2. Whistleblowing
Before developing the maturity model, it is necessary to understand the nature of whistleblowing, its limitations, its place in the internal control framework, and the need for a whistleblowing maturity model.
One of the major limitations in the academic research of whistleblowing is that there is no commonly accepted definition.
Near and Miceli (1985) defined whistleblowing as «the disclosure by organizational members (former or current) of illegal, immoral, or illegitimate practices under the control of their employers, to persons or organizations that may be able to effect action», while (Ravishankar 2003) defined whistle-blowers as the «employees who bring wrongdoing at their organizations to the attention of superiors». Both definitions require a specific outcome, which is what differentiates whistleblowing from rumors, gossip, or grievances. However, other researchers suggested that considering only employees as whistleblowers may no longer be appropriate and may not adequately portray the whistleblower (Ayers and Kaplan 2005). Empirical evidence (ACFE 2022) supports this view: reports can also derive from external parties and, in rare cases, even from competitors. In addition, reports from external parties provide «greater evidence of wrongdoing, and they tend to be more effective in changing organizational practices» (Dworkin and Baucus 1998). Other definitions concentrated on whistle-blowers and their virtues rather than on the act of whistleblowing itself (for example (Berry 2004) and (Alford 2002)), hypothesizing that whistleblowers are highly ethical individuals with the courage to face the fear of reprisal. However, other studies have shown that in many cases whistleblowers act opportunistically (Henik 2015). A more appropriate definition has been provided by (TI-NL 2019), which defined whistleblowing as «the disclosure of information related to corrupt, illegal, fraudulent or hazardous activities being committed in or by public or private sector organizations—which are of concern to or threaten the public interest—to individuals or entities believed to be able to effect action».
Internal controls can be distinguished based on two criteria. The first is whether the internal control is designed to prevent the occurrence of loss events (preventive control) or to identify internal control failures after their occurrence (detective control). Whistleblowing has been categorized as a «potentially active or passive detection method» by (ACFE 2022) and as «an essential last line of defense in companies’ systems of internal control» (ICAEW 2019), meaning that it is a detective rather than a preventive control. The second criterion is whether the internal control is specific to certain transactions or business processes (specific control) or affects the control environment as a whole (entity-level control). Whistleblowing is an entity-level control with a pervasive effect on the control environment.
Even though whistleblowing is an effective internal control, it is also associated with many limitations. Inertia may be one of the most significant. Organizations often receive early notice but fail to act upon it. The case of Harry Markopolos is one of the most indicative examples. Harry Markopolos, a financial analyst and fraud examiner, provided the SEC with red flags of fraud for the biggest Ponzi scheme in history for over a decade before it imploded. However, his concerns were ignored repeatedly, and when the fraud was exposed, the losses for the investors had already reached 65bn US dollars (The Guardian 2010). Inertia may also derive from those who observe wrongdoing or business risks. Following (Miceli et al. 1987), whistleblowing is a «complex phenomenon that is based upon organizational, situational, and personal factors» which is not entirely within the control of the organizations, and «it is virtually impossible to change individuals’ core values which have been learned and consolidated over a lifetime» (ICAEW 2019). Academic literature and empirical evidence reveal that frequently too little information comes to the attention of management or the regulators, and if it does come, it may come too late. For example, the Parliamentary Commission on Banking Standards was shocked by the evidence that so many people ignored misbehavior (CIIA 2014). As a result, the main weakness of whistleblowing as an internal control is that it depends on human behavior.
3. Maturity Models
Maturity models are often used on a self-assessment basis to help organizations understand their current level of capability in a particular functional, strategic, or organizational area (OECD 2022). Maturity models provide a holistic approach (Martinek-Jaguszewska and Rogowski 2022) to depict the current situation based on objective criteria, envision the future, and find a way to achieve the desired state by following a disciplined method that is easy to use and implement (IIA 2013). In addition, maturity models provide an early warning of an organization’s challenges (OECD 2022). Effectively, maturity models contribute to achieving a business process’s full potential. For these reasons, maturity models have been used in many areas, including information systems development (OECD 2022), internal auditing (KPMG 2013; OECD 2021; IIA 2019), fraud prevention and deterrence (ACFE and Grant Thornton 2020), and tax law enforcement (OECD 2019a, 2019b, 2020). The fact that the Institute of Internal Auditors issued practice guidance specifically on selecting, using, and developing maturity models a decade ago demonstrates their relevance to internal audit. In addition, the (ACFE 2022) study reveals that the primary internal control failures that contributed to fraud are the lack of internal controls (29%), override of controls (20%), poor tone at the top (10%), and lack of competent personnel in oversight roles (8%). A robust whistleblowing framework may reduce all of these internal control failures. For example, management may be reluctant to override controls when the possibility of getting caught is high, and additional internal controls may be implemented or existing ones improved in response to reports.
