Date posted: 23/07/2021

The impact of Australia’s whistleblowing laws on auditors

It is vital that auditors understand their obligations when handling whistleblowing disclosures

In Brief

  • An auditor may receive a disclosure from a whistleblower in respect of a client.
  • Audit firms should have a formal process in place to deal with whistleblower disclosures.
  • There are several practical and operational considerations that need to be worked through.

On 1 July 2019, Australia’s whistleblower protection regime in the Corporations Act 2001 (Cth) was strengthened to provide greater protections for whistleblowers, requiring public companies, large proprietary companies, and corporate trustees of APRA-regulated superannuation entities to have a whistleblower policy from 1 January 2020. Provisions have also been introduced in the Taxation Administration Act 1953 to provide protections for whistleblowers in relation to tax affairs, and breaches carry serious penalties. Auditors also have a separate set of obligations under section 360 of APES 110 Code of Ethics for Professional Accountants (including Independence Standards) (the Code) to respond to instances of non-compliance with laws and regulations (NOCLAR).

For protections to be afforded to a whistleblower under the legislation, a disclosure must be made by an eligible whistleblower to an eligible recipient about a disclosable matter. This is known as a protected disclosure.

Company auditors and members of audit teams are ‘eligible recipients’. When on the receiving end of a whistleblowing disclosure, the main legal obligations are to not:

  • victimise, cause or threaten to cause detriment to a whistleblower for making their disclosure
  • disclose a whistleblower's identity or information likely to lead to their identification, unless authorised under law.

Authorised disclosures include: 

  • Suspected breaches of the Corporations Act to ASIC (e.g. under sections 311, 601HG and 990K).
  • When it is reasonably necessary to investigate the allegations made in the disclosure, for example, to prevent a serious threat to a person’s health or safety.
  • Under certain circumstances auditors may need to report NOCLAR to an appropriate authority.
  • If the whistleblower has consented to the sharing of their identity and the confidential information.
  • Obtaining legal advice about whistleblowing legislation from a lawyer.

Practical and operational considerations

Auditors are treated as individuals, not entities, meaning that if a junior member of the audit team receives a protected disclosure, they may be limited in what they can share with superiors, including the audit partner. This puts the junior auditor in a difficult situation, as it is unlikely they are best placed to receive the disclosure. Whistleblowing can give rise to a range of other practical considerations, including impacts on audit risk, client relationships and business. A clear policy and up-to-date training can minimise these risks.

Here are a few things you can try:

  • Review your clients’ whistleblowing policy to see who is listed as an eligible recipient. You may expect, out of common courtesy, that they would have consulted with you on the drafting if they refer to auditors, but this is not always the case.
    • Consider asking them to be specific about who a disclosure should be made to in the audit team. 
    • Consider encouraging them to engage their own specialist external service provider.
  • Provide staff with training on what to do if they receive a potential whistleblower disclosure. Some suggestions include:
    • Understanding the distinction between a personal or work-related grievance and a disclosable matter.
    • Asking for the whistleblower's consent to share their identifying information to escalate it within the firm.
    • Encouraging the whistleblower to make the disclosure using the arrangements your firm has established or authorised.
    • Encouraging the whistleblower to make the disclosure to another eligible recipient in a better position to take appropriate action. 

Audit firms are encouraged to make arrangements for handling whistleblower disclosures, but the legislation does not prescribe any particular approach. ASIC Regulatory Guide 270 Whistleblower policies explains the obligations for entities that must have a formal whistleblower policy, but it could also be a useful reference for audit firms wishing to establish arrangements to handle whistleblower disclosures.