Systems & Process Audit

Redesigning How Controls Work

Across IT audit, internal controls, and governance,
we build audit environments where data speaks for itself
and systems prove their own integrity.

Global Big 4
US · Australia · Korea offices
15yr+
IT audit & internal controls experience
Cross-border
Global audit & fraud investigation
End-to-End
From audit design to capability transfer
Your Challenges

Sound Familiar?

Regardless of industry or scale, the fundamental questions around IT controls remain the same.

Listed Companies · IPO Candidates

We don't know where to begin with IT controls for our internal accounting management system

K-SOX compliance scope keeps expanding, but we lack the in-house expertise to perform ITGC assessments — and the criteria to evaluate external specialists.

→ GTI performs comprehensive ITGC/ITAC assessments using full-population data verification based on the COSO framework
Accounting Firms · Audit Teams

Every client runs a different ERP, and audit windows are tight

From SAP to YoungLimWon, Douzone, and UniERP — each system requires a different approach, and sample-based testing alone isn't enough for regulatory review readiness.

→ GTI brings hands-on audit experience across 6+ ERP platforms, backed by full-population analysis for regulatory defensibility
Financial Institutions · Insurance · Capital

A regulatory IT inspection is approaching, and we can't gauge our readiness

We can't identify which of the 67 inspection items are vulnerable, and we're concerned that gaps between policies and actual operations will lead to regulatory findings.

→ GTI builds inspection-ready frameworks through a three-tier package: Policies → Procedures → Operating Manuals
Manufacturing · Retail · Construction · All Industries

Transaction volumes are massive, but we have no way to proactively detect anomalies

Embezzlement and misappropriation risks exist, but manual reviews can't cover the full population — we're left relying on after-the-fact detection.

→ GTI automatically reconciles full transaction datasets to identify anomalous patterns before they become losses
Service 01

K-SOX IT Audit

IT General Controls & Application Controls for Internal Accounting

We systematically verify access controls, change management, operations management, and security management across all domains. Instead of sampling, we analyze complete log populations and extract ERP system configurations directly to objectively demonstrate control effectiveness.

Listed Companies | IPO Candidates | Accounting Firms | Manufacturing · IT · Retail
  • ITGC assessment across 4 domains (Access · Change · Operations · Security)
  • IT Application Controls (ITAC) design & operating effectiveness testing
  • RCM-based audit workpaper documentation & deficiency evaluation
  • ERP-specific audit approaches (SAP · YoungLimWon · Douzone · UniERP)
Access Controls

Full-population access log analysis, automated identification of privileged access & SoD violations

Change Management

Complete automated reconciliation of migration history against approval records

IT Operations

Batch job execution log pattern analysis, automated failure & delay detection

Security

Full database access attempt analysis, automated anomalous query filtering

Service 02

Internal Audit Framework

IT Self-Audit Guidelines · Capability Transfer · Regulatory Compliance

Based on FSS (Financial Supervisory Service) IT audit guidelines, we design the complete framework for organizations to independently perform IT audits. Beyond policy development, we build self-sustaining audit capabilities through a 3-year phased internalization roadmap — eliminating dependency on external consultants.

Insurance | Capital · Leasing | Banking · Securities | Fintech
  • IT self-audit management guidelines & inspection criteria (mapped to FSS 67 items)
  • Auditor qualification & independence governance framework
  • Audit operating manual & template development (plans, reports, remediation plans)
  • 3-phase capability transfer: GTI-led → Joint operations → Independent operations
Phase 1

GTI-led — Establish guidelines, execute first audit cycle, validate procedures

Phase 2

Joint operations — Coach internal auditors, co-execute second audit cycle

Phase 3

Independent operations — Full internal execution, GTI advisory support (2x/year)

Deliverables

Policies → Procedures → Operating Manuals, complete three-tier package

Service 03

Internal Controls Framework

IT Governance Design · Operational Risk Management · Policy Development

From IT committee structure and operations, segregation of duties, change management, to disaster recovery — we architect and institutionalize your organization's IT control framework. We deliver industry-specific designs that reflect regulatory requirements, not generic templates.

