Whistleblowing – a role for internal audit

Whistleblowing (or speak up) is a crucial mechanism for detecting and addressing misconduct, fraud and other unethical activities within your organisation. Internal auditors have a critical role in promoting ethical conduct and fostering a culture that encourages employees to raise concerns without fear of retaliation. Establishing an effective whistleblowing framework is part of our advisory role as it contributes to the overall governance, risk management, and compliance framework of an organisation.

This guidance sets out how an effective whistleblowing framework can be established within your organisation including, where relevant, the role of internal audit.

1. Understand the requirements

Whistleblowing refers to the act of reporting concerns about wrongdoing, misconduct or illegal activities within an organisation through appropriate channels and governance. In the UK whistleblowing is protected by the Public Interest Disclosure Act, which provides legal safeguards to individuals who disclose information in the public interest. The Protected Disclosures (Amendment) Act 2022 applies in Ireland having transposed the EU Whistleblowing Directive into Irish law.

Internal auditors can provide an advisory role to management at this stage and should therefore familiarise themselves with the legal framework. A thorough understanding of the law and its specific implications for employees, internal auditors and your own organisation is an essential first step.

2. Establishing a Whistleblowing Framework (such as COSO)

  • Develop a clear policy. Publish a comprehensive whistleblowing policy that outlines the purpose, scope, and procedures for reporting concerns. The policy should include information on how to make anonymous disclosures, the protection provided, and the steps taken to investigate reports. The policy works best as a matter reserved to the board; this makes the position clear from the top. The board should decide if a whistleblowing champion/gatekeeper is required; this might be a requirement for your industry, and otherwise it is good practice to ensure that there is a clear point of contact for whistleblowing.

    This is an area where internal audit can advise and provide assurance over the design of the policy and framework.

  • Agree day-to-day responsibility for managing whistleblowing procedures (more on this in step five). Internal audit’s independence and objective approach means that the Head of Internal Audit (HIA) / Chief Audit Executive (CAE) is well placed to facilitate or manage this on behalf of the board. The HIA/CAE’s role, particularly if responsible, should be included in the policy and referenced in the internal audit charter. The HIA cannot manage whistleblowing alone; good governance for managing whistleblowing might also include executives such as the Head of HR and Head of Legal.

3. Communication and training

Effectively communicate the policy to all employees and provide training on whistleblowing procedures, emphasising the importance of reporting misconduct. Raise awareness of the policy through various channels, including intranet portals, staff newsletters, and training sessions. Consider parts of the organisation that might not be regular users of the intranet and ensure that communication to those employees is appropriate, for example posters in staff areas such as canteens and other common areas. Ensure communication is repeated at key points of the employee lifecycle: inductions, changes of role and promotion to senior management. Internal audit should ideally be part of the induction process for new employees (separate to a whistleblowing champion/gatekeeper); this ensures that whistleblowing will be appropriately covered as part of governance and risk management, in addition to educating about the three lines and the role of internal audit.

4. Reporting Mechanisms and Channels

a. Establish multiple reporting channels: Providing different options gives employees choice in how to report concerns, such as to named individuals (eg, HIA/CAE, Head of HR, Head of Legal), a dedicated whistleblowing hotline, email, or an online reporting system. All channels must be accessible, user-friendly and able to provide confidentiality or anonymity where required, and at least one mechanism (ideally all of them) should be available 24/7.

b. Third-party service providers: The board should consider engaging an independent third-party service provider to manage and handle the reporting process, ensuring anonymity and impartiality. Factors influencing this decision will include the organisation’s culture, maturity of risk awareness, risk appetite in relation to reputational damage, cost and whether it is a regulatory requirement for the industry.

c. The board sets its reporting and escalation requirements: how often whistleblowing matters are to be reported to the board by the whistleblowing champion, and the agreed reporting route, such as directly or via the audit committee or an executive committee. Escalation protocols should also be agreed, for example how a whistleblowing allegation is managed if raised against an executive.

d. Conflicts of interest: consider and agree how any perceived or actual conflicts will be managed. For example, if a whistleblowing allegation is received against the HIA/CAE, the process, whether in-house or operated by a third-party service provider, should bypass the HIA/CAE and go directly to the Head of Legal, Head of HR or the Audit Committee chair as appropriate.

