
Whistleblower mechanisms that work — and how to handle the first one
Section 177 makes a vigil mechanism mandatory. Most companies build the mechanism, post the email address, and then are unprepared when the first material complaint actually arrives. Here is the protocol that holds.
Every audit committee chair we have worked with says the same thing, in some form, when the first material whistleblower complaint arrives. The mechanism existed, the email address was on the website, the policy was filed with the registrar — and yet, when a complaint about a senior leader landed, the company was not ready. The triage took too long, the investigation team was not pre-defined, the interim measures were not thought through, and the retaliation protection was not operationalised before the first interview happened.
Whistleblower mechanisms are a place where compliance and operations diverge sharply. The compliance part — having the mechanism, disclosing it, training employees on it — is well-handled at most listed companies. The operational part — what happens when the first real complaint arrives — is improvised at most of them.
What the law requires
Section 177(9) of the Companies Act 2013, read with the SEBI LODR Regulation 22 and the relevant rules, requires the audit committee of every listed company, every large unlisted public company, and every company accepting deposits, to oversee a vigil mechanism that enables directors and employees to raise concerns about unethical behaviour, fraud, or violation of the company's code of conduct.
The mechanism must provide direct access to the audit committee chair in exceptional cases, must protect against retaliation, and must be disclosed in the directors' report.
What the law does not specify — and what most companies do not document until after the first complaint — is the operational protocol for handling a complaint once it arrives.
The four channels that actually work
Most vigil mechanisms offer four channels for raising a complaint.
Email. A dedicated whistleblower email address, monitored by a defined person — typically the company secretary or the chief audit executive. Easiest to set up, easiest to ignore if the monitor is not engaged.
Phone hotline. A dedicated phone number. Useful for employees who do not have company email or who do not trust the email channel to be confidential.
Postal. A physical address, often the audit committee chair's office or the company secretary, for written complaints. Used in cases where the complainant believes electronic channels may be monitored.
Third-party hotline. An external service provider — Navex, EthicsPoint, KPMG Ethics Helpline — that runs the intake, anonymises the complainant, and routes the case to the company's defined recipient.
The fourth channel is the most effective by a wide margin. Internal channels — email, phone, postal — are subject to a perception, sometimes accurate, that the recipient may be implicated, may know who the complainant is, or may not maintain confidentiality. The first three channels see a much lower complaint volume relative to actual issues in the organisation. The third-party hotline, well-marketed internally, sees more complaints and, importantly, complaints about senior leaders that the internal channels almost never receive.
The marginal cost of the third-party hotline — typically ₹2 to ₹6 lakh per year for a mid-size company — is low relative to the value of catching a material issue early.
The protocol when the first complaint arrives
What follows is the protocol we recommend, refined across multiple real engagements. The sequence matters; the timeline matters.
Stage one: intake and triage (24 to 72 hours)
The complaint arrives. The recipient — chief audit executive, company secretary, or the third-party hotline's escalation contact — logs the complaint in a confidential register, including the date, channel, complainant identity (if disclosed), and a summary of the allegation.
The first triage question is whether the complaint is material. Material means: if true, it would have a financial, regulatory, legal, or reputational impact on the company exceeding a defined threshold. Frivolous, personal-grievance, and non-material complaints are routed to HR or the standard grievance process. Material complaints proceed to preliminary inquiry.
The triage decision should be made by two people, not one. The chief audit executive and an audit committee member, or the company secretary and the audit committee chair. A single-person triage is a single point of failure — and an obvious target for influence if the complaint touches a senior leader.
Stage two: preliminary inquiry (1 to 2 weeks)
For material complaints, a preliminary inquiry confirms whether there is a credible factual basis. The inquiry is narrow in scope — it does not investigate the merits, only the threshold of credibility. Documents that the complainant referenced are pulled and reviewed. Public records that bear on the allegation are checked. The complainant is contacted (if non-anonymous) for clarifying questions.
If the preliminary inquiry concludes there is no credible basis, the matter is closed, the complainant is informed (if non-anonymous and the closure can be communicated without compromising confidentiality), and the file is retained.
If the preliminary inquiry concludes there is a credible basis, the matter proceeds to formal investigation.
