8 areas of focus for Audit Committees in 2026

In 2026, audit committees in Romania will need to navigate a landscape shaped by rapid technological change, growing regulatory demands and continued geopolitical uncertainty. Their role will require agility, strong oversight of emerging risks, and closer collaboration with management and auditors. As organizations confront new reporting requirements, evolving cyber threats and the expanding impact of AI, audit committees must remain forward‑looking, ensuring resilient internal controls, transparent and high‑quality disclosures, and the right talent and capabilities to sustain investor confidence. At KPMG in Romania, our close dialogue with business leaders highlights the priorities that should define the Audit Committee agenda for 2026. 

In 2026, Romanian companies, like many businesses across Europe and the wider world, continue to operate in a landscape marked by uncertainty but also significant opportunity. Geopolitical tensions persist in the region, supply chains remain vulnerable, and regulatory expectations are rising, particularly in areas such as sustainability reporting, tax transparency and digital compliance. While inflation has eased across the EU, the combination of global instability and domestic policy shifts keeps the economic outlook difficult to predict.

At the same time, organizations in Romania must navigate the accelerating adoption of AI, respond to evolving cyber threats, and prepare for new reporting requirements, most notably the implementation of the Corporate Sustainability Reporting Directive (CSRD), the expansion of electronic invoicing, and heightened scrutiny around tax disclosures. Romania’s economy continues to demonstrate resilience, creating space for companies that innovate and manage risks proactively.

Against this backdrop, Audit Committees have an increasingly critical role in overseeing financial reporting, internal controls, risk management and compliance, while also supporting management in adapting to rapid technological and regulatory change. At KPMG in Romania, our close interaction with business leaders has enabled us to identify the key priorities that we believe should shape the Audit Committee agenda for 2026.

Audit committees should maintain heightened vigilance over the impact of economic volatility, regional geopolitical tensions, supply‑chain disruptions, inflationary pressures, and regulatory-driven digital reporting (SAF‑T, RO e‑Factura, RO e‑Transport) on the company’s financial statements and internal controls. Transparent, well‑supported forward-looking judgments, particularly those related to impairment, credit losses, revenue recognition, and going concern, remain critical. Robust documentation, scenario analyses, and timely updates of estimates and controls are essential to ensure high-quality disclosures that clearly articulate the company’s risk position and resilience.

The audit committee must ensure management is proactively monitoring and preparing for a rapidly evolving regulatory landscape, including EU-wide and Romanian requirements. Beyond general corporate governance expectations, Romanian companies must navigate extensive reporting obligations such as CSRD/ESRS sustainability reporting, NIS2 cybersecurity obligations, DORA (for financial sector entities), and nationwide digital tax systems (e.g., RO e‑Factura, SAF‑T). Committees should oversee how these developments affect internal control frameworks, disclosure practices, accountability, and data integrity. Clear, concise, and impactful reporting, aligned with new Romanian and EU standards - should be encouraged.

Audit committees should clarify their oversight role in relation to the company’s use of AI technologies, cybersecurity posture, and data governance frameworks. AI adoption across financial reporting, forecasting, customer processes, and operations introduces new risks related to data quality, model transparency, explainability, and accountability. Cyber threats continue to escalate in sophistication, requiring strong resilience, incident response procedures, and business continuity planning aligned with NIS2 and EU AI Act requirements. Committees must assess whether internal controls and governance practices keep pace with technological change and whether the organization has sufficient expertise, internally or through external advisors, to challenge management effectively.

Audit committees should evaluate how the finance function is adapting to digital transformation, automation, and increasing expectations for strategic insights. Romanian finance teams face additional complexity due to mandatory electronic invoicing, SAF‑T reporting, and high data‑quality thresholds. Committees should focus on workforce capabilities, ensuring the finance team possesses a balanced mix of financial, technological, analytical, and risk‑management skills. They should also monitor how AI-enabled tools are used to streamline manual processes while preserving strong human oversight and maintaining control integrity during transitions.

Audit committees should ensure the organization is adequately preparing for CSRD‑aligned sustainability reporting and that sustainability disclosures are embedded into broader strategic and risk‑management frameworks rather than treated as a parallel exercise. Romanian reporting requirements, phased in under OMF 85/2024 and ESRS standards, demand rigorous governance, consistent data, clearly defined responsibilities, and internal controls comparable to those used for financial reporting. Committees should challenge management on readiness, data traceability, double materiality assessments, and the roadmap toward third‑party assurance.

To enhance audit value, audit committees should set clear expectations in relation to audit quality, transparency, and communication. In Romania, where statutory audit and public‑interest entity oversight are governed by ASPAAS, committees must actively assess how auditors address emerging risks such as AI use, digital tax reporting, cyber threats, and evolving sustainability obligations. Discussions should extend beyond required communications to include the auditor’s use of technology, quality‑management systems, resource allocation, and inspection outcomes. Constructive, ongoing dialogue supports stronger risk insights and enhances stakeholder confidence.

Internal audit should remain focused on the organization’s most critical risks; strategic, operational, technological (including AI and automation), cybersecurity, compliance, and sustainability, not solely on financial reporting. Given that Romanian entities subject to statutory audit must also maintain a compliant internal audit function, the committee should verify that internal audit has the appropriate mandate, independence, and expertise (including in data analytics, ESG, and cyber). The internal audit plan should be risk‑based, agile, technology‑enabled, and aligned with evolving business and regulatory expectations.

Audit committees should periodically reassess whether their composition, expertise, and time capacity are sufficient to oversee an expanded risk landscape. Romanian law requires at least one member with accounting and statutory audit expertise for public‑interest entities, but the committee must also incorporate or access skills in AI, cybersecurity, sustainability, data governance, and digital reporting. Committees should evaluate potential over‑boarding risks, ensure effective succession planning, and determine whether certain mission‑critical risks should be handled by the full board or specialized committees. A refreshed, skills‑aligned structure strengthens governance and investor confidence.