Whistleblowing Based on the Three Lines Model

Directive 1937/2019 on the protection of persons who report breaches of Union law became effective very recently. However, Directive 1937/2019 lacks sufficient guidance on the implementation or governance of whistleblowing frameworks. In addition, the existing literature lacks a definition of whistleblowing and whistleblowing frameworks that is appropriate for internal audit and fraud prevention. The purpose of this paper is to address the lack of a definition of whistleblowing and whistleblowing framework appropriate for internal auditing and to guide the roles and responsibilities within an organization to apply and maintain a robust whistleblowing framework. To this effect, the Three Lines Model is used, one of the most recognized theoretical models in effective risk governance and internal audit.


Introduction
After decades of delay compared to the US and the UK, EU Directive 1937/2019 on the protection of persons who report breaches of Union law became effective recently, drawing the attention of researchers and practitioners across Europe. The aim of the Directive is to enhance transparency and accountability by providing uniform and effective whistleblower protection standards across the EU to any persons who report breaches of EU law. However, this may prove beneficial to organizations as well. An organization that relies on good governance can not only achieve compliance with whistleblowing legislation but also use whistleblowing to achieve legal compliance with other laws and regulations, strengthen its internal control environment, and meet the expectations of its stakeholders (TI-NL 2019). However, Directive 1937/2019 sets the requirements for effective whistleblowing reporting channels but does not provide implementation guidelines. It is therefore left to the organizations to decide how they will achieve compliance. In this context, the internal audit function, due to its independence, can play a vital role (ACCA 2019; CIIA 2014) by providing assurance or consulting services.
The Three Lines of Defense Model (TLDM) introduced in 2013 by the Institute of Internal Auditors (IIA 2013) aimed to outline the roles and the responsibilities of each level of hierarchy within the risk management framework, to ensure that risks were identified, assessed and effectively managed. The Three Lines Model (TLM) is an enhanced development of the Three Lines of Defense Model (IIA 2020). Both models were developed to assist in successful governance and risk management (IIA and WBCSD 2022). However, the new model is more flexible and describes the main principles and interactions more clearly. Both frameworks provide general guidance and they have been modified to meet the specific requirements of many sectors - for example, central banks (Luburić 2017), commercial banks (Minto and Arndorfer 2015; Borg et al. 2020), and Islamic financial institutions (Hakim 2017) - and business processes, such as quality management (Luburić et al. 2015), the use of artificial intelligence in banks (Tammenga 2020), and ESG (IIA and WBCSD 2022). Similarly, TLM could provide a solid basis for the governance of whistleblowing.
Adm. Sci. 2024, 14, 83
In recent years, a series of studies have been conducted in relation to many aspects of whistleblowing. These include the joint (IIA and ACFE 2022) study that provides key statistics in respect of whistleblowing, and other studies focused on the reasons facilitating or discouraging individuals to report, including cultural aspects (Tavakoli et al. 2003; Keenan 2007). All these studies highlight different aspects. However, research on whistleblowing as an internal control mechanism is still limited. In addition, many definitions have been provided in respect of whistleblowing. Most of these definitions have been developed in different contexts and their relevance for internal audit and fraud prevention is limited.
The structure of the article is as follows. The next section (Section 2) defines whistleblowing, whistleblowing framework, and other relevant terminology. The third part provides the application of a whistleblowing framework in the context of the Three Lines Model. Finally, the paper provides a conclusion.

Definition of Whistleblowing and Whistleblowing Framework
This part of the paper provides definitions for internal whistleblowing (when the reports are submitted to the organization) and an internal whistleblowing framework that are appropriate for internal auditing and fraud deterrence. This is achieved by examining who the potential whistleblowers are (Section 2.1), discussing whether emphasis should be given to whistleblowing or the whistleblower (Section 2.2), focusing on relevant aspects of whistleblowing (Section 2.3), and finally defining other relevant terms (Sections 2.4 and 2.5). The suggested framework does not deal with external whistleblowing (when reports are submitted to the competent authorities) or public disclosures (when the information on breaches becomes available in the public domain). The reason for this distinction is that, in external whistleblowing and public disclosures, the ability of organizations to affect the process is limited.