Financial Institutions | Listed Companies | Healthcare · Pharma | Energy · Public Sector
  • IT committee & council governance design with RACI matrix
  • Change management, IT project management & disaster recovery policies
  • Segregation of duties codification & conflict-of-interest exception procedures
  • Open-source software management & third-party IT risk assessment framework
Governance Structure

IT committee & council role separation, standardized decision-making framework

Operating Policies

Comprehensive change management, DR, network & DB management guidelines

Third-Party Risk

Open-source SCA tool operations, external IT service risk assessment

Information Assets

Asset inventory, classification tiers, and protection standards framework

Service 04

Risk Assurance

Full-Population Data Analysis · Anomaly Detection · IT Risk Assurance

We uncover what manual reviews miss — through automated full-population transaction reconciliation and pattern analysis. We verify cash flow integrity, proactively identify anomalous transactions, and prevent embezzlement and misappropriation risks before they materialize.

All Industries | Manufacturing · Construction | Retail · Distribution | Financial Services
  • Full-population automated reconciliation of bank transfers against general ledger (Posting Reconciliation)
  • Cross-verification of payees against registered counterparties (Counterparty Verification)
  • Duplicate payment detection, time-based anomaly analysis, Benford's Law testing
  • System environment risk identification, assessment & assurance reporting
Step 1

Posting Reconciliation — Verify completeness of fund transfers against general ledger

Step 2

Counterparty Verification — Cross-validate payment recipients

Analytics

Duplicate payments, time-of-day, day-of-week & Benford's Law multi-dimensional analysis

Expected Outcome

Full-population fraud detection + strengthened preventive internal controls

Our Approach

Audit Methodology for a Changing IT Landscape

AI and cloud adoption, growing third-party IT risks, and regulators shifting from rules-based to principles-based oversight — these are the forces reshaping IT governance. Built on the COSO framework, GTI continuously advances its audit procedures to keep pace with this evolving landscape.

Full-Population Testing

We analyze the entire population, not samples. Omission risk is eliminated at the source.

Direct System Extraction

Configuration values and logs are extracted directly from ERP, DB, and OS. No reliance on interviews or documentation.

Automated Evidence Collection

Repetitive verification procedures are automated — eliminating human error and increasing audit efficiency.

Pattern-Based Detection

Statistical analysis and pattern recognition identify anomalies proactively, before they become issues.

Conventional vs. GTI Approach

Access Control Review

Conventional

Extract sample of N users from user list and verify manually

GTI

Automatically analyze full access logs to instantly identify anomalous access & privilege violations

Change Management Review

Conventional

Sample change requests and review documents one by one

GTI

Full-population reconciliation of migration history, automatic detection of unauthorized changes

Batch Job Review

Conventional

Visual inspection of batch schedule listings

GTI

Full execution log analysis with automated detection of failure spikes & schedule deviations

Database Security Review

Conventional

Extract and review database account listings

GTI

Full access attempt log analysis with automated filtering of anomalous queries

Coverage

Supported Environments

Hands-on experience across diverse system environments.

ERP Systems

  • SAP / Oracle ERP
  • YoungLimWon ERP (K-System)
  • Douzone iCube / Bizbox
  • UniERP (Bizentro)

Infrastructure

  • On-premise server environments
  • AWS / Azure cloud
  • Hybrid infrastructure
  • Cloud carve-out handling

Database & Security

  • MS-SQL / Oracle DB / MySQL
  • DB access control solutions (SecureMax, etc.)
  • Network security architecture review
  • Physical access control verification
Process

Engagement Process

A structured process that gives even first-time partners confidence. We maintain independence and execute NDAs upfront.

1. Discovery Meeting: Scope, current state & timeline alignment; NDA execution
2. Audit Planning: RCM review, test procedure design, role allocation
3. Fieldwork: Evidence collection, system access, full-population data analysis
4. Documentation: Client-format customized deliverables
5. Reporting & Follow-up: Findings report, remediation recommendations, post-engagement support

About GTI

About GTI Audit

"We help organizations build the capability to govern their own IT risks."

The founder of GTI Audit brings extensive experience from Global Big 4 firm offices in the United States, Australia, and Korea — spanning financial audit, IT audit, internal controls review, internal audit, and fraud investigation.

In the U.S., the practice included financial services sector audits and IT-driven financial data verification for global asset managers, hedge funds, and insurance companies. This was complemented by ISAE 3402-based internal controls reviews and reporting for global manufacturing, IT, and logistics corporations.

