Board briefing: Whistleblowing and corporate governance
What is whistleblowing?
Whistleblowing is when an employee, contractor or supplier goes outside the normal management channels to report suspected wrongdoing at work, i.e. speaking out in a confidential manner. This can be done via internal processes set up by the organisation (internal whistleblowing) or to an external body such as a regulator (external whistleblowing). While public disclosure to the media can also be perceived as whistleblowing the IIA report focuses on formally prescribed channels.
Download the board briefing (PDF)
Whistleblowing and Corporate Governance
- Whistleblowing is an essential safety valve, an important element in a healthy corporate culture, and should be part of the internal control environment.
- For listed companies, the UK Corporate Governance Code states that boards should ensure these procedures are properly planned and properly implemented (reference Section C.3.5)
- Whistleblowing procedures should encourage individuals to disclose concerns using appropriate channels before these concerns become a serious problem, thus avoiding reputational damage through negative publicity, regulatory investigation, fines and/or compensation.
- Boards need to consider the effectiveness of whistleblowing policies and procedures on a regular basis as part of their oversight of the system of internal control.
- Internal audit can play a vital role in supporting boards in this area.
Our policy approach informs boards, executives and Heads of Internal Audit in establishing or developing internal audit's role to ensure that whistleblowing procedures are effective.
Key issues for Boards / Audit Committees
While the responsibility for establishing and operating effective internal whistleblowing procedures lies with the executive, boards should maintain oversight and require independent assurance that the organisation's whistleblowing policies and procedures are effective in achieving the appropriate outcomes.
Given the potential conflicts of interest, the executive will need to devolve the day-to-day running of the process to a function that is considered to be independent. Internal audit's independence from the executive and objectivity give it the potential to be involved in whistleblowing arrangements, e.g. in a triage role, as a channel of communication or carrying out investigations.
Internal audit cannot give assurance to the board on effectiveness if it is playing an integral part in the process of internal whistleblowing in the organisation.
Audit Committee Chairs should discuss the issue with their Head of Internal Audit to ensure that internal audit's involvement in whistleblowing does not undermine its ability to carry out its prime assurance functions.
Where internal audit is involved in the procedures for whistleblowing the board should ensure:
There is a separate, independent mechanism to provide assurance on the effectiveness of the whistleblowing procedures
- Internal audit's main functions and wider assurance roles are not compromised
- Internal audit is properly resourced in terms of staffing and skills
Where internal audit is not playing a direct whistleblowing role it should provide assurance on the effectiveness of the system and procedures to the board. It also should have the right to be informed of all whistleblowing reports so that it can consider what impact they have on its overall opinion to the board concerning risk management and internal control in the organisation.
Our whistleblowing survey of Heads of Internal Audit
Main findings:
- 41% of HIAs have day-to-day responsibility for their organisation's whistleblowing arrangements
- 31% lack confidence in their organisation's whistleblowing arrangements
- 57% of staff members named in policies have not received any training
- 59% may include personal complaints or grievances in their whistleblowing report
For further findings, view our full report on whistleblowing
A scenario demonstrating internals audit's role in whistleblowing, based on real-life experience
Employee A received a call from an acquaintance working in the admin department of a nearby hotel; the caller claimed that Employee B had approached them seeking a kick-back in exchange for organising an agreed number of rooms booked quarterly by other employees under their direction. Employee A shared this information with internal audit, who alerted employee B's line and HR managers and a covert investigation was immediately begun, in line with the organisation's whistleblowing policy. In this case the employee shared the information with internal audit rather than using the external line, but the outcome was the same.
Internal audit followed up with the caller to verify their statements, to the extent possible. HR interviewed employee B, who denied the claims but could not present a credible alternative explanation for the verified sequence of events. Employee B was dismissed immediately upon conclusion of the investigation. The process lasted a total of seven weeks from initial whistleblowing to the departure date of employee B.
The matter was covered in internal audit's routine reports to both the Ethics and Audit Committees. Furthermore, the HIA for the hotel group was contacted to alert the third party to the possibility of extended fraud in their organisation.
Other examples can be found in the full report on whistleblowing
Content reviewed February 2014