Internal and External Whistleblowers
The early definitions of whistleblowing considered only employees as potential whistleblowers. For example, (Near and Miceli 1985) defined whistleblowing as "the disclosure by organizational members (former or current) of illegal, immoral, or illegitimate practices under the control of their employers, to persons or organisations that may be able to effect action". A similar definition was provided by (Ravishankar 2003). Other researchers have disagreed with this perspective since it does not "adequately portray the whistleblower" (Ayers and Kaplan 2005) and meaningful information may derive from external whistleblowers (Kagias et al. 2023) (based on ACFE 2022a, 2022b insights). Moreover, (Dworkin and Baucus 1998) suggested that reports from external whistleblowers provide "greater evidence of wrongdoing, and they tend to be more effective in changing organizational practices". Modern whistleblowing initiatives (ISO 2022; TI-NL 2019; US Accountability Project 2015) and researchers (Culiberg and Mihelič 2017) do not exclude external whistleblowers.

Whistleblower versus Whistleblowing
Other definitions have concentrated directly or indirectly on the virtues of the whistleblower rather than on the act of whistleblowing itself. For example, (Alford 2002) defined whistleblowing as "a heroic act of virtuous individuals" or "an avenue for maintaining integrity by speaking one's truth about what is right and what is wrong" (Berry 2004). These definitions hypothesize that the whistleblower is a highly moral individual with the courage to overcome the threat of retaliation. However, the motivations of whistleblowers may not always be altruistic. Recognizing this perspective, (Henik 2015) distinguishes whistleblowers into three categories: the "strategic moral guardians" who are ethical individuals characterized by accountability and bravery against retaliation, "fed up vigilants" who are motivated by anger and revenge, and "servants of two masters", who struggle to uphold commitments and conflicts of value but choose to remain silent even though they may at times feel post-decisional shame. In addition, the definitions of (Near and Miceli 1985; TI-NL 2019) emphasize that, in certain cases, it can be reasonably assumed that the objectives of an organization regarding whistleblowing are to prevent or identify wrongdoing in a timely manner, to assist the recovery of losses, or to achieve another outcome. Lastly, (Fleming et al. 2018) point out that internal auditors or fraud examiners are not psychologists, criminologists, or experts in the scientific study of human behavior, and that it is not practical to identify the motivations of wrongdoers. It can reasonably be assumed that this is applicable to whistleblowers as well. Of course, when the reports are anonymous, it is almost impossible to make such hypotheses. Therefore, in the context of fraud prevention and deterrence and internal auditing, the motivations for reporting are irrelevant. Therefore, the definition of whistleblowing in the context of internal audit, fraud investigation and deterrence should emphasize internal control (whistleblowing) rather than the whistleblower and their personal characteristics or incentives.

Emphasis on Internal Audit and Fraud Examination
An interesting definition of whistleblowing is provided by (Jubb 1999), who defines whistleblowing as the "deliberate, non-obligatory act of disclosure, which gets onto public record and is made by a person who has or had privileged access to data or information of an organization, about non-trivial illegality or other wrongdoing whether actual, suspected or anticipated which implicates and is under the control of that organization, to an external entity having the potential to rectify the wrongdoing". In the context of internal auditing, fraud prevention and deterrence, this definition may be one of the most problematic for a number of reasons. The first reason is that it excludes internal whistleblowing. In accordance with the (TI-NL 2019), internal whistleblowing sends a public signal of commitment to integrity and social responsibility, contributes to the prevention and mitigation of liability and financial losses, and contributes to continuous improvement in compliance and risk management and the enhancement of organizational culture. Similarly, Directive 1937/2019 requires EU Member States to encourage reporting through internal reporting channels before reporting through external reporting channels, provided that the breach can be addressed effectively internally and where the reporting person considers that there is no risk of retaliation. The second flaw of this definition is the term "non-trivial illegality", which introduces materiality considerations in respect of the wrongdoing. This is also inappropriate since a whistleblower may not have a complete picture of the extent of the wrongdoing. A perceived "trivial" illegality, if investigated properly, may be proven material. Moreover, this perspective contradicts the zero-tolerance approach to malpractice that many organizations implement. In addition, "illegality" excludes legal but unethical behavior. The third flaw of this definition is the requirement for privileged access. In many cases, wrongdoing may be identified without privileged access or specialized skills. For example, an eyewitness may identify misappropriation of assets without privileged access or victims may report harassment. The last flaw is the notion of voluntary disclosure. In some cases, for example anti-money laundering, legislation requires mandatory disclosure to the competent authorities, with serious penalties if this is not applied.
From a fraud-examination point of view, it is prohibited for fraud examiners to commence or continue a fraud investigation unless there is a proper predication, which is "the totality of circumstances that would lead a reasonable, professionally trained, and prudent individual to believe that a fraud has occurred, is occurring, or will occur" (ACFE 2022a). If this is not applied, an examination may not start in the first place.
To be useful for internal audit purposes, the definition of whistleblowing should take into consideration the definition of internal auditing, which is "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes" (IIA 2024). Moreover, in accordance with the (IIA 2019), "the internal auditor should not be expected to have the expertise of a person whose primary responsibility is to investigate fraud", such as a fraud examiner. However, internal auditors "must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization". Therefore, from an internal-audit point of view, the objective of whistleblowing is to identify wrongdoing and to confirm or alter the understanding of the organization in relation to risks (current or emerging) and/or the design and the operating effectiveness of existing internal controls. Usually, this information derives from the outcomes of investigations. Although whistleblowing largely consists of information that is received (inbound information) and processed, and ends with certain findings (outbound information), the quality of information has not been considered by the existing literature. Inspired by the (IFRS 2018) conceptual framework, Table 1 summarizes the qualitative characteristics of whistleblowing (inbound and outbound information) in the context of fraud prevention and internal audit.

