COSO Principle 4 — Workforce Competence

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.

Document role-based security competence requirements: which roles need which certifications, training, or demonstrable skills. Track completion in HRIS. Run annual security training with role-based modules. Document training requirements in job descriptions.

Untrained workforce breach exposure: 3.2× higher cost vs trained workforce (PwC 2024 AI Incident Cost Study). 64% of SOC 2 audits flag CC1.4 when investigating breach root causes that trace to staff competence. Insurance renewal denial rate where training isn't documented: 22% in 2024.

• 1.What security competence is required for engineering vs ops vs finance roles?
• 2.Show training completion records for the last 12 months across all roles.
• 3.What certifications are required for elevated permissions (e.g., production access)?
• 4.Walk me through how a new hire achieves security competence before getting production credentials.
• 5.Show one example of an employee whose access was held back pending training completion.

• ⛔Training as one-time onboarding only — no annual refresh as threat landscape changes
• ⛔Training that doesn't tie to access grants (anyone can request production credentials regardless of training)
• ⛔Generic security awareness training without role-specific deep-dives (engineers need different competence than finance teams)