CASE STUDY: “The 10‑Day Notice” That Woke Up a Regional CFO. How One Call to Piroi™ Romania Internal Audit Saved 16% of EBITDA
- Bogdan Nastase
- 7 days ago
- 7 min read
Updated: 6 days ago
INTRO
Thursday, 8:45 AM. Canary Wharf, London. Our fictional character Emma, Regional CFO for Central & Eastern Europe, is on her second coffee, scrolling through overnight emails. The 2025 close looks strong, and the Romanian subsidiary, a "star performer" in the group with a turnover that just crossed €10 million, seems stable.
Then a red subject line hits her inbox from the local team.
In Romania, internal audit can be legally mandatory when the entity is subject to statutory audit (Law 162/2017). And in 2026, HQ management fees face a new deductibility pressure point under Fiscal Code Art. 25¹. Emma doesn’t know it yet, but she’s about to learn how fast these two threads can merge into one crisis.
(Illustrative) STORY UNFOLDS
SPV Monitor (Internal Compliance Bot): “Priority alert: New message detected in ANAF SPV inbox.”
SPV Monitor (Internal Compliance Bot): “Subject: REQUEST FOR INFORMATION: intra‑group management/consulting services (illustrative).”
SPV Monitor (Internal Compliance Bot): “Deadline: 10 days (illustrative countdown set by internal workflow).”
SPV / ANAF Message (illustrative excerpt): “Please provide supporting documents regarding intra‑group services billed to the Romanian entity (scope, deliverables, benefit to the entity, contractual basis). Please respond within the deadline indicated in this request.”
SPV Monitor (Internal Compliance Bot): “Risk flags: (1) Management fees exposure (Fiscal Code Art. 25¹, 2026). (2) Governance exposure: verify whether internal audit is mandatory (Law 162/2017, Art. 65(7)).”
Emma (to herself): “Please tell me this is an error.”
Emma (calling): “Bogdan?”
Bogdan (Managing Partner, Piroi™ Audit Firm, Bucharest, Romania): “Emma. If you’re calling me this early in January, I’m guessing Romania just turned your coffee cold.”
Emma: “I have a red SPV alert. They want documentation for management services… and my team is panicking. Also, my local accountant keeps saying ‘internal audit is optional.’ Tell me she’s right.”
Bogdan: “Emma, breathe. First, we separate the noise from the legal triggers. Give me two numbers for 2024 and 2025: turnover and total assets. In RON.”
Emma: “2024 turnover: 51 million RON. 2025 turnover: 52 million RON. Assets: 28 million RON in 2024, 30 million RON in 2025. Employees: around 70.”
Bogdan: “Good. Now the uncomfortable truth: the thresholds changed. For 2026 work, the practical thresholds you must test in Romania are RON 50 million turnover and RON 25 million assets, and your entity exceeded both, two years in a row.”
Emma: “So… statutory audit?”
Bogdan: “Yes. Statutory audit. And Romania has a rule HQs often miss: if you have statutory audit, internal audit becomes mandatory under Law 162/2017, Art. 65(7).”
Emma: “Mandatory as in… ‘nice to have’?”
Bogdan: “Mandatory as in: ‘the law says you must organize and ensure internal audit.’ Not optional. Not a governance preference. A compliance obligation.”
Emma: “And who enforces that? ANAF?”
Bogdan: “Different lanes. Internal audit obligation is in the audit regulation lane: the oversight authority is ASPAAS. ANAF is the tax lane. But your situation is exactly where lanes collide, because tax risk loves weak governance.”
Emma: “What’s the fine for missing internal audit?”
Bogdan: “The administrative penalty range is up to RON 100,000. And here’s the part HQ should fear more: sanctions can be publicly posted by the regulator, meaning a reputational footprint that doesn’t fit nicely into a quarterly report. You don’t want your subsidiary’s name on a 'bad governance' blacklist that your global auditors scan”
Emma: “So the fine is survivable. The headline is not.”
Bogdan: “Exactly.”
Emma: “Now the tax part. My HQ charges Romania EUR 1.2 million in management fees.”
Bogdan: “Ok. What are Romania’s total expenses, ballpark?”