Relevance
Inbound Information: If it provides a reasonable basis to initiate an investigation.
Outbound Information: If it uncovers malpractice and/or confirms or alters the understanding of the organization on risks and controls.

Timeliness
Inbound Information: If it is provided within a time frame that makes it actionable.
Outbound Information: If it is investigated within the period provided by the law.

Faithful representation
Inbound Information: Complete, neutral, and free from misrepresentations.
Outbound Information: Impartial and based on factual evidence.

Verifiability
If a competent third party would reach the same conclusions.

Designed by the Authors, inspired by (IFRS 2018).
Lastly, it is usual for standard setters to use consistent terminology (for example, ISO standards, International Standards on Audit, International Standards for the Professional Application of Internal Auditing, etc.). None of the definitions provided so far uses terminology that internal auditors or fraud examiners are familiar with. Therefore, in the context of internal audit and fraud risk management, a definition should observe the following: (a) be focused on the whistleblowing rather than the whistleblowers; (b) outline the objectives of whistleblowing; (c) include both internal and external whistleblowers; (d) exclude materiality considerations; (e) not examine the motivations of the whistleblowers; (f) consider the qualitative characteristics of the information; and (g) use terminology that internal auditors and fraud examiners are familiar with. Such a definition could be the following (Table 2):

Whistleblowing is the disclosure of real, suspected, or anticipated cases of actionable information. Information is actionable if it is relevant and faithful.
■ Information is relevant if it allows the Organization to identify actual, suspected, or anticipated illegal, immoral, or dangerous practices and/or to confirm or alter its understanding of current or emerging risks, and/or the design and/or the operating effectiveness of internal controls, and if it is provided in a timely manner.
■ Information is faithful if it is considered true at the time of the reporting, and it provides sufficient predication to initiate an investigation.

This is similar to (TI-NL 2019), which proposed different definitions for whistleblowing and the whistleblowing framework, due to the fact that the framework has a broader scope. An appropriate definition of a whistleblowing framework in the context of internal audit and fraud examination could be the following (Table 3):

An internal whistleblowing framework is the totality of formal and informal practices which proactively encourage reporting of actionable information and safeguard impartial 1 investigations and the governance mechanisms that define roles and responsibilities, allowing the Organization to enhance risk management (including fraud risks) and strengthen the overall internal control environment.

Such practices could be the avoidance of conflicts of interest, or the assignment of ultimate responsibility to non-executive directors or committees consisting of non-executive directors.

