Company auditor obligations under the whistleblower protection provisions

This is Information Sheet 246 (INFO 246). It summarises the obligations of company auditors and members of internal or external audit teams under the whistleblower provisions. It also provides guidance for auditors, audit firms and audit teams on complying with the whistleblower provisions.

Company auditors and members of internal or external audit teams have obligations under the whistleblower protection provisions (whistleblower provisions) in Part 9.4AAA of the Corporations Act 2001 (Corporations Act). The Corporations Act provides strong protections for corporate sector whistleblowers to encourage them to come forward with their concerns.

If you are a company auditor or member of an audit team, you are an 'eligible recipient' under the Corporations Act. This means that eligible whistleblowers can make 'qualifying disclosures' to you and then access the whistleblower rights and protections. For more information on who is an 'eligible whistleblower', see Information Sheet 238 Whistleblower rights and protections (INFO 238).

You must ensure you do not breach the whistleblower provisions when handling a whistleblower disclosure. Your main legal obligations are to not:

You can be found to breach the whistleblower provisions if you are involved in another person's breach of the obligations. This may include where you are involved in a breach by the company or an officer or employee of the company you are auditing.

We encourage company auditors, audit firms, and internal audit teams to put in place arrangements for handling whistleblower disclosures. These arrangements can help ensure you, your firm or your team handle any disclosures you or they receive in line with the legislative requirements.

The whistleblower provisions also affect how you, your firm or your team, or the company you are auditing, can respond to a whistleblower's concerns. This includes investigating the allegations and addressing or reporting on the misconduct. We have provided guidance on how you can obtain consent from whistleblowers to disclose their identity as part of your investigation.

If you are unsure about your obligations under the whistleblower provisions, either generally or regarding a specific qualifying disclosure, we encourage you to seek legal advice.

How to identify qualifying disclosures

If a whistleblower's disclosure meets certain criteria, it is a 'qualifying disclosure'. It is important that you, as an eligible recipient, identify a qualifying disclosure when you receive it.

A qualifying disclosure is a disclosure of information from an eligible whistleblower who has reasonable grounds to suspect that the information concerns:

  • misconduct
  • an improper state of affairs or circumstances
  • a breach of the law, or
  • danger to the public or the financial system.

In your role as an auditor, this will mean the information must be about the company you are auditing, an officer or employee of that company, a related company, or an officer or employee of the related company.

The definition of 'misconduct' in the Corporations Act includes fraud, negligence, default, breach of trust and breach of duty. 'Improper state of affairs or circumstances' is not defined and is intentionally broad. It may not involve unlawful conduct, but may indicate a systemic issue that a relevant regulator should know about to properly perform its functions. It may also relate to unethical business behaviour and practices that may cause consumer harm.

The whistleblower's motives or personal views about the people or companies involved are irrelevant, but the whistleblower must have reasonable grounds to suspect the concerns that they report. This is an objective test. A person is not protected for a false claim. It must be an allegation they have reasonable grounds to suspect is the case.

A disclosure solely about a personal work-related grievance is not covered by the whistleblower provisions. However, a disclosure that includes a personal work-related grievance may be covered in certain circumstances.

If you are unsure whether an individual's disclosure to you is a qualifying disclosure, we encourage you to seek legal advice.

Personal work-related grievances

A disclosure from an individual solely about their personal work-related grievance is not considered a qualifying disclosure, and therefore is not covered by the whistleblower provisions.

A disclosure is solely about a personal work-related grievance if the information concerns a grievance related to the employee's employment or former employment, has implications for the employee personally, and does not also have significant implications for the employer.

Examples of grievances that may be personal work-related grievances include:

  • an interpersonal conflict between the individual and another employee
  • a decision about the engagement, transfer or promotion of the individual
  • a decision about the terms and conditions of engagement of the individual
  • a decision to suspend or terminate the engagement of the individual, or to otherwise discipline the individual.

