Whistleblower Investigation: Vigil Mechanism & SEBI Compliance

Legal Framework: Who Must Have a Vigil Mechanism

Companies Act, 2013 — Section 177(9) and (10)

Section 177(9) states: “Every listed company or such class or classes of companies, as may be prescribed, shall establish a vigil mechanism for directors and employees to report genuine concerns in such manner as may be prescribed.”

Section 177(10) states: “The vigil mechanism under sub-section (9) shall provide for adequate safeguards against victimisation of persons who use such mechanism and make provision for direct access to the chairperson of the Audit Committee in appropriate or exceptional cases.”

Rule 7 of the Companies (Meetings of Board and its Powers) Rules, 2014 prescribes the following classes of companies that must establish a vigil mechanism:

• Every listed company
• Every company which accepts deposits from the public
• Every company which has borrowed money from banks and public financial institutions in excess of fifty crore rupees

SEBI LODR Regulation 22 — Vigil Mechanism for Listed Companies

SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, Regulation 22 provides:

• Regulation 22(1): The listed entity shall formulate a vigil mechanism for directors and employees to report genuine concerns.
• Regulation 22(2): The Audit Committee shall review the functioning of the whistle blower mechanism at least once in a year.
• Regulation 22(3): The vigil mechanism shall provide for adequate safeguards against victimisation of director(s) or employee(s) or any other person who avail the mechanism, and also provide for direct access to the chairperson of the Audit Committee in appropriate or exceptional cases.
• Regulation 22(4): The details of establishment of the vigil mechanism shall be disclosed by the listed entity on its website and in the Board’s report.

SEBI Informant Mechanism for Insider Trading

SEBI (Prohibition of Insider Trading) Regulations, 2015, Regulation 7A (inserted via amendment in 2020) establishes a separate informant mechanism specifically for reporting insider trading violations. Key features:

• Informants can report original information about insider trading violations to SEBI
• Financial reward of up to ₹1 crore for information leading to disgorgement of at least ₹5 crore
• Identity protection for informants — SEBI shall not disclose the identity except as required by law
• Informants must submit through a legal representative

Why Independent Investigation Matters

Consequences of Poor Investigation

• Regulatory risk: If SEBI or the ROC later finds that a complaint was inadequately investigated, the Audit Committee members face personal liability.
• Litigation risk: An accused person who is terminated based on a flawed investigation can challenge the termination, and the company faces liability for wrongful termination.
• Reputational risk: Leaks about suppressed complaints cause far greater reputational damage than transparent, properly conducted investigations.
• Continued fraud: If the investigation is inadequate, the underlying fraud continues, compounding financial losses.

Categories of Whistleblower Complaints

Based on our experience across 100+ whistleblower investigations, complaints typically fall into these categories:

Financial Fraud (45% of complaints)

• Embezzlement and misappropriation of company funds
• Vendor fraud and fictitious billing (see our detailed guide: Vendor Fraud Detection: Benford’s Law & Shell Company Analysis)
• Expense reimbursement fraud
• Revenue manipulation and financial statement fraud
• Related party transaction concealment

Corruption and Bribery (20% of complaints)

• Kickbacks from vendors or customers
• Bribery of government officials
• Conflict of interest — undisclosed business relationships

Regulatory Non-Compliance (15% of complaints)

• Environmental violations
• Labour law violations
• Tax evasion
• SEBI/FEMA non-compliance

Workplace Misconduct (15% of complaints)

• Harassment and discrimination
• Safety violations
• Data privacy breaches
• Intellectual property theft

Insider Trading (5% of complaints)

• Trading on unpublished price sensitive information (UPSI)
• Tipping — sharing UPSI with family or associates
• Front-running by intermediaries

Our Whistleblower Investigation Methodology

At Virtual Auditor, we follow a structured investigation process aligned with ACFE standards:

Phase 1: Complaint Assessment and Scoping (Day 1-5)

• Complaint review: Analyse the complaint for specificity, supporting evidence, and credibility indicators
• Preliminary risk assessment: Evaluate potential financial impact, legal exposure, and regulatory implications
• Scope definition: Define the investigation scope, time period, entities involved, and deliverables — documented in a formal engagement letter
• Evidence preservation notice: Issue a legal hold / document preservation notice to prevent destruction of relevant records
• Investigation plan: Prepare a detailed plan covering data requirements, interview list, timeline, and reporting structure

Phase 2: Evidence Collection and Data Analytics (Week 1-3)