Definition of "Reasonable Suspicions"
Directive 1937/2019 provides protection to reporting persons who report based on reasonable suspicions. This condition serves as a safeguard to prevent malicious reporting. However, this terminology is subjective and may have the effect that potential risk-averse whistleblowers do report wrongdoing. The term "reasonable suspicion" could be defined as "a reasonable degree of satisfaction not necessarily amounting to belief but at least beyond speculation that a reportable event has occurred". In other words, the whistleblower is not required to have proof that malpractice has occurred; however, his/her report must have some factual basis. Otherwise, the "predication" to initiate an investigation is not applied.

Definition and Application of the "Impartiality" Imperative
A whistleblowing framework achieves impartiality if (a) it is free from conflicts of interest and (b) it is internally consistent at all stages, from the investigation of reports to disciplinary actions. The achievement of impartiality requires an appropriate combination of organizational structures, infrastructure, processes, and people. In the suggested model, impartiality is embedded in every line.

The IIA's Three Lines Model and Its Application to a Whistleblowing Framework
The aim of this section is to describe the roles and responsibilities of each line and the associations between each line. For this purpose, the TLM developed by the (IIA 2020) is used. The (IIA 2020) follows a principle-based approach to allow enough flexibility while focusing on achieving the organizational objectives and creating value. The principles of the TLM are (a) governance, which refers to accountability, actions, and assurance; (b) governing body roles; (c) management (first and second-line) roles; (d) third-line roles; (e) third-line independence; and (f) creating and protecting value. The main components of the model are the Governing Body, management (the first and the second line), the internal audit function (frequently referred to as the third line), and the external assurance providers. The external assurance providers are usually the external auditors, and they are frequently referred to as the fourth line of defense (Minto and Arndorfer 2015; Vousinas 2021).

Governing Body
Based on the IIA's Three Lines Model (IIA 2020), the Governing Body (the Board of Directors) has ultimate responsibility for the Organization's governance. It accepts responsibility and delegates resources to the management level to achieve the organization's objectives and establish an independent, objective, and competent internal audit function. The Governing Body also ensures that legal, regulatory, and ethical expectations are met. In the context of a whistleblowing framework, the Governing Body accepts ultimate responsibility 2; forms a competent investigation team that will be free from conflicts of interest and undue influence; and implements and maintains appropriate infrastructure for receiving and investigating reports.
It is also relevant to note that different organizations may choose different objectives for their whistleblowing framework. For example, (Kagias et al. 2023) identified five different objectives, leading into five levels of whistleblowing maturity (Figure 1). These levels start from compliance with whistleblowing legislation, and the highest is using a whistleblowing framework to achieve ESG objectives and to meet the stakeholders' expectations. A reasonable assumption is that the maturity level of organizations depends on their industry, size, multiple geographic locations, the regulatory framework, their vision, their mission, and values. Table 4 provides the application of the TLM into a whistleblowing framework.


First-Line Roles
In accordance with the TLM, the role of first-line managers is to direct actions for the application of resources; to report frequently to the Governing Body on planned, actual, and expected objectives and risks; to establish and maintain appropriate structures and processes for the management of operations and risk; and to ensure legal and ethical compliance (IIA 2020). In the context of whistleblowing, the first-line role mainly involves the management of reports, since the investigation falls to the second line. However, research has shown that employees frequently report malpractice to their line managers first before submitting a report (Zhuang et al. 2005), and that executives frequently advocate whistleblowing while at the same time requiring "submissiveness and obedience" (Hirigoyen 2004). Therefore, their major role, apart from handling the reports, is to encourage employees and other potential whistleblowers to report wrongdoing.

Second-Line Roles
Based on the IIA's TLM, the role of the second line is to provide complementary expertise, support, and monitoring (IIA 2020). Usually, the duty to investigate reports falls to the compliance department or the internal audit function. In order to safeguard impartiality and effectiveness in investigations, the compliance department should be competent and free from undue influences. This requires a combination of appropriate organizational structures and business practices, for example, organizational independence; investigation protocols; and human resource practices that ensure only employees with high moral standards are hired, retained, and promoted. In comparison to the first-line managers, second-line managers have higher organizational status and are more likely to become recipients of reports. In addition, due to their higher degree of access to information and their higher skill levels, they may identify malpractice on their own and not as a result of reporting by others. As a result, it is important for the second-line managers (other than the investigators) to report wrongdoing when they identify it and support others.