5. Triage, Investigation and Follow-up

Internal audit is well placed to oversee this element of the framework including allocating resource for investigations or coordinating other second line functions to investigate as appropriate. If the whistleblowing champion/gatekeeper is not the HIA/CAE there may be benefit in collaborating to delegate this element of the framework to the HIA/CAE.

a. Develop a triage process to ensure that whistleblowing reports are appropriately managed. For example, if a concern raised is an HR matter (grievance, performance issue) rather than whistleblowing it would be appropriate to redirect the matter to HR rather than allocate resource to investigate. Reporting protocols will determine the oversight required by the whistleblowing champion and reporting of different classifications of concerns raised.

Acknowledge reports. It is important that whistleblowers know their report is being taken seriously. The whistleblowing champion/gatekeeper might want to acknowledge each report via a standard response (eg, one advised to a third-party service provider). This is an opportunity to provide contact details of the investigator.

b. Develop a structured process for investigating matters promptly. If the organisation has a process in place to manage investigations, for example as part of the fact-find section of a disciplinary case, consider leveraging this to ensure consistency of approach and treatment, as matters investigated could ultimately result in disciplinary procedures being necessary. If a process is not in place, this should be developed and agreed with relevant stakeholders such as the Head of HR and Head of Legal. It will need to consider protocols for obtaining, accessing and managing any sensitive information that might be necessary, for example employee emails or files.

c. Assign designated individuals or teams responsible for managing reports, ensuring transparency and accountability throughout the investigation. This should also consider the use of subject matter experts, for example if the report is a serious breach of health and safety, consider when it would be appropriate to advise and/or include the Head of H&S.

d. Objective investigations: Ensure that investigations are conducted in an impartial and objective manner, ensuring fairness to all parties involved. Clearly define investigation protocols and ensure that those responsible are adequately trained in conducting investigations.

e. Document all steps: Maintain detailed records of the entire whistleblowing process, including the initial report, investigation findings, actions taken, and any disciplinary measures or remedial actions implemented.

f. Communication: Ensure timely communication to all parties as appropriate. Remember that although a report has been received, it must be fully investigated before a conclusion can be reached. Communication with the reporter should be maintained; there is no obligation to share the outcome or detail, but there should always be careful consideration of what should be communicated and by whom.

g. Support: An investigation can take its toll on the reporter, on those being investigated and on the investigation team. Ensure that appropriate support mechanisms are in place and shared. Confidentiality should be maintained; however, allowing line managers to provide support from a pastoral perspective should be considered. If your organisation has an employee assistance programme, parties should be reminded that it is available to them if needed.

h. Oversight: The whistleblowing champion/gatekeeper should maintain oversight of reports to help ensure that they are being managed in a fair and objective way, engaging with other nominated whistleblowing concern contacts as appropriate.

6. Continuous Monitoring and Improvement

a. Regular review: Periodically review and update the whistleblowing policy and procedures to ensure they remain effective and compliant with legal requirements. This is particularly relevant when using a third-party service provider, as they can help benchmark the process and outcomes. Independent services such as Protect can also be useful in this.

b. Monitor trends and patterns: Analyse whistleblowing data to identify trends, patterns, and potential areas of concern. Use this information to report to the board, implement proactive measures and improve internal controls where appropriate.

c. Encourage feedback: Promote a culture of feedback by seeking input from employees on the effectiveness of the whistleblowing framework and identifying areas for improvement.

Internal audit’s role in whistleblowing arrangements varies considerably. This guidance was produced by a HIA/CAE in the construction sector who is the whistleblowing champion leading triage and investigation. In other organisations a HIA/CAE may distance themselves from investigations to maintain independence. There are many opportunities for advisory and assurance engagements to ensure that robust and effective arrangements are in place – whatever the role of the HIA/CAE – and that is the most important point for all concerned.

Further reading

Building A Best In Class Whistleblower Hotline Program | Global IIA and ACFE collaboration

Content reviewed: 14 November 2023