TL;DR: COSO remains the standard reference point for internal controls, but the article shows why governance still fails when organisations treat controls as static rather than continuously tested, updated, and embedded across reporting, compliance, and operations, according to Pathlock. The lesson is that control design without monitoring discipline and clear accountability still leaves material fraud and reporting risk unresolved.
At a glance
What this is: This is an overview of the COSO internal control framework and its role in governance, risk management, reporting, and compliance.
Why it matters: It matters because identity, access, and control governance programmes fail when accountability, monitoring, and segregation of duties are not applied consistently across human, machine, and automated processes.
👉 Read Pathlock's COSO framework analysis for internal controls and governance
Context
COSO is a framework for internal control that helps organisations organise governance, risk assessment, control activities, communication, and monitoring around business objectives. In practice, it matters because control failures rarely begin with one bad decision; they begin when oversight, accountability, and validation stop working together.
For IAM and governance teams, the relevance is indirect but real: the same control logic that COSO applies to financial reporting also applies to identity lifecycle, privilege review, and delegated access. When access is granted, recorded, reviewed, and monitored in separate silos, control assurance weakens across the programme.
Key questions
Q: How should security teams apply COSO principles to identity governance?
A: Treat identity governance as a control system with ownership, monitoring, and independent review, not as an access administration queue. Map provisioning, certification, remediation, and escalation to explicit control objectives, then test whether each step creates evidence that an auditor or risk owner can trust. The goal is assurance, not just process completion.
Q: What breaks when the same team can approve and certify access?
A: Control independence breaks. If one group can grant access, record the decision, and later confirm its own work, segregation of duties is no longer real even if the workflow looks formal. That creates self-validation, weakens accountability, and makes it harder to detect entitlement errors before they become audit or security findings.
Q: How do you know if identity monitoring is actually working?
A: Monitoring is working when exceptions surface quickly, owners are assigned, and deficiencies are corrected before the next review cycle. If stale access, failed certifications, or unresolved exceptions remain hidden in spreadsheets or ticket backlogs, the programme is reporting activity, not controlling risk.
Q: Who should be accountable when access control deficiencies are found?
A: Accountability should sit with the control owner who can fix the issue, the risk owner who accepts residual exposure, and the governance function that verifies escalation when remediation stalls. COSO works only when deficiencies are reported to the right authority fast enough to change outcomes.
Technical breakdown
Control environment and segregation of duties
COSO starts with the control environment, meaning the standards, authority, and accountability structure that makes the rest of the programme work. Segregation of duties is central here: the person who authorises an action should not also record or approve the same action without independent review. In identity programmes, that logic maps cleanly to privileged access, access certification, and exception handling. When the same team owns provisioning, approvals, and review evidence, control independence becomes weak even if the process looks complete on paper.
Practical implication: separate entitlement approval, implementation, and review ownership so the same actor cannot validate its own access decisions.
Monitoring activities and timely deficiency reporting
COSO treats monitoring as an ongoing control, not a quarterly formality. That means controls must be tested, exceptions must be visible, and deficiencies must reach accountable parties quickly enough to matter. In identity terms, this is the difference between real oversight and box-ticking recertification. If exceptions sit in spreadsheets, stale access remains active, or failed reviews are not escalated, the organisation has a reporting problem as much as a control problem.
Practical implication: define control monitoring thresholds, exception escalation routes, and owner follow-up times so access defects are not left to age silently.
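As an added example (not Pathlock's or NHIMG's code), the two checks below apply the segregation-of-duties and monitoring points above to constructed access records: the first flags any actor who holds more than one of the approve, provision and certify roles on the same entitlement, the second surfaces open exceptions that have aged past an owner follow-up threshold or have no accountable owner. The record fields, actor names and the 14-day threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class AccessRecord:
    entitlement: str
    approver: str              # who authorised the grant
    provisioner: str           # who implemented the grant
    certifier: Optional[str]   # who independently reviewed it; None if pending
    owner: Optional[str]       # accountable owner for any open exception
    exception_opened: Optional[date] = None
    exception_resolved: Optional[date] = None

# Constructed sample records, not real identities or systems.
SAMPLE = [
    AccessRecord("sap-fi-post", "alice", "bob", "carol", "dave"),
    AccessRecord("prod-db-admin", "erin", "erin", "frank", "dave", date(2025, 7, 1)),
    AccessRecord("ci-deploy-token", "grace", "heidi", "grace", None, date(2025, 6, 1)),
    AccessRecord("hr-payroll-read", "ivan", "judy", None, "dave",
                 date(2025, 7, 30), date(2025, 8, 2)),
]

def sod_violations(records):
    """Flag records where one actor holds two or more of approve/provision/certify, i.e. the control validates its own work."""
    hits = []
    for r in records:
        by_actor = {}
        for role, actor in (("approver", r.approver), ("provisioner", r.provisioner),
                            ("certifier", r.certifier)):
            if actor is not None:
                by_actor.setdefault(actor, []).append(role)
        hits += [(r.entitlement, a, tuple(h)) for a, h in by_actor.items() if len(h) > 1]
    return hits

def aged_exceptions(records, today, max_age_days=14):
    """Return open exceptions past the follow-up threshold or with no accountable owner."""
    findings = []
    for r in records:
        if r.exception_opened is None or r.exception_resolved is not None:
            continue  # no exception, or already remediated
        reasons = []
        age = (today - r.exception_opened).days
        if age > max_age_days:
            reasons.append(f"open {age}d > {max_age_days}d threshold")
        if r.owner is None:
            reasons.append("no accountable owner")
        if reasons:
            findings.append((r.entitlement, reasons))
    return findings
```

Run both over the sample with an as-of date of 2025-08-05 and two records fail the SoD check while two open exceptions have aged past the threshold, one of them with no owner to escalate to.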
Internal controls over reporting, compliance, and operational access
COSO is built around three control objectives: operations, reporting, and compliance. That structure is useful for identity governance because access controls often fail when they protect only one objective and ignore the others. A credential may be technically valid, yet still create reporting risk if it cannot be attributed, or compliance risk if it is not recertified. The broader lesson is that access management should be measured as a control system, not as a provisioning workflow.
Practical implication: evaluate identity controls against operational continuity, auditability, and regulatory evidence, not just against ticket completion.
NHI Mgmt Group analysis
COSO remains relevant to identity governance because access control is a control system, not a workflow. The article’s strongest contribution is its reminder that authorisation, review, monitoring, and escalation are meant to work together, not as separate administrative steps. That maps directly to IAM, PAM, and NHI governance, where the programme fails if entitlement decisions are not independently checked. Practitioners should treat access control as part of the internal control environment, not a standalone administrative process.
Segregation of duties is the clearest COSO lesson for access governance. The same failure pattern that weakens financial reporting appears when one team can provision, certify, and remediate the same access without independent challenge. That creates a self-validating control loop, which COSO was designed to prevent. The practitioner conclusion is simple: if a control owner can approve its own evidence, the control is already weakened.
Monitoring activities matter more than periodic reassurance. COSO explicitly distinguishes ongoing evaluation from periodic review, and that distinction is critical in identity programmes where access changes faster than review cycles. Access governance that depends on late-stage audits will always lag reality, especially where privileged or delegated access can be granted and used quickly. Practitioners should design monitoring to surface exceptions while they can still be acted on.
Control objectives must be aligned to the identity subject, not only the business process. COSO’s operations, reporting, and compliance categories translate into different identity governance needs for human accounts, service accounts, and automated access paths. A single access review rhythm will not produce equivalent assurance across those actor types. The implication is that identity programmes need objective-based control design, not one generic certification model for every account class.
Internal control maturity now depends on continuous evidence, not static policy. The article points toward a broader governance truth: controls degrade when they are documented once and assumed to remain effective. Identity teams face the same issue with lifecycle offboarding, privileged access, and exception handling. Practitioners should assume that control assurance must be continuously re-earned, not periodically declared.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For a broader control lens, see the Ultimate Guide to NHIs (Standards) for how identity governance frameworks map to operational controls.
What this signals
Control assurance is the real test of identity governance. COSO’s model reinforces a point that IAM programmes often miss: documentation is not control effectiveness. When access reviews, approvals, and monitoring are disconnected, the organisation gains evidence but loses assurance. For teams building a stronger control plane, the right question is whether control failures are detected early enough to be corrected, not whether the policy exists on paper.
The governance gap widens when identity operations are scaled across human users, service accounts, and automated workflows under one review model. A single cadence rarely matches the speed of change in machine identity environments, which is why lifecycle evidence and exception handling need to become operational signals, not annual audit artefacts. The control system has to keep pace with the identity subject, not the other way around.
Identity blast radius: when controls cannot prove who approved, who changed, and who verified, the resulting exposure spreads across reporting, compliance, and operations. That is the programme signal to watch. Teams that still depend on periodic reconciliation should expect growing audit friction unless monitoring and owner escalation become continuous.
For practitioners
- Map identity controls to COSO objectives: separate access governance into operations, reporting, and compliance outcomes so you can see which control failures affect service continuity, audit evidence, or regulatory exposure.
- Enforce segregation of duties in access workflows: prevent the same role from approving, provisioning, and certifying sensitive access without independent review, especially for privileged and exception-based access.
- Move monitoring ahead of periodic review: use ongoing exception detection for stale access, failed recertifications, and unowned entitlements so deficiencies are visible before the next access review cycle.
- Tie control ownership to explicit escalation paths: document who receives deficiency reports, who must validate remediation, and when unresolved exceptions move to audit or risk leadership.
Key takeaways
- COSO’s main relevance to identity teams is structural: controls fail when ownership, review, and monitoring do not stay independent.
- The article shows that periodic control checks are not enough when access changes faster than reporting and certification cycles.
- Identity programmes should measure assurance, escalation, and segregation of duties as control outcomes, not as administrative tasks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-02 | COSO's governance model aligns with defining control ownership and accountability. |
| NIST CSF 2.0 | PR.AC-04 | Segregation of duties maps to controlling access and authorisation in identity workflows. |
| NIST Zero Trust (SP 800-207) | Continuous verification | Echoes COSO monitoring and ongoing evaluation. |
Separate approval, provisioning, and certification paths for sensitive access to reduce self-validation risk.
Key terms
- Control Environment: The control environment is the set of governance standards, authority structures, and ethical expectations that shapes how controls operate. It determines whether access and risk processes have real accountability or only procedural formality, and it is the foundation that lets other controls function consistently.
- Segregation of Duties: Segregation of duties is the practice of splitting authorisation, execution, and review across different people or roles. In identity governance, it prevents one actor from creating, approving, and validating the same access decision, which reduces self-approval risk and strengthens auditability.
- Monitoring Activities: Monitoring activities are the ongoing checks used to confirm that controls still work as intended. They include automated and manual evaluations, exception reporting, and escalation when deficiencies appear, making them essential for catching access issues before they become persistent exposure.
- Control Objective: A control objective is the intended outcome a control system is designed to achieve, such as reliable reporting, operational continuity, or compliance. In identity programmes, objectives help distinguish whether a control is protecting evidence, access, or business process integrity.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.
This post draws on content published by Pathlock: COSO Framework for Internal Controls. Read the original.
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org