Next Article in Journal
Critical Perspectives of Organisational Behaviour towards Stakeholders through the Application of Corporate Governance Principles
Next Article in Special Issue
Gender-Specific Implications of Foreign Direct Investments on Wage Dynamics in Croatia: A Comprehensive Management Perspective
Previous Article in Journal
Unlocking Value Co-Creation in Entrepreneurial Ecosystems: The Vital Role of Institutions
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Whistleblowing Based on the Three Lines Model

by
Paschalis Kagias
1,
Alexandros Garefalakis
2,
Ioannis Passas
2,3,*,
Panagiotis Kyriakogkonas
3 and
Nikolaos Sariannidis
1
1
Department of Accounting and Finance, University of Western Macedonia, 501 00 Kozani, Greece
2
Department of Business Administration and Tourism, Hellenic Mediterranean University, 714 10 Iraklio, Greece
3
Department of Accounting and Finance, Neapolis University Pafos, Paphos 8042, Cyprus
*
Author to whom correspondence should be addressed.
Adm. Sci. 2024, 14(5), 83; https://doi.org/10.3390/admsci14050083
Submission received: 29 January 2024 / Revised: 6 April 2024 / Accepted: 17 April 2024 / Published: 25 April 2024
(This article belongs to the Special Issue AI, Tokenization, and FinTech: Implications of Governance Issues)

Abstract

:
Directive 1937/2019 on the protection of persons who report breaches of Union law became effective very recently. However, Directive 1937/2019 lacks sufficient guidance on the implementation or governance of whistleblowing frameworks. In addition, the existing literature lacks a definition of whistleblowing and whistleblowing frameworks that is appropriate for internal audit and fraud prevention. The purpose of this paper is to address the lack of a definition of whistleblowing and whistleblowing framework appropriate for internal auditing and to guide the roles and responsibilities within an organization to apply and maintain a robust whistleblowing framework. To this effect, the Three Lines Model is used, one of the most recognized theoretical models in effective risk governance and internal audit.

1. Introduction

After decades of delay compared to the US and the UK, EU (Directive 1937/2019) on the protection of persons who report breaches of Union law became effective recently, drawing the attention of researchers and practitioners across Europe. The aim of the Directive is to enhance transparency and accountability by providing uniform and effective whistleblower protection standards across the EU, to any persons who report breaches of EU law. However, this may be proven beneficial to the organizations as well. An organization that relies on good governance can not only achieve compliance with whistleblowing legislation but also use whistleblowing to achieve legal compliance with other laws and regulations, strengthen its internal control environment, and meet the expectations of its stakeholders (TI-NL 2019). However, Directive 1937/2019 sets the requirements for effective whistleblowing reporting channels but does not provide implementation guidelines. It is therefore left to the organizations to decide how they will achieve compliance. In this context, the internal audit function, due to its independence, can play a vital role (ACCA 2019; CIIA 2014) by providing assurance or consulting services.
The Three Lines of Defense Model (TLDM) introduced in 2013 by the Institute of Internal Auditors (IIA 2013) aimed to outline the roles and the responsibilities of each level of hierarchy within the risk management framework, to ensure that risks were identified, assessed and effectively managed. The Three Lines Model (TLM) is an enhanced development of the Three Lines of Defense Model (IIA 2020). Both models were developed to assist in successful governance and risk management (IIA and WBCSD 2022). However, the new model is more flexible and describes the main principles and interactions more clearly. Both frameworks provide general guidance and they have been modified to meet the specific requirements of many sectors—for example, central banks (Luburić 2017), commercial banks (Minto and Arndorfer 2015; Borg et al. 2020), and Islamic financial institutions (Hakim 2017)—and business processes, such as quality management (Luburić et al. 2015), the use of artificial intelligence in banks (Tammenga 2020), and ESG (IIA and WBCSD 2022). Similarly, TLM could provide a solid basis for the governance of whistleblowing.
In recent years, a series of studies have been conducted in relation to many aspects of whistleblowing. These include the joint (IIA and ACFE 2022) study that provides key statistics in respect of whistleblowing, and other studies focused on the reasons facilitating or discouraging individuals to report, including cultural aspects (Tavakoli et al. 2003; Keenan 2007). All these studies highlight different aspects. However, research on whistleblowing as an internal control mechanism is still limited. In addition, many definitions have been provided in respect of whistleblowing. Most of these definitions have been developed in different contexts and their relevance for internal audit and fraud prevention is limited.
The structure of the article is as follows. The next section (Section 2) defines whistleblowing, whistleblowing framework, and other relevant terminology. The third part provides the application of a whistleblowing framework in the context of the Three Lines Model. Finally, the paper provides a conclusion.

2. Definition of Whistleblowing and Whistleblowing Framework

This part of the paper provides definitions for internal whistleblowing (when the reports are submitted to the organization) and an internal whistleblowing framework that are appropriate for internal auditing and fraud deterrence. This is achieved by examining who the potential whistleblowers are (Section 2.1), discussing whether emphasis should be given to whistleblowing or the whistleblower (Section 2.2), focusing on relevant aspects of whistleblowing (Section 2.3), and finally defining other relevant terms (Section 2.4 and Section 2.5). The suggested framework does not deal with external whistleblowing (when reports are submitted to the competent authorities) or public disclosures (when the information on breaches becomes available in the public domain). The reason for this distinction is that, in external whistleblowing and public disclosures, the ability of organizations to affect the process is limited.

