A forensic investigations expert says the KPMG debacle is a masterclass in what not to do and a timely warning for every Australian people leader
The KPMG Australia whistleblower scandal has become one of the most damaging governance failures in Australian corporate history, and the fallout is far from over.
What began as an internal disclosure in May 2024, when a former audit director alleged that confidential client documents were being misused to win work from companies including Macquarie Group, Westpac, and Dexus, has since triggered a federal parliamentary inquiry, the resignation of two of the firm's most senior executives, and mounting pressure on several others still inside the firm.
Three investigations failed to substantiate the whistleblower's claims. A fourth, conducted by law firm Allens and still ongoing as at June 2026, is now challenging the conclusions of every prior review.
KPMG has publicly acknowledged that its treatment of the whistleblower and the rigour of its investigations fell short of the firm's expectations, the whistleblower's expectations, and those of the broader community.
The crisis has now taken a darker turn. KPMG's IT personnel, acting under instructions from the office of the firm's general counsel, covertly accessed the whistleblower's work laptop twice in November 2024, identifying two documents that outlined misconduct and had not yet been formally disclosed.
Those files were copied and distributed to former chief executive Andrew Yates and senior leaders within audit and human resources. While KPMG had the legal right to access a work device, doing so during an active whistleblowing standoff raises serious questions about the independence of the firm's process.
A public parliamentary hearing before the Parliamentary Joint Committee on Corporations and Financial Services (PJCCFS) is scheduled for 19 June 2026, at which up to a dozen current and former KPMG partners have been summoned to give evidence.
What went wrong
David Morgan, managing director at Veremark and a former detective constable with the Metropolitan Police Service in London, has spent 15 years handling whistleblower cases at PwC and Deloitte. In discussion with HRD, he said the KPMG case bears the hallmarks of an investigation that lost its way early.
"The first thing that jumped out to me was the investigation scope," Morgan said. "People focus on the motivation of the person – whether they are of good standing or not. And straight away, you've made an error in terms of how you're assessing that disclosure."
Morgan said the covert laptop access reflects a wider problem: when the identity of a whistleblower becomes known to those implicated, self-protection instincts take over.
"This person has come forward and is known to some of these people that have done the wrong thing. And that in itself creates a problem because they're then going to protect themselves first and foremost at the expense of the whistleblower," he said.
He draws a direct parallel with the PricewaterhouseCoopers (PwC) tax leaks scandal of 2023–2024, which resulted in the effective break-up of PwC's government advisory arm. "If you look at the PwC leakage scandal, there was significant change that happened to that business in terms of the business being broken up. There's still a long way to run with this case," Morgan said.
Public support for reform is growing
The KPMG scandal is unfolding against a backdrop of rising community expectations around whistleblower protections. A February 2025 survey of 2,009 Australians by The Australia Institute, conducted in collaboration with the Human Rights Law Centre and the Whistleblower Justice Fund, found that 86% of Australians support stronger legal protections for whistleblowers, with more than half (52%) expressing strong support.
Four in five Australians (81%) believe whistleblowers make Australia a better place, and 84% support the introduction of a dedicated Whistleblower Protection Authority.
The Australia Institute has described a Whistleblower Protection Authority as a crucial missing piece in Australia's anti-corruption laws, arguing it would provide independent oversight, practical guidance and support for disclosers, and the ability to investigate alleged detrimental action against them. Support for such an authority has risen from 79% of Australians in 2023 to 84% in 2025, according to The Australia Institute's polling.
Australia's whistleblower protections were significantly broadened under the Corporations Act 2001, as amended by the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019. The government's concurrent review of those laws is currently open for public consultation until 29 July 2026.
What HR leaders need to do differently
The KPMG case is not just a story about auditors and governance committees. Human resources sits squarely in the frame. An Australian Securities and Investments Commission (ASIC) survey of 134 Australian companies, published in December 2025 as Report 827, found that 20% did not provide a dedicated whistleblower hotline, 25% did not provide regular staff training on their whistleblower program, and 58% did not seek feedback from employees on their speak-up culture in the last year.
Morgan pointed to three fundamentals that organisations must get right.
The first is process. "You need really clear role descriptions as to who does what – who protects the whistleblower, who conducts the investigation – keeping those things separate," he said. "If somebody senior is implicated, how do you get beyond that person to ensure there isn't a risk of matters being dealt with at a level where something more senior has been implicated? Because that's not impartial."
The second is systems – specifically, safe and anonymous reporting mechanisms. "What you need with a system set up is a system that can collect good quality information to help progress the complaint effectively, but at the same time have a mechanism to make sure that person's safe."
The third is capability. "Do the people handling the whistleblower, conducting the investigation, and assessing the information – do they have the capability and the independence to act upon that information effectively? If you don't have those three things working together, you're going to get more problems like the KPMG case," Morgan explained.
For people and culture leaders specifically, Morgan noted their role depends heavily on organisation size. In smaller and mid-sized firms, the chief people officer or head of HR may own the program outright. In larger organisations, it typically sits within a compliance function. Either way, HR cannot afford to be passive.
"If you're seen disciplining a whistleblower, that can obviously count against you as an independent person in that process," he said – a dynamic he believes played out at KPMG.
Ultimately, Morgan argued the value of a well-run whistleblower program extends far beyond risk mitigation. "If organisations spend the time and investment in this programme, it can provide a lot of value to businesses – not just in identifying poor behaviour, but in identifying opportunities for broader organisational improvement," he said.
"If companies and executives look at this as an opportunity for improvement and look at this in a positive light, they'll get a lot more out of both the whistleblower and this mechanism."
The regulatory floor is rising in Australia. Organisations that treat their speak-up frameworks as a compliance checkbox, rather than a genuine governance mechanism, are the ones most likely to end up in the headlines.
