TL;DR: COSO remains the standard reference point for internal controls, but Pathlock's article shows why governance still fails when organisations treat controls as static rather than as something continuously tested, updated, and embedded across reporting, compliance, and operations. The lesson is that control design without monitoring discipline and clear accountability leaves material fraud and reporting risk unresolved.
NHIMG editorial — based on content published by Pathlock: COSO Framework for Internal Controls
Questions worth separating out
Q: How should security teams apply COSO principles to identity governance?
A: Treat identity governance as a control system with ownership, monitoring, and independent review, not as an access administration queue.
Q: What breaks when the same team can approve and certify access?
A: Control independence breaks: the person who granted the access is also the person attesting that it is appropriate, so the certification no longer provides an independent check on the approval.
Q: How do you know if identity monitoring is actually working?
A: Monitoring is working when exceptions surface quickly, owners are assigned, and deficiencies are corrected before the next review cycle.
Practitioner guidance
- Map identity controls to COSO objectives: separate access governance into operations, reporting, and compliance outcomes so you can see which control failures affect service continuity, audit evidence, or regulatory exposure.
- Enforce segregation of duties in access workflows: prevent the same role from approving, provisioning, and certifying sensitive access without independent review, especially for privileged and exception-based access.
- Move monitoring ahead of periodic review: use ongoing exception detection for stale access, failed recertifications, and unowned entitlements so deficiencies are visible before the next access review cycle.
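The three guidance points above can be turned into a single continuous check run over the entitlement inventory. The script below is an added example written for this post, not code from Pathlock or from any identity product: it assumes a flat inventory of entitlement records (the `Entitlement` fields, the idle threshold, the objective mapping, and the `iam-governance` escalation owner are all assumptions), flags stale access, unowned entitlements, overdue recertifications, and segregation-of-duties conflicts, and tags each finding with the COSO objective it most directly threatens and the owner who must remediate it. All records are constructed sample data.

```python
"""Continuous exception detection over an access-entitlement inventory.

Added example (not Pathlock's code). Each finding carries the COSO objective
it affects first and the owner accountable for remediation, so deficiencies
are visible and assigned before the next access review cycle.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Entitlement:
    user: str
    entitlement: str
    owner: Optional[str]         # accountable control owner; None = unassigned
    last_used: Optional[date]    # None = never used since grant
    granted: date
    approved_by: str             # who approved the grant
    certified_by: Optional[str]  # who certified it; None = recertification not done
    recert_due: date
    sensitive: bool = False


@dataclass
class Finding:
    kind: str          # stale_access | unowned | failed_recert | sod_conflict
    objective: str     # COSO objective most directly affected (assumed mapping)
    record: Entitlement
    assigned_to: str   # who must remediate


# Assumed mapping of exception type to the COSO objective it threatens first.
OBJECTIVE = {
    "stale_access": "operations",   # dormant access widens the blast radius
    "unowned": "reporting",         # nobody can attest to it as audit evidence
    "failed_recert": "compliance",  # the review the regulator expects did not happen
    "sod_conflict": "compliance",   # approval and certification are not independent
}

# Fallback owner when a record has none (assumed escalation queue).
DEFAULT_ESCALATION = "iam-governance"


def detect_exceptions(inventory, today, max_idle_days=90):
    """Return one Finding per deficiency; a record may produce several."""
    findings = []
    for rec in inventory:
        owner = rec.owner or DEFAULT_ESCALATION
        if rec.owner is None:
            findings.append(Finding("unowned", OBJECTIVE["unowned"], rec, owner))
        # Stale: no use within the idle window (never-used grants age from grant date).
        last_activity = rec.last_used or rec.granted
        if (today - last_activity).days > max_idle_days:
            findings.append(Finding("stale_access", OBJECTIVE["stale_access"], rec, owner))
        # Failed recertification: due date passed without a certifier on record.
        if rec.certified_by is None and rec.recert_due < today:
            findings.append(Finding("failed_recert", OBJECTIVE["failed_recert"], rec, owner))
        # Segregation of duties: approver must not certify their own approval,
        # and nobody may approve or certify access to themselves.
        self_dealing = rec.user in {rec.approved_by, rec.certified_by}
        same_party = rec.certified_by is not None and rec.approved_by == rec.certified_by
        if self_dealing or same_party:
            findings.append(Finding("sod_conflict", OBJECTIVE["sod_conflict"], rec, owner))
    return findings


def summarize(findings):
    """Counts by exception kind and by affected COSO objective."""
    by_kind, by_objective = {}, {}
    for f in findings:
        by_kind[f.kind] = by_kind.get(f.kind, 0) + 1
        by_objective[f.objective] = by_objective.get(f.objective, 0) + 1
    return {"by_kind": by_kind, "by_objective": by_objective}


# Constructed sample inventory: one clean record and one of each deficiency.
TODAY = date(2025, 3, 1)
SAMPLE_INVENTORY = [
    Entitlement("alice", "erp-payments-admin", "finance-apps", date(2024, 10, 1),
                date(2024, 1, 15), "bob", "carol", date(2025, 6, 1), True),
    Entitlement("bob", "hr-reporting-read", None, date(2025, 2, 20),
                date(2024, 5, 1), "carol", "dave", date(2025, 6, 1)),
    Entitlement("carol", "prod-db-dba", "platform", date(2025, 2, 28),
                date(2024, 7, 1), "dave", None, date(2025, 1, 31), True),
    Entitlement("dave", "vendor-master-edit", "procurement", date(2025, 2, 25),
                date(2024, 11, 1), "erin", "erin", date(2025, 9, 1), True),
    Entitlement("erin", "sso-admin", "identity", date(2025, 2, 27),
                date(2024, 9, 1), "erin", "frank", date(2025, 8, 1), True),
    Entitlement("frank", "wiki-read", "it-ops", date(2025, 2, 26),
                date(2024, 2, 1), "alice", "bob", date(2025, 7, 1)),
]


def run_sample():
    """Run detection over the constructed inventory (used by the demo below)."""
    return detect_exceptions(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:<14} {f.objective:<11} {f.record.user}:{f.record.entitlement} -> {f.assigned_to}")
    print(summarize(run_sample()))
```

Run on its own the script lists five findings (one stale grant, one unowned entitlement, one overdue recertification, and two segregation-of-duties conflicts) and the objective totals, which is the view a control owner needs: not "how many accounts exist" but "which deficiencies are open, who owns them, and which of operations, reporting or compliance they put at risk". Scheduling this daily, rather than once per review cycle, is what moves monitoring ahead of periodic review.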
What's in the full article
Pathlock's full article covers the control-model detail this post intentionally leaves for the source:
- Detailed explanation of the five COSO components and how each maps to control design
- Expanded walkthrough of the COSO cube across organisation, business unit, and function levels
- Examples of COSO extensions into sustainability reporting, healthcare, blockchain, and automation
- The article's own FAQ section on implementation steps, fraud prevention, and SOX alignment
👉 Read Pathlock's COSO framework analysis for internal controls and governance →
COSO internal controls: where governance breaks when risks shift?