The person may still have rights and protections under workplace or other laws, even if the whistleblower provisions do not apply to their disclosure. For example, these disclosures may be protected under the Fair Work Act 2009. You may wish to encourage the person to pursue their concerns through the company's processes for employee relations or workplace disputes.

A disclosure of a personal work-related grievance may fall under the whistleblower provisions if:

  • the person suffers, or is threatened with, detriment for making the disclosure
  • the disclosure includes information about misconduct, an improper state of affairs or circumstances, a breach of the law, or danger to the public or the financial system, in addition to the personal work-related grievance, or
  • the disclosure suggests misconduct that has significant implications for the company beyond the discloser's personal circumstances.

Maintaining the confidentiality of the whistleblower's identity

When disclosing to you as an eligible recipient, a whistleblower does not have to give you their name or contact details, and they can remain anonymous.

Even if you know the whistleblower's identity, you must maintain their confidentiality. This can mean that, once you receive a qualifying disclosure, you cannot disclose the whistleblower's identifying details to the audit partner, other members of the audit team or other eligible recipients. However, in some instances you may be authorised to disclose under the law – for example, if the whistleblower consents or if it is necessary for the investigation into the concerns (the 'investigation defence').

Unauthorised disclosure of a whistleblower's identity

The Corporations Act makes it illegal (through a criminal offence and a civil penalty) for someone to disclose the identity, or information likely to lead to the identification, of a whistleblower. The exception to this is if the disclosure is authorised under the law.

The offence and penalty only apply if you make an unauthorised disclosure of the whistleblower's identity, or information likely to lead to their identification, gained directly or indirectly from the whistleblower's qualifying disclosure. You can disclose other information from the qualifying disclosure, such as the alleged misconduct, as long as this does not also amount to an unauthorised disclosure of the whistleblower's identity or information likely to lead to their identification.

We can investigate allegations that a person has made an unauthorised disclosure of a whistleblower's identity, or information likely to lead to their identification.

Whistleblowers can also seek compensation from, and other remedies against, people involved in detrimental conduct or threatened detrimental conduct towards them for making their report. 'Detrimental conduct' includes damage to the whistleblower's reputation, which could result from a breach of their confidentiality.

Authorised disclosure of a whistleblower's identity

An 'authorised disclosure' of a whistleblower's identity, or information likely to lead to their identification, is a disclosure:

  • to ASIC, the Australian Prudential Regulation Authority or the Australian Federal Police
  • to a lawyer for advice about the whistleblower provisions, or
  • with the whistleblower's consent.

You can disclose information likely to lead to a whistleblower's identification without their consent under the investigation defence – that is, when the disclosure is part of an investigation into the concerns. This can include an investigation that you, your firm or your team lead, or an investigation by the company you are auditing to which you contribute.

You may only rely on the investigation defence if:

  • the information does not include the whistleblower's identity
  • you have taken all reasonable steps to reduce the risk that the whistleblower will be identified from the information, and
  • it is reasonably necessary for investigating the whistleblower's concerns.

Reasonable steps could include, among other things, removing the whistleblower's name, position title, team and other identifying details from their disclosure. You could also investigate the concern with the company without commenting on or attributing the source, or after masking the source.

If you are uncertain about whether you can rely on the investigation defence, you should seek advice from a legal practitioner.

As an external auditor appointed to a company, you have obligations to report certain breaches or suspected breaches to ASIC: see sections 311, 601HG and 990K of the Corporations Act. These provisions may also require you to report matters that a whistleblower has disclosed to you. Disclosing information to ASIC is an authorised disclosure under the whistleblower provisions. For further information on reporting breaches to ASIC, see Regulatory Guide 34 Auditors' obligations: Reporting to ASIC (RG 34).

Arrangements for managing whistleblower correspondence

We appreciate that you may have staff who receive, manage or draft your correspondence on your behalf. This may include staff who are responsible for or administer the technology systems your company uses to record and manage correspondence and other documents. Through their role, these staff may become aware of a qualifying disclosure addressed to you. They should be mindful of the obligations in the whistleblower provisions and how your firm or team handles qualifying disclosures. This will help ensure that your staff are able to handle the disclosure on your behalf in accordance with the legislative requirements.

