©2022 Grant Thornton Indonesia. All rights reserved.
Goutama Bachtiar
Director of IT Advisory

Audit of IT Implementation in Commercial Banks (Penyelenggaraan TI Bank Umum) under POJK No. 11/POJK.03/2022

Background

Rationale Behind
1. Continuous support for Digital Transformation and Digital Banking
2. Continuation of the Banking Digital Transformation blueprint
3. Mitigating risk from cyber attack (cyber risk)
4. Enhancing the monitoring activities for operational resiliency
5. Effective from October 7th, 2022

Various Sanctions
1. Warning Letter
2. Deduction on Corporate Governance in relation to the bank's health level
3. Prohibition of launching new products
4. Suspension of a particular line of business

Coverage

High-Level View
1. IT Architecture (as part of Enterprise Architecture)
2. IT Governance
3. IT Risk Management
4. Cyber Security and Resiliency
5. IT Vendor Management

High-Level View (cont’d)
6. Protection for Data Privacy
7. Data Management
8. Internal Control and Internal Audit
9. Digital Maturity Level
10. Business Continuity and Disaster Recovery

To Audit – Where to Start?

Lifecycle
1. Initiation
2. Planning
3. Execution
4. Monitoring and Controlling
5. Closing

Initiation
1. Determine Budget
2. Determine Scope/Universe
3. Determine Time

Planning
To develop the Audit Plan:
1. Identify approach, methodology, procedure/technique
2. Identify resources (human and tools, inclusive of CAAT and AMS)
3. Identify milestones, key activities, schedule
4. Review prior audit reports in related areas, if any
5. Comprehend professional standards, frameworks and guidelines

Planning (cont’d)
6. Identify and gather applicable policies and procedures
7. Prepare an audit program (inclusive of a Risk Control Matrix)
8. Notify the auditee of the upcoming audit

Execution, Monitoring, Controlling
1. Opening Meeting
2. Fieldwork
3. Report Drafting
4. Review by Team Lead and QC/QA
5. Management Response

Closing
1. Exit Meeting
2. Final Audit Report Distribution
3. Archiving
4. Retrospective

Things to Consider

If Risk-based Audit (Article 54 paragraph (4)), then:
1. Gather the Risk Register (from the Risk Management function)
2. Look for processes/assets with High and/or Medium risks
3. Identify the controls
4. Test the controls to ensure design and operating effectiveness

Be Mindful of
1. Ensuring these controls are in place (preventive, detective and corrective)
2. Assessing design effectiveness first, then operating/execution effectiveness
3. Effectiveness is ‘doing the right thing’: does the control achieve its objective?
4. Avoiding false positives and false negatives
5. Types of control deficiency (missing control, inappropriate design, control not implemented, control not operating as designed)

Be Mindful of (cont’d)
6. Unveil insightful and applicable recommendations for the finding
7. Get commitment from the auditee for the recommendation, action plan and timeline
8. Follow up the action plan
9. Reveal the impact of the finding to get buy-in

“Internal auditors have to provide insight and foresight, not just hindsight”
~ Richard Chambers, President and CEO, Global Institute of Internal Auditors (IIA), 2017

Coverage – In Details

IT Governance (Chapter II)
Part of Corporate Governance: “Leadership, organizational structures and processes to ensure the organization's IT sustains and extends the organization's strategies and objectives” ~ ISACA
1. IT Steering Committee
2. IT and Business Alignment: Business Goals and IT Goals
3. IT and Business Alignment: Business Plan (RBB) and IT Strategic Plan (RSTI)
4. IT: Strategic Plan vs Development Plan
5. IT Development: Plan vs Execution

IT Governance (cont’d)
6. IT: Benefit or Value vs Cost
7. IT Human Resources Management
8. IT Problem Management
9. IT Performance Management
Notable Standards and Frameworks: COBIT and ISO 38500

IT Architecture (Chapter III)
▪ To ensure the link between strategy and execution
▪ In the wider context of Enterprise Architecture, it starts with Business, Information System (Data and Application) and Technology Architecture
1. Planning
2. Design
3. Implementation
4. Control
Notable Standards and Frameworks: ITABoK, TOGAF, SABSA, Zachman

IT Risk Management (Chapter IV)
1. Risk Identification
2. Risk Assessment
3. Monitoring Risk
4. Controlling Risk
Notable Standards and Frameworks: RiskIT, NIST RMF, ISO 27001, ISO 31000

Information Security (Chapter IV)
1. Entails People, Process, Technology and Environment
2. Based on Information Security Risk
3. Classification of Information is important (Sensitive, Confidential, Private, Public)
4. Covers the Communication Network (Confidentiality, Integrity and Availability)
Notable Standards and Frameworks: COBIT, NIST CSF, OWASP, AICPA SOC 2, ISO 27001

Business Continuity and Disaster Recovery (Chapter IV)
1. Mandatory to have a BCP and DRP
2. Annual test for critical systems involving end-users
3. The test is based on Business Impact Analysis
4. Annual review of the BCP and DRP
Notable Standards and Frameworks: BCI GPG, ISO 22301

Cyber Security and Resiliency (Chapter V)
1. Cyber Security Maturity Level
  ▪ Self-Assessment
  ▪ Annually as of December
  ▪ Ad-hoc update
  ▪ Report to OJK

Cyber Security and Resiliency (cont’d)
2. Test for Cyber Security
  ▪ Vulnerability Assessment
    ▪ Regularly performed
    ▪ Report to OJK
  ▪ Scenario-based test
    ▪ Annually performed
    ▪ Report to OJK (10 days after the test)
    ▪ Executive Summary, Test Result, Remediation Plan and/or its Action

Cyber Security and Resiliency (cont’d)
3. Specific Function/Unit
  ▪ Intended for Cyber Security and Resilience
  ▪ Separated from IT Operations
Notable Standards and Frameworks: COBIT, NIST CSF, OWASP, AICPA SOC 2, ISO 27000

Vendor Management (Chapter VI)
To mitigate third-party risk:
1. Risk Management for IT Service Providers
2. Proven and Adequate DRP
3. Data and Information Security

Data Privacy (Chapter VIII)
1. Definition of Personal Data
2. Rights and Obligations for data exchange activities
3. Agreement and channel for data exchange activities
4. Protection of Personal Data
Notable Standards and Frameworks: NIST Privacy Framework and ISO 27701

Digital Maturity (Chapter XII)
To ensure the fulfilment of all IT aspects and the readiness to support digital transformation:
1. Self-Assessment
2. Covers all IT aspects
3. Annually
4. Report to OJK

Question and Answer