Mapping Internal Controls Using System Documentation Tools

The 2002 Sarbanes-Oxley Act requires managers to assess and attest to the internal financial controls and the IT controls within the firm.  Therefore, documenting and assessing internal financial controls and IT controls has become an important and necessary task for auditors and management.  This paper provides an approach for developing an internal control map using data flow diagrams.  The internal control map can be used by external or internal auditors to evaluate a system’s internal controls in general and also to find internal control deficiencies in the system.