Prohibition on victimising or causing detriment to a whistleblower

The Corporations Act makes it illegal (through a criminal offence and a civil penalty) for someone to cause or threaten to cause detriment to, or victimise, a person because they believe or suspect that the person has made, may have made, or could make a qualifying disclosure. You, your firm or members of your team could also be liable to pay compensation to a whistleblower if you or they are involved in conduct that causes or threatens the whistleblower with detriment for making their qualifying disclosure.

The criminal offence and civil penalty, as well as civil liability, apply even if the person has not made a qualifying disclosure. However, the reason (or part of the reason) the offender caused or threatened detriment to the person must be because they believed or suspected that the person had made, may have made or could make a qualifying disclosure.

Detriment includes actions or other conduct against a whistleblower or potential whistleblower to:

  • harass or intimidate them
  • harm or injure them, including causing them psychological harm
  • damage their property
  • damage their reputation
  • damage their business or financial position
  • cause them any other damage.

It also includes action against a whistleblower's employment arrangements, including terminating their employment.

We can investigate allegations that a person caused or threatened to cause detriment to a whistleblower. This may result in a penalty to the offender or company involved.

Arrangements for handling whistleblower disclosures

We encourage company auditors, audit firms, and internal audit teams to put arrangements in place for handling any whistleblower disclosures they receive in line with the legislative requirements.

Effective arrangements for handling disclosures from whistleblowers will help you comply with the whistleblower provisions and the auditing standards. It will also complement your obligations to the company, your statutory reporting obligations to ASIC, and your compliance with your professional responsibilities.

Accounting Professional and Ethical Standard APES 110 Code of Ethics for Professional Accountants (including independence standards) sets out your responsibilities when you encounter or become aware of non-compliance with laws and regulations. This could extend to information you receive from a whistleblower. However, some breaches and suspected breaches must be reported to ASIC: see sections 311, 601HG and 990K of the Corporations Act.

The firm's partners should take responsibility to oversee the program and periodically review its effectiveness. This may involve ensuring staff implement the program, adequately managing risks, and periodically reviewing the program's effectiveness. Managers of an internal audit team should also take responsibility for their team's program, which may align with the other governance arrangements for their team within their company.

Guidance on arrangements for handling whistleblower disclosures

The Corporations Act does not prescribe any particular approach to handling whistleblower disclosures. However, you must not:

We encourage you, your firm or your team to develop arrangements to handle whistleblower disclosures that suit your particular circumstances. The arrangements should be tailored to the nature, size, scale and complexity of your business.

Effective, tailored arrangements can help you comply with the whistleblower provisions and handle whistleblower disclosures in line with the legislative requirements. Effective arrangements for handling disclosures from whistleblowers could include documented processes to:

  • receive disclosures
  • assess the concerns and investigate them if necessary
  • raise the concerns with the company and seek redress or correction
  • limit access to materials related to disclosures using secure record-keeping or technology systems
  • communicate with the whistleblower
  • train staff in their obligations.

The arrangements could be run internally or use an external service provider – for example, to receive or investigate whistleblower disclosures. The arrangements may align with other arrangements you have in place for raising concerns you identify through your audit work with the company.

Regulatory Guide 270 Whistleblower policies (RG 270) explains the obligations for companies that must have a formal whistleblower policy that contains information on how the company will handle whistleblower disclosures. RG 270 could also be a reference for audit firms wishing to establish arrangements to handle whistleblower disclosures and address whistleblower concerns. However, only public companies, large proprietary companies and corporate trustees of registrable superannuation entities are required to have a whistleblower policy meeting the requirements set out in the law.

Guidance on dealing with disclosures made directly or personally to you

Whistleblowers can report their concerns directly to you as an eligible recipient and access the whistleblower rights and protections.

