Monday, 16 December 2013

Internal Control Systems (PAPAMOSS)

By Chan Hoi Leong, Researcher
Topic: Education
Area of discussion: Auditing
Chapter: Internal Control Systems (PAPAMOSS)

The primary objective of this posting is to critically discuss and explain each element of PAPAMOSS in detail, with some practical examples given to facilitate a clearer understanding. I noticed that there is a lack of detailed notes available online or in books about this topic, so I decided to do some research and write about the PAPAMOSS concept. By the way, this topic is examinable in ACCA examinations (e.g. P1 & P8). Seriously, I hope that this posting can help you to understand the concept better. Kindly share this information with your friends if you find it useful. In addition, if you have any comments which can improve the content of this posting, please do leave a message below.

Internal control systems

As defined in Paragraph 4(c) of ISA 315, internal control is “the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.”

It includes all the policies and procedures (internal controls) adopted by the directors and management of an entity in order to achieve their goals of ensuring, as far as practicable, the orderly and efficient conduct of its business, including: adherence to management policies; safeguarding of assets; prevention and detection of fraud and error; ensuring the accuracy and completeness of the accounting records; and timely preparation of reliable financial statements (Kan, 2013; Kwok, 2005). Auditors generally seek to rely on the internal controls within an entity to reduce the amount of testing on final balances.

Interestingly, the eight features of an internal control system are popularly known through two mnemonic words, namely “PAPAMOSS” or “SOAPSPAM”. The eight features are:

Physical control:

This is mainly concerned with the custody and protection of assets such as cash and inventories. It involves tight security measures and procedures to ensure that only authorised personnel have access to the records and assets. Examples include the installation of fences, gates and doors, as well as the use of locks and keys.

Authorisation and approval control:

No transaction should be carried out and no document should be processed without the approval or permission of an appropriate and responsible person. Approval, such as signing, must be done with consent. In addition, limits on authorisation should be clearly specified.

Personnel control:

These are procedures put in place to ensure that staff have capabilities commensurate with their responsibilities. Kan (2013, p.162) highlights that the hiring of well-motivated, competent employees, who have the required integrity for their tasks, will ensure that the control system operates properly. Most importantly, the consideration here should stress the qualification, selection and training of workers, and their innate personal characteristics. Besides, big companies usually have their own dress code systems which require personnel to wear specific attire or uniforms in order to indicate a person’s rank or department.

Arithmetical and accounting control:

Persons in charge should ensure that all transactions have been authorised before they are sent for recording and processing. After that, the persons in charge must check whether anything has been left out and make sure that all transactions are correctly recorded and accurately processed. Such controls may include checking the arithmetical accuracy of the records, for example through control accounts, cross totals, reconciliations, the trial balance and sequential controls over documents.

Management control:

These are the controls exercised by management outside the daily routine of the system. Examples include overall supervisory controls, review of management accounts, budgetary controls, the internal audit function and other special review procedures.

Organisational control:

Kan (2013, p.162) states that a well-defined organisational structure shall show clearly how responsibilities and authorities are delegated, as well as identify lines of reporting for all aspects of the enterprise’s operations. A tall organisational structure usually has a narrow span of control, where managers can manage their subordinates easily, but communication might be distorted by the greater number of hierarchical levels, and employing many managers is costly. Research organisations normally have these characteristics. Conversely, a flat organisational structure has a wider span of control, where managers have less time to supervise all their subordinates, but there is less distortion in communication because the hierarchy is shorter, and subordinates are cheaper to hire than managers. This is common in manufacturing industries (Jones and George, 2003, pp.311-312).

Supervision control:

Supervision by responsible officials of the day-to-day transactions and the recording thereof is an integral part of any control system. For instance, management accounts are reviewed for reasonableness by a qualified accountant. Centralisation might facilitate supervision across management.

Segregation of duties:

Ideally, responsibilities and duties must be separated among a number of people, so that no individual can record and process a transaction completely. Furthermore, this reduces the risk of intentional manipulation or mistake and increases the element of checking. Functions which should be separated include authorisation, execution, custody, recording and so on. However, if collusion takes place or if people work together to circumvent the system, then segregation of duties may be ineffective, as this situation often makes fraud difficult to detect (Gray and Manson, 2011, p.282).


It is noted that significant deficiencies in internal controls shall be communicated in writing to those charged with governance in a report to management. The written communication should include a description of the deficiencies and their potential effects. ISA 265 requires auditors to find out the number of identified deficiencies and their relative significance. Auditors may also provide suggestions for remedial action.


Gray, I. and Manson, S., 2011. The audit process: principles, practice and cases. 5th ed. Australia: South-Western Cengage.

Jones, G.R. and George, J.M., 2003. Contemporary management. 3rd ed. New York: McGraw-Hill.

Kan, E., 2013. Audit and assurance – principles and practices in Singapore. 3rd ed. Singapore: CCH.

Kwok, B.K.B., 2005. Accounting irregularities in financial statements: a definitive guide for litigators, auditors, and fraud investigators. Aldershot: Gower Publishing Limited.


  1. Part of your answer mentions that auditors in general seek to rely on internal controls. But somehow I felt that when auditors conduct an audit in a company, they tend to rely more on external evidence than internal one.
    Correct me if I am wrong on this.