2.1. Internal and External Whistleblowers

The early definitions of whistleblowing considered only employees as potential whistleblowers. For example, (Near and Miceli 1985) defined whistleblowing as “the disclosure by organizational members (former or current) of illegal, immoral, or illegitimate practices under the control of their employers, to persons or organisations that may be able to effect action”. A similar definition was provided by (Ravishankar 2003). Other researchers have disagreed with this perspective since it does not “adequately portray the whistleblower” (Ayers and Kaplan 2005) and meaningful information may derive from external whistleblowers (Kagias et al. 2023) (based on ACFE 2022a, 2022b insights). Moreover, (Dworkin and Baucus 1998) suggested that reports from external whistleblowers provide “greater evidence of wrongdoing, and they tend to be more effective in changing organizational practices”. Modern whistleblowing initiatives (ISO 2022; TI-NL 2019; US Accountability Project 2015) and researchers (Culiberg and Mihelič 2017) do not exclude external whistleblowers.

2.2. Whistleblower versus Whistleblowing

Other definitions have concentrated directly or indirectly on the virtues of the whistleblower rather than on the act of whistleblowing itself. For example, (Alford 2002) defined whistleblowing as “a heroic act of virtuous individuals” or “an avenue for maintaining integrity by speaking one’s truth about what is right and what is wrong” (Berry 2004). These definitions hypothesize that the whistleblower is a highly moral individual with the courage to overcome the threat of retaliation. However, the motivations of whistleblowers may not always be altruistic. Recognizing this perspective, (Henik 2015) distinguishes whistleblowers into three categories: the “strategic moral guardians” who are ethical individuals characterized by accountability and bravery against retaliation, “fed up vigilants” who are motivated by anger and revenge, and “servants of two masters”, who struggle to uphold commitments and conflicts of value but choose to remain silent even though they may at times feel post-decisional shame. In addition, the definitions of (Near and Miceli 1985; TI-NL 2019) emphasize that, in certain cases, it can be reasonably assumed that the objectives of an organization regarding whistleblowing are to prevent or identify wrongdoing in a timely manner, to assist the recovery of losses, or to achieve another outcome. Lastly, (Fleming et al. 2018) point out that internal auditors or fraud examiners are not psychologists, criminologists, or experts in the scientific study of human behavior, and that it is not practical to identify the motivations of wrongdoers. It can reasonably be assumed that this is also applicable for whistleblowers as well. Of course, when the reports are anonymous, is almost impossible to make such hypotheses. Therefore, in the context of fraud prevention and deterrence and internal auditing, the motivations for reporting are irrelevant. Therefore, the definition of whistleblowing in the context of internal audit, fraud investigation and deterrence should emphasize internal control (whistleblowing) rather than the whistleblower and their personal characteristics or incentives.

2.3. Emphasis on Internal Audit and Fraud Examination

An interesting definition of whistleblowing is provided by (Jubb 1999), who defines whistleblowing as the “deliberate, non-obligatory act of disclosure, which gets onto public record and is made by a person who has or had privileged access to data or information of an organization, about non-trivial illegality or other wrongdoing whether actual, suspected or anticipated which implicates and is under the control of that organization, to an external entity having the potential to rectify the wrongdoing”. In the context of internal auditing, fraud prevention and deterrence, this definition may be one of the most problematic for a number of reasons. The first reason is that it excludes internal whistleblowing. In accordance with the (TI-NL 2019), internal whistleblowing sends a public signal of commitment to integrity and social responsibility, contributes to the prevention and mitigation of liability and financial losses, and contributes to continuous improvement in compliance and risk management and the enhancement of organizational culture. Similarly, Directive 1937/2019 requires EU Member States to encourage reporting through internal reporting channels before reporting through external reporting channels, provided that the breach can be addressed effectively internally and where the reporting person considers that there is no risk of retaliation. The second flaw of this definition is the term “non-trivial illegality”, which introduces materiality considerations in respect of the wrongdoing. This is also inappropriate since a whistleblower may not have a complete picture of the extent of the wrongdoing. A perceived “trivial” illegality, if investigated properly, may be proven material. Moreover, this perspective contradicts the zero-tolerance approach to malpractice that many organizations implement. In addition, “illegality” excludes legal but unethical behavior. The third flaw of this definition is the requirement for privileged access. In many cases, wrongdoing may be identified without privileged access or specialized skills. For example, an eyewitness may identify misappropriation of assets without privileged access or victims may report harassment. The last flaw is the notion of volunteer disclosure. In some cases, for example anti-money laundering, legislation requires mandatory disclosure to the competent authorities, with serious penalties if this is not applied.
From a fraud-examination point of view, it is prohibited for fraud examiners to commence or continue a fraud investigation unless there is a proper predication, which is “the totality of circumstances that would lead a reasonable, professionally trained, and prudent individual to believe that a fraud has occurred, is occurring, or will occur” (ACFE 2022a). If this is not applied, an examination may not start in the first place.
To be useful for internal audit purposes, the definition of whistleblowing should take into consideration the definition of internal auditing, which is “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes” (IIA 2024). Moreover, in accordance with the (IIA 2019), “the internal auditor should not be expected to have the expertise of a person whose primary responsibility is to investigate fraud”, such as a fraud examiner. However, internal auditors “must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization”. Therefore, from an internal-audit point of view, the objective of whistleblowing is to identify wrongdoing and to confirm or alter the understanding of the organization in relation to risks (current or emerging) and/or the design and the operating effectiveness of existing internal controls. Usually, this information derives from the outcomes of investigations. Although whistleblowing largely consists of information that is received (inbound information) and processed, and ends with certain findings (outbound information), the quality of information has not been considered by the existing literature. Inspired by the (IFRS 2018) conceptual framework, Table 1 summarizes the qualitative characteristics of whistleblowing (inbound and outbound information) in the context of fraud prevention and internal audit.
Lastly, it is usual for standard setters to use consistent terminology (for example, ISO standards, International Standards on Audit, International Standards for the Professional Application of Internal Auditing, etc.). None of the definitions provided so far uses terminology that internal auditors or fraud examiners are familiar with. Therefore, in the context of internal audit and fraud risk management, a definition should observe the following: (a) be focused on the whistleblowing rather than the whistleblowers; (b) outline the objectives of whistleblowing; (c) include both internal and external whistleblowers; (d) exclude materiality considerations; (e) not examine the motivations of the whistleblowers; (f) consider the qualitative characteristics of the information; and (g) use terminology that internal auditors and fraud examiners are familiar with. Such a definition could be the following (Table 2):
This is similarly to (TI-NL 2019), which proposed different definitions for whistleblowing and the whistleblowing framework, due to the fact that the framework has a broader scope. An appropriate definition of a whistleblowing framework in the context of internal audit and fraud examination could be the following (Table 3):
Such practices could be the avoidance of conflicts of interest, or the assignment of ultimate responsibility to non-executive directors or committees consisting of non-executive directors.

