specific and directed communication that addresses

    behavioral expectations and the responsibilities of personnel. This includes a clear

    statement of the entity's risk management philosophy and approach and a clear

    delegation of authority. Communication about processes and procedures should

    align with, and underpin, the desired culture. Communication should effectively

    convey:

    - The importance and relevance of effective enterprise risk management

    - The entity's objectives

    - The entity's risk appetite and risk tolerances

    - A common risk language

    - The roles and responsibilities of personnel in effecting and supporting the components of enterprise risk management

    All personnel, particularly those with important operating or financial

    management responsibilities, need to receive a clear message from top

    management that enterprise risk management must be taken seriously. Both the

    clarity of the message and effectiveness with which it is communicated are

    important.

    There needs to be appropriate communication not only within the entity,

    but with the outside as well. With open external communications channels,

    customers and suppliers can provide highly significant input on the design or

    quality of products or services, enabling a company to address evolving customer

    demands or preferences. For example, customer or supplier complaints or

    inquiries about shipments, receipts, billings, or other activities often point to

    operating problems, and possibly to fraudulent or other improper practices.

    Management should be ready to recognize implications of such circumstances and

    investigate and take necessary corrective actions, focusing on the impact on

    financial reporting and compliance as well as operations objectives.

    Open communication about the entity's risk appetite and risk tolerances is

    important, particularly for entities linked with others in supply chains or e-

    business enterprises. In such instances, management considers how its risk

    appetite and risk tolerances align with those of its business partners, ensuring it

    does not inadvertently accept too much risk through its partners.

    2.2.4.8. Monitoring

    Monitoring, in ERM terms, is assessing the presence and functioning of its

    components over time. This is accomplished through ongoing monitoring

    activities, separate evaluations, or a combination of the two. Ongoing monitoring

    occurs in the normal course of management activities. The scope and frequency of

    separate evaluations will depend primarily on an assessment of risks and the

    effectiveness of ongoing monitoring procedures. Enterprise risk management

    deficiencies are reported upstream, with serious matters reported to top

    management and the board.

    The ongoing monitoring activities serve to monitor the effectiveness of

    enterprise risk management in the ordinary course of running the business. These

    stem from regular management activities, which might involve variance analysis,

    comparisons of information from disparate sources, and dealing with unexpected

    occurrences.

    Ongoing monitoring activities generally are performed by line operating or

    functional support managers, giving thoughtful consideration to implications of

    information they receive. By focusing on relationships, inconsistencies, or other

    relevant implications, they raise issues and follow up with other personnel as

    necessary to determine whether corrective or other action is called for. Ongoing

    monitoring activities are differentiated from activities performed as required by

    policy in business processes.

    Separate Evaluation

    While ongoing monitoring procedures usually provide important feedback

    on the effectiveness of other enterprise risk management components, it may be

    useful to take a fresh look from time to time, focusing directly on enterprise risk

    management effectiveness. This also provides an opportunity to consider the

    continued effectiveness of the ongoing monitoring procedures.

    Evaluations of enterprise risk management vary in scope and frequency,

    depending on the significance of risks and importance of the risk responses and

    related controls in managing the risks. Higher-priority risk areas and responses

    tend to be evaluated more often.

    Often, evaluations take the form of self-assessments, where persons

    responsible for a particular unit or function determine the effectiveness of

    enterprise risk management for their activities.

    Internal auditors normally perform evaluations as part of their regular

    duties, or at the specific request of senior management, the board, or subsidiary or

    divisional executives. Similarly, management may utilize input from external

    auditors in considering the effectiveness of enterprise risk management. A

    combination of efforts may be used in conducting whatever evaluative procedures

    management deems necessary.

    Evaluating enterprise risk management is a process in itself. While

    approaches or techniques vary, a discipline should be brought to the process, with

    certain basics inherent in it. The evaluator must understand each of the entity's

    activities and each of the components of enterprise risk management being

    addressed. It may be useful to focus first on how enterprise risk management

    purportedly functions, sometimes referred to as the system or process design.

    The evaluator must determine how the system actually works. Procedures

    designed to operate in a particular way may be modified over time to operate

    differently or may no longer be performed. Sometimes new procedures are

    established but are not known to those who described the process and are not

    included in available documentation. A determination as to actual functioning can

    be accomplished by holding discussions with personnel who perform or are

    affected by enterprise risk management, by examining records on performance, or

    a combination of procedures.