Emma: “About EUR 20 million.”
Bogdan: “Then the 2026 math you need to understand is this: a 1% deductibility cap logic. One percent of EUR 20 million is EUR 200,000. If your facts fall into Art. 25¹’s limitation bucket, the ‘excess’ over the cap can become non‑deductible. At 16% corporate tax, that turns into a six‑figure cash tax leak, before interest and penalties.”
Emma: “So my budget is bleeding and nobody told me?”
Bogdan: “Some teams hear ‘transfer pricing documentation’ and think it’s enough. In 2026, Romania is pushing toward proof of substance. When the question becomes ‘did HQ actually deliver this service and did Romania benefit,’ you need an evidence file, not vibes.”
Emma: “And internal audit… helps with that?”
Bogdan: “Internal audit is the most defensible way to produce the file quickly, because it is a structured, independent function that can test reality: contracts, deliverables, approvals, outcomes.”
Emma: “But how do we stop the 1% cap?”
Bogdan: “You don’t ‘stop it’ with a memo. You use the one explicit safe‑route the law gives: an APA.”
Emma: “APA… as in ‘Advance Pricing Agreement Romania’?”
Bogdan: “Yes. And in the Art. 25¹ context, the key point is simple: a valid APA can remove you from the cap’s scope for the covered transaction, subject to the APA’s terms.”
Emma: “How long does that take?”
Bogdan: “An APA is a process, not a magic word. Timing depends on complexity, completeness, and authority workload. But we can do something immediately: we build the compliance spine so you survive the short deadline and position for the APA.”
Emma: “Talk to me like I’m briefing my CEO in two minutes.”
Bogdan: “Perfect. Here’s your two‑minute HQ briefing, one sentence at a time.”
Emma: “Go.”
Bogdan: “Question one: ‘Is internal audit mandatory in Romania for us?’ Answer: ‘Yes, because we are subject to statutory audit, and Law 162/2017 Art. 65(7) ties statutory audit to internal audit.’”
Emma: “Next.”
Bogdan: “Question two: ‘What’s the consequence if we ignore it?’ Answer: ‘Penalty range plus publication exposure; reputational governance issue.’”
Emma: “Next.”
Bogdan: “Question three: ‘Why is this on my desk now?’ Answer: ‘Because ANAF is asking for support for intra‑group services, and 2026 deductibility rules punish weak substance.’”
Emma: “Next.”
Bogdan: “Question four: ‘What’s the solution?’ Answer: ‘Activate internal audit fast, build the evidence pack, gather all data, and pursue APA for certainty.’”
Emma: “Ok. Now give me the plan.”
Bogdan: “Step 1: We implement an internal audit function immediately, outsourced or co‑sourced, so you have governance structure and documents on file: Charter, plan, reporting line.”
Emma: “And you can do that without hiring?”
Bogdan: “Yes. That’s why outsourcing exists.”
Emma: “Step 2?”
Bogdan: “Step 2: A targeted internal audit mission: Benefit Test for management services. We map invoices to actual deliverables: emails, reports, logs, meeting notes, KPI impact, anything that proves reality.”
Emma: “Step 3?”
Bogdan: “Step 3: A SAF‑T / D406 health check. Not because SAF‑T ‘reports internal audit’, it doesn’t. Because if your accounting story, tax story, and intercompany story don’t reconcile, ANAF will see contradictions before you finish your first slide deck.”
Emma: “Step 4?”
Bogdan: “Step 4: APA strategy. We prepare a defensible file, decide scope, and, where legally available, we evaluate whether a roll‑back request makes sense for risk closure. No promises. Only what the law allows and what the facts support.”
Emma: “I need one thing clear: do you guarantee ANAF won’t challenge us?”
Bogdan: “No serious professional guarantees outcomes with a tax authority. What we do guarantee is this: we build a clean, consistent, evidence‑driven file that can survive scrutiny. That’s how you protect your margin and your board credibility.”
Emma: “Send me an ‘evidence pack checklist’ I can forward to my Romania GM and Group Tax.”
Bogdan: “Here it is, copy‑paste ready.”