2.4. Definition of “Reasonable Suspicions”

Directive 1937/2019 provides protection to reporting persons who report based on reasonable suspicions. This condition serves as a safeguard to prevent malicious reporting. However, this terminology is subjective and may have the effect that potential risk-averse whistleblowers do report wrongdoing. The term “reasonable suspicion” could be defined as “a reasonable degree of satisfaction not necessarily amounting to belief but at least beyond speculation that a reportable event has occurred”. In other words, the whistleblower is not required to have proof that malpractice has occurred; however, his/her report must have some factual basis. Otherwise, the “predication” to initiate an investigation is not applied.

2.5. Definition and Application of the “Impartiality” Imperative

A whistleblowing framework achieves impartiality if (a) it is free from conflicts of interest and (b) it is internally consistent at all stages, from the investigation of reports to disciplinary actions. The achievement of impartiality requires an appropriate combination of organizational structures, infrastructure, processes, and people. In the suggested model, impartiality is embedded in every line.

3. The IIA’s Three Lines Model and Its Application to a Whistleblowing Framework

The aim of this section is to describe the roles and responsibilities of each line and the associations between each line. For this purpose, the TLM developed by the (IIA 2020) is used. The (IIA 2020) follows a principle-based approach to allow enough flexibility which focusing on achieving the organizational objectives and creating value. The principles of the TLM are (a) governance which refers to accountability, actions, and assurance; (b) governing body roles; (c) management (first and second-line) roles; (d) third-line roles; (e) third-line independence; and (f) creating and protecting value. The main components of the model are the Governing Body (the first and the second line), the internal audit function (frequently referred as the third line), and the external assurance providers. The external assurance providers are usually the external auditors, and they are frequently referred to as the fourth line of defense (Minto and Arndorfer 2015; Vousinas 2021).

3.1. Governing Body

Based on the IIA’s Three Lines Model (IIA 2020), the Governing Body (the Board of Directors) has ultimate responsibility for the Organization’s governance. It accepts responsibility and delegates resources to the management level to achieve the organization’s objectives and establish an independent, objective, and competent internal audit function. The Governing Body also ensures that legal, regulatory, and ethical expectations are met. In the context of a whistleblowing framework, the Governing Body accepts ultimate responsibility;2 forms a competent investigation team that will be free from conflicts of interest and undue influence; and implements and maintains appropriate infrastructure for receiving and investigating reports.
It is also relevant to note that different organizations may choose different objectives for their whistleblowing framework. For example, (Kagias et al. 2023) identified five different objectives, leading into five levels of whistleblowing maturity (Figure 1). These levels start from compliance with whistleblowing legislation, and the highest is using a whistleblowing framework to achieve ESG objectives and to meet the stakeholders’ expectations. A reasonable assumption is that the maturity level of organizations depends on their industry, size, multiple geographic locations, the regulatory framework, their vision, their mission, and values.
Table 4 provides the application of the TLM into a whistleblowing framework.

3.2. First-Line Roles

In accordance with the TLM, the role of first-line managers is to direct actions for the application of resources; to report frequently to the Governing Body on planned, actual, and expected objectives and risks; to establish and maintain appropriate structures and processes for the management of operations and risk; and to ensure legal and ethical compliance (IIA 2020). In the context of whistleblowing, the first-line role mainly involves the management of reports, since the investigation falls to the second line. However, research has shown that employees frequently report malpractice to their line managers first before submitting a report (Zhuang et al. 2005), and that executives frequently advocate whistleblowing while at the same time requiring “submissiveness and obedience” (Hirigoyen 2004). Therefore, their major role except from handling the reports is to encourage employees and other potential whistleblowers to report wrongdoing.