    The evaluator analyzes the enterprise risk management process design and

    the results of tests performed. The analysis is conducted against the backdrop of

    management's established standards for each component, with the ultimate goal of

    determining whether the process provides reasonable assurance with respect to the

    stated objectives.

    Methodology

    A variety of evaluation methodologies and tools are available, including

    checklists, questionnaires, and flowcharting techniques. As part of their evaluation

    methodology, some companies compare or benchmark their enterprise risk

    management process against those of other entities.

    Documentation

    The extent of documentation of an entity's enterprise risk management

    varies with the entity's size, complexity, and similar factors.

    What should be reported? Although a universal answer is not possible,

    certain parameters can be drawn. All identified enterprise risk management

    deficiencies that affect an entity's ability to develop and implement its strategy

    and to set and achieve its objectives should be reported to those positioned to take

    necessary action. The nature of matters to be communicated will vary depending

    on individuals' authority to deal with circumstances that arise and on the oversight

    activities of superiors. In considering what needs to be communicated, it is

    necessary to look at the implications of findings. It is essential not only that a

    particular transaction or event be reported, but also that related potentially faulty

    procedures be reevaluated.

    2.3. Islamic Perspective

    In Islam, Allah alone is the source of all true knowledge. He releases it to

    those who seek and toil to learn bit by bit so that pride may not overtake human

    beings. If the objective of economics is to find the truth i.e. economic truth, then

    such truth cannot be found with reason alone; that is without guidance being

    sought from God's Final Revelation, the Holy Quran and the Purified Sunnah.

    Thus, in methodology of economics we have to integrate and unify

    together the three broad sources of knowledge: Reality, Reason and Revelation.

    The first to come is the filter of Revelation, then the filter of Reason and lastly

    that of Reality. These three facets are interrelated and should invariably underpin

    any future discussion on methodological issues in economics, secular or Islamic.

    (Addas, 2008)

    2.3.1. Islamic Beliefs

    Qardhawi (1997) explained that Aqidah Islamiyyah (Islamic Belief) is

    built on the following foundations:

    1. Faith in God, the Most High, who created, fashioned with perfection, measured, then showed guidance.

    2. Humans are not only physical creatures, and also not only skeletons composed of bones, muscles, and blood vessels. Humans are also spiritual creatures in low physical forms. Humans deserve to be Allah's Khalifah honoured by Him, and also deserve to build the wealth on the earth with truth and justice.

    3. All humans are Allah's servants, not obliged to obey others than Him, and have the same place of gathering. There is no group or race or single person which is higher than the others.

    4. Allah doesn't leave humans in vain and confusion, but He sends messengers who show guidance to the right path. (Quran 4:105)

    5. The guidance brought by the messengers has been finalized with a guidance which is eternal and general, brought by the final and last messenger Muhammad (p.b.u.h.). Thus with that guidance, Allah finalized His rules, built the good characteristics of humans, and built the guidance to truth, justice and goodness. Life will not be good without it, and there is no happiness in believing in anything other than it.

    6. The aspiration of humans in this life is not limited to eating and having fun like animals, but is to worship Allah alone, doing good deeds for Allah's pleasure, to destroy evils, badness, and injustices.

    2.3.2. Islamic Jurisprudence (Fiqh) and Islamic Source (Dalil) of Knowledge

    Islamic Jurisprudence is defined as knowledge about Islamic law extracted

    from detailed Islamic sources (Hasbullah, 2003). The rules of fiqh are derived

    from the Qur'an and Sunnah in conformity with a body of principles and methods

    which are collectively known as usul al-fiqh or Principles of Islamic

    Jurisprudence. It expounds the indications and methods by which the rules of fiqh

    are deduced from their sources (dalil) (Kamali, 1996).

    Dalil, in Arabic etymology, means a guide to anything khissi (material) or

    manawi (spiritual), whether it is good or bad. In terminology, Dalil means

    anything that is positioned as a reason, according to correct jurisprudence, for a

    Sharia perspective on human deeds, whether in a certain way (qathiy) or an assumed

    way (zhanni) (Wahhab Khallaf, 1947).

