Compliance with ITGC in Internal Accounting Control System through ITSM
- Author: Administrator
- Date: 2020.07.05
The internal accounting control system is an internal control framework for financial reporting that companies must establish and maintain to ensure the reliability of financial information preparation and disclosure. It refers to an internal control system that manages and monitors company operations related to financial reporting to prevent errors, fraud, and misconduct in financial statements.
This system is designed and operated to provide reasonable assurance that the company’s financial statements are prepared and disclosed in accordance with generally accepted accounting principles. It represents a continuous process executed by all organizational members, including the board of directors and management.
Building and operating an internal accounting control system begins with identifying entity-level controls and IT general controls that broadly impact the company’s financial statement preparation process, and then implementing controls within business processes that significantly affect accounts with material amounts on the financial statements, reducing the risk of material misstatement during operations.
In short, the internal accounting control system was introduced under the Corporate Restructuring Promotion Act to prevent accounting fraud and is now managed under the Act on External Audit of Stock Companies.
Since November 2019, amendments to the Act on External Audit of Stock Companies have strengthened the effectiveness of internal accounting control systems. Among its key principles is Information Technology General Control (ITGC).
The law states:
“Companies shall select and implement IT general controls that support the achievement of internal accounting control objectives.”
ITGC refers to the foundation of IT governance, ensuring the reliability of information generated by IT systems through appropriate controls.
ITSM and ITGC
As mentioned above, Information Technology General Control (ITGC) means “the foundation of IT governance that enables control to ensure the reliability of information generated by IT systems.”
So, what is the most efficient way to achieve this goal? The answer lies in ITSM, which is widely implemented and utilized by most IT organizations today.
IT has become a business utility, and reliability cannot be guaranteed by technology alone. Professional, proactive, and value-driven service management is essential for delivering quality services to the business. ITIL, the foundation of ITSM, defines IT as a competitive capability integrated into business operations, providing value through specialized organizational competencies.
Here:
- Service means delivering value to customers by facilitating desired outcomes without ownership of specific costs and risks.
- Value combines utility (fitness for purpose) and warranty (fitness for use).
- Capability refers to the ability to coordinate, manage, and apply resources to produce value.
Thus, all activities related to IT-based production and consumption are IT services, and managing these services constitutes ITSM. Today, ITSM is an essential tool for transparent IT operations, providing the foundation for IT governance required by ITGC.
How ITSM Ensures ITGC Compliance
To achieve ITGC objectives, companies must address key risk factors and implement critical control considerations:
Key Risk Factors
- Incorrect data processing or reliance on systems handling inaccurate data
- Unauthorized access leading to improper data changes
- Inadequate segregation of duties within IT teams
- Unauthorized modification of master files
- Improper system or program changes
- Excessive manual intervention
- Risk of data loss
Critical Control Considerations
Determine dependency between business processes and ITGC
- IT general controls for system implementation and development provide assurance that automated controls function properly when the system is initially developed. Furthermore, ITGC ensures ongoing confidence in the proper operation of information systems after implementation.
Establish IT infrastructure control activities
- IT requires infrastructure such as internal networks, various application systems, and supporting components like power units.
- Companies must establish and apply policies, procedures, and control activities to achieve completeness, accuracy, and availability of IT processing.
Implement security management processes
- Security management includes processes and control activities related to who has access rights to the company’s IT resources and at what level, including authority to process transactions in application systems.
- User access to IT is generally controlled through authentication activities based on approved user accounts.
Define controls for IT acquisition, development, and maintenance processes
- ITGC supports activities related to IT acquisition, development, and maintenance. IT development methodologies provide structure for control activities related to system design and implementation, including overviews of specific development phases, documentation requirements, approval frameworks, and review checkpoints.
ITIL Lifecycle and ITGC
ITIL-based ITSM focuses on a service lifecycle:
- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement
This lifecycle and its processes cover all IT activities, enabling comprehensive control as required by ITGC. ITSM systems define and implement processes, technologies, and organizational structures to manage and control IT across all stages—planning, acquisition/development, operation, maintenance, monitoring, and improvement.
ITSM ensures clear definitions of IT services and their components, optimized configurations, controlled changes, and full lifecycle management. Continuous feedback across lifecycle stages enables proactive adjustments to business changes, ensuring service optimization and compliance.
Figure 1. Selection and Implementation of ITGC Based on ITSM
To effectively achieve ITGC compliance within internal accounting control systems, the most efficient approach is leveraging ITIL-based ITSM. By integrating ITSM with optimized point solutions (e.g., monitoring tools, configuration management systems, identity management systems), companies can successfully implement ITGC with balanced processes and technology.