We have let ourselves down and I take accountability
When the institutions built to safeguard trust are themselves found wanting, the reckoning that follows speaks to something deeper than any single resignation. KPMG Australia's chief executive Andrew Yates stepped down this week after the firm's repeated failures to properly investigate a whistleblower's allegations — that audit partners had accessed confidential client documents without authorisation — ultimately gave way to a third, more rigorous inquiry that confirmed the original concerns and uncovered further breaches. The episode, now drawing scrutiny from Australia's financial regulator ASIC, raises a question that extends well beyond one accounting firm: whether the structures meant to protect those who speak up, and the clients who confide, are genuinely fit for purpose.
- A whistleblower's warnings were dismissed twice — first by an internal review, then by an external legal firm — before a third investigation finally confirmed the misconduct was real and more widespread than first alleged.
- The discovery of a separate, previously unknown incident of improper client data sharing transformed what might have been a contained embarrassment into a systemic credibility crisis for one of Australia's largest professional services firms.
- KPMG's own chairman was forced to issue a three-way apology — to the whistleblower, to affected clients including Lendlease, and to the firm's broader staff — as the reputational damage spread beyond any single individual or incident.
- ASIC has opened investigations into three registered auditors connected to the complaint, but KPMG's intention to claim legal professional privilege over investigation materials threatens to slow or obstruct the regulator's work.
- With an interim CEO now in place and an ethics consultant being brought in to audit the firm's speak-up culture, KPMG is attempting to signal reform — though the question of whether this failure is firm-specific or profession-wide remains unanswered.
Andrew Yates, chief executive of KPMG Australia, resigned this week after the firm's handling of a whistleblower complaint unravelled in a sequence of institutional failures that ultimately proved impossible to contain. The original allegation — that audit partners had accessed and circulated confidential client documents without authorisation — was investigated twice, first internally and then by an external legal firm, with both reviews finding no wrongdoing. It was only when the whistleblower escalated the matter to the board that a third inquiry, conducted by law firm Allens, was commissioned.
Allens' findings were damning. Not only did the investigation confirm the original allegations had merit, it uncovered a separate incident of improper internal data sharing that had gone entirely undetected. KPMG's own assessment acknowledged that its earlier investigations had lacked rigour and fallen short of the firm's own standards. Audit partner Julian McPherson also stepped down alongside Yates.
Chairman Martin Sheppard issued an apology directed at three groups simultaneously: the whistleblower who had not been properly heard, the clients whose information had not been adequately protected, and KPMG's wider staff whose professional reputations had been caught in the fallout. The firm reported its findings to affected clients, regulators, and professional bodies, and committed to hiring an ethics consultant to examine its internal speak-up culture. Stan Stavros was appointed interim chief executive.
The consequences have since moved beyond the firm itself. ASIC confirmed to a parliamentary committee that it had opened investigations into three registered auditors connected to the complaint, following a meeting with KPMG in April. Public testimony at the inquiry included a letter from Lendlease detailing multiple instances of audit partners accessing its board papers without apparent authorisation — prompting ASIC chair Joe Longo to state plainly that the normal boundaries between auditor and client had been breached. KPMG's stated intention to claim legal professional privilege over its investigation materials may yet complicate the regulator's path forward, leaving open the larger question of whether this episode reflects one firm's failure or something more systemic within the audit profession.
Andrew Yates, the chief executive of KPMG Australia, resigned effective immediately this week after the firm bungled its response to a whistleblower who raised concerns about confidential client documents being shared inappropriately within the organization. In a brief statement, Yates acknowledged the failure: he had championed a culture where employees felt safe speaking up, yet the firm had fallen short in this case, and he was taking responsibility for that lapse.
The sequence of events that led to his departure reveals a troubling pattern of institutional neglect. A whistleblower first brought allegations to senior leadership that audit partners had accessed and circulated client documents without authorization. KPMG conducted an internal investigation, which found no wrongdoing. An external legal firm was then brought in to review the matter and reached the same conclusion. But when the whistleblower escalated complaints to the board, dissatisfied with how the matter had been handled, KPMG appointed a different external law firm—Allens—to conduct a fresh inquiry.
That third investigation proved far more rigorous than the first two. Allens uncovered not only that the original allegations had merit, but that a separate, previously unknown incident had also occurred in which client information was improperly shared internally. The firm's own assessment was damning: the initial investigations had lacked the necessary rigor and fell short of KPMG's own standards. Auditing partner Julian McPherson also stepped down from his position.
KPMG chairman Martin Sheppard issued an apology that extended in three directions at once: to the whistleblower for not being heard properly; to clients whose information had not been safeguarded with the care they deserved; and to KPMG's own staff, whose reputation had been damaged by conduct that did not reflect their work. The firm reported its findings to affected clients, regulators, and professional bodies, and announced it would hire an ethics consultant to examine its speak-up culture from the ground up. Sheppard committed to reinforcing controls around client confidentiality and pledged to assure audit clients that the breaches would not compromise the quality of their audits.
Stan Stavros was named interim chief executive while the firm searches for a permanent replacement. But the damage had already reached beyond KPMG's walls. The Australian Securities and Investments Commission, the country's financial regulator, told a parliamentary committee that it had opened investigations into three registered company auditors involved in the whistleblower complaint. ASIC deputy Sarah Court explained that the inquiries began after a meeting with KPMG on April 14 and continued after the firm provided additional case information. KPMG has indicated it intends to claim legal professional privilege over much of its investigation material, a move that may complicate ASIC's work.
Public testimony at the parliamentary inquiry included a letter from Lendlease, a major KPMG client, detailing several instances in which audit partners had accessed Lendlease board papers without apparent authorization. ASIC chair Joe Longo was direct in his assessment: there was clearly a breach of the normal boundaries that should exist between an auditor and its client. The question now hanging over the profession is whether this was an isolated failure at one firm or a symptom of deeper problems in how audit partners handle sensitive client information.
Notable Quotes
"We apologise unreservedly to the whistleblower and to clients whose information was not handled with the care and respect they expect from us" — KPMG chairman Martin Sheppard
"There is clearly a breach of what would normally occur between an auditor and its client" — ASIC chair Joe Longo
The Hearth Conversation: Another angle on the story
Why did it take a third investigation to find what the first two missed?
The first two investigators—internal staff and an external firm—concluded nothing was wrong. But they weren't looking hard enough, or they weren't looking in the right places. When the whistleblower pushed back and the board got involved, KPMG brought in fresh eyes. Allens found the breaches immediately.
What does it mean that KPMG is claiming legal privilege over the investigation materials?
It means they're trying to shield the details from ASIC by arguing the investigation was confidential legal advice. It's a legal right they have, but it also means the regulator can't see the full picture of what happened and who knew what.
Did the whistleblower get vindicated?
Yes and no. They were right about the document sharing. But it took three separate investigations and a public scandal to prove it. The apology came only after the board forced the issue.
What happens to the auditors ASIC is investigating?
That depends on what ASIC finds. If they determine the auditors breached professional standards, there could be disciplinary action, fines, or suspension of their licenses. The fact that three of the four people involved are registered auditors means ASIC has direct authority over them.
Does this affect the audits KPMG did for these clients?
KPMG says the breaches don't compromise audit quality, but that's their claim. The real question is whether clients can trust that assessment, or whether they need independent verification that their financial statements were properly audited despite the confidentiality breaches.