Whistleblowers - company auditors' obligations

This page is currently under review following the commencement of the new corporate sector whistleblower protection regime on 1 July 2019.

See also INFO 238 Whistleblower rights and protections and INFO 239 How ASIC handles whistleblower reports.

Company auditors and members of external audit teams have legal obligations under the Corporations Act 2001 (Corporations Act) if they receive a revelation from a whistleblower. Unless audit staff handle the revelation correctly they may inadvertently breach the Act if they tell the audit partner. But if the revelation is not shared with the audit partner then the quality of the audit may be in jeopardy.

Before looking more closely at how you can prepare your auditors and audit team members for a whistleblower’s revelation, it is useful to look at the benefits of protecting whistleblowers.

Corporate cultures of silence, which allow wrongdoing to go undetected, are seen as contributing to the recent round of local and international corporate failures. A regime protecting whistleblowers is seen as part of the answer because it encourages reporting of contraventions by employees.

International whistleblower protection

Whistleblower legislation is becoming increasingly common. It has traditionally been more common in the public sector than the private sector. But in the late 1990s it started to become part of the international regulatory response to corporate fraud, particularly covering up such fraud in the financial reports.

In the USA the Sarbanes-Oxley Act gives whistleblower protection for corporate employees and mandates companies establish procedures to permit anonymous reporting by employees. It places the obligation to establish these on the audit committee.

In the United Kingdom, the Combined Code of Corporate Governance establishes whistleblower protections and recommends audit committees have whistleblower arrangements for financial reporting irregularities.

Australian whistleblower protection

Whistleblower legislation is in place in some States although it has historically been more focused on the public sector than on the private sector.

The Australian government first signalled its intention to legislate in this area in 2002, in its discussion paper Corporate Disclosure: Strengthening the financial reporting framework.

The Australian Stock Exchange’s Corporate Governance Council issued Principles of Good Corporate Governance and Best Practice Recommendations in 2003. It recommends companies establish a code of conduct for directors and senior executives. The recommendations include fostering and encouraging whistleblower behaviour by staff.

Report into the National Australia Bank

The need for good corporate governance policy to foster upward reporting in an environment free from recriminations and victimisation is essential if senior management and the board are to adequately manage risk and cultural issues within their company. This need was starkly highlighted in the Australian Prudential Regulation Authority’s (APRA) report into currency option trading at the National Australia Bank (NAB), which the bank disclosed to the market in March 2004. The report said:

    NAB’s highly regimented culture acted to impede transparency and mollify the message when it involved acknowledging concerns or difficulties at operational level. (page 72 of the report)

The report identified the close management of information flows as a significant factor that discourages the escalation of issues of concern to the board or to relevant external parties.

The existence or otherwise of the types of policies identified in the NAB report will be a significant factor for you as an auditor when you are evaluating the reliability of a company’s internal controls.

Protection of whistleblowers in Australia

A person is protected as a whistleblower if they are:

  • an officer or
  • an employee of a company or
  • a contractor or their employee who has a contract to supply goods or services to the company.

The Corporations Act restricts any retaliation against a whistleblower and gives them a civil right, including seeking reinstatement of employment. Protection is extensive. It:

  • provides qualified privilege against defamation and
  • precludes contractual or other remedies being enforced including civil and criminal liability for making the disclosure. This means that secrecy provisions in any employment contracts and the like will not preclude whistleblowing.

To qualify for protection a whistleblower’s revelation must be made to any of the following:

  • ASIC
  • the company's auditor
  • a member of an auditing team appointed to conduct an audit of the company
  • a director, secretary or senior manager of the company
  • another person authorised by the company to receive revelations of this kind.

To trigger the provisions of the Corporations Act the whistleblower must:

  • give their name before making the disclosure and
  • have reasonable grounds to suspect that their revelation indicates the company or an officer or employee has, or may have, contravened the Corporations legislation (which includes both the Corporations Act and the ASIC Act) and
  • act in good faith.

The commentary on the exposure draft bill said of this requirement: ‘This is considered appropriate given the need to discourage malicious or unfounded disclosures being made to ASIC. Where a person has a malicious or secondary purpose in making a disclosure, it is considered that the good faith requirement would not be met.’

The protection only covers whistleblowers reporting breaches of the Corporations Act and the ASIC Act (protected disclosure). However, in many cases contraventions of other legislation will involve secondary offences under these Acts because books or records have been falsified or misleading information given to the market or the auditor in an attempt to cover the primary offence.

Handling revelations from a whistleblower

Under the Corporations Act you can only pass on the revelation and the identity of the whistleblower (or information that may lead to the identity of the whistleblower) under the following circumstances:

  • You can pass it on to ASIC, APRA or the Australian Federal Police without asking for the whistleblower's permission.
  • You can only pass it on to another person if the whistleblower has given their consent. This means that as a member of an audit team you cannot pass on the revelation to an audit partner unless the whistleblower has consented to you doing this.


Procedures for auditors and their staff

Good practice would suggest the need for you to set up proper internal processes for handling revelations from whistleblowers. This would include training all staff and also periodically checking on the effectiveness of your processes. The Corporations Act does not prescribe any particular procedures.

Ideally your training should focus on the importance of obtaining the whistleblower's consent to pass on the information. This ensures that an audit team member can pass on a revelation to an audit partner without inadvertently breaching the Corporations Act.

Of course, your obligations as an auditor under section 311 to report significant breaches of the Corporations Act will mandate reporting to ASIC of a subclass of the type of protected disclosures.

Further information

The whistleblower provisions of the Corporations Act are in Part 9.4AAA, which commenced on 1 July 2004.

Standards Australia has an Australian Standard (AS 8004-2003) on whistleblowers that will assist implementation of appropriate procedures in companies and other organisations.


Last updated: 20/10/2014 12:00