3.3. Second-Line Roles

Based on the IIA’s TLM, the role of the second line is to provide complementary expertise, support, and monitoring (IIA 2020). Usually, the duty to investigate reports falls to the compliance department or the internal audit function. In order to safeguard impartiality and effectiveness in investigations, the compliance department should be competent and free from undue influences. This requires a combination of appropriate organizational structures and business practices, for example, organizational independence; investigation protocols; and human resource practices that ensure only employees with high moral standards are hired, retained, and promoted. In comparison to the first-line managers, second-line managers have higher organizational status and are more likely to become recipients of reports. In addition, due to their higher degree of access to information and their higher skill levels, they may identify malpractice on their own and not as a result of reporting by others. As a result, it is important for the second-line managers (other than the investigators) to report wrongdoing when they identify it and support others.
It is also important to note that, based on the outcomes of an investigation, an organization may confirm (or alter) its understanding of identified fraud risks or the design or the operating performance of its internal controls. The opposite is also true. The internal audit function, when it provides assurance or consulting engagements, may identify weaknesses in internal controls that limit their ability to prevent or detect malpractice. Therefore, an appropriate interaction should be achieved between the compliance department, the risk committee, and the internal audit function.

3.4. Third Line

In accordance with the (CIIA 2023), the internal audit function can either provide consulting or assurance engagements to retain its independence. Where the internal audit function provides consulting engagements, assurance has to be obtained by other assessors. In this context, the third line is considered the party that provides assurance to the Governing Body. By applying the suggestions of (IIAA 2021) in auditing risk culture, whistleblowing assurance could follow one of the three approaches listed below (Figure 2):
surface-level whistleblowing assessment,
deep-dive whistleblowing audits, or
surface-level and deep-dive whistleblowing audits.
  • Method 1: surface-level assessment
This approach provides indications that either encourage or prevent reporting of wrongdoing across the organization. Audit tools that can be used are surveys and behavioral observations. The main focus in these engagements is to identify internal and external conditions that affect whistleblowing in a positive or negative way.
  • Method 2: deep-dive assessment
This approach provides assurance on key functions relevant to whistleblowing such as the compliance department or the investigation team. The scope of this approach is narrower compared with surface-level assessment. The main focus is to ensure, at a minimum, that compliance with whistleblowing legislation has been achieved. In other words, the assessment should ensure that the reporting channels are sufficient, the identity of the reporting person and any person included in the reporting remains confidential throughout the investigation process, and that the investigations are conducted in a legal manner. This approach requires assessors with sufficient knowledge of the legal perspectives of whistleblowing and fraud investigation. Possible tools that can be used may include checklists, detailed review of the established policies, and detailed assessments of the investigations conducted. It is however more likely that the assessment team would perform audits specifically designed to assess certain whistleblowing perspectives and would not include whistleblowing as an element in other assurance engagements.
  • Method 3: surface-level assessment and deep-dive assessment
This approach combines breadth and depth. Possible tools that can be used are maturity models, for example, the whistleblowing maturity model provided by (Kagias et al. 2023). The final suggested theoretical model which is based on the Three Lines of Defense Model (IIA 2020) is as follows (Figure 3):

3.5. Transnational Aspects

Whistleblowing largely depends on the ethics of those who observe wrongdoing and decide whether they will report or not. Many researchers have performed cross-cultural research (for example Tavakoli et al. 2003; Keenan 2007). In these studies, one or more variables were the cultural dimensions (power distance, uncertainty-avoidance, individualism, and masculinity versus femininity) suggested by (Hofstede 1984) and the other variables examined different aspects of whistleblowing (for example, whether employees decide to report, to whom they report and how they report). Usually, the cultures selected had substantial difference in at least one of the cultural dimensions. The results showed that cultural differences affect the decision of the observers of wrongdoing to report and how to report. For example, in cultures with high “power distance”, where people accept the unequal distribution of power, they also tend to rationalize wrongdoing by upper management (Tavakoli et al. 2003) and decide not to report. However, the seven-dimensional framework suggested by (Berry 2004) could be used to encourage employees to report. It is also obvious that the legal framework and the degree of protection from retaliation also affects the decisions of whistleblowers. As best practice, (Kagias et al. 2023) suggest that equal protection measures be given voluntarily from multinational organizations to jurisdictions with less robust whistleblowing legislation.
Moreover, a debatable aspect relevant to whistleblowing is monetary rewards for whistleblowers. Recently, SEC has provided more than USD 28 million to seven (external) whistleblowers (SEC 2023). In accordance with (Karpacheva and Hock 2024), most of the whistleblowers reported to SEC were foreign nationals, and they have more chances to receive monetary rewards than US nationals. As a result, non-US nationals chose to report in the US rather than their country. In some cases, whistleblowers face significant legal costs. It is likely that monetary rewards are seen as a measure to mitigate this risk. Another reasonable explanation may be that some whistleblowers may trust US authorities more. Directive 1937/2019 does not follow this approach. However, irrespective of the monetary rewards, organizations should consider monetary and non-monetary rewards to promote an ethical culture. In addition, (Brenninkmeijer et al. 2018) focuses on the role of “best practices” or the “soft law” that derives from private institutions rather than authorities to meet the needs of stakeholders. This is consistent with the whistleblowing maturity framework suggested by (Kagias et al. 2023). In this framework, achieving compliance with whistleblowing legislation is the second of the five levels of maturity. The higher levels of maturity follow a reasonable escalation of best practice. Existing or emerging best practice can assist internal auditors to add value to the organizations and therefore to comply with the definition of internal auditing and the standards. Lastly, (Hock and Dávid-Barrett 2022) focused on the relationship between bribery and non-trial resolutions. They found that deferred prosecutions may result in the reformation of internal governance systems and the introduction of compliance programs which change corporate behavior. This may also be applicable to whistleblowing as well. (Hock and Dávid-Barrett 2022) point out that compliance programs signal the “good character” of organizations. The suggested model, if applied, may ensure that organizations act as good corporate citizens and that whistleblowing is not used for window-dressing purposes.