4. Whistleblowing Maturity Framework
4.1. Development of Maturity Models
Usually, maturity models are ranked using five steps. Each step illustrates the current or desired capabilities (De Bruin et al. 2005) and follows a reasonable escalation or path from the lowest to the highest. Maturity models can be distinguished into:
The suggested model falls in the third category. In developing maturity models, the (IIA 2013) suggests the following steps:
- To determine the model and its components;
- To determine its scale and;
- To determine the expectations for each component.
The first step involves ascertaining what is to be assessed and, based on that, identifying the components leading to this objective. A key consideration is whether the inclusion or exclusion of a component will increase or decrease, respectively, the likelihood of achieving outcomes. In the second stage, 5 levels are usually used (Martinek-Jaguszewska and Rogowski 2022). The lower levels, 0 or 1, illustrate the absence of a capability, competency, or level of sophistication, and level 5 illustrates the highest level. The (IIA 2013) also draws attention to the appropriateness of each level’s description. It is noted that the scope of this research is to validate the first two parts of the WBMM.
4.2. Stages
The first stage initially considered is compliance with the (Directive (EU) 2019/1937). The underlying logic is that non-compliance is not an option. Many organizations will consider this stage sufficient. However, it is likely that many organizations will use whistleblowing to comply with other laws and regulations not included in the scope of the Directive, or with their code of conduct. The «wheel of whistleblowing» suggested by (Culiberg and Mihelič 2017) includes many wrongdoings and threats not included in the scope of the (Directive (EU) 2019/1937). In addition, other organizations may also use whistleblowing to enhance their risk management or to achieve their ESG objectives. In accordance with (ICAEW 2019), whistleblowing provides a weapon to root out complacency and inertia, which can be viewed as rigor for enhancing the internal control environment. In respect of the contribution of whistleblowing to achieving ESG objectives, the (Directive (EU) 2019/1937) includes many wrongdoings that affect society, while the «wheel of whistleblowing» suggests even more (Culiberg and Mihelič 2017). Therefore, the maturity levels (see Figure 1) of the suggested WBMM are:
Figure 1. Designed by the authors.
- Initial;
- Compliance with the Directive;
- Compliance with other laws and regulations;
- Enhancement of internal control environment and;
- Contributing to the achievement of ESG objectives.
4.3. Components
The components identified through a thorough study of the literature are divided into eight categories:
- The scope of the whistleblowing policy;
- Corporate governance;
- Reporting mechanisms;
- Protection;
- Tone at the top;
- Organizational culture and human resource practices;
- Objective investigations and;
- Monitor and review.
Accordingly, these result in 22 elements. The contribution of each main component and element is discussed below.
4.3.1. Scope
The scope of whistleblowing is two-dimensional and comprises what wrongdoings or dangers will be reported and followed up on, and who can report them. The first dimension has already been analyzed. Regarding the second, the (Directive (EU) 2019/1937) also determines the persons who have the right to report. However, in some cases it may be appropriate for organizations to expand the set of possible reporting persons.
4.3.2. Corporate Governance
Corporate governance refers to the mechanisms that provide the basis for objective investigations and corporate reporting. This component is divided into three elements:
- Overall responsibility;
- Assurance and;
- Corporate reporting.
Consensus has been established that the overall responsibility needs to be assigned to independent, non-executive directors or to committees consisting of them. (PCBS 2013; PCW 2013) suggest a non-executive director, preferably the chairman; (CIIA 2014) proposes the audit committee, while (Greene and Latting 2004) suggest the ethics committee. In accordance with (CIIA 2014), organizations should obtain assurance in respect of whistleblowing either from the internal audit function or elsewhere. In addition, through the reports and the outcomes of the investigations, the internal audit function can confirm or alter its understanding of risks, procedures, and controls, allowing it to fulfill its obligations concerning ERM. The (Directive (EU) 2019/1937) does not set an obligation for disclosures relevant to whistleblowing. However, both (TI-NL 2019) and (GRI 2018) suggest certain disclosures in the annual reports or elsewhere.