• Document collection: Financial records, emails, contracts, bank statements, ERP data, access logs — all obtained through the Audit Committee with chain-of-custody documentation
• Data analytics: Benford’s Law testing, duplicate transaction detection, trend analysis, anomaly identification — depending on the nature of the complaint
• Email and communication review: Keyword searches, chronological analysis, relationship mapping between parties mentioned in the complaint
• Background verification: MCA, GST, PAN checks on entities and individuals identified in the complaint

Phase 3: Interviews (Week 2-4)

We follow the ACFE interview methodology, which structures interviews in a specific sequence:

• Neutral witnesses first: Persons with no stake in the outcome who can provide context
• Corroborative witnesses: Persons who can confirm or deny specific facts
• The complainant: Detailed interview with the whistleblower (maintaining confidentiality)
• Suspects last: Confrontational interviews with accused persons, conducted only after documentary evidence and witness statements have been gathered

All interviews are documented contemporaneously. Where legally permissible and with consent, audio recording is used.

Phase 4: Analysis and Reporting (Week 3-5)

• Evidence synthesis: Correlate documentary evidence, data analytics findings, and interview statements
• Findings: Factual findings with evidence references — the report states what happened, not opinions
• Loss quantification: Where financial fraud is established, quantify the loss with supporting calculations
• Legal admissibility: Report structured for admissibility under Indian Evidence Act, Section 45 (expert opinion) and Section 65B (electronic records)
• Recommendations: Remedial actions, internal control improvements, and legal options (FIR, civil suit, NCLT petition, SEBI complaint)

Phase 5: Post-Investigation Support

• Presentation of findings to the Audit Committee
• Support for disciplinary proceedings
• Expert witness testimony before NCLT, civil courts, criminal courts, or SEBI proceedings
• Assistance with FIR filing and police coordination
• Implementation support for remedial recommendations

Designing an Effective Vigil Mechanism: Compliance Checklist

For companies setting up or reviewing their vigil mechanism, we recommend the following structure based on statutory requirements and best practice:

Policy Document Requirements

• Clear definition of what constitutes a reportable concern (fraud, corruption, regulatory violation, safety hazard)
• Specification of who can file complaints (directors, employees, contractual workers, vendors, stakeholders)
• Multiple reporting channels (dedicated email, web portal, telephone hotline, physical letter to Audit Committee chairperson)
• Provision for anonymous complaints — the policy should not require identification as a precondition for filing
• Explicit anti-victimisation clause per Section 177(10) — protection against termination, demotion, harassment, or other adverse action
• Direct access to Audit Committee chairperson for exceptional cases per Section 177(10)
• Timeline for acknowledgement (within 48 hours) and preliminary assessment (within 7 days)
• Commitment to maintain confidentiality of the complainant’s identity
• Process for engaging external investigators when internal investigation is inappropriate

SEBI LODR Specific Requirements for Listed Companies

• Policy must be disclosed on the company website — Regulation 22(4)
• Details of the vigil mechanism must be included in the Board’s report in the annual report
• Audit Committee must review the functioning of the vigil mechanism at least once a year — Regulation 22(2)
• The annual review should cover: number of complaints received, categories, investigation status, outcomes, and time taken for resolution

Governance Structure

• Receiving authority: Typically the Company Secretary or a designated Ethics Officer receives complaints
• First review: Preliminary assessment of complaint credibility and categorisation
• Investigation decision: Audit Committee decides whether to investigate and whether external investigators are needed
• Investigation oversight: Audit Committee (not management) oversees the investigation
• Outcome review: Audit Committee reviews findings and decides on remedial action
• Reporting: Anonymised summary reported to the Board

Common Failures in Vigil Mechanism Implementation

Whistleblower Protection: Current Legal Position

Whistleblowers Protection Act, 2014

This Act was passed by Parliament in 2014 but has not been brought into force as of March 2026. It was designed to protect whistleblowers who disclose corruption and misuse of power by public servants. Key features (not yet operative):

• Protection against victimisation for persons making disclosures related to corruption
• Competent authority to inquire into disclosures
• Penalties for false or frivolous complaints
• Protection of identity of complainants

Existing Protections in the Private Sector

In the absence of a comprehensive whistleblower protection law for the private sector, protection comes from:

• Companies Act Section 177(10): Requires the vigil mechanism to provide adequate safeguards against victimisation
• Individual company policies: The vigil mechanism policy should include specific anti-retaliation provisions
• Labour law protections: Wrongful termination of an employee who filed a good-faith complaint may be challenged under the Industrial Disputes Act, 1947
• SEBI Informant Mechanism (Regulation 7A): Provides identity protection specifically for insider trading informants

Investigation of Specific Complaint Types

Financial Fraud Complaints

The most common and highest-value complaints. Investigation approach:

