Internal Audit’s role in whistleblowing

James Rees-Thomas

by James Rees-Thomas

Institute of Internal Auditors New Zealand board member

As we often hear on the sports field – it ends at the final whistle. But when it comes to reporting inappropriate behaviour in an organisational setting, this metaphorical blowing of the whistle actually signals the start of a very important process. The whistle can only be blown effectively if the action occurs from within a well-constructed and supportive framework. This includes a healthy organisational culture and sincere tone from the top, a robust system for escalating concerns of wrongdoing and established people and process elements that work cohesively and collectively to promote ethical and compliant behaviour.

Internal Audit has a part to play in all of this. The recently published State Services Commission (SSC) report into the aftermath of the Ministry of Transport (MOT) fraud is a useful catalyst for action for the profession. The report is valuable because it prompts the reader to reflect on, for the first time in recent memory, the legislative and organisational frameworks that should exist to support the act of whistleblowing.

These include:

  • The Protected Disclosures Act, what it covers and its limitations
  • As a logical consequence, the difference between organisational wrongdoing, and “serious wrongdoing” as defined by the Act
  • The current scope of systems and processes that organisations have in place for dealing with concerns of wrongdoing and potential gaps
  • The impact on the person raising the concern and the safeguards necessary to ensure that disclosing a wrongdoing does not result in the whistleblower being disadvantaged.

While the Protected Disclosures Act provides a (albeit limited) basis for protecting the courageous among us, it is fair to say many New Zealanders either don’t understand it or don’t trust its application. Incidents like that which led to the SSC’s investigation of whistleblowing by MOT staff has the unfortunate result of reinforcing such perceptions.

Internal Audit’s professional standards, social obligation and corporate responsibilities coupled with its natural independence makes it the ideal guardian for disclosures of wrongdoing. This means an organisation’s Chief Internal Auditor (CIA) or equivalent is best placed to ensure the following are in place. The table below, previously published in our May and June newsletters, and now expanded in light of the SSC’s findings:



Organisations should maintain a whistleblower mechanism (phone, email or personal disclosure) that enables employees to report their concerns safely and confidentially.

Internal Audit should administer, monitor and maintain the organisation’s whistleblowing mechanism. This should be configured to ensure wrongdoing concerns are disclosed directly and confidentially to the Chief Internal Auditor (CIA) or equivalent.

The recipient of the disclosure should be knowledgeable in the Protective Disclosure Act, and its practical application in a work setting.

The CIA should be knowledgeable in the Act and its limitations and ensure that staff are encouraged and able to raise concerns of wrongdoing even if these do not fall within the narrow definition of the Act.

Mechanisms should exist to ensure and safeguard the independence of the recipient of the disclosure, or alternatively, effectively workflow the disclosure while protecting the integrity of the disclosed information and that of the whistleblower.

The whistleblowing mechanism should be regularly tested for confidentiality and security. Underlying policies and processes should be in place to manage disclosures in a manner that protects the whistleblower and ensures the organisation meets its obligations to them as a good employer. 

The recipient of the disclosure should hold an office of sufficient authority (organisational hierarchy, reporting lines and mandate) to reassure the whistleblower that the disclosure will be safeguarded and pursued.

The CIA should occupy a position of sufficient seniority and possess delegated authority to give staff confidence and guarantee that they will be protected without fear of punishment or reprisal.


Recent Activity

Protect our whistleblowers
Transparency International New Zealand (TINZ) is calls for better whistleblower protection. 8 Aug, 2017

Auditor General resignation requires transparency
Transparency International New Zealand (TINZ) calls on Parliament to release the report by Sir Maarten Wevers that lead to the resignation of Auditor-General Martin Matthews. 5 Aug, 2017

TINZ applauds decline in foreign trusts
Government implementation of tougher disclosure requirements for foreign trusts have led to around 75% discontinuing or exiting New Zealand. 9 Jul, 2017

Public Sector Integrity Media Release
State Services Commission took a very positive step in addressing a key recommendation of TINZ's Integrity Plus 2013 New Zealand National Integrity System Assessment by advertising a role for Deputy Commissioner, Integrity, Ethics and Standards. 11 May, 2017

Corruption Perceptions Index 2016 TINZ media release
Transparency International 25 Jan, 2017