Commitment to Competence
The COSO “commitment to competence” requirement means you must define what “competent” looks like for roles that affect internal control, then prove you attract, develop, and retain people who meet those expectations. Operationalize it by setting role-based competency standards, embedding them in hiring and performance processes, and keeping auditable evidence that gaps are identified, escalated, and closed. (COSO IC-IF (2013))
Key takeaways:
- Define competency expectations for control-relevant roles and map them to objectives and control responsibilities. (COSO IC-IF (2013))
- Build repeatable HR and control-owner processes for hiring, training, evaluation, remediation, and succession. (COSO IC-IF (2013))
- Keep evidence that competency decisions happened (not just policies) and that gaps were corrected or risk-accepted with approvals. (COSO IC-IF (2013))
“Commitment to competence” is easy to agree with and easy to fail in practice because auditors and internal control testers look for proof that competence is managed as a control dependency, not treated as an HR slogan. COSO’s Principle 4 under the Control Environment expects an organization to demonstrate a commitment to attract, develop, and retain competent individuals aligned with objectives. (COSO IC-IF (2013)) That expectation lands directly on functions that own key controls and on leaders who rely on judgment calls: finance close, revenue recognition, access provisioning, change management, third-party onboarding, model risk, incident response, and internal audit.
For a CCO, GRC lead, or compliance officer, the fastest path is to convert competence into measurable, role-based requirements, then integrate those requirements into the operating cadence you already have: hiring requisitions, onboarding, training plans, certifications (where relevant), performance reviews, and documented control operation. Done well, this requirement reduces control failures caused by turnover, undertraining, and unclear accountability, and it makes your control testing more predictable because the “who” operating the control is consistently qualified. (COSO IC-IF (2013))
Regulatory text
COSO Principle 4 (Control Environment): “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.” (COSO IC-IF (2013))
Operator interpretation: you need a defensible system that (1) defines competence for roles that impact internal control and objectives, (2) puts mechanisms in place to hire and train to those expectations, (3) monitors whether people remain competent as processes and risks change, and (4) addresses gaps through training, supervision, role changes, or documented risk acceptance. The exam question is rarely “do you train people?” It is “can you show that the person operating this control was qualified at the time, and that management manages competence as a control input?” (COSO IC-IF (2013))
Plain-English requirement (what it really means)
Competence is the combination of skills, knowledge, experience, and authority needed to perform responsibilities that support objectives and internal control. COSO expects you to manage that competence deliberately across the employee lifecycle: attract (recruit/select), develop (onboard/train/coach), and retain (career paths, succession coverage, and continuity plans). (COSO IC-IF (2013))
This requirement becomes “real” when you can point to:
- A clear definition of what a competent control owner/operator looks like for each critical role.
- Evidence that the organization checks and maintains that competence over time.
- A documented response when competence is missing (temporary supervision, remediation plan, reassignment, or formal exception). (COSO IC-IF (2013))
Who it applies to
Entity scope: any organization using COSO’s Internal Control – Integrated Framework as a basis for internal control design, assessment, or reporting. (COSO IC-IF (2013))
Operational scope: prioritize roles that either:
- Design controls (control designers, process owners).
- Execute controls (control operators, reviewers/approvers).
- Evaluate controls (internal audit, compliance testing).
- Make high-impact judgments tied to objectives (accounting estimates, credit decisions, security access approvals, third-party risk acceptances). (COSO IC-IF (2013))
Third-party angle (often missed): if you outsource control activities to a third party (for example, payroll processing, SOC operations, claims processing, KYC operations), competence still matters. Your responsibility shifts to defining required competence, selecting qualified providers, and retaining evidence that the provider’s staff qualifications and oversight meet your expectations. Keep this in scope because auditors often treat outsourced control execution as “still your control environment.” (COSO IC-IF (2013))
What you actually need to do (step-by-step)
Step 1: Identify “control-relevant” roles and decisions
Create a list of roles that directly impact objectives and internal control performance. Start with your risk and control inventory and mark:
- Control owners (accountable).
- Control operators (doers).
- Control reviewers/approvers (checkers).
- Key management judgment roles tied to significant risks. (COSO IC-IF (2013))
Output: a “control-relevant roles register” tied to your control framework.
Step 2: Define competency standards per role
For each control-relevant role, document:
- Core knowledge: policies, procedures, systems, and regulatory obligations relevant to the role.
- Skills: technical ability (for example, reconciliations, log review, access administration), analytical judgment, documentation quality.
- Experience thresholds: define the level of prior experience or supervised operation required before independent control execution.
- Authority and independence constraints: who can approve, who cannot self-review, segregation expectations.
