Competency Policies and Practices

The COSO “Competency Policies and Practices” requirement means you must define what “competent” looks like for roles that design, operate, or test internal controls, then run repeatable practices to confirm people meet those expectations and gaps get fixed. Put role-based competency standards into policy, tie them to hiring/training/performance, and retain evidence that the right people were assigned to control-critical work. (COSO IC-IF (2013))

Key takeaways:

  • Define role-based competency requirements for internal-control responsibilities, not generic HR skills. (COSO IC-IF (2013))
  • Implement recurring practices to assess competency, remediate gaps, and document decisions. (COSO IC-IF (2013))
  • Examiners look for evidence that competency expectations connect to control ownership, change management, and issue remediation. (COSO IC-IF (2013))

“Competency policies and practices” fails in a predictable way: the organization has an HR training catalog and job descriptions, but nothing that proves control owners, reviewers, and testers are qualified for the control work they perform. COSO’s intent is operational. Policies should state the competence expectations needed to achieve objectives, and practices should show you actually verify those expectations are met in day-to-day execution. (COSO IC-IF (2013))

For a CCO or GRC lead, treat this as a requirement to harden the “people layer” of internal control. You are building an auditable link from (1) objectives and risks, to (2) key controls and who owns them, to (3) the competency required to run those controls correctly, to (4) proof that people assigned to the work have the knowledge and skills, and to (5) corrective actions when they do not. (COSO IC-IF (2013))

This page gives you requirement-level guidance you can implement quickly: who must be in scope, what to write into policy, what operating routines to run, what evidence to keep, and what auditors typically challenge.

Regulatory text

COSO Principle 4 – Point of Focus: “Policies and practices reflect expectations of competence necessary to support the achievement of objectives.” (COSO IC-IF (2013))

Operator interpretation: You need (a) documented expectations of competence for roles that support internal control and objective achievement, and (b) implemented practices that evaluate whether individuals meet those expectations, including remediation when they do not. This is not satisfied by a general “training policy” alone; the expectation must connect to the work that affects control performance. (COSO IC-IF (2013))

Plain-English interpretation (what the requirement really demands)

A practical reading is: control work must be assigned to qualified people, and you must be able to prove it. Competence includes the knowledge to understand the objective and risk, the skill to execute the control as designed, and the judgment to escalate exceptions or control failures. (COSO IC-IF (2013))

This requirement is also about consistency. You cannot rely on informal tribal knowledge (“Jane knows how to do it”). Competency expectations must survive turnover, reorgs, and growth because they are embedded in policies and reinforced through standard practices like onboarding, training, performance management, and periodic reassessment. (COSO IC-IF (2013))

Who it applies to (entity and operational context)

Entity scope: Any organization using COSO’s Internal Control – Integrated Framework, including teams responsible for internal control oversight and internal auditors evaluating internal control. (COSO IC-IF (2013))

Operational scope (who must be covered):

  • Control owners/operators for key controls (financial, compliance, operational, technology).
  • Control reviewers/approvers (supervisory review, reconciliation approval, access review approvers).
  • Control designers (process owners, control design SMEs).
  • Control testers/assurers (internal audit, compliance testing, QA teams).
  • Supporting roles with control impact (IT admins for access provisioning, security engineering for logging, HR for background screening controls, procurement for third-party onboarding controls). (COSO IC-IF (2013))

Third-party angle (often missed): If third parties perform control activities or operate systems that host your controls, you still need competency expectations for (a) your internal roles managing them and (b) the third-party personnel requirements you contract for (for example, qualified staff for SOC operations or payroll processing). Keep the focus on objective achievement and internal control responsibility. (COSO IC-IF (2013))

What you actually need to do (step-by-step)

Step 1: Identify “control-critical” roles and decisions

Build a short list of roles where incompetence can cause a control failure. Use:

  • Your control inventory (key controls first).
  • Recent audit findings and recurring issues.
  • Processes with high judgment, high change velocity, or complex systems. (COSO IC-IF (2013))

Output: “Control-critical role register” mapping roles to the controls they operate, review, design, or test.

