According to the standards of the new External Audit Act, many listed companies will gradually become subject to the application of the Internal Accounting Control System starting in 2023.

Within the “Internal Accounting Control System,” the IT General Control (hereafter ITGC) area, which falls under IT control, refers to general controls over IT and the establishment of controls across overall processes related to IT operations. The ITGC domain includes activities such as program development, program changes, access security for programs and data, and computer operations.

[Figure 1. IT General Control Areas]

Due to these market requirements, more and more customers are adopting STEG’s ITSM solution (E-GENE) to strengthen their ability to meet IT internal control requirements.

E-GENE ITSM complies with ITIL standards for IT service management, enabling control activities and management of evidence according to procedures in the IT service domain.

In this article, I will explain a case where we established an ITGC response foundation during the ITSM system implementation for Kolmar BNH, which I was responsible for.

The main business processes of the Kolmar BNH ITSM system are as follows:

[Figure 2. ITSM System Process Chain]

Depending on the IT tasks requested, items that cannot be processed within service requests are transferred to the change management process for handling. All change tasks are either transferred from service requests or registered directly within each change management process.

The change management process implemented at Kolmar BNH is divided into three main types, with the most representative being the information system change management process. Its detailed flow is as follows:

[Figure 3. Information System Change Management Flow]

In the above process flow, you can see several steps that correspond to ITGC requirements. Information system changes originate from requests in service requests, incidents, or problems. Each system manager establishes a plan for the change, and from development to testing and deployment, tasks are handled according to procedures with roles separated by responsibility. Each task owner must obtain approval from their team leader before proceeding.

Through E-GENE ITSM’s History Map feature, all processing histories for each step can be viewed at a glance, and the approval module records evidence of internal approvals.

Some implemented features include:

- Data Creation and Change History Menu: From service request (SR) items to actual information system changes, all registered data creation/changes can be queried and extracted. It also allows viewing related service requests and associated information systems linked to the change target.

 

[Figure 4. Data Creation and Change History Menu]

- Error Monitoring Report Menu: Provides information on failed tests during the information system change process, including related service requests and extractable lists. 

[Figure 5. Error Monitoring Report Menu]

- SR Report Management Menu: Enables querying and extracting service request data across various IT work processes based on desired criteria. It can also serve as evidence that tasks were processed according to proper procedures.

 

[Figure 6. SR Report Management Menu]

Through the process flow and implemented feature examples described above, we examined practical response methods and cases for ITGC.

The utilization of our E-GENE solution is increasing significantly to reduce IT operational risks and respond effectively to ITGC and internal audits, and many customers are currently adopting our system.

In the next article, we will cover more cases of ITGC response and improvements in actual operational environments using our solution.

Yoo Da-Hyung, PS1 Team, STEG Inc.