COSO internal controls: what IAM and NHI teams should do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: COSO’s five-component internal control framework remains the core language for designing, testing, and evidencing control effectiveness across financial reporting, access governance, and monitoring, according to Pathlock. The practical lesson is that IAM, NHI, and compliance teams need one connected control model, not isolated checks that fail when ownership, evidence, or review cadence breaks down.

NHIMG editorial — based on content published by Pathlock: the five components of an internal control system in COSO

Questions worth separating out

Q: How should security teams map identity governance to COSO controls?

A: Start by mapping access approvals, segregation of duties, review cycles, and monitoring to the five COSO components.

Q: Why do access controls fail even when policies exist?

A: Access controls fail when the control environment is weak, ownership is unclear, or monitoring does not detect drift.

Q: How do organisations know if internal controls are actually working?

A: They know by testing control performance over time, checking whether exceptions are detected, and verifying that remediation is completed.

Practitioner guidance

  • Map identity controls to COSO components: document which IAM, NHI, PAM, and monitoring controls support the control environment, risk assessment, control activities, information and communication, and monitoring.
  • Tie approvals to real business transactions: align access approvals, segregation of duties, and verification steps to the transactions and systems that create financial or operational risk.
  • Build continuous control monitoring for exceptions: use dashboards, alerts, and remediation tracking to detect control failures early and prove follow-up.
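The three guidance points above come together in a continuous control monitoring check: each identity (human or non-human) is tested against an ownership control, an approval and segregation-of-duties control, and a review-cadence and remediation control, and every exception is tagged with the COSO component it belongs to. The script below is an added illustration written for this post; it is not code from Pathlock or from NHIMG. The entitlement names, the segregation-of-duties pairs, the 90-day review cadence, the 30-day remediation SLA, and the sample identities are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed segregation-of-duties pairs: one identity holding both sides of a
# pair could complete a risky transaction end to end without a second person.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"journal.post", "journal.approve"}),
}

REVIEW_MAX_AGE = timedelta(days=90)  # assumed access-review cadence


@dataclass
class Identity:
    name: str
    kind: str                      # "human" or "nhi" (service account, workload, bot)
    owner: Optional[str]           # accountable business owner, None if unassigned
    entitlements: set              # entitlements currently held
    approved: set                  # entitlements that have an approval record
    last_review: Optional[date]    # date of the last completed access review
    open_remediation_days: Optional[int] = None  # age of an unresolved finding, if any


@dataclass
class Finding:
    identity: str
    component: str   # COSO component whose control failed
    detail: str


def evaluate(identities, as_of, remediation_sla_days=30):
    """Run the control checks over an identity inventory and return the exceptions."""
    findings = []
    for ident in identities:
        # Control environment: every identity, NHI included, needs a named owner.
        if not ident.owner:
            findings.append(Finding(ident.name, "control environment",
                                    "no accountable owner assigned"))

        # Control activities: every held entitlement must trace to an approval,
        # and no identity may hold a conflicting pair of duties.
        unapproved = ident.entitlements - ident.approved
        if unapproved:
            findings.append(Finding(ident.name, "control activities",
                                    f"entitlements without approval: {sorted(unapproved)}"))
        for pair in SOD_CONFLICTS:
            if pair <= ident.entitlements:
                findings.append(Finding(ident.name, "control activities",
                                        f"segregation-of-duties conflict: {sorted(pair)}"))

        # Monitoring: reviews must happen on cadence, and prior findings must be
        # remediated within the SLA, otherwise the control is not evidenced.
        if ident.last_review is None or as_of - ident.last_review > REVIEW_MAX_AGE:
            findings.append(Finding(ident.name, "monitoring",
                                    "access review missing or overdue"))
        if (ident.open_remediation_days is not None
                and ident.open_remediation_days > remediation_sla_days):
            findings.append(Finding(ident.name, "monitoring",
                                    f"remediation open {ident.open_remediation_days} days, "
                                    f"SLA is {remediation_sla_days}"))
    return findings


def summarize(findings):
    """Count exceptions per COSO component, the view a dashboard would show."""
    counts = {}
    for f in findings:
        counts[f.component] = counts.get(f.component, 0) + 1
    return counts


# Constructed sample inventory and evaluation date.
AS_OF = date(2025, 1, 15)
SAMPLE = [
    Identity("alice", "human", "fin-controller", {"journal.post"}, {"journal.post"},
             AS_OF - timedelta(days=30)),
    Identity("svc-erp-batch", "nhi", None, {"vendor.create", "payment.approve"},
             {"vendor.create"}, None),
    Identity("svc-report-export", "nhi", "data-team", {"report.read"}, {"report.read"},
             AS_OF - timedelta(days=120), open_remediation_days=45),
]

if __name__ == "__main__":
    results = evaluate(SAMPLE, AS_OF)
    for f in results:
        print(f"{f.identity:20} {f.component:20} {f.detail}")
    print(summarize(results))
```

Running it lists six exceptions: the batch service account fails on ownership, approval, segregation of duties and review, and the export account fails on review cadence and an overdue remediation, while the human user with a complete approval and a recent review produces none. The point of tagging each exception with its COSO component is that the same inventory then serves audit evidence, remediation tracking, and the dashboard in one model rather than three separate checks.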

What's in the full article

Pathlock's full blog post covers the operational detail this post intentionally leaves for the source:

  • Detailed explanation of all five COSO components and the 17 supporting principles
  • Implementation checklist for building and reviewing control environment, activities, and monitoring
  • Examples of common control pitfalls that affect audit readiness and remediation
  • Pathlock’s continuous controls monitoring approach for control testing and exception handling

👉 Read Pathlock's guide to the five COSO internal control components →
