How can internal audit get a seat at the table and help the organization keep pace with today’s evolving risks? Learn how John Sidwell, Senior Director of Internal Audit at Cypress Semiconductor Corporation, built an ERM program that strengthened his relationship with the audit committee, and how his internal audit department is up-scaling skill sets to meet the emerging risks of new technologies.
John Sidwell’s years in financial management as a controller were great preparation for his current role as Senior Director of Internal Audit at Cypress Semiconductor Corporation—but his true passion has always been internal audit. As the head of an internal audit department that is split between the Philippines and Cypress’s headquarters in San Jose, CA, one of John’s most celebrated accomplishments has been developing an enterprise risk management program that has empowered their audit committee and executive team to get in front of changes before they happen. Learn more about how John built a close reporting relationship with the audit committee, why the audit groups of the future must focus on emerging global risk, and how on-the-job training projects help his team cultivate the cutting-edge skill sets to keep on top of today’s technological challenges.
What drew you to a career in internal audit?
John: I went into public accounting after college, and I was intrigued when an internal audit opportunity opened at PepsiCo. That position turned out to be the most fun of my life, but I felt that I needed to get other experience. I joined Coca-Cola, and spent ten years in financial management positions, ending up as the division controller of their largest division. Although my time at Coca-Cola was a great experience, I found that as a controller I was continuously working around month-, quarter- and year-end closes—for me, always being driven by inflexible deadlines grew repetitive. Internal audit has deadlines too, of course, but you have more control over what you do, when you do it, and for how long.
I decided to move back into internal audit in the technology industry. For the past several years I’ve focused on risk management value and audit activities at technology-oriented companies like SunPower, Electronic Arts, 3COM, and Dolby Laboratories. While financial management has made me a better internal auditor, my real passion is for the internal audit world.
What is the biggest change you’ve seen in the last five years in what audit committees are looking for?
John: Over the last five years I’ve seen audit committee members becoming dramatically more engaged in internal audit and risk management. Their goal at the end of the day is to make sure that the control environment is working effectively around financial reporting, but they are also heavily focused on making sure the company is aware of risks—whether they’re strategic, financial, regulatory, or operational—before they happen. In this volatile geopolitical environment, they don’t want to be surprised with emerging risks and external risks.
It’s gotten to the point that when I present to the audit committee meetings, I have to grant two sessions: one for risk management, and one for internal audit including SOX. I tend to spend probably 80% of the allotted audit committee presentation time on risk management, due to the number of questions. I think their focus on risk-based activities, both internal and external, has been emphasized over the last five years. I actually feel like I report to my audit committee chairman rather than just on paper. We have conversations fairly regularly, and that’s a very positive difference.
How have you been able to demonstrate the value of your internal audit team to the audit committee?
John: I’ve changed the focus of the department’s mission from being mostly focused on SOX to adapt to the strategic direction that the audit committee and the board are focused on with the company. Shortly after I arrived at Cypress, we implemented an enterprise risk management program as a part of a larger transformation plan. Our ERM program has really added value and earned us a seat at the table by the CEO, CFO, and audit committee members. In the past year there were three or four risks that they were not aware of at the same level of detail that we developed. We supported the executives in developing treatment plans, which were then incorporated in the company’s annual strategic plan moving forward. I get more compliments from the audit committee members and executives on our ERM program than I do for anything else.
What do you think is the most difficult challenge facing internal auditors today?
John: The audit groups of the future must continue to widen their focus to global risk. We have a lot of information technology, big data, and new technology risks in ongoing processes, and we need to be able to help identify the real emerging risks for the company and industry. The world is changing at such a pace that not keeping up can be disastrous for a company. Audit departments need to work towards optimizing for agility in the future and creating more value-add to the bottom line. But in the shorter term, we need to find ways to automate, and leverage existing skill sets to respond to evolving digitization, artificial intelligence, RPA, and more. The competition for talented people is tremendously high.
How do you approach training your team to face new technological changes?
John: About 80% of my staff is new this year, and there are certainly challenges with up-scaling skill sets to meet the emerging risks of new technologies. It’s not easy to find and hire auditors with cutting-edge technology skills. At Cypress, I’ve hired some people with strengths in data analytics, as well as some younger hires (even college interns) with the requisite academic training. We have to increase our digital fitness to at least a conversational level. We’re also developing on-the-job training projects that will get us involved in some of the artificial intelligence programs that Cypress is already using in the marketing and sales side. Plus our finance team is working with RPAs and implementing bots in some areas. The idea is that we’ll take a project involving people who have a certain technology skill set, and work side-by-side with them to gain experience on the job.