IIA's Three Lines Model: Application to Whistleblowing Framework

The Governing Body

Accepts accountability to stakeholders for oversight of the organization
■ Accepts responsibility for an effective whistleblowing framework that will safeguard the impartiality of investigations and consistency in disciplinary actions.
■ Determines the current status of the whistleblowing framework and the desired maturity level by performing internal or external benchmarking 3

Engages with stakeholders to monitor their interests and communicate transparently on the achievement of objectives
■ Engages with stakeholders to comprehend their concerns, achieving their consensus and support for implementing an effective whistleblowing framework
■ Determines whether external disclosures, including summary statistics and narratives, are required 4

Nurtures a culture promoting ethical behavior and accountability
■ Sets the tone at the top, underpinning the personal liability of employees to protect the organization
■ Empowers employees and others to report wrongdoing 5

Establishes structures and processes for governance, including auxiliary committees as required
■ Assigns ultimate responsibility for an effective whistleblowing framework to a non-executive director or committee consisting of non-executive directors.
■ Safeguards the independence of the investigation team to be free from undue influences

Delegates responsibility and provides resources to management to achieve the objectives of the organization
■ Establishes an investigation department with competent professionals to conduct impartial investigations or outsources the investigations to such professionals 6

Determines organizational appetite for risk and exercises oversight of risk management
■ Ensures a high degree of interaction between the investigations team and the internal audit function to confirm (or reverse) the organization's understanding on risks, and/or the design and operating performance of internal controls.

Maintains oversight of compliance with legal, regulatory, and ethical expectations
■ Ensures that the whistleblowing framework achieves compliance with legislation
■ Uses the whistleblowing framework to achieve compliance with other laws and regulations and the desired level of maturity
■ Determines when to report to the authorities and how to facilitate their investigations

Establishes and oversees an independent, objective, and competent internal audit function
■ Assigns the audit function to provide assurance to the Board that whistleblowing mechanisms and investigations are effective

It is also important to note that, based on the outcomes of an investigation, an organization may confirm (or alter) its understanding of identified fraud risks or the design or the operating performance of its internal controls. The opposite is also true. The internal audit function, when it provides assurance or consulting engagements, may identify weaknesses in internal controls that limit their ability to prevent or detect malpractice. Therefore, an appropriate interaction should be achieved between the compliance department, the risk committee, and the internal audit function.

Third Line
In accordance with the (CIIA 2023), the internal audit function can either provide consulting or assurance engagements to retain its independence. Where the internal audit function provides consulting engagements, assurance has to be obtained by other assessors. In this context, the third line is considered the party that provides assurance to the Governing Body. By applying the suggestions of (IIAA 2021) in auditing risk culture, whistleblowing assurance could follow one of the three approaches listed below (Figure 2):
■ surface-level whistleblowing assessment,
■ deep-dive whistleblowing audits, or
■ surface-level and deep-dive whistleblowing audits.

Method 1: surface-level assessment
This approach provides indications that either encourage or prevent reporting of wrongdoing across the organization. Audit tools that can be used are surveys and behavioral observations. The main focus in these engagements is to identify internal and external conditions that affect whistleblowing in a positive or negative way.

Method 2: deep-dive assessment
This approach provides assurance on key functions relevant to whistleblowing such as the compliance department or the investigation team. The scope of this approach is narrower compared with surface-level assessment. The main focus is to ensure, at a minimum, that compliance with whistleblowing legislation has been achieved. In other words, the assessment should ensure that the reporting channels are sufficient, the identity of the reporting person and any person included in the reporting remains confidential throughout the investigation process, and that the investigations are conducted in a legal manner. This approach requires assessors with sufficient knowledge of the legal perspectives of whistleblowing and fraud investigation. Possible tools that can be used may include checklists, detailed review of the established policies, and detailed assessments of the investigations conducted. It is however more likely that the assessment team would perform audits specifically designed to assess certain whistleblowing perspectives and would not include whistleblowing as an element in other assurance engagements.

