TL;DR: COSO’s five-component internal control framework remains the core language for designing, testing, and evidencing control effectiveness across financial reporting, access governance, and monitoring, according to Pathlock. The practical lesson is that IAM, NHI, and compliance teams need one connected control model, not isolated checks that fail when ownership, evidence, or review cadence breaks down.
NHIMG editorial — based on content published by Pathlock: the five components of an internal control system in COSO
Questions worth separating out
Q: How should security teams map identity governance to COSO controls?
A: Start by mapping access approvals, segregation of duties, review cycles, and monitoring to the five COSO components.
Q: Why do access controls fail even when policies exist?
A: Access controls fail when the control environment is weak, ownership is unclear, or monitoring does not detect drift.
Q: How do organisations know if internal controls are actually working?
A: They know by testing control performance over time, checking whether exceptions are detected, and verifying that remediation is completed.
Practitioner guidance
- Map identity controls to COSO components Document which IAM, NHI, PAM, and monitoring controls support control environment, risk assessment, control activities, information and communication, and monitoring.
- Tie approvals to real business transactions Align access approvals, segregation of duties, and verification steps to the transactions and systems that create financial or operational risk.
- Build continuous control monitoring for exceptions Use dashboards, alerts, and remediation tracking to detect control failures early and prove follow-up.
What's in the full article
Pathlock's full blog post covers the operational detail this post intentionally leaves for the source:
- Detailed explanation of all five COSO components and the 17 supporting principles
- Implementation checklist for building and reviewing control environment, activities, and monitoring
- Examples of common control pitfalls that affect audit readiness and remediation
- Pathlock’s continuous controls monitoring approach for control testing and exception handling
👉 Read Pathlock's guide to the five COSO internal control components →
COSO internal controls: what IAM and NHI teams should do?
Explore further
COSO remains relevant because identity governance still fails most often at the system level, not the control list level. The article is right to stress that internal controls only work when environment, activities, communication, and monitoring reinforce each other. That is the same failure pattern identity teams see when access reviews, approvals, and logging are treated as separate tasks instead of one control system. The practitioner conclusion is simple: governance succeeds when control dependencies are designed together.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why control evidence often lags operational reality.
A question worth separating out:
Q: Who should be accountable for control monitoring in identity programmes?
A: Accountability should sit with named control owners, with independent oversight from audit, risk, or governance functions. That split matters because monitoring is not just reporting. It is the mechanism that proves controls still work, and it requires both operational ownership and challenge from outside the control owner’s line of command.
👉 Read our full editorial: COSO internal controls still matter for identity governance