Stage three: investigation team formation (1 week)
The investigation team is appointed. Members:
An investigation lead with the independence and authority to interview senior personnel. For complaints involving senior management, the lead must be external — a partner from a forensic firm, or a senior lawyer.
A finance specialist for any complaint with financial dimensions.
A legal advisor with employment and white-collar experience.
An IT-forensics resource for any complaint involving electronic evidence.
Anyone reporting to or close to the implicated individual is excluded. This is where many companies struggle. The implicated individual is often the CFO, the COO, or the head of a major business unit. Their reports run the finance, audit, or operations functions. The investigation team has to be staffed from outside that reporting line.
Stage four: interim measures (concurrent with investigation)
If the allegation involves ongoing harm — continued fraud, ongoing harassment, document destruction — interim measures are required. The implicated individual's system access may be restricted, their authority over the relevant decisions may be suspended, or in serious cases they may be put on administrative leave. Each measure has employment and legal implications and must be approved by the audit committee chair on advice of legal counsel.
Retaliation protection for the complainant is operationalised here. The complainant's reporting line is reviewed; if the implicated individual is in the complainant's reporting chain, the complainant is moved to a different reporting line during the investigation. The complainant's compensation cycle, if pending, is removed from the implicated individual's discretion. The complainant's manager is briefed (without revealing the complainant's identity) on the duty not to retaliate.
Stage five: investigation and finding (4 to 12 weeks)
Document review, interviews, forensic analysis if needed. The investigation lead delivers a written finding to the audit committee. The finding states what was alleged, what evidence was gathered, what was substantiated, what was not, and what the recommendation is.
Stage six: disposition
The audit committee acts on the finding. Disposition can include termination, demotion, training, restitution, civil action, criminal referral, or no action depending on the finding. The disposition is documented and communicated to the complainant (if non-anonymous and confidentiality can be maintained).
Real cases that have shaped Indian protocols
Two publicly reported cases inform how Indian audit committees now think about whistleblower handling.
The Infosys whistleblower complaint in 2019 — alleging unethical practices in financial reporting — was investigated by the audit committee with external counsel and an external forensic firm. The investigation concluded the allegations were not substantiated. The handling was scrutinised closely by SEBI and by institutional investors. The duration of the investigation, the independence of the team, and the disclosure timing were all examined publicly.
The Wipro whistleblower disclosures in 2020, on similar themes, were similarly investigated. The lessons that the institutional audit-committee community drew from these cases: speed of triage matters, external independence of the investigation team matters, and the audit committee chair's personal engagement matters.
Disclosure and confidentiality
A persistent question is whether the existence of a whistleblower investigation should be disclosed publicly, particularly for listed companies under SEBI's continuous disclosure requirements.
The general answer: not at the complaint stage, not at the preliminary inquiry stage, and not during investigation unless required by specific regulation or where the issue is otherwise becoming public. Disclosure at conclusion depends on the finding's materiality — if the substantiated finding is material to the company's financial statements or reputation, disclosure is appropriate.
Confidentiality protects both the complainant and the implicated individual. A premature disclosure of an unsubstantiated allegation harms the implicated individual unjustly. A failure to disclose a material substantiated allegation harms the company's investors. The line is judgement-based and should involve legal counsel and the audit committee.
What the audit committee should review quarterly
Three things, every quarter.
Complaint volume by channel and category. Trending up or down? Categories shifting?
Time-to-triage and time-to-resolution for material complaints. Is the process running to the policy timeline?
Any retaliation complaints. These are the second-order signal — a whistleblower mechanism that produces retaliation complaints is operating; one that does not may be operating, or the silence may indicate that retaliation protection is not being enforced.
The audit committee chair's hardest moment is not the day the complaint arrives. It is two weeks later, when the implicated senior leader is asking why their authority has been restricted, the complainant is uncertain whether protection is real, the finance team is wondering why the investigation lead is interviewing them, and three institutional investors are asking unrelated questions about portfolio quality. The protocol holds in that moment, or it does not.
What to test before the first case arrives
Run a tabletop. Pick a scenario — a hypothetical complaint alleging revenue recognition manipulation by a named senior leader — and walk the protocol through it with the audit committee, the chief audit executive, the company secretary, and external counsel. Where does the protocol break? Who calls whom? What is the timeline?
The tabletop will surface gaps. The gaps are easier to close before the real case than during it.

