ITGC · UU PDP · SOX · CISA · CDPSE · ERP · ICFR

Internal Audit & ITGC / Cybersecurity

IT General Controls reviews, internal audit co-sourcing, and UU PDP data-protection compliance for Indonesian entities and international group requirements.

Direct Answer

ITGC (IT General Controls) audits verify access management, change control, operations, and data backup across ERP/financial systems. For PT PMAs, ITGC supports both group SOX requirements and Indonesian UU PDP data-protection compliance.

Who this is for

  • PT PMAs with group-level SOX, ICFR, or Internal Audit reporting requirements
  • Companies implementing or migrating ERP systems in Indonesia
  • Entities subject to OJK or BAPEPAM internal audit requirements
  • Companies processing personal data of Indonesian residents under UU PDP
  • Boards needing independent assurance over internal controls and IT risk
  • CFOs building internal audit capability for the first time in Indonesia

Problems we solve

  • Group auditors require ITGC review evidence for Indonesian entities that does not exist
  • ERP implementation has proceeded without controls documentation
  • UU PDP compliance posture has not been assessed or documented
  • Privileged access to financial systems is not reviewed or logged
  • Change management for ERP or financial systems lacks audit trail
  • No internal audit function exists and no budget to build one

Our approach

  1. Scope and risk assessment

    We define ITGC scope against your ERP landscape, financial reporting systems, and applicable frameworks (SOX, OJK, or UU PDP). We prioritize by risk and group audit requirements.

  2. Control domain walkthrough

    We conduct walkthroughs across four ITGC domains: logical access (user provisioning, privileged access, segregation of duties), change management, operations (job scheduling, backup/recovery), and third-party/vendor controls.

  3. Control testing

    We perform tests of design (TOD) and tests of operating effectiveness (TOE) for each in-scope control, using evidence sampling aligned to ISA/PCAOB standards.

  4. UU PDP gap assessment

    We map your personal data processing activities against UU No.27/2022 requirements — consent, purpose limitation, data subject rights, breach notification — and identify material gaps.

  5. Reporting and remediation

    We deliver a formal ITGC audit report with control deficiency ratings, root cause analysis, and a prioritized remediation roadmap. We present to management and, where required, to the audit committee.

Deliverables

  • ITGC scope and risk assessment memo
  • Control walkthroughs and narratives (all four domains)
  • Test of design (TOD) workpapers
  • Test of operating effectiveness (TOE) workpapers
  • Control deficiency register with severity ratings
  • ITGC audit report for group/board presentation
  • UU PDP gap assessment and data inventory
  • Remediation roadmap with prioritized action items
  • Management response and follow-up tracking template

Regulatory framework

  • UU No.27/2022 (UU PDP)
  • OJK Regulation POJK No.11/2022
  • COBIT 2019
  • ISACA ITAF 3rd Edition
  • SOX Section 302/404
  • ISA 315 (Revised)
  • NIST Cybersecurity Framework
  • ISO 27001:2022

Get started

Ready to talk Indonesia compliance?

Partner-led response within one business day. NDA available on request.