Bank Indonesia's IT Audit Guidelines for Payment Service Providers in the SME Category: An Integrated ISO 27001:2022 Annex A, and Cloud-Based Solution Architecture Design
DOI: 10.29303/jppipa.v11i10.12899
Published: 2025-10-25
Abstract
Small and Medium Enterprises (SMEs) in Indonesia face significant challenges in complying with Bank Indonesia's (BI) stringent Payment Service Provider (PJPP) licensing requirements, including cybersecurity mandates (BI 23/6/PBI/2021). This study addresses these challenges by designing a cost-effective, cloud-based solution architecture aligned with ISO 27001:2022 Annex A, simplifying compliance for resource-constrained SMEs. The framework helps SMEs prepare for IT audits with guidelines aligned with both Bank Indonesia requirements and the ISO 27001:2022 Annex A standard, and replaces complex enterprise architectures with lightweight, cloud-centric models that leverage Indonesian cloud providers while still meeting Bank Indonesia requirements. Validation through a pilot study with SMEs demonstrated lower compliance costs compared to traditional approaches, achieved through open source tools and hybrid cloud deployments. The combination of IT audit guidelines and solution architecture affected the outcome of the IT audit: the external auditor identified only a few findings, and PT XYZ passed the audit. The results and discussion therefore indicate that this framework has a significant impact on PSPs, particularly at the SME level. The novelty of this research lies in its practical implementation guidelines for SMEs and its design of cloud-based solution architectures that meet Bank Indonesia requirements.
Keywords:
Bank Indonesia Regulation, ISO/IEC 27001, 2022 annex A controls, Payment Service Providers (PSPs), Small-Medium Enterprises (SMEs), Solution architecture design
License
Copyright (c) 2025 Suarjan, Moh. A. Amin Soetomo, Heru Purnomo Ipung

This work is licensed under a Creative Commons Attribution 4.0 International License.