The Intersection of Risk and Performance Management: A Q&A With SAP’s Martin Naraschewski


Emerging digital technologies and increased regulatory pressure are key factors in the current risk landscape, and senior-level financial executives are challenged to keep pace.

FEI Daily spoke with Martin Naraschewski, Vice President and head of finance and GRC solution management at SAP, at the 2018 SAPPHIRE NOW + ASUG Annual Conference, about how companies are responding to new data regulations, such as GDPR and IFRS, and the changing role of the CFO.

FEI Daily: How do financial executives see their roles changing when it comes to compliance and risk?

Martin Naraschewski: There are a number of individual topics which are driving the interest of CFOs. One of the topics which is significantly present in terms of attention and importance is cybersecurity, or security in a broader sense. A CFO, as a steward of a company, does care in general; however, what I'm sensing is they're caring even more ‘personally,’ since more and more of these schemes are not just a break-in from the outside, but going the social engineering direction, where, by whatever means, an employee is then used to do something wrong in favor of somebody who's driving the fraud scheme from the outside.

But this employee typically is sitting where the money is being transferred. From a personal management responsibility, it's the employees of the CFOs who are at risk of being involuntarily involved in such a scheme and that's clearly one of the reasons why this has become so much of a hot topic on the CFO agenda.

Another topic is regulation. That's more on the legal, compliance side. The most recent one is in Europe, the General Data Protection Rule (GDPR). Data privacy is not only finance, you may say, this is broader. But the CFO is a steward of a lot of the data and is a steward for the company.

There are regulations from the tax side. There are all kinds of new regulations emerging around electronic reporting, the context of indirect tax, like Standard Audit Files for Tax (SAF-T) in Poland, Immediate Supply of Information on VAT (SII) in Spain, all modeled after what exists already in Brazil for many years, Nota Fiscal Eletrônica (NF-e), where the government wants to see already basically the raw data, what's happening in the business in order to be able to check whether this is then matching what is being reported for tax reporting purposes. And the expectation is that more and more countries will adopt these electronic reporting regulations. 

FEI Daily: Which of these drivers is posing the biggest challenge for not just the CFO but the finance team? 

Naraschewski: It depends on the country. GDPR is a topic in Europe but still relevant for global companies. If you do not have customers in Europe then it's not relevant. But the large companies we are dealing with typically are multinational and they have customers in Europe. 

The tax topics depend a little bit on the local regulation, if it is affected or not. 

Another topic I didn't mention and it's also pretty universal are the new IFRS standards, which have a sibling, so to say, in U.S. GAAP on the American side. And, in particular, the ones for revenue recognition and leasing, depending on the circumstances of the company, will have a significant impact on the balance sheet. The nature of what is revenue by when, in leasing costs are being shifted towards assets, so running recurrent costs shifting towards being treated as assets, which is significantly changing the structure of P&L.

Those are all topics of very significant attention and have a broader reach than the other topics.

FEI Daily: As far as GDPR, did you find that businesses were adequately prepared to implement the changes that they needed to make?

Naraschewski: Well there's a recurrent pattern that we're seeing with most of these regulations. It's taking the regulation bodies quite some time to evolve the concept. IFRS has significant disruptions in the way conceptually how it is working and then there has been a lot of discussion on how to formulate this into rules and find the right rules. 

And then of course after a long time of deliberation everybody wants to see this be live in a relatively short timeframe, but it's a stretch for the entire ecosystem: for customers, for auditors, consulting partners, the software vendors, to really find the right way to deal with this. Nobody is perfectly prepared for this.

Even some of the rules, thinking about the IFRS standards, businesses still probably need a bit more practical experience with how to apply them in the right way, how to interpret them in a particular situation that may not have been studied before. So there's a lot of interpretation work that needs to happen, which is stretching everybody in the system. 

Some customers adopted knowledge earlier, others waited a little bit more to see the dust settle, so this is a matter of how aggressive are you as a company to adopt automation technology. There are many workarounds for all of these solutions but, of course, the more complex it's getting from a compliance perspective, the more attractive it is to have an automated solution. 

FEI Daily: How has technology changed risk as it relates to the finance team and their responsibilities?

Naraschewski: First of all, it is helping to create a more 360 degree, comprehensive overview of risks. There's always a balance between protecting against risk and maximizing, optimizing performance. You need to take certain risks if you want to be entrepreneurial, but on the other hand, the risk can kill you. So you need to find the right balance. And technology is helping to really create the transparency which is needed. 

On the other hand, automation is taking all kinds of human risks out of the system, in the sense of where there are no manual transactions that need to be processed, there is less risk of human beings making mistakes, clearly. Not intentional wrongdoing - that's yet another angle - but just ‘sloppiness’ or errors. So automation is reducing risk from that perspective.

But then there's the intentional risk, on top of that. We mentioned already cybercrime events, but it could also be internal wrongdoing. There is a need for new technologies to help protect systems against all kinds of internal and external crime risk. And these technologies do exist, not only firewalls but protection mechanisms which safeguard systems. 

More and more the focus is shifting to complement the real-time monitoring mechanism, where even if you cannot prevent a breach or prevent a crime event, that you're detecting it at least fast and you still hopefully have the time to react and to make sure the size or amount of it is not getting out of control. So it's really the complement of the protection system, firewalls, in a broader sense, plus real-time monitoring systems, which alert you about things, finding patterns, finding behaviors which are unusual to at least react fast when something is amiss. 

And all here technology can help to communicate faster but also identify faster.

The digital world is really bringing performance-related information and risk-related information closer together. The new technologies help to do scenario simulation, in a much better way, and that's the direction we’re going. This coming together of risk and performance management through mechanisms like scenario simulation and forecasting, I think this will be an important element. System-generated forecasts are becoming more and more a reality.