- Required training/certifications (if applicable): keep this specific to the role’s control responsibilities. (COSO IC-IF (2013))
Practical tip: write standards in observable terms (“can prepare X report and document exceptions”) instead of generic adjectives (“strong communicator”).
Step 3: Embed standards into hiring and internal movement
Operationalize “attract” by baking competence into talent processes:
- Job descriptions and requisitions reference the competency standard.
- Interview guides include control-relevant scenario questions.
- Hiring approvals include an explicit check that baseline competence is met for control responsibilities.
- Transfers/promotions into control-relevant roles trigger a competence check and onboarding plan. (COSO IC-IF (2013))
Evidence principle: auditors want to see the organization prevented an unqualified assignment, not just that training exists later.
Step 4: Build role-based onboarding and training, then track completion
Operationalize “develop” with:
- Role-based onboarding checklists linked to the competency standard.
- Mandatory training mapped to specific control procedures and systems access.
- A method to assess learning (manager sign-off, observed performance, quality review results). (COSO IC-IF (2013))
Training completion alone is weak evidence if you cannot show the person can perform the control. Add a manager attestation or a “first-cycle supervised execution” sign-off for critical controls.
Step 5: Maintain competence through monitoring, QA, and performance management
Competence degrades when systems change, rules change, or turnover increases. Add ongoing mechanisms:
- Periodic quality reviews of control execution (sample checks, evidence quality scoring).
- Performance review inputs tied to control responsibilities (timeliness, exception handling, documentation quality).
- Trigger-based refresh training after process changes, new systems, or control failures. (COSO IC-IF (2013))
Step 6: Define how you handle competence gaps (and document it)
You need a consistent playbook:
- Detect: failed QA checks, repeated errors, audit findings, missed deadlines, abnormal exception rates.
- Triage: is this training, resourcing, unclear procedure, or poor fit?
- Respond: coaching/training plan, increased supervision, remove access, reassign control operator, or pause the control with a compensating control.
- Escalate: define when gaps become a formal risk acceptance requiring leadership approval. (COSO IC-IF (2013))
This is where many programs break. They fix issues informally and leave no trace, which fails the “demonstrates” standard.
Step 7: Cover retention and continuity for critical roles
Operationalize “retain” and continuity:
- Identify single points of failure (only one person can run a key control).
- Cross-train backups and document coverage expectations.
- Maintain succession coverage for high-impact roles.
- Plan for transitions: offboarding checklists, knowledge transfer artifacts, and access removal. (COSO IC-IF (2013))
Step 8: Make it auditable with a single control narrative
Create a short narrative that ties together:
- Competency standards,
- Talent lifecycle touchpoints,
- Evidence locations,
- Governance and reporting. (COSO IC-IF (2013))
If you manage this in a GRC tool, Daydream can help centralize role-to-control mappings, training attestations, exception workflows, and evidence requests so you are not chasing screenshots and email threads during audits.
Required evidence and artifacts to retain
Keep artifacts that prove execution, not intention:
Governance
- Competence/Training Policy or Control Owner Competency Standard document aligned to objectives. (COSO IC-IF (2013))
- Role-to-control mapping (control-relevant roles register). (COSO IC-IF (2013))
Attract (hire/select)
- Job descriptions reflecting control responsibilities.
- Interview guides or hiring checklists showing competency evaluation.
- Hiring approval records (where maintained). (COSO IC-IF (2013))
Develop (train/qualify)
- Role-based onboarding checklist completion.
- Training curriculum mapped to roles and controls.
- Training completion logs and manager sign-offs.
- “First-time supervised control execution” attestations for critical controls. (COSO IC-IF (2013))
Retain (continuity)
- Cross-training plans and backup assignments.
- Succession coverage notes for critical control roles.
- Knowledge transfer documentation for departures. (COSO IC-IF (2013))
Gap management
- QA review results, control performance issues, remediation plans.
- Exceptions/risk acceptances with approvals and compensating controls. (COSO IC-IF (2013))
Common exam/audit questions and hangups
Auditors and internal control assessors typically press on these points:
- “Show me how you decide who is qualified to operate this control.” (COSO IC-IF (2013))
- “Where is the documented competency standard for this role?” (COSO IC-IF (2013))
- “Prove the operator was trained before they had access to execute the control.” (COSO IC-IF (2013))
- “What happens when the control fails due to human error; do you treat it as a competency issue?” (COSO IC-IF (2013))
- “How do you prevent turnover from breaking the control?” (COSO IC-IF (2013))
- “For outsourced processes, how do you evaluate the competence of the third party’s staff and oversight?” (COSO IC-IF (2013))
Hangups you can expect:
- No mapping between controls and people (or outdated org charts).