4. Conclusions

This study bridges the gap between the provisions of Directive 1937/2019 and the practice of internal auditing and fraud examination. This is achieved in two ways: first, by providing definitions for whistleblowing and whistleblowing frameworks that are appropriate for this purpose, and second, by describing the roles and associations for the governance of whistleblowing based on one of the most fundamental concepts of internal auditing. In addition, the suggested framework and guidance may assist internal auditors to comply with the standards of internal auditing by adding value to whistleblowing processes.
While this paper establishes a foundational understanding, future research could explore the applicability of the Three Lines Model in varying organizational contexts. Investigations into different industries or sectors could reveal unique challenges and adaptations necessary for implementing effective whistleblowing frameworks. Further studies might also examine the long-term outcomes of these frameworks in preventing fraud and fostering ethical organizational cultures.
Practitioners are strongly encouraged to assimilate and incorporate the valuable and enlightening perspectives and understanding derived from the contents of this scholarly article into their existing operational processes and practices in order to enhance and optimize their workflow efficiency and effectiveness. For instance, the implementation of our whistleblowing framework could involve training sessions for employees to recognize and report unethical practices effectively. Additionally, organizations could develop policies that align with the Three Lines Model, ensuring clear roles and responsibilities in managing whistleblowing cases, thus promoting a culture of transparency and accountability.

Author Contributions

Conceptualization, P.K. (Paschalis Kagias), N.S and I.P.; methodology P.K. (Paschalis Kagias), I.P. and P.K. (Panagiotis Kyriakogkonas); software, P.K. (Paschalis Kagias) and I.P.; validation, P.K. (Paschalis Kagias), A.G. and I.P.; formal analysis, P.K. (Paschalis Kagias), N.S. and I.P.; investigation, P.K. (Paschalis Kagias) and I.P.; resources, P.K. (Paschalis Kagias), A.G., I.P. and P.K. (Panagiotis Kyriakogkonas); data curation, P.K. (Paschalis Kagias) A.G., I.P. and P.K. (Panagiotis Kyriakogkonas); writing—original draft preparation, P.K. (Paschalis Kagias) N.S., I.P. and P.K. (Panagiotis Kyriakogkonas); writing—review and editing, P.K. (Paschalis Kagias), A.G. and I.P.; visualization, P.K. (Panagiotis Kyriakogkonas), A.G. and I.P.; supervision, P.K. (Paschalis Kagias), A.G. and I.P.; project administration, I.P. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data are contained within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Notes

1
Impartiality
The need for impartial investigations is highlighted by (ISO 37002:2021) and researchers (Kagias et al. 2023).
2
Ultimate responsibility
Although Directive 1937/2019 does not provide any guidance in respect of ultimate responsibility, professional bodies, standard-setting bodies, and researchers (PCBS 2013; Public Concern at Work 2013; CIIA 2014; Greene and Latting 2004; Kagias et al. 2023) suggest that it should be assigned to independent non-executive directors, or committees consisting of non-executive directors.
3
Level of maturity
The maturity model provided by (Kagias et al. 2023) may be used to establish objective criteria.
4
Reporting: The (GRI 2016) suggests certain disclosures in the annual reports or elsewhere.
5
Framework and strategies for facilitating employee whistleblowing.
The framework provided by (Berry 2004) could be used.
6
Outsourcing activities
Both the International Standards for the Professional Practice for Internal Auditing and the International Standards on audit recognize the risks associated with the outsourcing of activities. The IIA has issued recommended guidance (IIA 2018).

