Australian Whistleblower Policy: How Can You Avoid Penalties?
March 30, 2022

Content updated on May 6, 2026

Australian companies have had mandatory whistleblower policies under the Corporations Act since 2020. More than five years on, ASIC has published its most comprehensive review to date of how well companies are actually delivering on that obligation, and the picture is uneven.

In December 2025, ASIC published Report 827, the findings of a first-of-its-kind questionnaire conducted across 134 entities in 18 industries between July 2024 and June 2025. The report benchmarks whistleblower policies and practices across corporate Australia and identifies where companies are falling short. The message from the regulator is consistent with what it has been saying since 2019: having a policy is not enough. What matters is whether the programme behind it works in practice.

What ASIC found

ASIC found significant variation in the maturity of whistleblower practices across the companies surveyed. Over one third of participating entities did not provide a dedicated whistleblower web page for raising concerns. A quarter failed to provide regular staff training on whistleblowing.

Around 18% of companies surveyed had at least one report that raised concerns about the mistreatment of a whistleblower, a figure that rises to 28% when limited to companies that received at least one in-scope report during the period.

ASIC's analysis found that companies which regularly shared information about their whistleblower programmes and provided recurring training achieved higher disclosure rates than those that communicated as a one-off. Posters and periodic emails were among the most effective measures for maintaining awareness.

The overarching finding was that too many organisations are still treating their whistleblower policy as a static document rather than an operational governance tool. ASIC Commissioner Alan Kirkland noted that strong, appropriate and effective whistleblower practices go to the core of good corporate governance, providing directors with the information they need to oversee their company's operations and compliance with the law.

The legal requirements have not changed, but expectations have risen

Public companies, large proprietary companies, and corporate trustees of registrable superannuation entities are required under the Corporations Act to maintain a whistleblower policy. That policy must clearly set out:

  • The protections available to whistleblowers
  • How and to whom qualifying disclosures should be made
  • How investigations will be conducted to ensure fair treatment of those named in disclosures
  • The measures in place to support and protect whistleblowers
  • How employees and officers can access the police if necessary

ASIC has made clear it will write directly to companies where it identifies non-compliant or significantly less mature practices, and will continue to monitor whistleblower practices across corporate Australia. The regulator has consistently reminded companies that the ultimate responsibility for the whistleblower programme sits with the board, not with HR or compliance teams alone.

ASIC and ASX guidance increasingly demands that whistleblowing be seen and managed as a board governance and risk management issue, not an HR issue or management compliance requirement.

Why whistleblowing matters beyond compliance

The case for effective whistleblowing infrastructure goes well beyond avoiding regulatory penalties. Early detection of fraud, embezzlement, bribery, data breaches, unsafe working conditions, harassment, and discrimination gives organisations the opportunity to address issues before they become significantly more costly, financially and reputationally.

ASIC's own report notes that receiving whistleblower disclosures can itself be an indicator of a stronger speak-up culture. It can signal that staff feel safe and supported to raise concerns, which in turn enables organisations to uncover issues they might not otherwise detect. A low disclosure rate is not necessarily a sign that nothing is wrong. It may be a sign that employees do not trust the system.

What companies should do now

ASIC's December 2025 report is an explicit invitation for companies to benchmark themselves against its findings and take concrete steps to improve. Based on the report's findings, the priorities are clear:

  1. Review your policy for accuracy and currency. Incomplete and out-of-date policies remain one of the most common compliance gaps.
  2. Make your reporting channels visible. A third of companies surveyed did not have a dedicated whistleblower web page. If employees cannot easily find where to report, they will not report.
  3. Train regularly, not once. One-off training at onboarding has limited impact. Companies with higher disclosure rates consistently deliver recurring, accessible training.
  4. Establish board-level oversight. The board should be receiving regular reporting on whistleblowing programme activity, not just when a significant disclosure occurs.
  5. Use your data. Tracking disclosure rates, report categories, and resolution timelines allows organisations to assess whether their programme is working.

Conclusion

As we move through 2026, the ASIC Report 827 serves as a definitive wake-up call: a PDF tucked away on an intranet is not a whistleblowing program. The regulator has clearly signaled that the era of "passive compliance" is over, and boards are now expected to treat reporting data as a critical risk metric.

Whispli provides the independent, intuitive infrastructure that turns silence into actionable insight. We don't just help you meet ASIC’s benchmarks; we help you build a culture where integrity is measured by transparency, and where your board has the audit trails and analytics needed to prove that your program is working, not just on paper, but in practice.
