When the watchdog watches itself: lessons from the KPMG Australia scandal
The collapse of trust at KPMG Australia is not primarily a story about the misuse of client information. It is a cautionary tale of what happens when whistleblower warnings are ignored.
The whistleblower at the centre of this scandal, a former audit director at KPMG, came forward internally in May 2024, alleging that KPMG partners had used confidential board papers from clients, among them construction giant Lendlease, to win audit contracts with other companies.
KPMG ran its own review and found nothing wrong. It was only after the whistleblower approached board members, KPMG International’s chair and global counsel, the Australian Securities and Investments Commission (ASIC), and Labor senator Deborah O’Neill – who used parliamentary privilege to air the allegations – that any serious reckoning began.
After two years of trying to sweep the whistleblower’s concerns under the carpet, KPMG Australia is now reeling from the sudden exit of its chief executive, head of audit and chief operating officer, a parliamentary inquiry and formal investigation by ASIC, the loss of longstanding clients, and the prospect of being unofficially blacklisted by government.
On Friday, former and current board members, executives and partners were forced to face the music at a Senate committee hearing headed by O’Neill. During a day of bruising testimony, KPMG’s former head of audit was asked to read out a letter the whistleblower had sent to him, which described a culture of fear and retribution that put “profit above everything else”, the Financial Times reported.
Four statements by the whistleblower tabled in parliament added granular detail to an already grim picture, describing how board documents were printed, secured in a locker and used to pursue major audit tenders while “retired partners were leveraged extensively for significant commercial advantage and KPMG staff cheated on internal exams using generative AI”.
‘An organisation that cannot be trusted’
The whistleblower claimed there were “too many commercial incentives and pressures that create significant conflicts of interest”. The result was a disregard for KPMG’s own policies and pledges on transparency, accountability, integrity and whistleblower protection. “I do not say this lightly, but at a leadership and governance level, I believe KPMG, locally and globally, is presently an organisation that cannot be trusted.”
They described facing retaliation for raising concerns about breaches of ethics, integrity and audit independence, pointing to shortcomings of Australia’s legal and regulatory framework that forced whistleblowers to carry the financial and personal cost of making protected disclosures. “It is, in effect, a framework available only to those who can afford to fund their own protection.”
The whistleblower described how KPMG executives had “covertly accessed my IT environment and examined the documents and emails held there”, deployed “at least five external law firms across four jurisdictions”, circulated their identity “within and beyond the firm”, ended their employment and co-ordinated actions “with member firms across the global network”.
“If I were asked, genuinely, whether I would do this again, my answer would be no,” they concluded. “Not because the matters were not worth raising, and not because I regret raising them, but because of what I now know, and could not have known then, about what disclosing them at a firm like KPMG, in the legal and regulatory environment that exists in Australia today, actually involves.”
Friday, bloody Friday
Following that gruelling parliamentary hearing – dubbed “Friday, bloody Friday” by the Australian press – the chairman and another audit partner have decided to call it quits too. The committee said in response it viewed the announcement “as further vindication of the whistleblower who has brought these matters to light in service to the public interest, notwithstanding the professional risks and personal toll of calling out unethical and dishonest behaviour”. After initially stonewalling, KPMG has provided some of the documents the committee requested. The next public hearings take place on 4 September in Sydney and 12 November in Melbourne.
The lesson for boards and executives from this debacle is stark: failure to properly investigate internal whistleblower complaints is no longer just a governance embarrassment when exposed. It is a direct personal liability risk for those at the top of an organisation that can lead to major financial losses and long-term reputational damage.
This matters in part because of the services KPMG has built around whistleblowing. Through its FairCall platform, which was established in 1998 and now operates in over 80 countries, KPMG’s forensic professionals receive and triage disclosures on behalf of corporate and government clients, advise on responses, and in some cases conduct investigations.
When it works, it is exactly what EU Directive 2019/1937 envisages: a professionally run mechanism that gives employees confidence their concerns will be heard impartially and acted on without retaliation. But the KPMG Australia scandal has tainted FairCall too, raising questions about whether a firm that fails its own whistleblowers should be allowed to run a whistleblower hotline for other companies, including some of its own audit clients.
The case for independence
The stain could spread well beyond Australia. KPMG markets whistleblower services to external clients in European countries including the UK, Greece, Sweden and Germany – the latter a particularly consequential market given the mandatory obligations the EU Directive imposes on firms or organisations over a certain size. The reputational damage to the brand in Australia reverberates directly through these European operations. If a German company’s employees have reason to doubt whether whistleblower reports are handled with genuine independence from commercial relationships, the entire value proposition of the service is undermined.
The importance of independent advice provided to whistleblowers cannot be overstated. Any whistleblowing service that is financially beholden to the employer of the person making disclosures will rightly be viewed with suspicion – especially now.
This erosion of trust opens a gap that must be filled. There may be a significant role here for non-profits that do not face the same potential risks of profit-driven entities with potentially overlapping client relationships.
This is exactly the terrain that STAIRS – Safeguard the Truth: AI Solution for Whistleblower Reporting Support – is designed to explore.
Funded by the European Union under the Citizens, Equality, Rights and Values (CERV) programme, STAIRS is run by a consortium of independent NGOs that have joined forces to build free, open-source tools and capacity for whistleblower support, grounded in the EU Directive and independent of commercial incentives. It is an independent information point for potential whistleblowers seeking specific information about whistleblower laws in their country. Employers do not have access to logs of the helpline, and queries are deleted after a short period. In this way, whistleblowers can access the information they need to make informed choices, secure in the knowledge that the questions they ask will not be seen by their employer.
The KPMG Australia scandal makes the case with unusual clarity: whistleblowing infrastructure that is serious about serving the public interest and protecting those who report wrongdoing cannot be an adjunct to a revenue relationship. STAIRS offers a model for achieving exactly that.