A company in Indonesia can be fully operational, paying its taxes on time, renewing permits on schedule, and still be carrying significant compliance risk without knowing it. The problem is rarely intentional. It is structural. Different teams handle different obligations, each convinced their piece is in order, while nobody is looking at how all the pieces connect.
A Compliance Risk Assessment is the process that changes that. For foreign-owned companies and joint ventures operating in Indonesia, it is one of the most practical tools available for identifying where exposure exists before regulators, auditors, or system flags find it first.
This article explains what a compliance risk assessment actually involves in the Indonesian context, why it is not the same as an annual audit, what triggers should prompt one, and what a well-structured engagement looks like.
What a Compliance Risk Assessment Is and Is Not
A compliance risk assessment is a structured evaluation of how well a company’s actual operations, documentation, and reporting align with the legal and regulatory obligations that apply to it. The output is not a pass or fail verdict. It is a risk-ranked map of where the gaps are, how significant each gap is, and what needs to be addressed first.
This is meaningfully different from a financial audit. A financial audit (Audit Laporan Keuangan) is a retrospective examination of financial statements conducted by a registered public accountant (Akuntan Publik Terdaftar). Its scope is defined by accounting standards and its purpose is to produce an opinion on the accuracy of financial records.
A compliance risk assessment is broader, more operational, and does not necessarily produce a formal opinion in the auditing sense. It looks across tax filings, employment records, immigration documentation, licensing status, corporate governance obligations, and data consistency across government systems. The question it answers is not “are your books accurate?” but “where does your company have exposure to regulatory action, penalty, or operational disruption?”
Indonesia’s regulatory environment makes this distinction particularly relevant. The Directorate General of Taxes (Direktorat Jenderal Pajak or DJP) now cross-references company data across payroll, withholding tax certificates, Value Added Tax (Pajak Pertambahan Nilai or PPN) invoices, and banking records in real time through the Coretax system. The Ministry of Manpower (Kementerian Ketenagakerjaan) monitors employment obligations. The Online Single Submission Risk Based Approach (OSS RBA) governs business licensing. Each of these systems operates on its own timeline and standards, but the data they hold increasingly talks to each other. A gap in one can create a cascade of flags in others.
The Four Risk Categories a Compliance Assessment Covers
A well-structured compliance risk assessment for a company operating in Indonesia will typically examine four distinct but interconnected categories.
Tax and financial compliance risk
This covers the accuracy and consistency of monthly and annual tax filings, withholding obligations, Value Added Tax reporting, transfer pricing documentation for companies with related-party transactions, and the alignment between declared revenue and data held by DJP. As described in our article on tax compliance services for PT PMA in Indonesia, the Coretax environment has made inconsistencies visible in real time, which fundamentally changes the risk profile of filing gaps that might previously have been resolved quietly at year-end.
Corporate and licensing compliance risk
This covers the validity and scope of the company’s Business Identification Number (Nomor Induk Berusaha or NIB), the accuracy of its Indonesian Standard Industrial Classification (Klasifikasi Baku Lapangan Usaha Indonesia or KBLI) codes relative to actual business activities, Investment Activity Report (Laporan Kegiatan Penanaman Modal or LKPM) quarterly filing status, and compliance with the annual financial statement submission obligations under Minister of Law Regulation (Peraturan Menteri Hukum or Permenkum) No. 49 of 2025 through the Legal Entity Administration System (Sistem Administrasi Badan Hukum or SABH).
On the KBLI front, the Joint Circular Letter (Surat Edaran Bersama) issued on 25 March 2026 by BKPM, the Ministry of Law, and BPS clarifies that where a KBLI mismatch involves only a numerical code change without affecting the nature or scope of business activities, the OSS system will update the data automatically without requiring an amendment to the company’s Articles of Association. Where the mismatch is substantive, however, meaning the actual business activities have diverged from what is registered, all corporate data amendments in the OSS and SABH will be blocked until the discrepancy is resolved. The distinction matters because the remediation path and urgency differ significantly between the two.
Employment and immigration compliance risk
This covers the accuracy of Social Security Agency (Badan Penyelenggara Jaminan Sosial or BPJS) registration and contribution records, Employment Report (Wajib Lapor Ketenagakerjaan Perusahaan or WLKP) filing status, and for companies with foreign staff, the validity and appropriate sponsorship of each Temporary Stay Permit (Kartu Izin Tinggal Terbatas or KITAS). As immigration enforcement has tightened since 2024 under Indonesia’s Smart Immigration Governance system, companies with foreign directors or expatriate employees face a more compressed window between a permit gap and a compliance violation than they did previously. The article on why dependent KITAS applications get rejected illustrates how quickly a documentation gap can create an operational disruption for the entire household.
Governance and internal control risk
This covers whether the company’s internal processes, authorization structures, and documentation practices are sufficient to support the compliance obligations listed above. A company that relies on one person to manage all tax reporting, payroll, and immigration coordination has a single-point-of-failure risk regardless of whether that person is currently performing well. Governance risk is often invisible until something goes wrong, at which point it becomes the explanation for how multiple failures happened at the same time.
Why Indonesian Regulatory Data Integration Makes This More Urgent
Many companies that have operated in Indonesia for several years without incident assume their compliance posture is sound. In most cases, this assumption has not been tested. It reflects the fact that nothing has gone wrong, not that nothing is wrong.
The shift that changes this calculation is data integration. Prior to the Coretax implementation in January 2025, Indonesia’s tax and compliance system was fragmented enough that a gap in one area rarely surfaced automatically in another. Companies could reconcile discrepancies retrospectively, often without formal consequence, because the government’s visibility into cross-system inconsistencies was limited.
