Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units. 

The three whistleblowers were: Coleen Rowley, the FBI agent who wrote to the Director of the FBI in 2002 setting out failures of US intelligence agencies prior to the terrorist attacks on 11 September 2001; Sherron Watkins, the Enron executive who alerted Enron’s chairman to concerns about accounting tricks that the company was using to boost its share price; and Cynthia Cooper, the Head of Internal Audit at WorldCom who uncovered and reported to the Audit Committee one of the largest senior management accounting frauds in history.


In an era when blowing the whistle attracted much controversy, Time magazine presented the three women as heroes. That decision was notable: it helped to change attitudes. In many countries, whistleblowers are now protected by law. With lessons learned from the Financial Crisis, governance standards are more robust today - there is a sharper focus on corporate culture, personal behaviour and business ethics. In 2019, effective whistleblowing arrangements are widely regarded as an important feature of good corporate governance.

This article considers the role of Internal Audit in whistleblowing and examines the different approaches that it can adopt. Internal Audit’s independence from management means that it has the potential to be directly involved in whistleblowing arrangements, whether in a triage role or as investigators. Alternatively, Internal Audit’s role around improving controls makes it ideally placed to provide assurance to the board on the effectiveness of the whistleblowing processes. It cannot do both, however.

Why whistleblowing is increasingly important

Whistleblowing is the raising of a concern, either by an employee or a third party, about suspected wrongdoing at work, using confidential reporting mechanisms rather than normal line-manager channels. Most mechanisms involve a dedicated telephone number (or “hotline”) but can include a web-based reporting system or traditional reporting by mail to a specified address. Confidential reporting can be achieved using internal processes established by the organisation (internal whistleblowing) or to an external body such as a regulator (external whistleblowing).

Today, whistleblowing is an important feature of good governance. It can uncover organisational failures that may culminate in serious harm better and faster than other mechanisms, and it is relatively cost-effective. Such failures include: criminal activity (e.g. fraud or bribery and corruption); health and safety shortfalls; environmental damage; negligence (in a school, hospital or care home for example); and the mis-selling of financial products.

In 2018, the UK Corporate Governance Code was significantly revised. Whistleblowing was included in one of the Code principles - Principle E: “The workforce should be able to raise any matters of concern”. Provision 6 expands on this:

“There should be a means for the workforce to raise concerns in confidence and – if they wish – anonymously. The board should routinely review this and the reports arising from its operation. It should ensure that arrangements are in place for the proportionate and independent investigation of such matters and for follow-up action.” 

This highlights the importance of establishing and maintaining an effective whistleblower programme. The Code applies to companies listed on the London Stock Exchange, but it provides a signpost of best governance practices and any organisation may benefit from its guidance.   

Ultimate responsibility for the whistleblower programme lies with the board. The detailed operational arrangements are the responsibility of managers. Whistleblowing disclosures are sensitive, with conflict of interest situations highly likely. Internal Audit plays an important role in supporting the board and management in ensuring that whistleblowing arrangements are fully effective as part of a healthy organisational culture. This support can either be direct or by way of assurance services.     

Direct involvement

Blowing the whistle carries professional and personal risk. There are two important barriers to people coming forward with their suspicions: first, fears that the organisation’s assurances of confidentiality will not be respected; and secondly concerns that the reports will not be properly investigated, so that the underlying issues remain unresolved. 

Trust in the process is required for effective whistleblowing. Internal auditors can help here. If they are seen to be an integral part of the day to day arrangements, their independence and objectivity will help to promote trust in the whistleblowing process.

Internal Audit can act as a communications channel for the whistleblowing hotline, coordinating responses. There are two specific areas of internal audit work to consider: at triage and during investigations.