In Korea, engagements covered internal accounting management system (K-SOX) reviews, financial data substantive audits, and business process & control effectiveness consulting for major listed companies across telecommunications, aviation, semiconductors, financial services, and energy. This included business process control activity reviews and management inspections of global investee entities.

In Australia, the work encompassed transaction integrity reviews, potential management and employee fraud detection, and control improvement consulting for global investment funds, national carriers, government agencies, and retail & industrial companies.

Drawing on this global field experience, GTI combines direct data verification and automated audit methodologies on top of the COSO framework, designing capability internalization through a three-tier package of Policies → Procedures → Operating Manuals.

KICPA · AICPA

Korean & US Certified Public Accountant

CISA · CISSP

Information Systems Audit & Security

CFE

Certified Fraud Examiner

Big 4 Alumni

US · Australia · Korea — 3 countries

Differentiators

Why GTI

Systems and Processes — We Cover Both

Built on deep IT controls expertise, our audit perspective extends across entire business processes — covering risk and control structures end to end.

Field-Proven Deliverables

Not theoretical consulting — our deliverables have been tested in real financial institutions and listed companies, surviving regulatory inspections.

Full-Population Analysis, Zero Omission

We verify the entire population, not samples. Omission risk is eliminated at the source, and regulatory review readiness is secured.

Internalization by Design

We design the capability transfer roadmap from day one — so you don't stay dependent on GTI. Independent operations within three years is the goal.

Industry-Specific Approach

We deliver differentiated audits that reflect the regulatory nuances and system environments of each industry — financial services, manufacturing, IT, retail, and beyond.

Partner Positioning

We collaborate as a partner that elevates audit quality. Structural safeguards for independence and confidentiality are built into every engagement.

References

Project References

Anonymized to protect client confidentiality.

Global Financial Services — Asset Management · Hedge Funds · Insurance

Financial Services Sector Audit & IT Verification

Financial audit and IT-driven financial data verification for global asset managers, hedge funds, and major insurance companies. Applied financial services sector-specialized audit methodology.

Global Manufacturing · IT · Logistics

ISAE 3402 Internal Controls Review

Design and operating effectiveness review of internal controls for global automotive, gaming, and logistics companies under international audit standards, with formal report issuance.

Major Korean Listed Companies — Telecom · Aviation · Semiconductors · Financial Services · Energy

K-SOX Review & Process Improvement

Internal accounting management system review, financial data substantive audit, and business process & control effectiveness improvement consulting across diverse industries.

Global Corporations — Internal Audit · Fraud Investigation

Cross-Border Fraud Detection & Control Improvement

Transaction integrity review for global investment funds, national carriers, government agencies, and retail & industrial companies. Potential management and employee fraud detection and control improvement consulting.

Korean Insurance Company

IT Audit Framework — Full Build

Established IT self-audit management guidelines, mapped all FSS 67 inspection items, developed complete operating manuals and templates. Successfully passed subsequent regulatory inspection.

Korean Listed Manufacturer

K-SOX ITGC Audit Engagement

Full-population verification of ERP access controls and change management, application controls effectiveness testing, audit workpaper documentation and deficiency evaluation.

Insights

Regulatory trends, practical guides, and audit perspectives.

Regulatory Update

Electronic Financial Supervision Regulation Amendments: Key Changes & Institutional Response

Analysis of major regulatory amendments and their impact on IT internal controls, with practical compliance strategies.

Practical Guide

FSS 67 IT Inspection Items: Where to Start

Priority-ranked breakdown of key regulatory inspection items with recommended initiation strategies.

Checklist

10 Essential Self-Assessment Questions Before a Regulatory IT Inspection

Core diagnostic questions to evaluate your organization's readiness for an upcoming IT inspection.

Let's Get Started

The first meeting is complimentary. Share your current situation, and we'll propose the optimal approach.

Contact

Contact Us

Project inquiries, complimentary diagnostic assessments, partnership proposals — we welcome all conversations.

GTI Audit

Systems & Process Audit specialists.
We build audit environments where systems prove their own integrity.


Contact · Head of IT Audit
Cell: +82 10 4296 3365
Email: seongsong@gti-audit.kr
Address: 3F, 47-6 Hannam-daero 20-gil, Yongsan-gu, Seoul, Korea

Complimentary Diagnostic Assessment

We offer a complimentary assessment covering 20 key items from the FSS 67-item IT audit checklist, plus a 1-hour expert review session. Select "Complimentary Assessment" in the form below.