The current architecture is different. The DJP now holds real-time data from employer payroll records, withholding tax certificates issued to employees and vendors, VAT invoice data from both buyer and seller, banking transaction records from Indonesian financial institutions, and BPJS contribution data from the social security agencies. When a company files its annual corporate income tax return (SPT Tahunan PPh Badan), the system immediately compares that declaration against twelve months of accumulated data from these sources. Any material inconsistency is visible the moment the submission is made.
The OSS RBA system has introduced a parallel dynamic on the licensing side. Business licenses issued under this framework are tied to risk classifications that determine the intensity of regulatory oversight. A company classified in the medium-high or high-risk category is subject to more frequent monitoring than one in the low-risk category. Crucially, the KBLI code assigned at incorporation determines that risk classification. A company that incorporated using an incorrect or outdated KBLI code may be operating under a different risk regime than it realizes, with compliance obligations it has not been accounting for.
When a Compliance Risk Assessment Is Warranted
There is no single universal trigger. Different companies will face different circumstances that make a formal assessment appropriate. The following situations consistently indicate that a structured review is overdue.
Before the first full year of operations is complete
The first twelve months after incorporation are the period in which compliance infrastructure is established and compliance habits are formed. Companies that get this period right tend to carry manageable risk. Companies that spend the first year catching up with obligations they did not anticipate tend to carry forward gaps that compound over time. A compliance risk assessment conducted at the six-to-nine-month mark identifies structural issues while there is still time to address them cleanly.
When the company is expanding its activities or headcount significantly
A company that doubles its workforce, adds new business activities, or begins operating in new regions in Indonesia takes on proportionally larger compliance obligations across employment, licensing, and tax. The compliance infrastructure adequate for a ten-person operation may not be adequate for a fifty-person operation. This is also the point at which KBLI codes most commonly need to be updated, and a mismatch between actual activities and registered codes creates licensing exposure for every new obligation that is being added.
Before a significant corporate transaction
Any acquisition, joint venture formation, capital restructuring, or change of ownership that involves a company operating in Indonesia should be preceded by a compliance risk assessment. The purpose is to establish the target company’s actual compliance position so that risks are priced into the transaction and remediation obligations are allocated appropriately. This is also the baseline against which post-transaction compliance can be measured. Our guide on due diligence services in Indonesia explains how this intersects with broader transaction risk management.
When a regulatory change has materially altered the compliance landscape
The introduction of Coretax in January 2025, the KBLI 2025 transition deadline of June 2026, the Permenkum 49/2025 SABH submission requirements, and the tightened immigration enforcement framework of 2024 to 2025 each represent material changes to the compliance obligations of companies operating in Indonesia. Each of these changes created a cohort of companies that were compliant under the previous rules and became non-compliant without having changed anything themselves. A compliance risk assessment after a regulatory shift of this magnitude identifies the specific adjustments required.
When there has been a personnel change in a compliance-critical role
When the person who has been managing tax filings, payroll, or immigration coordination leaves, the institutional knowledge about what has and has not been done leaves with them. The incoming person inherits an undocumented compliance position. A structured assessment at this point establishes the baseline and prevents the new role-holder from inheriting undisclosed gaps.
When the company has never conducted one
For foreign-owned companies that have been operating in Indonesia for several years without a formal compliance review, the case for conducting one is straightforward. The regulatory environment has changed substantially since 2024. Assumptions that held under the previous system may not hold under the current one. The cost of discovering this during a regulatory examination or system flag is significantly higher than the cost of discovering it proactively.
What the Assessment Process Involves
A compliance risk assessment is typically structured in three phases.
The first phase is document and data collection. This involves gathering current tax filings, payroll records, BPJS registration documentation, KITAS and work permit records for foreign staff, LKPM filings, KBLI registrations, corporate governance documentation, and any correspondence with regulatory agencies. The purpose is to establish a factual baseline, not to make judgments at this stage.
The second phase is gap analysis. Each category of obligation is mapped against the documentation collected in the first phase. Discrepancies are identified and classified by risk level: how likely is this gap to trigger regulatory action, and what is the potential consequence? A gap in a secondary KBLI code is a different level of risk from a gap in tax withholding certificates. Both need to be addressed, but not with equal urgency.
The third phase is remediation planning. The output of the assessment is a prioritized list of actions, the timeline within which each should be addressed, and the responsible party for each item. For some gaps, remediation is a simple administrative correction. For others, it requires a formal interaction with a regulatory agency, an amendment to corporate documents, or a restructuring of internal processes.
The total timeline for a standard compliance risk assessment for a mid-sized foreign-owned company in Indonesia is typically four to six weeks from data collection to final report.
How XPND Approaches Compliance Risk Assessment
XPND conducts compliance risk assessments as part of its Strategic Advisory services, with a team that covers tax compliance, corporate governance, immigration, and licensing obligations. The assessment framework is structured around the four risk categories described above, with findings mapped to the specific regulatory frameworks that apply to each client’s entity type, industry classification, and operational profile.
For newly incorporated companies, XPND offers a compliance onboarding assessment that establishes the risk baseline within the first six months of operations. For established companies approaching a significant transaction or regulatory transition, the assessment scope is calibrated to the specific risk exposure relevant to that context.
If your company has not conducted a formal compliance risk assessment, or if the last one was conducted before the regulatory changes of 2024 and 2025, our team is available to discuss your specific situation in a free initial consultation.