    Regarding the Dalil, Kamali (1996) further explains as follows:

    There are a number of ayat in the Quran which identify the sources of Shariah and the order of priority between them. But one passage in which all the principal sources are indicated occurs in Sura al-Nisa' (4: 58-59) which is as follows: 'O you believers! Obey Allah and obey the Messenger and those of you who are in charge of affairs. If you have a dispute concerning any matter, refer it to God and to the Messenger,' 'Obey Allah' in this ayah refers to the Quran, and 'Obey the Messenger' refers to the Sunnah. Obedience to 'those who are in charge of affairs' is held to be a reference to ijma', and the last portion of the ayah which requires the referral of disputes to God and to the Messenger authorizes qiyas. For qiyas is essentially an extension of the injunctions of the Quran and Sunnah.

    According to Addas (2008), it becomes imperative to bring in a minimum

    of fiqh and ushul while discussing the methodological issues for Islamic

    economics. The central jurisprudence principles for building the foundations of

    value selection in Islamic economics are three,

    1. la darar wa la dirar (harm may neither be inflicted nor reciprocated)

    2. dar-ul-mafasid muqaddam ala talab al-masalih (preventing harm has better priority than obtaining goodness)

    3. yutahammal aldarar alkhas li-rafi aldarar al-aam (a specific harm is tolerated in order to prevent a more general one).

    2.3.2.1. Al Quran (the Koran)

    Utsaimin (2001) described the definition of Al Quran as:

    Kalamullah (Allah's Words) revealed to Prophet Muhammad shalallahu alaihi wassalam in the Arabic language and transmitted in multiline of transmission, starting from Al Fatihah to An Nas. Reading the Al Quran is recognized as a worship deed.

    The validity of Al Quran is proven by several arguments, such as the scope

    of its verses, which is very broad owing to its fundamental teachings about Aqidah

    (Belief), Sharia (Jurisprudence), Akhlaq (deeds in interaction with others), social

    science, scientific knowledge, and so on. Its content is also consistent with well-

    proven modern knowledge, and it reveals things that are unthinkable or

    undiscoverable by humans, such as things that happened in the past, things that will

    happen in the future, and ghayb (things that human senses cannot perceive)

    (Hasbullah, 2003).

    2.3.2.2. As Sunnah or Al Hadith

    As Sunnah, also often called Al Hadith, is the second jurisprudence

    source of Islam. Putting faith in As Sunnah is the manifestation and consequence

    of the faith in Allah's Messenger and the willingness to stick to his way. Wahhab

    Khallaf (2001) defines Hadith as:

    Everything that comes from Prophet Muhammad Shalallahu alayhi wassalam. It can be his sayings, his deeds or his taqrir (his agreement or permission related to one or more actions).

    2.3.2.3. Al Ijma and Al Qiyas

    Wahhab Khallaf (2001) defines al Ijma as:

    The consensus of Muslim scholars after the death of Prophet Muhammad Shalallahu 'alayhi wassalam about a particular Sharia matter.

    Wahhab Khallaf (2001) defined Al Qiyas as:

    To correspond an undecided derivative matter to the decided and congruent fundamental matter.

    2.3.3. Economic Concepts Based on Islamic Perspective

    Qardhawi (1997) states about the relationship between Islam and

    Economics as follows:

    Islam is a complete system for the entire life, including personal life, community life, and the life with all its aspects such as thought, soul and ethics and also economics, social and politics. Economics is the dynamic and crucial part of Islam, but not the principle and foundation for the construct of Islamic values, not the main point of its preaching, not the objective for its messages, not the characteristic of its civilization and also not the intention of its fellows. Economics, in Islamic perspective, is not the final objective. Rather, it is required for human being and acts as an instrument to continue living and working to achieve the higher objective. Thus, economics is supporting instrument for human being, and serving their belief and meaning.

    The role of humans on the earth in relation to economics is also pointed out in the

    Quran:

    "But seek, with that which Allah has bestowed on you, the home of the Hereafter, and forget not your portion of lawful enjoyment in this world; and be generous as Allah has been generous to you, and seek not

    mischief in the land. Verily, Allah likes not the mischief-makers." (Al Qashash 28: 77)

    Ibn Kathir explained the meanings of the verse as follows:

    Use this great wealth and immense blessing Allah has given you to worship your Lord and draw closer to Him by doing a variety of good deeds which will earn you reward in this world and the Hereafter.

    That which Allah has permitted of food, drink, clothing, dwelling places and women, your Lord has rights over you, your self has rights over you, your family has

