COSO broadly defines enterprise risk management (ERM) as “The culture, capabilities and
practices integrated with strategy-setting and its execution, that organizations rely on to manage risk in
creating, preserving and realizing value.” The original 2004 framework encompasses, but does not replace,
the Internal Control - Integrated Framework published by COSO in 1992. The 2004 framework was also
updated in 2013 to address the struggles companies were facing in implementation, mainly due to the
distraction of complying with the Sarbanes-Oxley Act (SOX).
Like its internal control counterpart, the ERM framework is presented in the form of a three-
dimensional matrix. The matrix includes four categories of objectives across the top—strategic, operations,
reporting and compliance. There are eight components of enterprise risk management, which are further
explained below.
Finally, the entity, its divisions and business units are depicted as the third dimension of the
matrix for applying the framework. According to COSO, the new framework:
• Provides greater insights into strategy and the role of ERM in setting and executing strategy;
As outlined by COSO, the framework provides five components for use when evaluating ERM:
1. Control Environment
The control environment is the set of standards, processes, and structures that provide the basis for carrying
out internal control across the organization. The board of directors and senior management establish the
tone at the top regarding the importance of internal control and expected standards of conduct.
2. Risk Assessment
Risk assessment involves a dynamic and iterative process for identifying and analyzing risks
to achieving the entity’s objectives, forming a basis for determining how risks should be managed.
Management considers possible changes in the external environment and within its own business model
that may impede its ability to achieve its objectives.
3. Control Activities
Control activities are the actions established by the policies and procedures to help ensure that
management directives to mitigate risks to the achievement of objectives are carried out. Control activities
are performed at all levels of the entity, at various stages within business processes, and over the technology
environment. They may be preventive or detective in nature and may encompass a range of manual and
automated activities such as authorizations and approvals, verifications, reconciliations, and business
performance reviews. Segregation of duties is typically built into the selection and development of
control activities. Where segregation of duties is not practical, management selects and develops alternative
control activities.
4. Information and Communication
Relevant information is identified, captured and communicated in a form and timeframe that
enable people to carry out their responsibilities. Effective communication also occurs in a broader sense,
flowing down, across and up the entity. Information systems play a key role in internal control systems as
they produce reports, including operational, financial and compliance-related information, that make it
possible to run and control the business. In a broader sense, effective communication must ensure
information flows down, across and up the organization. For example, formalized procedures exist for
people to report suspected fraud. Effective communication should also be ensured with external parties,
such as customers, suppliers, regulators and shareholders about related policy positions.
5. Monitoring Activities
The entire ERM process is monitored, and modifications made as necessary. Monitoring is
accomplished through ongoing management activities, separate evaluations or both. Internal control
systems need to be monitored—a process that assesses the quality of the system's performance over time.
This is accomplished through ongoing monitoring activities or separate evaluations. Internal control
deficiencies detected through these monitoring activities should be reported upstream and corrective actions
should be taken to ensure continuous improvement of the system.
Identify Problem
Control environment
The Ministry of Religious Affairs applies a set of standards and processes to implement internal control
across its ranks, relying on financial analysis by economists, especially accountants. Within the
organization, the fraudster is the Minister of Religious Affairs, the organization's top director, who
controls its processes, including the flow of money and financing.
Risk Assessment
Because the hajj pilgrimage is so large, corruption is possible both from within the Ministry of Religion
and from outside it, such as fake travel agencies.
Control Activities
From those articles, we know that the information about the fraud lets the jamaah know where their
money went and why they were given different places to stay while they were in Mecca. The
committees of the “Menteri Agama” must be transparent about how the jamaah's money has been used,
which will help avoid fraud. The money is for the Hajj, not for the benefit of the “Menteri Agama”.
Monitoring Activities
The Ministry of Religion already has bodies that oversee its finances, internally such as PPATK and
externally such as KPK. However, this oversight can be deceived when the corrupt party is the leader of
the ministry itself.