It was confirmed that LG Uplus had entrusted Deloitte Anjin LLC (hereinafter Anjin), which is in charge of its external audit, with non-audit services worth more than 1 billion won above the audit fee. Many of the non-audit services were tied to the company's risks, including personal information, cybersecurity, and responses to tax audits. A key question has arisen over whether an external auditor can independently audit the same company's internal controls and financial impacts after being involved in improving and inspecting the company's security.
According to a compilation of ChosunBiz reporting on the 1st, LG Uplus's fees for non-audit services contracted with Deloitte Anjin last year totaled 2.532 billion won. That is 1.7 times the 1.4685 billion won in audit fees allocated to Anjin during the same period.
The scale of non-audit services also surged compared with before. The non-audit fees disclosed by LG Uplus were 77 million won in 2023 and 45 million won in 2024. In 2025, they ballooned to the 2.5 billion won range. This shift appeared right after LG Uplus changed its external auditor to Deloitte Anjin starting in 2025. Large non-audit contracts were concentrated in the first year of the auditor change.
Non-audit services were concentrated on personal information and cybersecurity work. The largest engagement was a 900 million won project to check the results and implementation of destroying personal information databases (DB). The cybersecurity innovation initiative PMO (project management office) project was similar in size at 892 million won. In addition, there were 350 million won for responding to a regular tax audit, 179 million won for evaluating an electronic signature certification business operator, 80 million won for corporate tax adjustments, and 53 million won to support the production and publication of an information security white paper.
Entrusting non-audit services to an external auditor is not illegal in itself. However, in the accounting industry, when the advisory and inspection fees received from an audit client exceed the audit fees, independence controls should be stricter. This is because there may be a "self-interest threat," in which the auditor may hesitate to make critical judgments due to the economic relationship with the company, and a "self-review threat," in which the auditor ends up reassessing the results of work they performed during the audit.
In particular, in the case of LG Uplus, some say there is room for controversy because the non-audit services are tied not to simple accounting advice but to security risks. Last year, a public-private joint investigation team under the Ministry of Science and ICT said it confirmed an actual internal information leak related to LG Uplus's integrated server access control solution. However, because key servers had their operating systems (OS) reinstalled or were discarded, the exact intrusion route and scope of damage were not identified. The investigation team deemed these actions inappropriate, and the Ministry of Science and ICT has asked police to investigate on suspicion of obstruction of official duties by deception.
A telecommunications industry official said, "For a telecom company, personal information and cybersecurity are not matters managed outside the financial statements. If an incident occurs, it can lead to a penalty surcharge, damages, customer compensation expense, provision, contingent liabilities, and an evaluation under the internal accounting control system," adding, "If the external auditor was involved in checking the destruction of personal information DBs or in the cybersecurity innovation initiative PMO, what matters later is how conflicts of interest were blocked when auditing the related costs and internal controls."
What matters is the actual scope of the security-related non-audit services that Anjin handled. If they were limited to simple advice or post hoc checks, the independence threat may be limited. But if the firm also handled schedule, performance, and execution management of improvement tasks, the situation changes. That is because the auditor could end up reassessing the appropriateness of security improvements they were involved in, the related expense treatment, and the effectiveness of internal control improvements.
LG Uplus listed reporting procedures through the audit committee in its business report. The audit committee received a report in Apr. last year on the "2025 auditor's non-audit work execution plan," and in Oct. and Nov., it also handled items for a post-report and a report on results. An accounting industry official said, "The issue with an external auditor's non-audit services is not just whether they constitute prohibited work," adding, "What matters is whether the audit team and the service delivery team were separated, whether the service outputs were blocked from influencing audit judgments, and whether the audit committee substantively reviewed these matters."
Regarding this, LG Uplus said, "We selected the (non-audit) firm in consideration of the specificity, expertise, and continuity of the work, and all contracts proceeded after the audit committee completed its review (deliberation)," adding, "(Regarding security) the engagement was contracted as simple 'advice and inspection.'"