COSO

In 2013, the Committee of Sponsoring Organizations of the Tread-way Commission (COSO)

issued a comprehensive update to its original 1992 Internal Control - Integrated Framework. This COSO
framework is the de facto framework used by more than 99 percent of the organizations required to comply
with Section 404 - Internal Controls over Financial Reporting (ICFR) requirement of the Sarbanes-Oxley
Public Company Accounting Reform and Investor Protection Act (SOX).

COSO broadly defines enterprise risk management (ERM) as “The culture, capabilities and
practices integrated with strategy-setting and its execution, that organizations rely on to manage risk in
creating, preserving and realizing value. The original 2004 framework encompasses, but does not replace,
the Internal Control - Integrated Framework published by COSO in 1992. The 2004 framework was also
updated in 2013 to address the struggles companies were facing in implementation, mainly due to the
distraction of complying with the Sarbanes-Oxley Act (SOX).

Like its internal control counterpart, the ERM framework is presented in the form of a three-
dimensional matrix. The matrix includes four categories of objectives across the top—strategic, operations,
reporting and compliance. There are eight components of enterprise risk management, which are further
explained below.

Finally, the entity, its divisions and business units are depicted as the third dimension of the
matrix for applying the framework. According to COSO, the new framework:

• Provides greater insights into strategy and the role of ERM in setting and executing strategy;

• Enhances alignment between organizational performance and ERM;

• Accommodates expectations for governance and oversight;
• Recognizes the continued globalization of markets and operations and the need to apply a
common, albeit tailored, approach across geographies;
• Presents fresh ways to view risk in the context of greater business complexity;
• Expands risk reporting to address expectations for greater stakeholder transparency; and
• Accommodates evolving technologies and the growth of data analytics in supporting decision-
making.

As outlined by COSO, the framework provides five components for use when evaluating ERM:

1. Control Environment
 Environment is the set of standards, processes, and structures that provide the basis for carrying
out internal control across the organization. The board of directors and senior management establish the
tone at the top regarding the importance of internal control and expected standards of conduct.

2. Risk Assessment

Risk assessment involves a dynamic and iterative process for identifying and analyzing risks
to achieving the entity’s objectives, forming a basis for determining how risks should be managed.
Management considers possible changes in the external environment and within its own business model
that may impede its ability to achieve its objectives.

3. Control Activities

Control activities are the actions established by the police and procedures to help ensure that
management directives to mitigate risks to the achievement of objectives are carried out.Control Activities
are performed at all levels of the entity, at various stages within business processes, and over the technology
environment.They may be preventive or detective in nature and may encompass a range of manual and
automated activities such as authorizations and approvals, verifications, reconciliations, and business
performance reviews. Segregation of duty is typically built into the selection and development of
control activities. Where segregation of duties is not practical, management selects and develops alternative
control activities.

4. Information and Communication

Relevant information is identified, captured and communicated in a form and timeframe that
enable people to carry out their responsibilities. Effective communication also occurs in a broader sense,
flowing down, across and up the entity.Information systems play a key role in internal control systems as
they produce reports, including operational, financial and compliance-related information, that make it
possible to run and control the business. In a broader sense, effective communication must ensure
information flows down, across and up the organization. For example, formalized procedures exist for
people to report suspected fraud. Effective communication should also be ensured with external parties,
such as customers, suppliers, regulators and shareholders about related policy positions.

5. Monitoring Activities

The entire ERM process is monitored, and modifications made as necessary. Monitoring is
accomplished through ongoing management activities, separate evaluations or both. Internal control
systems need to be monitored—a process that assesses the quality of the system's performance over time.
This is accomplished through ongoing monitoring activities or separate evaluations. Internal control
deficiencies detected through these monitoring activities should be reported upstream and corrective actions
should be taken to ensure continuous improvement of the system.

Identify Problem

Control environment
Ministry of Religious Affairs performs a series of standards and processes in the implementation of
internal control in the ranks of religious government through financial analysis with economists especially
accounting. Inside the organization, the fraudster itself is the minister of religious affairs which is the top
director of this organization who take control towards the process inside the organization including the
money flow or financing

Risk Assessment
Because the hajj pilgrimage is too big then it will be possible corruption that comes from within the
ministry of religion and outside like a fake travel.

Control Activities
From those articles, we know that the information about the fraud makes the jamaah knows where their
money’s gone also the reasons why they got difference place to stay when they were in mecca. The
committees of “Menteri Agama” must be transparent where is the money of Jemaah has been used. So,
that will avoid the fraud. For importance of Hajj, not for the utilities of “Menteri Agama”.

Information and Communication

From those article we know that the one who has more responsibilities is suryadharma ali, because he is
the one who has the highest position on “Menteri Agama”. However, as the person that had a highest
position supposed to make his position meaningful, which is not doing fraud for his personal advantages.

Monitoring Activities
In the ministry of religion there is already a body that oversees internal finances such as PPATK and
external such as KPK. However, it can be deceived because if the corruption is the leader of the ministry
itself.