References

  1. Alford, C. Fred. 2002. Whistleblowers: Broken Lives and Organizational Power. Ithaca: Cornell University Press. [Google Scholar]
  2. Association of Certified Fraud Examiners (ACFE). 2022a. Manual. Available online: www.acfe.com/-/media/images/acfe/products/publication/fraud-examiners-manual/2022_fem_sample_chapter.ashx#:~:text=Act%20on%20Predication,-Fraud%20examinations%20must&text=In%20other%20words%2C%20predication%20is,each%20step%20in%20an%20examination (accessed on 15 February 2024).
  3. Association of Certified Fraud Examiners (ACFE). 2022b. Occupational Fraud 2022. A Report to the Nations. Available online: https://legacy.acfe.com/report-to-the-nations/2022 (accessed on 16 February 2024).
  4. Association of Chartered Certified Accountants (ACCA). 2019. Internal Audit’s Role in Whistleblowing. Available online: www.accaglobal.com/gb/en/member/discover/cpd-articles/governance-risk-control/ias-role-in-whistleblowing.html#:~:text=Internal%20Audit’s%20assurance%20role%20includes,Review%20the%20whistleblowing%20policy (accessed on 16 February 2024).
  5. Ayers, Susan, and Steven E. Kaplan. 2005. Wrongdoing by consultants: An examination of employees’ reporting intentions. Journal of Business Ethics 57: 121–37. [Google Scholar] [CrossRef]
  6. Berry, Benisa. 2004. Organizational culture: A framework and strategies for facilitating employee whistleblowing. Employee Responsibilities and Rights Journal 16: 1–11. [Google Scholar] [CrossRef]
  7. Borg, Glen, Peter J. Baldacchino, Sandra Buttigieg, Engin Boztepe, and Simon Grima. 2020. Challenging the adequacy of the Conventional ‘Three lines of Defence’ model: A case Study on Maltese Credit Institutions. In Contemporary Issues in Audit Management and Forensic Accounting. Bingley: Emerald Publishing Limited, vol. 102, pp. 303–24. [Google Scholar]
  8. Brenninkmeijer, Alex, Gaston Moonen, Raphael Debets, and Branislav Hock. 2018. Auditing standards and the accountability of the European Court of Auditors (ECA). Utrecht Law Review 14: 1–17. [Google Scholar] [CrossRef]
  9. Chartered Institute of Internal Auditors (CIIA). 2014. Whistleblowing and Corporate Governance. In The Role of Internal Audit in Whistleblowing. London: Chartered Institute of Internal Auditors. [Google Scholar]
  10. Chartered Institute of Internal Auditors (CIIA). 2023. Position Paper: Internal Audit and Whistleblowing. Available online: www.iia.org.uk/resources/ethics-values-and-culture/whistleblowing/position-paper-internal-audit-and-whistleblowing/ (accessed on 16 February 2024).
  11. Culiberg, Barbara, and Katarina Katja Mihelič. 2017. The evolution of whistleblowing studies: A critical review and research agenda. Journal of Business Ethics 146: 787–803. [Google Scholar] [CrossRef]
  12. Directive 1937/2019, on the Protection of Persons Who Report Breaches of Union Law. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019L1937 (accessed on 15 February 2024).
  13. Dworkin, Terry Morehead, and Melissa S. Baucus. 1998. Internal vs. external whistleblowers: A comparison of whistleblowering processes. Journal of Business Ethics 17: 1281–98. [Google Scholar] [CrossRef]
  14. Fleming, Scott, Jonathan Marks, and Richard Riley. 2018. Meta-model of fraud. Fraud Magazine, July/August. pp. 24–31. [Google Scholar]
  15. Global Reporting Initiative (GRI). 2016. GRI 102: General Disclosures 2016. Amsterdam: Global Reporting Initiative. [Google Scholar]
  16. Greene, Annette D., and Jean Kantambu Latting. 2004. Whistleblowing as a form of advocacy: Guidelines for the practitioner and organization. Social Work 49: 219–30. [Google Scholar] [CrossRef] [PubMed]
  17. Hakim, Andi Lukman. 2017. Application of Three Lines of Defence in Islamic Financial Institution in Malaysia. International Journal of Management and Applied Research 4: 44–57. [Google Scholar] [CrossRef]
  18. Henik, Erika. 2015. Understanding whistle-blowing: A set-theoretic approach. Journal of Business Research 68: 442–50. [Google Scholar] [CrossRef]
  19. Hirigoyen, Marie-France. 2004. Stalking the Soul. New York: Helen Marx Books. [Google Scholar]
  20. Hock, Branislav, and Elizabeth Dávid-Barrett. 2022. The compliance game: Legal endogeneity in anti-bribery settlement negotiations. International Journal of Law, Crime and Justice 71: 100560. [Google Scholar] [CrossRef]
  21. Hofstede, Geert. 1984. The cultural relativity of the quality of life concept. Academy of Management Review 9: 389–98. [Google Scholar] [CrossRef]
  22. IFRS Foundation. 2018. Conceptual Framework. London: IFRS Foundation. [Google Scholar]
  23. International Organization for Standardization (ISO). 2022. ISO 37002. Whistleblowing Management SystemsGuidelines. Geneva: International Organization for Standardization (ISO). Available online: https://www.iso.org/standard/65035.html (accessed on 15 February 2024).
  24. Jubb, Peter B. 1999. Whistleblowing: A restrictive definition and interpretation. Journal of Business Ethics 21: 77–94. [Google Scholar] [CrossRef]
  25. Kagias, Paschalis, Nikolaos Sariannidis, Alexandros Garefalakis, Ioannis Passas, and Panagiotis Kyriakogkonas. 2023. Validating the Whistleblowing Maturity Model Using the Delphi Method. Administrative Sciences 13: 120. [Google Scholar] [CrossRef]
  26. Karpacheva, Elina, and Branislav Hock. 2024. Foreign whistleblowing: The impact of US extraterritorial enforcement on anti-corruption laws in Europe. Journal of Financial Crime 31: 1–13. [Google Scholar] [CrossRef]
