Companies are accelerating efforts to comply with the audit standards under the new external audit law. Analysis comparing U.S. ICFR (Internal Control over Financial Reporting) audit practices and non-compliance cases with Korea shows that even inadequate internal control environments can lead to unfavorable audit opinions, underscoring the need for thorough preparation. Korea’s internal accounting management system audit standards were introduced based on ICFR, so insufficient internal control environments will inevitably result in audit findings.

Common audit issues include:

- Weak process-level controls

- Insufficient internal control environment

Examples of deficiencies:

- Lack of history tracking for user account creation and permission assignment

- Missing approval procedures for requests and program changes

- No evidence of access revocation for terminated employees

- Inadequate program change history management

- Lack of segregation between developers and deployment personnel

- Missing deployment activity logs

- No records or approvals for account creation/access rights requests

These examples show why building an internal control environment is a major concern for companies. 

While identified deficiencies can be addressed over time, organizations want to proactively identify and mitigate risks before audits.

So, how can companies prepare effectively?

Rather than inventing new methods, the solution can be found in ITSM frameworks and systems that support IT operations management. This article explores how ITSM can help address ITGC requirements.

ITSM: The Solution for ITGC Compliance

One effective way to mitigate audit risks caused by missing internal control systems is to adopt and leverage ITSM as a support system for internal controls.

Key ITGC control areas include:

- Program Development

- Program Change

- Access to Programs and Data

- Computer Operations

IT organizations are critical resources, so requirements include segregation of developers and deployers, mandatory testing before deployment, reference to test results, and strengthened approval and activity tracking—all essential for stable operations.

How can ITSM meet these numerous control requirements?

[Figure 1: IT General Controls (ITGC)]

It’s not difficult. As shown above, ITSM management standards already incorporate internal control requirements. By using STEG’s E-GENE ITSM solution, which was developed to include these conditions, companies can easily comply with ITGC requirements.

Additionally, E-GENE ITSM supports agile-based iterative prototyping to accelerate development and innovation, low-code customization, and a flexible workflow engine to quickly adapt to internal process changes and external technical frameworks. This adaptability has been proven through multiple enterprise implementations.

[Figure 2: Low-Code-Based E-GENE ITSM]

With these features, companies can visualize IT workflows, assign tasks, standardize processes, enforce approval controls, and manage execution—all while meeting ITGC requirements under internal accounting regulations. It also ensures stability during approval and deployment processes.

ITSM-Driven IT Management Innovation and ITGC Compliance

Many of our clients demonstrate real-world success in this area.

Recent examples include GC Pharma, Heungkuk Life/Fire, VNTG, and BNK Busan Bank, which adopted E-GENE ITSM to modernize IT management, improve work culture, and strengthen compliance with ITGC requirements. Clients emphasize that ITSM enables continuous efficiency improvements through the PDCA cycle (Plan-Do-Check-Act).

Choose an ITSM System That Meets Digital Transformation Needs

Companies seek flexible solutions that can quickly adapt to internal process changes and external environmental shifts. Traditional ITIL-focused ITSM systems can feel heavy and rigid, but ITSM solutions are evolving rapidly.

E-GENE ITSM stands at the center of this evolution, offering flexibility and continuous R&D to meet technological changes and user needs. It is recognized as a best practice across industries, improving IT culture and serving as a solution for ITGC compliance.

Organizations no longer need to fear rapid changes. By choosing an ITSM system with a flexible workflow platform, they can adapt quickly and embed these processes internally.

In summary, our ITSM platform integrates best practices, experience, and know-how into a low-code workflow foundation that can be tailored to diverse environments and cultures. It is a truly evolved ITSM system that meets the demands of digital transformation.

As 2022 approaches, our ITSM solution is preparing for another leap forward.

Choose it, use it flexibly, and transform your IT culture while ensuring ITGC compliance with E-GENE ITSM.

STEG Solution Service Division – PSP Team

**Tip: External Audit Law and New External Audit Law

With the new external audit law, listed companies now face stricter requirements: internal accounting management systems must undergo audits instead of simple reviews, and ITGC compliance is mandatory. This requirement is expanding from large corporations to mid-sized and small companies—by 2022 for firms with assets over KRW 100 billion, and by 2023 for those below.

Terms like “external audit law,” “external audit,” and “IT internal control” are becoming increasingly common. We are receiving numerous inquiries about solutions for ITGC compliance, and by 2023, these topics will be even more critical.

The external audit law requires companies to undergo audits by independent certified public accountants and disclose audit reports to protect stakeholders and ensure corporate soundness. While it cannot completely prevent accounting fraud, it serves as a vital safeguard.

Since 2018, the revised law (New External Audit Law) mandates external audits of internal accounting management systems. One key principle is addressing ITGC risks. Failure to implement ITGC-compliant systems can result in unfavorable audit opinions and even delisting.

*ITGC (IT General Controls): The foundation of IT governance, ensuring reliability of information generated by IT systems. Its core purpose is to control risks that could lead to financial statement errors or fraud due to IT system issues.