ABSTRACT
This document discusses compliance oversight on IT audits in Indonesia, particularly in banking and non-bank financial institutions. Regulations from OJK and BI mandate periodic IT audits to ensure information system security. Supervision is conducted through periodic and ad hoc inspections, with administrative sanctions for non-compliance. The regulations cover IT risk management, internal audits, and auditor independence requirements. Implementing these compliance measures aims to enhance cyber resilience and the reliability of information systems in the financial sector.
Companies whose businesses are directly related to banking products and financial institutions in Indonesia are under the supervision of the Financial Services Authority (OJK) as the regulator. The use of technology and information systems in the business processes of these companies also garners attention from regulators, as reflected in the regulations they issue.
Several regulations mandate Information Technology Audits (IT Audits) of the technology used in these companies' information systems. The audits are conducted independently by the company's management, and regulators monitor compliance with the audit requirements. Generally, regulators such as OJK or Bank Indonesia (BI) do not follow a fixed or periodic schedule for monitoring companies' implementation of IT Audits.
Routine inspections usually depend on the regulator's internal policies and can be triggered by factors such as reports of violations, significant changes in the company, or security incidents. Regulators can, however, conduct ad hoc inspections or compliance tests as needed, or when there are indications of significant risk.
The following are some regulations related to monitoring compliance with IT Audits:

- Bank Indonesia Regulation No. 23/6/PBI/2021 “Payment Service Providers”
  - Subject: Payment Service Providers (PJP), including banks or non-bank institutions providing payment transaction facilitation services.
  - Information System Security and Reliability (Article 44): Mandates PJPs to adhere to general principles in conducting payment systems with information system security standards.
  - Periodic IT Audits (Article 71): Requires PJPs to have IT audits performed by independent IT auditors at least once a year.
  - Supervision by Bank Indonesia (Article 231): Grants Bank Indonesia authority to conduct periodic or ad hoc inspections to ensure compliance, including in information system aspects.

- Financial Services Authority Regulation No. 4/POJK.03/2022 “Implementation of Risk Management in the Use of Information Technology by Non-Bank Financial Institutions (LJKNB)”
  - Subject: Non-Bank Financial Institutions (LJKNB) operating in sectors such as insurance, pension funds, financing institutions, and other financial services.
  - Information System Security and Reliability (Article 3): Requires LJKNBs to implement effective risk management, including adequate processes for identifying, measuring, controlling, and monitoring risks in the use of IT, as well as internal controls.
  - Periodic IT Audits (Articles 19 and 20): Require LJKNBs to conduct periodic internal audits on all aspects of IT implementation and usage, and to periodically review the internal audit function concerning IT usage.
  - Supervision by OJK (Article 34): Allows OJK to impose administrative sanctions on LJKNBs for violations of the provisions in this regulation.

- Financial Services Authority Regulation No. 11/POJK.03/2022 “Implementation of Information Technology by Commercial Banks”
  - Subject: All commercial banks, including branches of foreign banks, as well as Sharia Commercial Banks and Sharia Business Units.
  - Information System Security and Reliability (Article 21): Requires banks to maintain cyber resilience supported by adequate cyber resilience information systems.
  - Periodic IT Audits (Articles 54 and 55): Mandate banks to perform internal audits of IT implementation based on needs, priorities, and risk analysis at least once a year, and to have the internal audit function for IT implementation reviewed by independent external parties at least once every three years.
  - Supervision by OJK (Articles 9, 14, 20, 27, 33, 42, 46, 51, 56, 62-64, and 66): Authorize OJK to impose administrative sanctions on banks for violations of the provisions in this regulation.