  27. Keenan, John P. 2007. Comparing Chinese and American managers on whistleblowing. Employee Responsibilities and Rights Journal 19: 85–94. [Google Scholar] [CrossRef]
  28. Luburić, Radoica. 2017. Strengthening the three lines of defense in terms of more efficient operational risk management in central banks. Journal of Central Banking Theory and Practice 6: 29–53. [Google Scholar] [CrossRef]
  29. Luburić, Radoica, Milan Perovic, and Rajko Sekulovic. 2015. Quality management in terms of strengthening the “three lines of defence” in risk management-process approach. International Journal for Quality Research 9: 243. [Google Scholar]
  30. Minto, Andrea, and Isabella Arndorfer. 2015. The “Four Lines of Defence Model” for Financial Institutions. Taking the Three-Lines-of-Defence Model Further to Reflect Specific Governance Features of Regulated Financial Institutions. BIS Papers. Basel: BIS, vol. 11, pp. 1–29. [Google Scholar]
  31. Near, Janet P., and Marcia P. Miceli. 1985. Organizational dissidence: The case of whistle-blowing. Journal of Business Ethics 4: 1–16. [Google Scholar] [CrossRef]
  32. Parliamentary Commission on Banking Standards (PCBS). 2013. Available online: www.parliament.uk/globalassets/documents/banking-commission/Banking-final-report-volume-i.pdf (accessed on 16 February 2024).
  33. Public Concern at Work. 2013. Report on the Effectiveness of Existing Arrangements for Workplace Whistleblowing in the UK. London: Public Concern at Work. [Google Scholar]
  34. Ravishankar, Lilanthi. 2003. Encouraging Internal Whistleblowing in Organizations. Available online: www.scu.edu/ethics/publications/submitted/whistleblowing.html (accessed on 16 February 2024).
  35. Securities Exchange Commission (SEC). 2023. SEC Awards More than $28 Million to Seven Whistleblowers. Available online: www.sec.gov/news/press-release/2023-257#:~:text=Whistleblower%20awards%20can%20range%20from,could%20reveal%20a%20whistleblower’s%20identity (accessed on 16 February 2024).
  36. Tammenga, Alette. 2020. The application of Artificial Intelligence in banks in the context of the three lines of defence model. Maandblad voor Accountancy en Bedrijfseconomie 94: 219–30. [Google Scholar] [CrossRef]
  37. Tavakoli, A. Assad, John P. Keenan, and Biljana Cranjak-Karanovic. 2003. Culture and whistleblowing an empirical study of Croatian and United States managers utilizing Hofstede’s cultural dimensions. Journal of Business Ethics 43: 49–64. [Google Scholar] [CrossRef]
  38. The Institute of Internal Auditors (IIA). 2013. The Three Lines of Defense in Effective Risk Management and Control. Position Paper. Available online: https://www.iia.org.uk/policy-and-research/position-papers/the-three-lines-of-defence/ (accessed on 16 February 2024).
  39. The Institute of Internal Auditors (IIA). 2018. Auditing Third-Party Risk Management. Lake Mary: IIA. [Google Scholar]
  40. The Institute of Internal Auditors (IIA). 2019. Fraud and Internal Audit. Assurance over Fraud Controls Fundamental to Success. Lake Mary: IIA. [Google Scholar]
  41. The Institute of Internal Auditors (IIA). 2020. The IIA’s Three Lines Model. Lake Mary: IIA. [Google Scholar]
  42. The Institute of Internal Auditors (IIA). 2024. Definition of Internal Auditing. Available online: www.theiia.org/en/standards/what-are-the-standards/definition-of-internal-audit/ (accessed on 16 February 2024).
  43. The Institute of Internal Auditors (IIA), and Association of Certified Fraud Examiners (ACFE). 2022. Building a Best-in-Class Whistleblower Hotline Program. Lake Mary: IIA. Austin: ACFE. [Google Scholar]
  44. The Institute of Internal Auditors (IIA), and WBCSD. 2022. Embedding ESG and Sustainability Considerations into the Three Lines Model. Lake Mary: IIA. Geneva: WBCSD. [Google Scholar]
  45. The Institute of Internal Auditors Australia (IIAA). 2021. Auditing Risk Culture: Practical Guide. Sydney: IIA-Australia. [Google Scholar]
  46. Trasparency International Netherlands (TI-NL). 2019. Whistleblowing Frameworks 2019 Assessing Companies in Trade, Industry, Finance and Energy in The Netherlands. Amsterdam: Trasparency International Netherlands. [Google Scholar]
  47. US Accountability Project. 2015. A Framework for Managing Fraud Risks in Federal Programs; Washington, DC: U.S. Government Accountability Office.
  48. Vousinas, Georgios L. 2021. Beyond the three lines of defense: The five lines of defense model for financial institutions. ACRN Journal of Finance and Risk Perspectives 10: 95–110. [Google Scholar] [CrossRef]
  49. Zhuang, Jinyun, Stuart Thomas, and Diane L. Miller. 2005. Examining culture’s effect on whistle-blowing and peer reporting. Business & Society 44: 462–86. [Google Scholar]
Figure 1. Whistleblowing maturity levels. Source: (Kagias et al. 2023).
Figure 1. Whistleblowing maturity levels. Source: (Kagias et al. 2023).
Admsci 14 00083 g001
Figure 2. Assessment types of WBF. Designed by the authors, inspired by (IIAA 2021).
Figure 2. Assessment types of WBF. Designed by the authors, inspired by (IIAA 2021).
Admsci 14 00083 g002
Figure 3. WBF based on the TML. Designed by the authors, inspired by (IIA 2020).
Figure 3. WBF based on the TML. Designed by the authors, inspired by (IIA 2020).
Admsci 14 00083 g003
Table 1. Qualitaive characteristics of whistleblowing information.
Table 1. Qualitaive characteristics of whistleblowing information.