Bogdan: “Evidence Pack, Minimum set: (1) Internal Audit Charter approved by governance. (2) Risk‑based audit plan. (3) Internal audit report(s) covering intra‑group services / internal controls. (4) Findings tracker and remediation log. (5) Contracts, SLAs, intercompany policies. (6) Deliverables library mapped to invoices. (7) Approval trail: who requested the service, who accepted it, and why.”
Emma: “And the audit regulator confusion, my team keeps mixing bodies.”
Bogdan: “Say this: ‘ASPAAS is the oversight/regulator and keeps the public register; CAFR is the professional body.’ For due diligence, you verify authorization in the official register.”
Emma: “Ok.”
Bogdan: “Now tell me the truth: do you have any formal internal audit documents right now?”
Emma: “…No.”
Bogdan: “Then we act today. I’ll send an engagement letter and a 72‑hour action schedule. You bring your Group Tax and Local Finance on a call in two hours.”
Emma: “Do it.”
Bogdan: “Done. And Emma, next time a red subject line shows up, I want it to be a dashboard you control, not a deadline you fear.”
ENDING: CASE STUDY INTERNAL AUDIT IN ROMANIA AND APA SHIELD 2026
Emma is fictional. The compliance pressures are not.
If your headquarters has a Romanian subsidiary that:
is under statutory audit (triggered by the RON 50m turnover / RON 25m assets size tests over two years),
receives intra‑group management/consulting/IT charges from HQ, and
cannot instantly produce an internal audit Charter + Plan + Evidence Pack,
…you don’t have a “Romania local issue.” You have a group governance issue that can turn into a cash tax leak and reputational exposure.
Piroi™ helps international groups:
determine whether internal audit in Romania is mandatory,
implement internal audit quickly (outsourced/co‑sourced),
build the benefit test / substance evidence file,
and support the APA path where appropriate for certainty under the 2026 rules.
Call-To-Action CTA: If you want, send us (i) 2024–2025 turnover/assets/employees, (ii) a summary of intercompany services charged to Romania, and (iii) your current governance structure. Piroi™ will respond with a one‑page “Yes/No + Evidence Pack Gap List” you can forward to HQ stakeholders.
Acronyms:
ANAF = National Agency for Fiscal Administration (= ro. Agenția Națională de Administrare Fiscală)
APA = Advance Pricing Agreement (=ro. Acord de Preț în Avans)
ASPAAS = Authority for the Public Oversight of the Statutory Audit Activity (=ro. Autoritatea pentru Supravegherea Publică a Activității de Audit Statutar)
CAFR = Chamber of Financial Auditors of Romania (=ro. Camera Auditorilor Financiari din România)
OMF = Order of the Minister of Finance
SAF‑T = Standard Audit File for Tax
SPV = ANAF Virtual Private Space (=ro. Spațiul Privat Virtual)
Official legal references used:
OMF nr. 4164/2024 (size thresholds update)
Law nr. 162/2017 (statutory audit; internal audit obligation; sanctions/publication framework)
Romanian Fiscal Code (Law 227/2015), Art. 25¹ (2026 deductibility limitation logic)
Romanian Fiscal Procedure framework (APA mechanism; roll‑back availability depends on legal conditions and case facts)
ANAF SAF‑T / D406 framework (data consistency checks & documentation expectations)
Disclaimer:
[EN] This is a fictional, illustrative case study created for HQ decision‑makers. The “10 days” timeline and the message text are not an official ANAF template and should not be treated as a reproduction of any authority communication. Legal thresholds and enforcement practices can change; always verify your specific position with your statutory auditor and counsel.
[RO] Studiul de caz de mai sus evidențiază obligația legală de audit intern la firmele auditate statutar în România și introduce conceptul de ‘APA Shield 2026’ – mecanismul prin care un Acord de Preț în Avans poate proteja profitul unei companii de limitarea de deductibilitate 1% impusă de Codul fiscal actualizat. Conducerea grupurilor ar trebui să acorde atenție acestor aspecte pentru a evita amenzi ASPAAS (până la 100.000 lei) și pierderi fiscale semnificative.
Bogdan Nastase, Managing Partner PIROI™, displayed centre of the Harvard Business School webpage