We appreciate that you, your firm or your team may prefer whistleblowers to use any arrangements you have established or authorised for whistleblower disclosures, rather than reporting to you directly or personally as an eligible recipient. We understand that this can help you, your firm or your team properly and systematically manage whistleblower disclosures and promptly address the concerns raised.

If you receive a whistleblower disclosure personally, you can encourage the whistleblower to report using the whistleblower arrangements you have established or authorised. This may be the most appropriate way to acknowledge a whistleblower's concerns.

If you refer the whistleblower's report to the firm's or team's whistleblower arrangements yourself, you might disclose the whistleblower's identity or information likely to lead to identification of them. Given the confidentiality obligation, you will need the whistleblower's consent to refer the report. This consent may be clear from the whistleblower's qualifying disclosure or from the context of how you receive it.

Addressing whistleblower disclosures

The whistleblower provisions will also affect how you, your firm or your team can investigate the concerns and request the company address, correct or disclose the misconduct or breach of the law.

As a company auditor or member of an audit team, the qualifying disclosures you receive may be about matters within your audit responsibilities or across the company's operations. Because of this, it is important that you understand the company's arrangements for dealing with risks and issues that may arise within its operations, so you can respond to the whistleblower's concerns about the company in line with your responsibilities.

Depending on the circumstances, you, your firm or your team may need to pursue the concern without commenting on or attributing the source, or after masking the source.

You must also comply with the confidentiality obligation while affording any procedural fairness to people who may be the subject of the qualifying disclosure. These issues will need to be handled carefully, according to the legal requirements and with the consent of the whistleblower.

Consent from the whistleblower to disclose their identity

If you, your firm or your team receives a qualifying disclosure, you must maintain the confidentiality of the whistleblower's identifying information – that is, you must not make an unauthorised disclosure of their identifying information. Whistleblowers can consent to their identifying details being disclosed.

You, your firm or your team may need to disclose the whistleblower's identity, or information likely to lead to their identification, so you can effectively investigate the concerns and address any misconduct, and (if relevant) ensure the quality and completeness of the audit. You should inform the whistleblower if this is the case, and discuss it with them.

A whistleblower's consent, and any limits to their consent, may be clear from their qualifying disclosure. If not, you should clarify how the whistleblower wishes their identifying information to be treated as soon as practicable after receiving their qualifying disclosure.

If the whistleblower is uncomfortable with providing consent, you could discuss with them how you, your firm or your team will treat them and their disclosure during any subsequent investigation and steps to address the misconduct. Your firm's or your team's arrangements could include that, with the whistleblower's consent, their identifying information will only be shared with staff within your firm or team or in the company:

  • involved in investigating and addressing the concerns, or
  • responsible for supporting the whistleblower and protecting them from detriment.

You may wish to set out your firm's or team's approach in the documentation for your arrangements. The guidance in this information sheet or in RG 270 may help you to articulate your approach and explain your processes to potential whistleblowers.

Clear information about your firm's or team's arrangements will make it easy for you to clarify with the whistleblower whether they consent to you disclosing their identifying details. It may also alleviate any concerns they have, because they will know what to expect from making a disclosure to you, your firm or your team, and any subsequent investigation of their concerns. They will also have the opportunity to identify any of your firm's or team's processes that might raise particular concerns for them or their allegations.

Where to find more information

Read:

Important notice

Please note that this information sheet is a summary giving you basic information about a particular topic. It does not cover the whole of the relevant law regarding that topic, and it is not a substitute for professional advice. We encourage you to seek your own professional advice to find out how the applicable laws apply to you, as it is your responsibility to determine your obligations.

You should also note that because this information sheet avoids legal language wherever possible, it might include some generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases, your particular circumstances must be taken into account when determining how the law applies to you.

Information sheets provide concise guidance on a specific process or compliance issue or an overview of detailed guidance.

This information sheet was issued on 30 June 2020.

Last updated: 30/06/2020 12:00