Nigel's Eyes

20220826 Internal Auditors and Whistleblowing.

Kong v Gulf International Bank - internal audit compared with whistleblowing.

The judgment in this case is here:

Further Court documents are here:…

I am surprised that this case was handled as a "whistleblower" case and equally surprised that any issues of "protected disclosures" arose and/or were allowed to be proceeded with.

The facts are simple: A identified a failure in policy and procedure and orally brought it to the attention of her immediate superior, B. The following day, A repeated her concerns in writing but in such a way that it impugned the competence of B. Over several weeks, A's report was batted back and forth: a lack of clarity was criticised and the implications drawn were denied. But A persisted in some of her personal allegations.

When the Audit report was concluded, A was highly critical of the fact that her superiors had removed some of her comments which had been the subject of debate.

I cannot see that A's initial oral representation is "whistleblowing." If that is to be accepted, then every employee who says "I think we've got this wrong" is a whistleblower. That's ridiculous.

It follows that A's subsequent report in writing should not be considered whistleblowing.

Given that the Employment Tribunal found that it should and that that question was not before the English (not UK) Court of Appeal, leave an outstanding problem.

Further, the report was reviewed by A's direct manager, the Group Head of internal audit (he has a different title) and by the legal department and the final report reflected their considered view.

The Tribunal and the Court of Appeal found that the manner in which the written report was made was wrong and punishable. A was dismissed - and the dismissal upheld - because of her own behaviour, not because she drew attention to a problem. It is important to note that A was dismissed as a result of a decision making process at a senior level and B took no part in that process so removing any allegation that she had influenced the decision for personal reasons.

"We do not, however, accept that the Claimant questioned whether Ms Harding should have been in the role of Head of Legal or threatened to escalate that issue to the CEO."

Commentators (of which there are many on the internet) seem to start with the presumption that all internal reports should be treated as protected disclosures.

I have another point: A was an internal auditor. Identifying points of failure and weaknesses in the bank's policies and procedures is literally her job. It cannot be right that every report made by an internal auditor is automatically a whistle-blowing act. If we extrapolate this then every review of historical data produces protected disclosures.

In my view, such reports should not be considered "disclosures" at all.

We can extrapolate it to every health and safety note submitted indicating that a repair is required; every complaint of any nature is suddenly a whistle being blown.

From a Financial Crime Risk and Compliance perspective, it would mean that every file reviewed under a remediation process that identified a concern would be treated as whistleblowing.

The Court of Appeal goes through the facts very carefully and the over-riding impression that I get is of a blow-up between two colleagues. A continued to escalate the tone and her actions creating a situation where B had no choice but to respond. She took her concerns "upstairs" and A was dismissed.

After reading the entire judgment, I have come to the conclusion that this case was not about what it claims to be about. In my view it's not about whistleblowing at all, in part because I think that it's a dangerous course of action to mark an internal auditor's report as whistleblowing and in part because it really is about discipline where a junior picks on the boss, for whatever reason and brings, inter alia, hostility into consideration.

The Court of Appeal missed an opportunity to state, even obiter, a position as to whether the reports were properly accepted as protected disclosures.

That is not to say that internal auditors should not blow the whistle when it is appropriate: of course they should. But those instances should be unusual, not automatic, and they should be expressed in appropriate language and terms.