Step 2: Define competency requirements per role (not per person)

For each control-critical role, define competencies in a way that is testable and reviewable:

  • Domain knowledge: what regulations, policies, and process rules the role must know.
  • Control knowledge: what the control is, the failure modes, required evidence, and escalation triggers.
  • System competence: tools/systems used to execute or evidence the control.
  • Judgment and escalation: what requires supervisory approval, incident response, or issue management.
  • Minimum qualification signals: training completion, certification (if you require it), demonstrated experience, or manager sign-off criteria. (COSO IC-IF (2013))

Keep it operational: “Can accurately perform quarterly access recertification in System X and document approvals per policy” is stronger than “understands access management.”

Output: A role-based competency matrix linked to control responsibilities.

Step 3: Put expectations into policy and related standards

Create or update a Competency Policy for Internal Control Responsibilities that includes:

  • Scope of roles and activities covered.
  • Requirement for role-based competency definitions and ownership.
  • Minimum onboarding and periodic assessment expectations.
  • Remediation expectations (training, supervision, reassignment, or process change).
  • Documentation and retention requirements. (COSO IC-IF (2013))

Then align related documents:

  • Job descriptions and requisitions for control-critical roles.
  • Training standards for high-risk processes.
  • Access provisioning standards (competence to grant/approve access).
  • Change management standards (competence for approvers and implementers). (COSO IC-IF (2013))

Step 4: Implement competency assessment practices

Pick assessment methods that match the risk and the role. Common options:

  • Manager attestation against a defined checklist tied to controls.
  • Work-sample review (review a reconciliation, access review, or exception handling record for correctness).
  • Training with validation (quiz, scenario review, or supervised execution).
  • Peer review or second-line quality checks for complex controls.
  • Internal audit/compliance testing feedback loops that feed training needs. (COSO IC-IF (2013))

Rule to enforce: no one becomes the accountable control owner until competency is evidenced.

Step 5: Close gaps with tracked remediation

When a gap appears (new hire, process change, audit finding, performance issue):

  • Assign an owner and due date.
  • Define remediation type (training, supervised run, revised procedure, re-design of control).
  • Track completion and confirm effectiveness (re-test the control output). (COSO IC-IF (2013))

Step 6: Operationalize with governance and reporting

Add competency to existing governance:

  • Control owner assignment workflow includes competency check.
  • Audit issues include “root cause: competency” tagging where relevant.
  • Periodic reporting to risk/compliance committees on material gaps and remediation status. (COSO IC-IF (2013))

How Daydream fits naturally: If you manage controls and third parties in Daydream, store the role-to-control mapping, attach competency attestations and training evidence to each control owner, and route reassessments when controls, systems, or third parties change. That turns “we think they’re qualified” into inspectable evidence tied to each control.

Required evidence and artifacts to retain

Auditors and internal audit typically want to see a clean chain from expectations to execution. Retain:

  • Competency policy (approved, versioned).
  • Role-based competency matrix linked to internal control responsibilities. (COSO IC-IF (2013))
  • Control ownership roster showing named owners/reviewers/testers per key control.
  • Hiring/onboarding artifacts for control-critical roles (job descriptions, required training assignments).
  • Training completion records tied to required competencies (course roster, completion evidence).
  • Competency assessment records (manager sign-off, work-sample review notes, test results).
  • Remediation tickets/plans and closure evidence.
  • Change triggers showing reassessment after major process/system changes (meeting minutes, change approvals, reassessment task). (COSO IC-IF (2013))

Common exam/audit questions and hangups

Expect variants of:

  • “Show me how you determine competency requirements for control owners.” (COSO IC-IF (2013))
  • “Pick a key control. Prove the person performing it is qualified and trained.” (COSO IC-IF (2013))
  • “How do you reassess competency after a system implementation or process change?” (COSO IC-IF (2013))
  • “How do you handle competency gaps? Is reassignment allowed and documented?” (COSO IC-IF (2013))
  • “Does internal audit have competency requirements for the controls they test?” (COSO IC-IF (2013))

Hangup: teams show training completion but cannot show that training maps to specific control responsibilities, or that performance was validated.