• Forensic data analytics on the financial period and transactions identified in the complaint
• Benford’s Law testing, duplicate detection, and anomaly analysis
• Bank statement analysis and fund tracing
• Vendor/customer background verification through MCA and GST databases
• Related party transaction analysis per Section 188 of the Companies Act
• Forensic report suitable for filing under IPC Section 420 (cheating) or Companies Act Section 447 (fraud)

Insider Trading Complaints

For listed companies, insider trading complaints require specific expertise in SEBI regulations:

• Analysis of trading patterns around unpublished price sensitive information (UPSI) events
• Identification of connected persons per SEBI (Prohibition of Insider Trading) Regulations, 2015
• Review of the structured digital database maintained under Regulation 3(5)
• Communication analysis for evidence of UPSI sharing (tipping)
• Report suitable for submission to SEBI or for the company’s internal code of conduct proceedings

Related Party Transaction Complaints

• Verification against Section 188 of the Companies Act and SEBI LODR Regulation 23
• Analysis of whether transactions were at arm’s length
• Independent valuation of transactions where pricing is disputed
• Review of board and shareholder approvals
• Disclosure compliance verification

Pricing for Whistleblower Investigation Services

Service	Scope	Starts From
Complaint Assessment & Scoping	Preliminary review, risk assessment, investigation plan	₹50,000
Single-Issue Investigation	One complaint, data analytics + interviews + report	₹1,50,000
Comprehensive Forensic Investigation	Multi-allegation, multiple periods, full evidence gathering	₹3,00,000
Vigil Mechanism Policy Design	Policy drafting + governance structure + training	₹75,000
Expert Witness Testimony	NCLT / SEBI / civil court / criminal court	Separate engagement

For a custom quote, visit Virtual Auditor Pricing or call +91 99622 60333.

Frequently Asked Questions

Which companies are required to establish a vigil mechanism under the Companies Act?

Under Section 177(9) of the Companies Act, 2013, every listed company and every company that accepts deposits from the public or has borrowed money from banks and public financial institutions in excess of ₹50 crore must establish a vigil mechanism. Rule 7 of the Companies (Meetings of Board and its Powers) Rules, 2014, prescribes these classes.

What is the role of the Audit Committee in whistleblower complaints?

Under Section 177(10), the vigil mechanism must provide for direct access to the chairperson of the Audit Committee in appropriate or exceptional cases. The Audit Committee oversees the mechanism, reviews complaints, decides on investigation, and monitors remedial action. For listed companies, SEBI LODR Regulation 22(2) requires the Audit Committee to review the functioning of the whistle blower mechanism at least once a year.

Does SEBI have a separate whistleblower mechanism?

Yes. SEBI (Prohibition of Insider Trading) Regulations, 2015, Regulation 7A (inserted in 2020) established an informant mechanism where individuals can report insider trading violations to SEBI and receive financial rewards of up to ₹1 crore. Separately, SEBI LODR Regulation 22 mandates that listed companies establish a vigil mechanism and disclose it on their website.

Is there whistleblower protection law in India?

The Whistleblowers Protection Act, 2014, was enacted by Parliament but has not been brought into force as of 2026. In the private sector, protection is provided through the Companies Act Section 177(10) requirement for anti-victimisation safeguards, through individual company vigil mechanism policies, and through general labour law protections against wrongful termination.

How should a company investigate a whistleblower complaint?

Best practice is to engage an independent external investigator — typically a forensic accounting firm with CFE credentials. The investigation should follow ACFE methodology: evidence preservation, document review, data analytics, structured interviews, and a legally admissible report. The Audit Committee should oversee the investigation. Contact Virtual Auditor at +91 99622 60333.

What happens if a company does not have a vigil mechanism?

Non-compliance with Section 177(9) is a violation of the Companies Act. The Registrar of Companies can issue a notice. For listed companies, SEBI can impose penalties under Section 23A of the SEBI Act and take enforcement action for violation of LODR Regulation 22. Absence of a vigil mechanism may also be treated as a corporate governance failure in any subsequent litigation.

Virtual Auditor — AI-Powered CA & IBBI Registered Valuer Firm
Valuer: V. VISWANATHAN, FCA, ACS, CFE, IBBI/RV/03/2019/12333
Chennai (HQ): G-131, Phase III, Spencer Plaza, Anna Salai, Chennai 600002
Bangalore: 7th Floor, Mahalakshmi Chambers, 29, MG Road, Bangalore 560001
Mumbai: Workafella, Goregaon West, Mumbai 400062
Phone: +91 99622 60333 | Email: support@virtualauditor.in
Book a Free Consultation