Whistleblower Investigation: Vigil Mechanism & SEBI Compliance
Quick Answer
Every listed company and prescribed class of companies must establish a vigil mechanism under Companies Act, 2013, Section 177(9). When a whistleblower complaint is received, the Audit Committee must ensure independent investigation — preferably by an external forensic firm — with anti-victimisation safeguards per Section 177(10). For listed companies, SEBI LODR Regulation 22 adds disclosure and review requirements. At Virtual Auditor, whistleblower investigations are led by CA V. Viswanathan (FCA, ACS, CFE, IBBI/RV/03/2019/12333) using ACFE-standard investigation methodology. We produce reports that are admissible before NCLT, SEBI, and civil/criminal courts.
Definition — Vigil Mechanism (Whistle Blower Policy): A structured channel through which directors, employees, and stakeholders can report concerns about unethical behaviour, actual or suspected fraud, or violation of the company’s code of conduct or legal provisions. The mechanism must provide for confidentiality, protection against retaliation, and direct access to the chairperson of the Audit Committee. Mandated by Section 177(9) of the Companies Act, 2013 and SEBI LODR Regulation 22 for listed companies.
Definition — Whistleblower Investigation: A forensic examination triggered by a whistleblower complaint, conducted independently (typically by an external CFE/forensic firm), following evidence preservation protocols and structured interview techniques. The investigation produces a factual report for the Audit Committee with findings, evidence, and recommendations for remedial action or legal proceedings.
Legal Framework: Who Must Have a Vigil Mechanism
Companies Act, 2013 — Section 177(9) and (10)
Section 177(9) states: “Every listed company or such class or classes of companies, as may be prescribed, shall establish a vigil mechanism for directors and employees to report genuine concerns in such manner as may be prescribed.”
Section 177(10) states: “The vigil mechanism under sub-section (9) shall provide for adequate safeguards against victimisation of persons who use such mechanism and make provision for direct access to the chairperson of the Audit Committee in appropriate or exceptional cases.”
Rule 7 of the Companies (Meetings of Board and its Powers) Rules, 2014 prescribes the following classes of companies that must establish a vigil mechanism:
- Every listed company
- Every company which accepts deposits from the public
- Every company which has borrowed money from banks and public financial institutions in excess of fifty crore rupees
SEBI LODR Regulation 22 — Vigil Mechanism for Listed Companies
SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, Regulation 22 provides:
- Regulation 22(1): The listed entity shall formulate a vigil mechanism for directors and employees to report genuine concerns.
- Regulation 22(2): The Audit Committee shall review the functioning of the whistle blower mechanism at least once in a year.
- Regulation 22(3): The vigil mechanism shall provide for adequate safeguards against victimisation of director(s) or employee(s) or any other person who avail the mechanism, and also provide for direct access to the chairperson of the Audit Committee in appropriate or exceptional cases.
- Regulation 22(4): The details of establishment of the vigil mechanism shall be disclosed by the listed entity on its website and in the Board’s report.
SEBI Informant Mechanism for Insider Trading
SEBI (Prohibition of Insider Trading) Regulations, 2015, Regulation 7A (inserted via amendment in 2020) establishes a separate informant mechanism specifically for reporting insider trading violations. Key features:
- Informants can report original information about insider trading violations to SEBI
- Financial reward of up to ₹1 crore for information leading to disgorgement of at least ₹5 crore
- Identity protection for informants — SEBI shall not disclose the identity except as required by law
- Informants must submit through a legal representative
Why Independent Investigation Matters
Expert Insight — CA V. Viswanathan, CFE
The single most common failure in whistleblower complaint handling is assigning the investigation to the internal audit team. When the complaint involves senior management — which it frequently does — internal audit lacks independence. Even when it does not involve management, internal auditors may have working relationships with the accused that compromise objectivity. An external CFE-qualified forensic investigator brings both independence and specialised fraud examination skills that most internal audit teams do not possess. The Audit Committee should insist on external investigation for any complaint involving amounts above ₹10 lakh or allegations against management personnel.
Consequences of Poor Investigation
- Regulatory risk: If SEBI or the ROC later finds that a complaint was inadequately investigated, the Audit Committee members face personal liability.
- Litigation risk: An accused person who is terminated based on a flawed investigation can challenge the termination, and the company faces liability for wrongful termination.
- Reputational risk: Leaks about suppressed complaints cause far greater reputational damage than transparent, properly conducted investigations.
- Continued fraud: If the investigation is inadequate, the underlying fraud continues, compounding financial losses.