Inbound InformationOutbound Information
RelevanceIf it provides a reasonable basis to initiate an investigationIf it uncovers malpractice and/or confirms or alters the understanding of the organization on risks and controls.
TimelinessIf it is provided within a time frame that makes it actionable.If it is investigated within the period provided by the law.
Faithfull representationComplete, neutral, and free from misrepresentationsImpartial and based on factual evidence
VerifiabilityIf a competent third party would reach the same conclusions.
Designed by the Authors, inspired by (IFRS 2018).
Table 2. Whistleblowing definition.
Table 2. Whistleblowing definition.
Whistleblowing is the disclosure of real, suspected, or anticipated cases of actionable information. Information is actionable if it is relevant and faithful.
Information is relevant if it allows the Organization to identify actual, suspected, or anticipated illegal, immoral, or dangerous practices and/or to confirm or alter its understanding of current or emerging risks, and/or the design and/or the operating effectiveness of internal controls, and if it is provided on a timely manner.
Information is faithful if it is considered true at the time of the reporting, and it provides sufficient predication to initiate an investigation.
Table 3. Whistleblowing framework definition.
Table 3. Whistleblowing framework definition.
An internal whistleblowing framework is the totality of formal and informal practices which proactively encourage reporting of actionable information and safeguard impartial1 investigations and the governance mechanisms that define roles and responsibilities, allowing the Organization to enhance risk management (including fraud risks) and strengthen the overall internal control environment.
Table 4. Roles and responsibilities of the Governing body.
Table 4. Roles and responsibilities of the Governing body.
IIA’s Three Lines ModelApplication to Whistleblowing Framework
The Governing BodyAccepts accountability to stakeholders for oversight of the organization
Accepts responsibility for an effective whistleblowing framework that will safeguard the impartiality of investigations and consistency in disciplinary actions.
Determines the current status of the whistleblowing framework and the desired maturity level by performing internal or external benchmarking3
Engages with stakeholders to monitor their interests and communicate transparently on the achievement of objectives
Engages with stakeholders to comprehend their concerns, achieving their consensus and support for implementing an effective whistleblowing framework
Determines whether external disclosures, including summary statistics and narratives, are required4
Nurtures a culture promoting ethical behavior and accountability
Sets the tone at the top, underpinning the personal liability of employees to protect the organization
Empowers employees and others to report wrongdoing5
Establishes structures and processes for governance, including auxiliary committees as required
Assigns ultimate responsibility for an effective whistleblowing framework to a non-executive director or committee consisting of non-executive directors.
Safeguards the independence of the investigation team to be free from undue influences
Delegates responsibility and provides resources to management to achieve the objectives of the organization
Establishes an investigation department with competent professionals to conduct impartial investigations or outsources the investigations to such professionals6
Determines organizational appetite for risk and exercises oversight of risk management
Ensures a high degree of interaction between the investigations team and the internal audit function to confirm (or reverse) the organization’s understanding on risks, and/or the design and operating performance of internal controls.
Maintains oversight of compliance with legal, regulatory, and ethical expectations
Ensures that the whistleblowing framework achieves compliance with legislation
Uses the whistleblowing framework to achieve compliance with other laws and regulations and the desired level of maturity
Determines when to report to the authorities and how to facilitate their investigations
Establishes and oversees an independent, objective, and competent internal audit function
Assigns the audit function to provide assurance to the Board that whistleblowing mechanisms and investigations are effective
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Kagias, P.; Garefalakis, A.; Passas, I.; Kyriakogkonas, P.; Sariannidis, N. Whistleblowing Based on the Three Lines Model. Adm. Sci. 2024, 14, 83. https://doi.org/10.3390/admsci14050083

AMA Style

Kagias P, Garefalakis A, Passas I, Kyriakogkonas P, Sariannidis N. Whistleblowing Based on the Three Lines Model. Administrative Sciences. 2024; 14(5):83. https://doi.org/10.3390/admsci14050083

Chicago/Turabian Style

Kagias, Paschalis, Alexandros Garefalakis, Ioannis Passas, Panagiotis Kyriakogkonas, and Nikolaos Sariannidis. 2024. "Whistleblowing Based on the Three Lines Model" Administrative Sciences 14, no. 5: 83. https://doi.org/10.3390/admsci14050083

APA Style

Kagias, P., Garefalakis, A., Passas, I., Kyriakogkonas, P., & Sariannidis, N. (2024). Whistleblowing Based on the Three Lines Model. Administrative Sciences, 14(5), 83. https://doi.org/10.3390/admsci14050083

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop