Whistleblower Claims Expose KPMG Culture and Confidentiality Failings

Leaks, lawyers and a whistleblower: how did KPMG's failings emerge and could more have been done?

Allegations that KPMG staff leaked confidential information from Lendlease and Optus to colleagues pursuing lucrative audit mandates at Westpac, Dexus and Telstra have ignited scrutiny of the firm’s culture, controls and governance. According to evidence presented to a parliamentary inquiry, at least three partners were implicated. The claims surfaced after a whistleblower emailed the then head of audit, Julian McPherson, on 30 May 2024, warning that partners were driving “revenue growth at all costs” and flagging other workplace concerns. The episode has raised urgent questions about how the failings came to light—and whether earlier, stronger safeguards could have prevented them.

How the failings emerged

The catalyst was an internal email from a whistleblower to senior leadership, outlining conduct that allegedly breached client confidentiality and professional standards. That alert, and subsequent disclosures at a parliamentary inquiry, traced a pattern in which internal teams seeking new audit work reportedly received information drawn from other clients’ engagements. While the full timeline and scope remain a matter for investigations, the sequence—internal tip-off, leadership notification, and public examination—highlights the critical role of speak-up channels when formal controls break down or are circumvented.

In large partnerships where commercial pressures are intense, the speed and seriousness with which leaders respond to such reports can determine whether an issue is contained early or escalates into a systemic failing. Here, the whistleblower’s account, coupled with testimony that multiple partners were involved, suggests that any weaknesses were not purely isolated misjudgments but reflected broader cultural and incentive dynamics.

What the leaks involved—and why they matter

At the heart of the allegations is the misuse of confidential client information to gain an advantage in pitches for other audit engagements. This raises profound risks:

  • Client trust: Companies engage auditors with the expectation that their information remains strictly ring-fenced and used only for the agreed purpose.
  • Professional integrity: Audit firms are bound by independence and confidentiality obligations; using one client’s data to benefit another undermines those foundations.
  • Market confidence: Perceived unfair tendering and lax controls can erode confidence in the audit market’s fairness and the profession’s ethical bedrock.

Beyond reputational harm, such conduct can invite regulatory scrutiny, client relationship damage and significant internal consequences for individuals and the firm.

The culture and incentives question

The whistleblower’s phrase—“revenue growth at all costs”—captures a long-recognised tension in professional services: the pull between commercial ambition and professional duty. When revenue and win-rates dominate partner scorecards, risk awareness can dull and informal workarounds proliferate. Signals that a culture may be veering off course include excessive emphasis on sales metrics, weak challenge to high performers, and rationalisation of boundary-pushing behaviour as “normal market practice.”

Correcting this is not just about policies; it requires unambiguous tone from the top, visible consequences for breaches, and incentive structures that reward how results are achieved, not just what is achieved.

Could more have been done?

Yes. Firms can deploy a layered set of controls and cultural reinforcements to reduce the likelihood and impact of such failings:

  • Stronger information barriers: Enforce strict need-to-know access for all client files; segregate data by client, engagement and pursuit teams, with automated approvals and periodic access reviews.
  • Data loss prevention: Implement monitoring that flags and blocks transfers of client-identified content across teams, including email, chat and shared drives, with rapid escalation for attempted breaches.
  • Tender protocols with prohibitions: Codify a bright-line rule that client-confidential information may not be used in any pitch without explicit, documented client consent—and in most audit contexts, prohibit cross-use entirely.
  • Independent deal “gatekeepers”: Require compliance or risk sign-off for significant tenders, with authority to halt pursuits where conflicts, independence or confidentiality risks appear.
  • Partner accountability: Link a meaningful portion of partner remuneration and promotion to conduct, risk management and team culture; apply swift, public (internally) consequences for breaches, regardless of commercial performance.
  • Speak-up channels and anti-retaliation: Maintain multiple, confidential reporting avenues overseen by independent governance, with guaranteed protections and regular reporting to the board or risk committee.
  • Targeted training and simulations: Use scenario-based ethics training tailored to pursuits and cross-selling, reinforced by “red team” tests to probe controls and temptations where failures are most likely.
  • External oversight: Engage independent reviewers to assess culture, incentives and controls; publish high-level findings to clients and staff to rebuild trust.
  • Client notifications and remediation: Where breaches are suspected, promptly inform affected clients, outline remediation steps, and, where appropriate, withdraw from conflicted tenders.
  • Board-level risk ownership: Ensure the firm’s governance body actively monitors misconduct indicators—hotline trends, access anomalies, tender win patterns—and challenges leadership on remediation progress.

What happens next

Investigations typically focus on who accessed what, when, and why; how controls were bypassed; whether leaders acted promptly; and the breadth of any cultural contributors. Outcomes may include disciplinary actions, process overhauls, client notifications and commitments to independent assurance on reforms. Regulators and clients will expect clear timelines, transparency about findings to the extent permissible, and evidence that the fixes address root causes rather than symptoms.

Why this matters beyond one firm

Auditors occupy a position of public trust. When that trust is shaken, the implications ripple across capital markets, boards and the investing public. This episode underscores that ethical resilience is built as much on culture and incentives as on manuals and systems. The lesson is stark: without unwavering guardrails around confidentiality and independence—and leaders prepared to sacrifice short-term wins to uphold them—commercial success can come at an unacceptable cost.

Alex Sterling
https://www.businessorbital.com/
Alex Sterling is a seasoned journalist with over a decade of experience covering the dynamic world of business and finance. With a keen eye for detail and a passion for uncovering the stories behind the headlines, Alex has become a respected voice in the industry. Before joining our business blog, Alex reported for major financial news outlets, where they developed a reputation for insightful analysis and compelling storytelling. Alex's work is driven by a commitment to provide readers with the information they need to make informed decisions. Whether it's breaking down complex economic trends or highlighting emerging business opportunities, Alex's writing is accessible, informative, and always engaging.
