The Board and Whistleblowers

Corporate boards' need for a strong, durable process to oversee allegations of executive misconduct has never been more clear.


In 2018 the CEO of Barclays, Jes Staley, was castigated by British regulators for trying to unmask a whistleblower who had raised concerns about one of Staley's top lieutenants. Barclays' board clawed back a £500,000 bonus from Staley, and regulators fined him £640,000. Regulators in New York then hit Barclays itself with another $15 million penalty.

The year prior, life sciences company Bio-Rad had to pay nearly $8 million to former general counsel Sanford Wadler after he reported fears of possible bribe payments to government officials in China. The company sacked Wadler, who filed a whistleblower retaliation lawsuit.

Bio-Rad and Barclays are especially noteworthy because in both cases, the whistleblowers' allegations were later determined to be unfounded. An arbitrary approach to handling whistleblowers is what got those companies into hot water. In our highly regulated, highly litigious, highly transparent world, it always is. Hence the need for rigor — and the need for boards to assure that rigor exists.

"It's important to set up a process [for addressing whistleblower complaints] in advance because you have to take every one of these issues seriously," says Dotty Hayes, a former CAE at both Intuit and Hewlett-Packard and now chair of the board of directors at First Tech Federal Credit Union in San Jose, Calif., and a board member and audit committee chair at a range of organizations. "You can't do it haphazardly."

That point is true even if the allegation doesn't seem credible, and even if it's proven wrong, Hayes says. The last thing a board wants is to improvise a response. 

Be Disciplined; Be Independent

The good news is that truly grave whistleblower reports — allegations so serious that the board should oversee them, and should do so immediately — seem to be rare. "In my experience, if you have one or two a year that are significant and require high priority, that's a lot," says David Diamond, former head of internal audit at Lionsgate Entertainment, and now audit committee chair for The Daily Breath, a chain of Pilates studios in Brazil and the U.S. Likewise, Charlotte Valeur, CEO of the Global Governance Group and currently a director on seven boards, says that in 14 years of working in board governance, she has encountered only two instances of whistleblower allegations so serious that only the board could address them.

Again, so what? Boards don't know the veracity of a whistleblower allegation when the report first arrives. So establishing a consistent, disciplined, objective process to evaluate whistleblower reports is paramount.

"Independence on boards is key for whistleblowing," Valeur says. "If you don't have independent board members who can deal with it — and will deal with it, truly independently — everybody is at risk. The whistleblower is at risk, and the company is at risk."

In truth, that triage process is a nuanced tango between board and management. Boards might receive reports, but they should not investigate reports; that duty should go to trained professionals: internal audit, the compliance or legal team, human resources (HR), or even outside counsel. Even in grave scenarios such as allegations of CEO misconduct, the board should oversee that investigations are happening and moving forward — but not participate in the investigation itself. "The last thing I want to do is be the investigator," Hayes says.

Conversely, management receives lots of reports, and might even investigate many of them without troubling the board. That's fine, so long as all parties have a clear understanding of which reports should be escalated to the board right away.

So what should that process look like? Who's involved in the triage? Typically a large company will outsource its whistleblower hotline; that's one layer of independence. A whistleblower might be able to select categories of complaint (accounting fraud, employee bullying, discrimination, theft, and so forth), or specialists at the outsourced hotline provider could assign one based on certain key phrases, issues, or even names the whistleblower might include.

A critical question is which categories of complaint should automatically go to the board, even if the board then bats the issue right back to audit, legal, or compliance for further action. For example, anything that mentions corporate accounting, compliance violations, or CEO misconduct should go to the board. If the issue involves personal misconduct rather than financial, consideration by a risk or governance committee might be the best option. 

Should the accused be informed of the allegations against him or her? Generally no, although some privacy rules in Europe can make that a complicated question best left to professional investigators. And should a company try to unmask a whistleblower? Pretty much never, since that action is a whisker away from retaliation and violates the spirit of following the facts wherever they may lead. ("It's irrelevant," Valeur says of the idea.)

And regardless of how any specific allegation is investigated, boards still need a process to oversee whistleblower reporting holistically. Valeur, for example, says she wants regular briefings on the total number of reports, the issues they involve, substantiation rates, and so forth.

"All companies over a certain threshold should have a mature process," Diamond adds. "If you don't, in this day and age, you're way behind."

Speaking of Substantiation...

Boards might also be surprised at this news: Whistleblower reports based on secondhand knowledge — that is, information passed along to the whistleblower from someone else, or that the whistleblower discovers by finding evidence of misconduct, without witnessing the act directly — tend to be more reliable than reports from people with firsthand knowledge. So says research from The George Washington University and the University of Utah, where academics studied 2 million whistleblower reports filed at more than 1,000 companies from 2004 through 2017. They found that management was 48% more likely to substantiate whistleblower reports based on secondhand information. Those reports were more likely to be about accounting and business integrity issues, too, while firsthand reports are more often about HR issues.

That makes sense when you think about it. People filing firsthand reports are usually claiming that they have somehow been wronged personally — and, yes, some portion of those reports will be false, or based on hot-headed judgments that don't hold up under scrutiny.

Whistleblowers with secondhand information, however, are claiming that something in the company is amiss. You typically wouldn't do that unless you care about the organization. And if you care about the organization, you're probably not involved in the misconduct, so it's more likely you have fragments of evidence. In other words, boards should welcome whistleblower reports based on secondhand information, even though that means more investigative spadework to find the truth. 

"Many times the report needs to be ferreted out," Diamond says. "A lot more details need to be derived to understand the full significance of the report."

True, but investigations are the subject for a different day. The importance of establishing a process to oversee whistleblower allegations in an objective, disciplined way and follow the facts where they lead — that advice is irrefutable.

Matt Kelly

About the Author



Matt Kelly is editor and CEO of, an independent blog about audit, compliance, and risk management issues, based in Boston.

