Ethic Ninja · Cybersecurity Services

OJK Compliance Audit

Verify compliance with Financial Services Authority (OJK) IT and cybersecurity regulations for your entity type.

Regulations Covered

  • Banks: POJK 11/POJK.03/2022 — IT governance, architecture, risk management, cyber resilience, data management, internal audit
  • BPR: POJK 34/2025 and PADK 43/2025 — IT governance, security, PPJTI cooperation, DRP
  • Fintech innovation: POJK 3/POJK.03/2024 — risk management, consumer protection, data security
  • Non-bank LJK: POJK 4/POJK.05/2021, POJK 46/2024 (including ISMS certification timelines)
  • P2P lending: POJK 40/2024
  • Consumer protection: POJK 22/POJK.03/2023 — privacy and fair treatment

Audit Scope (9 Areas)

  1. IT governance and board oversight
  2. Formal IT risk management
  3. Electronic system security (CIA, 2FA, non-repudiation, availability)
  4. Cyber resilience — asset identification, protection, detection, response, recovery
  5. Data management and PDP Law alignment
  6. Third-party IT providers (PPJTI) contracts and oversight
  7. BCP and DRP including periodic testing
  8. Audit trail and internal controls
  9. Domestic placement of electronic systems and disaster recovery sites

Deliverables

Audit report with evidence, per-article gap analysis, remediation recommendations, corrective action plan, and digital maturity assessment where required by POJK 11/2022.

Get in Touch

Email info@ethic.ninja · WhatsApp +62 821-3000-1337