KPMG Employees Guide to Whistleblower Protections and Reporting Channels

Raising a concern at a Big Four firm takes nerve. Knowing exactly what happens after you do, and what protections actually attach to your report, takes information that is not always easy to find in a long policy document. KPMG's whistleblower framework, as set out in its 2025 public policy document from KPMG Australia, offers a broad definition of who qualifies for protection, five named internal reporting channels, and a stated commitment to shielding reporters from retaliation. But embedded in those provisions is a detail that matters enormously in practice: choosing the most obvious internal routes means your name goes on the report.

Who counts as a whistleblower

KPMG's policy casts a deliberately wide net. According to the firm's policy document, "a whistleblower is defined as anyone who makes a report under this policy." That definition, grounded in the Whistleblower Laws the policy references, extends well beyond current staff to cover current and former officers, partners, clients, employees, contractors and suppliers (including employees of suppliers), and associates of KPMG, as well as relatives, spouses and dependants of those individuals.

The policy goes further still. It states that KPMG may decide to treat and protect any person as a whistleblower even if their report does not fall within the scope of the Whistleblower Laws. That discretionary protection is worth noting, though the policy excerpt contains a truncated clause, "In those circumstances the protections do not apply by [...]," where the document cuts off, leaving the precise limits of that discretionary protection unclear from the available text. Anyone considering this route should obtain and read the complete policy before assuming full coverage applies.

The five internal reporting channels

KPMG's policy identifies a menu of different channels through which a concern can be reported internally. These are:

• the relevant Engagement Partner
• the Ethics and Independence Partner (for matters relating to ethics or independence)
• the Chief Risk Officer
• the General Counsel or Deputy General Counsel
• People & Inclusion (P&I) for work-related grievances

The structure here reflects how KPMG organizes accountability. Ethics and independence questions flow to a dedicated partner with that specific mandate. Grievances tied to workplace conduct or employment conditions route through P&I. Concerns broad enough to implicate firm-wide risk or legal exposure point toward the Chief Risk Officer or General Counsel. The Engagement Partner sits at the top of the list, likely as the first point of contact for audit or engagement-specific concerns, though the policy does not prescribe a hierarchy among these options. The firm's own language encourages reporters to "speak up and raise their concern via the channel through which they feel most comfortable."

The attribution question: your name is on the report

This is the provision that demands careful attention before you pick up the phone or send an email to any of those five contacts. KPMG's policy states plainly: "In choosing to report through one of the above channels, you will have been deemed to have consented to attributed reporting, which includes disclosure of your name."

That is not buried fine print; it is an explicit policy design choice. Selecting any of the internal channels listed above means your identity is disclosed as part of the report. There is no opt-out described in the available policy text, and no mention of an anonymous internal reporting alternative. For employees weighing whether to report and to whom, this consent-by-conduct mechanism is probably the most consequential sentence in the document.

The practical implication is direct: if confidentiality or anonymity matters to you given the nature of your concern, the identity of the people involved, or your own vulnerability to retaliation, you should not assume that reporting internally to an Engagement Partner or through P&I keeps your name protected. It does not.

The Eligible Recipient distinction and what it means

Alongside the attribution issue sits a technical but legally significant point about who holds formal status under the Whistleblower Laws. KPMG's policy states: "Other than in circumstances where any of the above-named individuals are expressly defined as Eligible Recipient under the Whistleblower Laws, the above individuals are not designated by KPMG and its associated entities as Eligible Recipients under the Whistleblower Laws."

In plain terms: the five internal contacts listed in the policy are not, as a general matter, the legally designated recipients whose receipt of a disclosure triggers the full suite of statutory whistleblower protections under the relevant law. The Whistleblower Laws referenced in the policy, while not named by statute in the available excerpt, are almost certainly the Australian federal framework given that the document is branded as a 2025 publication of KPMG Australia. Under Australian law, disclosures to an "Eligible Recipient" are necessary to qualify for legal protections. If the person you report to is not an Eligible Recipient in the legal sense, your report may not carry the same statutory protections even if KPMG's internal policy aims to treat you well.

This does not mean internal reporting is without value. The policy explicitly commits to protecting "the whistleblower (internal and external) from any retaliation that may arise as a result of reporting suspected or actual wrongdoing." That commitment is meaningful. But internal policy protections and statutory legal protections are different things, and knowing which you are relying on matters, especially if a dispute later ends up before a regulator or in court.

Protections against retaliation

The policy is unambiguous that protection from retaliation is a core aim. The anti-retaliation commitment covers both internal and external whistleblowers, meaning the firm's stated obligations extend to former employees, contractors, and others in the broad definitional category, not just current staff who report through internal channels.

What the available policy text does not detail is the procedural architecture behind that commitment: there is no description of how investigations are conducted, what timelines apply, how conflicts of interest are managed when the subject of a complaint is senior, or what remedies are available if retaliation does occur. Those are standard elements of a mature whistleblower program, and the absence of that detail in this excerpt does not mean those procedures do not exist; the policy itself acknowledges it "sets out the procedures and avenues available to a whistleblower reporting to KPMG." The complete document, not the excerpt analyzed here, would contain that operational detail.

What to do before you report

Given the gaps and caveats in what is publicly available, anyone considering a disclosure should take a few practical steps first. Read the full KPMG whistleblower policy, not just an excerpt, to understand the complete procedural framework and any limits on protections. Understand that reporting to the five listed internal channels means your name will be disclosed. If anonymity matters for your particular concern, ask specifically whether any channel preserves confidentiality, and ask in writing so you have a record. If the concern is serious enough to implicate potential legal violations, consider whether reporting directly to an external regulator, which in Australia would mean the Australian Securities and Investments Commission or the Australian Taxation Office for certain categories of concern, would better preserve your statutory protections by ensuring disclosure reaches a legally designated recipient.

KPMG's stated position is that people should come forward. The policy's own language frames the choice as one of comfort, not compliance: go to whoever you feel you can. The honest addition to that guidance is that the channel you choose shapes both your anonymity and your legal standing. That is a decision worth making deliberately.