- Training tracked, but not tied to role expectations or control tasks.
- Competence assumed based on title, with no assessment or sign-off.
- Remediation handled informally without a documented decision trail. (COSO IC-IF (2013))
Frequent implementation mistakes (and how to avoid them)
- Writing a generic training policy and calling it done. Fix: create role-based competency standards tied to control tasks and require manager sign-off for readiness. (COSO IC-IF (2013))
- Treating competence as an annual HR activity. Fix: add trigger-based refresh training and QA checks after process/system changes and control failures. (COSO IC-IF (2013))
- No evidence that competence was checked before granting access. Fix: connect access provisioning to training/qualification gates for high-risk systems. (COSO IC-IF (2013))
- Single points of failure in control operations. Fix: cross-train backups and document coverage so you can show continuity. (COSO IC-IF (2013))
- Outsourcing without defining competence expectations. Fix: include competency requirements and oversight expectations in third-party due diligence and governance routines. (COSO IC-IF (2013))
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement. Practically, the risk shows up indirectly: weak competence management increases the chance of control breakdowns, inconsistent evidence, policy violations, and delayed remediation. That translates into adverse audit outcomes, repeated findings, and avoidable operational risk events. COSO frames Principle 4 as part of the Control Environment, so failures here tend to weaken confidence in the entire internal control system, not just one process. (COSO IC-IF (2013))
Practical execution plan (30/60/90-day)
First 30 days: establish scope and minimum viable evidence
- Build the control-relevant roles register tied to your control inventory. (COSO IC-IF (2013))
- Draft competency standards for the highest-risk roles (start with roles tied to key controls and high-impact judgments). (COSO IC-IF (2013))
- Identify where evidence currently lives (HRIS, LMS, ticketing, GRC) and where it is missing.
- Implement a stopgap: manager attestation for current control operators’ readiness where formal standards are not yet embedded. (COSO IC-IF (2013))
Days 31–60: embed into processes and close obvious gaps
- Update job descriptions and hiring/interview checklists for control-relevant roles. (COSO IC-IF (2013))
- Create role-based onboarding checklists and training maps; require completion before independent control execution for critical controls. (COSO IC-IF (2013))
- Stand up a competence gap workflow (detect → remediate → approve/accept) with documented approvals. (COSO IC-IF (2013))
- Start continuity coverage planning for single points of failure. (COSO IC-IF (2013))
Days 61–90: make it durable and audit-ready
- Add periodic QA checks on control execution quality and link results to coaching/training. (COSO IC-IF (2013))
- Formalize trigger-based refresh training after changes and after control failures. (COSO IC-IF (2013))
- Build a consolidated evidence package: standards, mappings, training records, attestations, gap logs, and continuity plans. (COSO IC-IF (2013))
- If you use Daydream, configure role-to-control mappings and automate evidence requests and attestations so you can reproduce the same package each audit cycle.
Frequently Asked Questions
Do I need formal “competency models” for every role in the company?
Focus on roles that affect objectives and internal control responsibilities, then expand based on risk. COSO’s expectation is alignment with objectives and internal control, not an HR-wide competency overhaul. (COSO IC-IF (2013))
What evidence matters most to auditors?
Role-based competency standards, proof the assigned person met them before operating key controls, and documentation of how you handled any gaps. Training logs help, but readiness sign-offs and remediation records usually carry more weight. (COSO IC-IF (2013))
How do we handle competence for outsourced activities performed by a third party?
Define competence expectations in your third-party oversight approach, then retain evidence that the provider meets them (for example, oversight reports, qualification attestations, and issue remediation). You still need a competent internal owner to oversee the relationship. (COSO IC-IF (2013))
Our teams move fast; how do we avoid slowing down onboarding with gates?
Gate only the highest-risk actions, such as independent operation of key controls or privileged access, and allow supervised execution until readiness is confirmed. Document who supervised and when the operator was cleared. (COSO IC-IF (2013))
What if we discover a control owner lacks competence today?
Document the gap, assign supervision or a compensating control, and create a remediation plan with a due date and accountable owner. If risk remains, route a formal risk acceptance for approval and retain the decision trail. (COSO IC-IF (2013))
Can internal audit “own” this requirement?
Internal audit can assess whether the system works, but management owns the control environment and the talent processes that demonstrate competence. Keep roles clear so audit independence is preserved. (COSO IC-IF (2013))
Authoritative Sources
- COSO IC-IF (2013): Committee of Sponsoring Organizations of the Treadway Commission, Internal Control – Integrated Framework (2013), Principle 4 (Control Environment).