Internal auditors acting in a triage role

Established and trusted whistleblowing hotlines are likely to experience an increasing number of calls and tip-offs. In these circumstances, it is important to have a process for evaluating and prioritising reports. Medical triage programmes provide a good model. Used by modern emergency departments, paramedics and first responders, triage is the process of determining the priority of patients’ treatments based on the severity of their condition. Internal auditors should take a risk-based approach, with the following recommendations:

  • The initial capture of the tip-offs is crucial - all reports should be acknowledged and responded to as quickly as possible
  • Prioritise action on the reports according to risk. Whilst allegations of fraud or corruption are almost always serious, tip-offs concerning health and safety, or environmental breaches may be critical depending on the risk profile of the organisation
  • Delegate reports that reflect misunderstandings, personal grievances or minor errors to a support group such as HR which can handle them efficiently (complaints and grievances should be subject to a separate procedure - often in practice they are not).

Internal auditors as investigators

It is crucial for the credibility of the whistleblowing programme that all disclosures are responded to quickly and are properly investigated. Internal auditors often perform investigations, especially those involving fraud (or where other teams are conflicted). Key recommendations for internal auditors are:

  • Commit to investigating all matters fully, fairly, quickly and confidentially
  • Make recommendations for further action (disciplinary and/or reporting to the police) and liaise with the police where criminality is suspected
  • Maintain a feedback loop to whistleblowers – where their identity is known, the whistleblower should be kept informed of progress and outcomes, not ignored following interview.

It is crucial that Internal Audit is properly resourced to carry out this work in terms of staffing and skills. For example, investigators require training in the rules of evidence and conducting interviews, especially those under conditions of stress.

The board has an important role to play here. It must ensure that Internal Audit’s main functions and wider assurance role are not compromised by its direct involvement in the whistleblowing process. Also, the board must ensure that there is a separate, independent mechanism to provide it with the required assurance on the effectiveness of the whistleblowing process.

Assurance services 

In situations where it is not directly involved, Internal Audit should provide the board with assurance on the effectiveness of the whistleblowing system. Whistleblowing is a key governance control and an important component of an open corporate culture that encourages concerns to be raised. To be effective it depends on the right culture being in place.

Internal Audit’s assurance role includes: promoting whistleblowing best practice; testing case files; monitoring policy and procedures; and recommending improvements where needed. Here are three key areas: 

Review the whistleblowing policy. In particular:

  • Scope – in addition to all workers, best practice supports expanding the scope to include suppliers, customers and other stakeholders
  • Reporting lines – providing different alternatives facilitates disclosure; these might include line managers, senior management, and an external service provider such as Protect (formerly Public Concern at Work)

Consider basic functionality – is the hotline adequately supported, including funding and staffing by individuals with training and expertise to handle different types of cases?

Carry out surveys to assess how the workforce views the whistleblowing arrangements: are employees aware of the programme; do they feel safe from retaliation, trust their organisation’s commitment to confidentiality and/or anonymity; do they understand their reporting obligations?

Many organisations outsource their hotlines. Benefits include access to experience and expertise, together with the appearance of independence. Hotline providers often allow 24/7 access and provide services in many languages. Internal Audit has an important part to play in reviewing the supplier selection process prior to and during its application. On implementation, Internal Audit should examine the performance management arrangements used by the service team that owns the relationship with the outsourced provider – typically HR for hotline services. It should include a report from the outsourced provider on annual activity in its report to the board.

Of course, ultimate operational responsibility for whistleblowing procedures lies not with Internal Audit but with senior management reporting to the board.    


It is ironic that Cynthia Cooper, despite being honoured by Time magazine, was not really a whistleblower. She communicated information to the board, which is normal internal audit activity – it was the circumstances that made her actions extraordinary.

Sometimes, internal audit concerns are not taken seriously or are overridden. Then an internal auditor may face the prospect of communicating the information outside of the organisation, either by external whistleblowing to a regulator or by public disclosure. This is never an easy situation. Ultimately, it comes down to a professional decision by the internal auditor about their obligations to their employer. 


Steve Giles is an independent consultant, lecturer and author