Method 3: surface-level assessment and deep-dive assessment
This approach combines breadth and depth. Possible tools that can be used are maturity models, for example, the whistleblowing maturity model provided by (Kagias et al. 2023). The final suggested theoretical model which is based on the Three Lines of Defense Model (IIA 2020) is as follows (Figure 3):

Transnational Aspects
Whistleblowing largely depends on the ethics of those who observe wrongdoing and decide whether they will report or not. Many researchers have performed cross-cultural research (for example Tavakoli et al. 2003; Keenan 2007). In these studies, one or more variables were the cultural dimensions (power distance, uncertainty-avoidance, individualism, and masculinity versus femininity) suggested by (Hofstede 1984) and the other variables examined different aspects of whistleblowing (for example, whether employees decide to report, to whom they report and how they report). Usually, the cultures selected had a substantial difference in at least one of the cultural dimensions. The results showed that cultural differences affect the decision of the observers of wrongdoing to report and how to report. For example, in cultures with high "power distance", where people accept the unequal distribution of power, they also tend to rationalize wrongdoing by upper management (Tavakoli et al. 2003) and decide not to report. However, the seven-dimensional framework suggested by (Berry 2004) could be used to encourage employees to report. It is also obvious that the legal framework and the degree of protection from retaliation affect the decisions of whistleblowers. As best practice, (Kagias et al. 2023) suggest that equal protection measures be given voluntarily by multinational organizations to jurisdictions with less robust whistleblowing legislation.
Moreover, a debatable aspect relevant to whistleblowing is monetary rewards for whistleblowers. Recently, the SEC has provided more than USD 28 million to seven (external) whistleblowers (SEC 2023). According to (Karpacheva and Hock 2024), most of the whistleblowers who reported to the SEC were foreign nationals, and they have more chances to receive monetary rewards than US nationals. As a result, non-US nationals chose to report in the US rather than in their own country. In some cases, whistleblowers face significant legal costs. It is likely that monetary rewards are seen as a measure to mitigate this risk. Another reasonable explanation may be that some whistleblowers may trust US authorities more. Directive 1937/2019 does not follow this approach. However, irrespective of the monetary rewards, organizations should consider monetary and non-monetary rewards to promote an ethical culture. In addition, (Brenninkmeijer et al. 2018) focus on the role of "best practices" or the "soft law" that derives from private institutions rather than authorities to meet the needs of stakeholders. This is consistent with the whistleblowing maturity framework suggested by (Kagias et al. 2023). In this framework, achieving compliance with whistleblowing legislation is the second of the five levels of maturity. The higher levels of maturity follow a reasonable escalation of best practice. Existing or emerging best practice can assist internal auditors to add value to the organizations and therefore to comply with the definition of internal auditing and the standards. Lastly, (Hock and Dávid-Barrett 2022) focused on the relationship between bribery and non-trial resolutions. They found that deferred prosecutions may result in the reformation of internal governance systems and the introduction of compliance programs which change corporate behavior. This may be applicable to whistleblowing as well. (Hock and Dávid-Barrett 2022) point out that compliance programs signal the "good character" of organizations. The suggested model, if applied, may ensure that organizations act as good corporate citizens and that whistleblowing is not used for window-dressing purposes.

Conclusions
This study bridges the gap between the provisions of Directive 1937/2019 and the practice of internal auditing and fraud examination. This is achieved in two ways: first, by providing definitions for whistleblowing and whistleblowing frameworks that are appropriate for this purpose, and second, by describing the roles and associations for the governance of whistleblowing based on one of the most fundamental concepts of internal auditing. In addition, the suggested framework and guidance may assist internal auditors to comply with the standards of internal auditing by adding value to whistleblowing processes.
While this paper establishes a foundational understanding, future research could explore the applicability of the Three Lines Model in varying organizational contexts. Investigations into different industries or sectors could reveal unique challenges and adaptations necessary for implementing effective whistleblowing frameworks. Further studies might also examine the long-term outcomes of these frameworks in preventing fraud and fostering ethical organizational cultures.
Practitioners are strongly encouraged to incorporate the perspectives of this article into their existing operational processes and practices in order to enhance their efficiency and effectiveness. For instance, the implementation of our whistleblowing framework could involve training sessions for employees to recognize and report unethical practices effectively. Additionally, organizations could develop policies that align with the Three Lines Model, ensuring clear roles and responsibilities in managing whistleblowing cases, thus promoting a culture of transparency and accountability.

Figure 3. WBF based on the TML. Designed by the authors, inspired by (IIA 2020).

Table 4. Roles and responsibilities of the Governing body.