NO COSO Analysis COSO Present activities Recommendation

. Evaluation objective
1 Control Commitment to Kementrian agama harus
Environment integrity and ethics menyusun dan membuat
nilai etika perusahaan.

2 Internal control Ministry of Religious

oversight by the board Affairs performs a
of directors, series of standards and
independent of processes in the
management implementation of
internal control in the
ranks of religious
government through
financial analysis with
economists especially
accounting

3 Structures, reporting Inside the organization, The management of Hajj

lines, and appropriate the fraudster itself is the should be separated from
responsibilities in minister of religious Ministry of Religious and
pursuit of objectives affairs which is the top Affairs, to strict and make
established by director of this controlling Hajj
management and organization who take management become
overseen by the board control towards the easier.
process inside the
organization including
the money flow or
financing

4 A commitment to Auditor internal

attract, develop, and mengevaluasi orang yang
retain competent memiliki jabatan atau
individuals in posisi di kementrian
alignment with agama sehingga dapat
objectives menilai apakah posisi
tersebut diduduki oleh
orang yang tepat.

5 Holding individuals the fraud makes the The committees of

accountable for their jamaah knows where Ministry of Religious
internal control their money’s gone also Affairs must be
responsibilities in the reasons why they transparent where is the
pursuit of objectives got difference place to money of Jemaah has
stay when they were in been used. So, that will
mecca. avoid the fraud. For
importance of Hajj, not
for the utilities of Ministry
of Religious Affairs
6 Risk Assessment Specifying objectives Mengadakan evaluasi
clearly enough for kinerja perusahaan dalam
risks to be identified satu periode untuk
and assessed menghindari resiko yang
sama di kemudian hari
seperti resiko penipuan
penggunaan hotel

7 Identifying and Membuat kebijikan sesuai

analyzing risks to dengan laporan kinerja
determine how they kementrian pengelola haji
should be managed seperti baiknya layann
yang diterima oleh jamaah
haji

8 Considering the Because the hajj Perlunya perkembangan

potential of fraud pilgrimage is too big teknologi dalam bidang
then it will be possible auditing untuk mengetahui
corruption that comes potensi terjadinya
from within the penipuan seperti tidak
ministry of religion and sesuainya jumlah jamaah
outside like a fake haji
travel

9 Identifying and Membuat laporan keungan

assessing changes that apakah sesuai dengan
could significantly anggaran dan pelayanan
impact the system of jamaah haji sesuai
internal control

Selecting and The leader of Ministry The management of Hajj

developing stages Religious and Affairs should be separated from
10 Activities control that help directly doing fraud and Ministry of Religious and
Control mitigate risk to the an corruption during his Affairs, to strict and make
acceptable level job as minister of controlling Hajj
religious and affairs. management become
easier.
 Government should make
Management of Hajj by new business unit (like
Selecting and Ministry of religious BUMN) to make the
developing general and affairs in Indonesia management of hajj more
control activities over still not use good efficient and increasing of
11 technology system, not transparent, quality of management of
and full of uncertainty. hajj. Those business unit
also should make a good
system, easy to track, to
decrease the uncertainty
and got trust of the
customer back.

Developing control The job distribution in MoRa or the one that

activities as specified managing hajj each managing hajj should
in policies a relevant division is not optimal reshape or remake the
12 procedures even though each division with the
division already got professional and integrity
specified job one to increase the service
quality of hajj
management

The coordination inside

Obtaining or organization still not Make a good coordination
Information and generating relevant, good for example in between divisions in
13 communication high-quality deciding Hotel in Saudi MoRA that managing Hajj
information to support Arabia for jamaah hajj, in Indonesia and in Saudi
internal control MoRA often to used Arabia to increasing the
bad hotel and far from quality service of hajj.
masjidil haram.

Internally Adanya keakuratan data

communication informasi seperti
information, including sesuainya cocoknya
14 objective and jumlah hotel yang dipakai,
responsibilities, informasi yang selalu
necessary to support update dan akses
other component of informasi yang mudah
internal control bagi pihak auditor
kementrian pengelola haji

There’s no good Make a divisions filled by

Communication coordination in professional and
relevant internal managing jamaah hajj competent person to
15 control matter to needs during the hajj organize all of jamaah hajj
external parties rituals between MoRA during hajj rituals in Saudi
and the thirds parties Arabia, and to make good
coordination between
thirds parties to provides
all of that things.
 Selecting, developing, There is no Department Government should have
and performing that directly monitoring independent department to
ongoing or separate Ministry of religious watching MoRA in
16 Monitoring evaluation of the and affairs in managing managing hajj, or asked
components of Hajj. ministry of finance to
internal control monitoring the financing
of hajj.

Evaluation and Pengawasan dan evaluasi

communication atas kinerja seperti
deficiencies to those pelayanan yang diterima
responsible for oleh calon jemaah haji
corrective action, yang dilakukan secara
17 including senior periodik
management and
board of director,
where appropriate.