How to conduct a whistleblowing investigation

Friday, June 23, 2023

12 Minutes reading time

Whistlehub content team

This guide explains the steps you need to follow or consider to conduct a successful whistleblowing investigation. This guide is updated whenever new best practises are introduced. We recommend you use this guide as a template whenever you have a case to investigate.


Corporate investigations are crucial for uncovering potential misconduct and ensuring that organizations operate with integrity. Whistleblowing investigations, in particular, play a significant role in addressing allegations brought forward by concerned employees or stakeholders. This step-by-step guide outlines the essential considerations and actions necessary to conduct a comprehensive and effective whistleblowing investigation.

What you need to do

1. Evaluate the Allegation

  • Carefully assess the seriousness of the allegation, including any potential violations of criminal law or company policies.
  • Consider the involvement of senior management or board members in the alleged misconduct.
  • Evaluate the potential exposure and the likelihood of further violations, ongoing misconduct, or risks to health and safety.
  • Determine if the allegations question the credibility of internal controls or financial certifications.
  • Review the company's obligations under relevant laws or regulations, including the requirement to self-report.

2. Determine the Need for an Investigation

  • Based on the seriousness of the allegations and potential impact, decide whether an internal investigation is warranted.
  • Assess available resources and potential disruptions to business operations.
  • Consider the need for an investigation in relation to pending or potential civil litigation and regulatory inquiries.
  • Evaluate the potential benefits of conducting an internal investigation before external regulators become involved.

3. Appoint an Independent Investigator or Team

  • Select a qualified investigator or assemble a team consisting of internal members, external consultants, and legal counsel.
  • Ensure independence of the investigators, especially when senior management or the corporate entity is implicated.
  • In cases involving potential legal implications, involve legal counsel to provide guidance throughout the investigation.
  • Consider involving experts, such as forensic accountants, to support the investigation if necessary.

4. Develop an Investigative Plan

  • Prepare a comprehensive investigative plan that outlines the scope and objectives of the investigation.
  • Define the key areas to be examined and the jurisdictions involved.
  • Identify the relevant documents, data, and potential witnesses to be reviewed or interviewed.
  • Address potential data privacy and state secrets laws while collecting and reviewing information.
  • Determine the need to protect legal privilege and ensure proper communication with experts.

5. Conduct Interviews and Document Findings

  • Schedule and conduct interviews with relevant individuals, including the whistleblower.
  • Prepare interview questions that cover all relevant areas of the investigation.
  • Consider allowing interviewees to have separate independent counsel if appropriate.
  • Ensure the presence of legal counsel during interviews to maintain privilege and advise interviewees.
  • Document all findings and statements made during the interviews accurately and comprehensively.

6. Preserve and Collect Evidence

  • Identify and preserve all relevant evidence, including documents, emails, phone records, and other data sources.
  • Document the process of preserving and collecting evidence to demonstrate compliance later on.
  • Engage forensic specialists if required to analyze digital evidence and identify any potential misconduct.

7. Analyze and Evaluate Findings

  • Assess the collected evidence and information to determine the veracity of the allegations.
  • Consider the relevance of the findings in relation to applicable laws, regulations, and company policies.
  • Evaluate the potential impact on the organization and any necessary remedial actions required.
  • Seek legal advice to navigate any legal and regulatory implications arising from the investigation.

8. Mitigate Risk and Implement Corrective Measures

  • Develop and implement appropriate remedial actions to address any identified misconduct.
  • Communicate the findings and actions to relevant stakeholders, including the board and senior management.
  • Update internal controls, policies, and procedures to prevent future violations.
  • Consider self-reporting the findings and actions to regulatory authorities when required by law.
  • Engage in ongoing monitoring and follow-up to ensure the effectiveness of implemented measures.

9. Protect Confidentiality and Whistleblower Rights

  • Safeguard the confidentiality of the investigation to protect the rights of involved parties.
  • Comply with data privacy regulations to ensure the protection of personal information.
  • Establish a system to handle retaliation or protection of whistleblowers from adverse consequences.
  • Communicate internally regarding non-retaliation policies and encourage reporting of any retaliation incidents.

10. Document the Investigation

  • Maintain a comprehensive record of the investigation's processes, findings, and actions taken.
  • Ensure documentation supports legal requirements, such as attorney-client privilege or legal advice privilege.
  • Keep internal stakeholders informed through regular updates and reports on the progress and outcomes.
  • Archive all documents and evidence related to the investigation for future reference if necessary.

How to do this in Whistlehub

1. Create a new inbox for the issue

Create an inbox for the specific issue so you have a seperate place where all the information is easily accessible, organized and secure. We recommend this because:

  • You have everything one place, so you can easily find what you need.
  • You avoid having case related data in multiple systems, which increases the risk of information being leaked or accessed by the wrong people.
  • You can easily archive everything related to the case in the same place, if you need to keep it for reference or compliance needs.

2. Add the independant investigator or your team to the inbox

Add the team you appointed in the previous step 3 to the inbox. You can add internal team members or external consultants. We recommend this because:

  • Everyone has a shared place with access to all the information, which makes it easier to collaborate.
  • You can easily add or remove people, so you always control who has access to the case related data. This means you don't have to worry about emails with sensitive data being forgotten or lost, or someone having access to information they should no longer have.

Now that you have set up an inbox for investigating the case, it's time to get some information. Share the inbox link with all relevant parties. The relevant parties would be groups of people you think have valuable information about the issue, ie. all employees, only some employees, the public or other stakeholders. We recommend this because:

  • This makes it easy to quickly get information from many sources at the same time. This initial information will not only give you potentially important facts, but also help lead you in the right direction from the beginning.
  • Inboxes can be anonymous, which means you are more likely to also get information from people who are worried about speaking to you directly. This could be people who fear that speaking up will have negative consequenses for them in the future.
  • You can quickly identify sources that know relevant information and keep the conversation going to get more information.
  • When the case is over you can delete or archive the inbox, so the link can no longer be used.
  • Inbox links are flexible, so you can create as many links for an inbox as you want. This makes it easy to share and revoke links with different groups of people, to get as much information as possible while also preventing spam or abuse. For example, if you want to share a link with both the public and your employees to get as much information as possible, it would be best to create a seperate link for each, so you can easily delete the public link if people are spamming it or providing unimportant information, whilst keeping the link for employees open.

4. Organize conversations

When you start getting information you should archive conversations that are not important and keep the once that are. For each conversation you should keep private notes with your team, so you have all notes and discussions organized next to eachother. We recommend this beause:

  • Archiving makes it easy to have all the relevant information in one place and all the irrelevant information in another place without needing to delete data. You can also delete conversations if they are spam.
  • Notes makes it easy to have seperate notes for seperate sources, so everything is organized in the right context.

5. Whistlehub summary

By following these steps you will have all the information related to a case in one place, needly organized and accessable only to the right people. This will help you investigate and solve issues faster and keep your data more secure.


If a case has public relevance and you think it might become a source of negative publicity we recommend being upfront about the case from the beginning. This shows that you are proactively dealing with the issue and it helps distance your organization from the source of the issue, which can greatly decrease the probability of negative publicity.


By following these steps, organizations can conduct thorough and effective whistleblowing investigations, protecting their interests, ensuring compliance, and fostering a culture of integrity and accountability within their ranks.

© All Rights Reserved. Whistlehub Inc