4.3.3. Reporting Mechanisms
Reporting mechanisms include all necessary steps to enable a possible reporting person to make informed decisions on whether and how to report and provide secure reporting channels. The elements considered are:
The (Directive (EU) 2019/1937) leaves it to the member states to decide whether anonymous reports will be received and investigated. However, (TI-NL 2019) ranked organizations that accept anonymous reports higher, because anonymity provides an additional safety line to the reporting person. Organizations also have to establish secure reporting channels that «protect the identity of the whistle-blower and any other individual included in the report» (Directive (EU) 2019/1937). Going a step further, (TI-NL 2019) suggests that at least one channel should be available at any time and should at least allow oral reporting. In addition, the (ACFE 2022) shows the preference of whistle-blowers for electronic reporting methods (email and web-based forms) over traditional ones. The (Directive (EU) 2019/1937) also provides for free-of-charge confidential advice from the facilitator, a «natural person who assists a reporting person in the reporting process in a work-related context, and whose assistance should be confidential». However, in many cases whistle-blowers face ethical dilemmas and internal conflicts (Hersh 2002), and assistance with the bureaucratic process of filing reports may not be sufficient in such cases.
4.3.4. Protection
Academic research, empirical evidence, and the (Directive (EU) 2019/1937) identify the threat of retaliation as a primary factor negatively affecting the decision to report. The consequences for the whistle-blower may vary significantly in severity, from negative perceptions of whistle-blowers (Worth 2013) and negative consequences in the work environment such as bullying (Bjørkelo 2013), to blackballing, isolation, and humiliation (Berry 2004), to psychological effects such as depression (Bechtoldt and Schmitt 2010), anxiety (Bjørkelo 2013), and post-traumatic stress (Kreiner et al. 2008), or even to life-threatening situations. Protection covers the confidentiality of the reporting person’s identity and of any person referred to in the reports, as required by the (Directive (EU) 2019/1937), and the provision of adequate anti-retaliation measures. A practical implication may arise in cases where the organization has operations in jurisdictions with less robust legal protection. In such a case, it shall determine whether the same protection will be granted voluntarily.
4.3.5. Tone at the Top
The (ACFE 2022) identifies the lack of a proper tone at the top as an internal control weakness in many frauds. The relationship between whistleblowing and tone at the top is bilateral: employees will only report if they know the whistleblowing policy and believe that top management supports it (Tsahuridu and Vandekerckhove 2008). On the other hand, if top management is negligent in receiving and investigating reports, the wrongdoing could come to be seen as routine practice (Kaptein 2011).
4.3.6. Organizational Culture and Human Resource Practices
For the purposes of this research, organizational culture is initially distinguished into:
- Risk culture;
- Ethical culture;
- Learning culture and;
- Cultural differences.
Risk culture is the «part of the organizational culture that helps or hinders the effective risk management» (IIAA 2021) or a «mindful watchfulness for threats» (Berry 2004) that will allow alertness for malpractices, and the ethical culture will allow malpractices to be reported once identified. Research shows that possible reporting persons who do not perceive reporting as their duty are unlikely to report (Miceli et al. 1991), and they become oblivious to those wrongdoings not addressed in the code of ethics (Painter-Morland 2010). In addition, a lack of learning culture contributes to the failure of risk management frameworks (Schmidt 2020). Learning culture refers to organizations learning from their mistakes and building resilience to risks by creating, transferring, and retaining knowledge. Lastly, many researchers (Tavakoli et al. 2003; Zhuang et al. 2005) found that cultural differences can affect an individual’s decision on whether and how to report. The main practical implication of this perspective is the consideration of cultural differences when an organization operates in multiple jurisdictions.
4.3.7. Investigations
The investigation of reports is the ultimate purpose of the whole whistleblowing mechanism. The elements initially considered that will allow unbiased judgments are:
- Organizational independence of the investigation team;
- Professional training;
- Appropriate risk prioritization;
- Investigation protocols and;
- Contribution to risk management.
The organizational independence of the investigation team may be safeguarded by the corporate governance mechanisms and by the ethical decision-making of the team members. A reasonable assumption is that professionals who are subject to a code of conduct and experienced in ethical decision-making may be less likely to accept undue influence. The professional training of those who manage reports is a mandatory requirement of the (Directive (EU) 2019/1937). In addition, investigation protocols determine key aspects such as the composition of the investigation team and the methods of gathering factual evidence; their contribution is that they enhance the effectiveness of the investigations. Risk prioritization ensures that the most severe reports are investigated first, with the possible effect of minimizing and/or recovering the losses that the organization has suffered. Lastly, the outcomes of the investigations may confirm or alter the organization’s understanding of risks and controls, allowing the enhancement of the internal control environment as a whole.