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: Treating competency as generic HR training.
    Fix: build the role-to-control mapping first, then define competencies from the control requirements. (COSO IC-IF (2013))

  2. Mistake: No reassessment triggers.
    Fix: define triggers like process redesigns, system migrations, control changes, or recurring errors that force a competency re-check. (COSO IC-IF (2013))

  3. Mistake: Overbuilding a “skills framework” nobody can maintain.
    Fix: start with control-critical roles and key controls; expand only when evidence shows gaps elsewhere. (COSO IC-IF (2013))

  4. Mistake: Competency defined, but exceptions handled informally.
    Fix: require documented risk acceptance or temporary supervision plans when staffing constraints exist.

  5. Mistake: Third parties performing control work are ignored.
    Fix: include contract clauses for qualified personnel where third parties run control-relevant processes; document your oversight role competency too.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so you should treat this as a control-effectiveness risk rather than a “name-and-shame” citation risk. The practical impact shows up as repeat audit findings, control failures, poor issue remediation, and weak evidence that control performance is sustainable through turnover. COSO frames competence as a condition for achieving objectives through internal control, so deficiencies here can cascade into broader control environment findings. (COSO IC-IF (2013))

Practical 30/60/90-day execution plan

First 30 days (stabilize and define)

  • Name an executive owner (often Compliance, Internal Audit, or Operational Risk) and an operational owner (GRC lead).
  • Inventory key controls and assign named control owners/reviewers/testers.
  • Draft the role-to-control mapping for control-critical roles.
  • Draft the competency policy outline and a first-pass competency matrix. (COSO IC-IF (2013))

Days 31–60 (implement practices and evidence capture)

  • Finalize and approve the competency policy.
  • Implement assessment method per role (manager attestation, work-sample review, training validation).
  • Establish documentation storage and retention rules.
  • Run a pilot on a small set of high-risk controls; remediate gaps found. (COSO IC-IF (2013))

Days 61–90 (scale and embed into governance)

  • Expand to remaining key controls and control-critical roles.
  • Add reassessment triggers into change management and control change workflows.
  • Create a recurring reporting cadence for open competency gaps and remediation.
  • Prepare an audit-ready package: policy, matrix, sample evidence for selected controls, and remediation examples. (COSO IC-IF (2013))

Frequently Asked Questions

Do we need a standalone “competency policy,” or can it be part of another policy?

Either works if it clearly states competency expectations for internal control responsibilities and the practices used to verify them. Auditors care more about traceability from controls to role requirements to evidence. (COSO IC-IF (2013))

What counts as “evidence” of competency besides training records?

Manager attestations against a defined checklist, work-sample reviews, supervised control runs, and documented performance reviews tied to control execution all work. Keep the evidence tied to the specific control responsibility. (COSO IC-IF (2013))

How do we handle situations where a person is capable but doesn’t meet a stated qualification (for example, certification)?

Document an exception process with compensating controls such as supervision, peer review, or restricted scope, plus a remediation plan. The key is that the risk decision is explicit and retained. (COSO IC-IF (2013))

Do internal auditors need competency definitions too?

Yes, if they test internal control, their role supports the achievement of objectives through internal control. Define competency expectations for audit/testing methods, relevant domains, and tools used. (COSO IC-IF (2013))

How should we treat third parties who perform control activities?

Translate competency expectations into contracting and oversight: require qualified personnel for control-relevant services and document that your internal owners overseeing the third party are competent for that oversight. (COSO IC-IF (2013))

What’s the quickest way to pass an audit challenge on this topic?

Pick a small set of key controls and build perfect traceability: role requirements, named owner, completed assessment, and remediation tickets for any gaps. Then expand coverage. (COSO IC-IF (2013))
