The Australian Securities and Investments Commission (ASIC) has called on companies to review their whistleblower arrangements after a national questionnaire showed wide differences in how organisations design and implement their programs.
Report 827, Insights from the ASIC Whistleblower Questionnaire: July 2024 to June 2025 (REP 827), is based on responses from 134 entities across 18 industries. It compares current whistleblower policies and procedures with approaches ASIC has previously set out in regulatory guidance and earlier reviews.
ASIC commissioner Alan Kirkland described whistleblowers as an important source of information for boards, regulators, and other stakeholders. “Whistleblowers play a crucial role in identifying and exposing misconduct that can harm customers, shareholders, companies and the broader community. Without effective policies and programs to encourage whistleblowers to come forward, misconduct may otherwise go unreported and undetected,” Kirkland said.
The questionnaire identified substantial variation in how whistleblower frameworks are structured and managed. More than one-third of participating entities did not have a dedicated whistleblower web page for lodging concerns, reducing one of the formal channels available for reporting. About a quarter of surveyed companies did not provide regular training for staff on their whistleblower program. More than half had not sought employee feedback on the design or operation of their program in the previous year.
ASIC reported that larger listed entities and mining-sector firms were more likely to have relatively mature whistleblower arrangements and higher levels of disclosures. At the same time, some smaller companies were found to have well-developed programs, indicating that organisational scale is not the sole driver of program capability.
Across the 134 entities, respondents reported 8,095 whistleblower disclosures. The average time to complete an investigation was 49 days. According to ASIC, 69% of disclosures were received through a dedicated whistleblower web page or hotline. On average, 24% of in-scope disclosures that proceeded to investigation were substantiated. Forty-two percent of companies said disciplinary action against staff members was the most common outcome where matters were confirmed.
The report sets out several issues for boards and executives to consider, including in general insurance, life insurance, and intermediated distribution. Twenty-two per cent (22%) of companies reported receiving no disclosures. ASIC said such results should prompt directors and senior management to consider whether employees and other eligible whistleblowers are sufficiently aware of the program, whether they have confidence in internal channels, and whether accessible, secure options exist to raise concerns.
Thirty per cent (30%) of respondents indicated they do not regularly review the effectiveness of their whistleblower program. ASIC said entities should consider not only whether their policies comply with legal requirements but also how they operate in practice, the outcomes generated, and whether governance arrangements remain appropriate.
A quarter of companies said they did not provide regular training on the whistleblower program. ASIC noted that training and ongoing communication may affect awareness of, and willingness to use, whistleblower channels. In addition, 58% of entities had not sought feedback from employees about their arrangements. ASIC said feedback can offer insight into understanding of the program, levels of trust, and preparedness to speak up about potential misconduct.
Kirkland said the questionnaire results point to concrete steps available to Australian companies. “While whistleblower processes need to be tailored to the circumstances of each company, providing dedicated web pages for whistleblower reporting, enabling communication with anonymous disclosers, and fostering a stronger speak-up culture are all steps companies can take to support whistleblowers and encourage disclosures. Strong, appropriate, and effective whistleblower practices go to the core of good corporate governance. These programs provide important information for directors to oversee their company’s operations and compliance with the law,” Kirkland said.
ASIC is encouraging companies to use the report’s findings as a reference point and to review how their whistleblower policies and procedures operate in practice. The regulator said it will continue to monitor whistleblower practices and engage with entities assessed as having non-compliant or significantly less mature programs.
ASIC reiterated that companies are required by law to provide specific protections to whistleblowers and to manage disclosures confidentially. Whistleblower policies should describe how those protections will be applied and how the organisation will support and protect people who report, taking into account its structure, activities, and risk profile.
REP 827 forms part of ASIC’s ongoing work on whistleblower governance. This work includes Regulatory Guide 270: Whistleblower policies (RG 270), released in November 2019, which outlines ASIC’s expectations for compliant policies. In October 2021, ASIC wrote to chief executives asking them to review whistleblower policies after identifying compliance concerns in a sample review. In March 2023, it published Report 758, Good practices for handling whistleblower disclosures (REP 758), following a targeted review of seven firms’ programs.