Categories of Whistleblower Complaints
Based on our experience across 100+ whistleblower investigations, complaints typically fall into these categories:
Financial Fraud (45% of complaints)
- Embezzlement and misappropriation of company funds
- Vendor fraud and fictitious billing (see our detailed guide: Vendor Fraud Detection: Benford’s Law & Shell Company Analysis)
- Expense reimbursement fraud
- Revenue manipulation and financial statement fraud
- Related party transaction concealment
Corruption and Bribery (20% of complaints)
- Kickbacks from vendors or customers
- Bribery of government officials
- Conflict of interest — undisclosed business relationships
Regulatory Non-Compliance (15% of complaints)
- Environmental violations
- Labour law violations
- Tax evasion
- SEBI/FEMA non-compliance
Workplace Misconduct (15% of complaints)
- Harassment and discrimination
- Safety violations
- Data privacy breaches
- Intellectual property theft
Insider Trading (5% of complaints)
- Trading on unpublished price sensitive information (UPSI)
- Tipping — sharing UPSI with family or associates
- Front-running by intermediaries
Our Whistleblower Investigation Methodology
At Virtual Auditor, we follow a structured investigation process aligned with ACFE standards:
Phase 1: Complaint Assessment and Scoping (Day 1-5)
- Complaint review: Analyse the complaint for specificity, supporting evidence, and credibility indicators
- Preliminary risk assessment: Evaluate potential financial impact, legal exposure, and regulatory implications
- Scope definition: Define the investigation scope, time period, entities involved, and deliverables — documented in a formal engagement letter
- Evidence preservation notice: Issue a legal hold / document preservation notice to prevent destruction of relevant records
- Investigation plan: Prepare a detailed plan covering data requirements, interview list, timeline, and reporting structure
Phase 2: Evidence Collection and Data Analytics (Week 1-3)
- Document collection: Financial records, emails, contracts, bank statements, ERP data, access logs — all obtained through the Audit Committee with chain-of-custody documentation
- Data analytics: Benford’s Law testing, duplicate transaction detection, trend analysis, anomaly identification — depending on the nature of the complaint
- Email and communication review: Keyword searches, chronological analysis, relationship mapping between parties mentioned in the complaint
- Background verification: MCA, GST, PAN checks on entities and individuals identified in the complaint
Phase 3: Interviews (Week 2-4)
We follow the ACFE interview methodology, which structures interviews in a specific sequence:
- Neutral witnesses first: Persons with no stake in the outcome who can provide context
- Corroborative witnesses: Persons who can confirm or deny specific facts
- The complainant: Detailed interview with the whistleblower (maintaining confidentiality)
- Suspects last: Confrontational interviews with accused persons, conducted only after documentary evidence and witness statements have been gathered
All interviews are documented contemporaneously. Where legally permissible and with consent, audio recording is used.
Phase 4: Analysis and Reporting (Week 3-5)
- Evidence synthesis: Correlate documentary evidence, data analytics findings, and interview statements
- Findings: Factual findings with evidence references — the report states what happened, not opinions
- Loss quantification: Where financial fraud is established, quantify the loss with supporting calculations
- Legal admissibility: Report structured for admissibility under Indian Evidence Act, Section 45 (expert opinion) and Section 65B (electronic records)
- Recommendations: Remedial actions, internal control improvements, and legal options (FIR, civil suit, NCLT petition, SEBI complaint)
Phase 5: Post-Investigation Support
- Presentation of findings to the Audit Committee
- Support for disciplinary proceedings
- Expert witness testimony before NCLT, civil courts, criminal courts, or SEBI proceedings
- Assistance with FIR filing and police coordination
- Implementation support for remedial recommendations
Designing an Effective Vigil Mechanism: Compliance Checklist
For companies setting up or reviewing their vigil mechanism, we recommend the following structure based on statutory requirements and best practice:
Policy Document Requirements
- Clear definition of what constitutes a reportable concern (fraud, corruption, regulatory violation, safety hazard)
- Specification of who can file complaints (directors, employees, contractual workers, vendors, stakeholders)
- Multiple reporting channels (dedicated email, web portal, telephone hotline, physical letter to Audit Committee chairperson)
- Provision for anonymous complaints — the policy should not require identification as a precondition for filing
- Explicit anti-victimisation clause per Section 177(10) — protection against termination, demotion, harassment, or other adverse action
- Direct access to Audit Committee chairperson for exceptional cases per Section 177(10)
- Timeline for acknowledgement (within 48 hours) and preliminary assessment (within 7 days)
- Commitment to maintain confidentiality of the complainant’s identity
- Process for engaging external investigators when internal investigation is inappropriate
SEBI LODR Specific Requirements for Listed Companies
- Policy must be disclosed on the company website — Regulation 22(4)
- Details of the vigil mechanism must be included in the Board’s report in the annual report
- Audit Committee must review the functioning of the vigil mechanism at least once a year — Regulation 22(2)
- The annual review should cover: number of complaints received, categories, investigation status, outcomes, and time taken for resolution
Governance Structure
- Receiving authority: Typically the Company Secretary or a designated Ethics Officer receives complaints
- First review: Preliminary assessment of complaint credibility and categorisation
- Investigation decision: Audit Committee decides whether to investigate and whether external investigators are needed
- Investigation oversight: Audit Committee (not management) oversees the investigation
- Outcome review: Audit Committee reviews findings and decides on remedial action
- Reporting: Anonymised summary reported to the Board
Common Failures in Vigil Mechanism Implementation
Expert Insight — CA V. Viswanathan, CFE
In our experience reviewing vigil mechanism policies across listed and unlisted companies, the most common failures are: (1) The policy exists on paper but employees do not know about it — no training, no communication, no visibility. (2) Complaints are routed to HR or the company secretary who reports to the MD — destroying independence when the complaint involves senior management. (3) Investigation is conducted by internal audit with no forensic training — leading to inadequate evidence gathering. (4) No feedback is given to the complainant — discouraging future reporting. (5) The Audit Committee treats the annual review as a formality rather than a substantive governance exercise.
Whistleblower Protection: Current Legal Position
Whistleblowers Protection Act, 2014
This Act was passed by Parliament in 2014 but has not been brought into force as of March 2026. It was designed to protect whistleblowers who disclose corruption and misuse of power by public servants. Key features (not yet operative):
- Protection against victimisation for persons making disclosures related to corruption
- Competent authority to inquire into disclosures
- Penalties for false or frivolous complaints
- Protection of identity of complainants
Existing Protections in the Private Sector
In the absence of a comprehensive whistleblower protection law for the private sector, protection comes from:
- Companies Act Section 177(10): Requires the vigil mechanism to provide adequate safeguards against victimisation
- Individual company policies: The vigil mechanism policy should include specific anti-retaliation provisions
- Labour law protections: Wrongful termination of an employee who filed a good-faith complaint may be challenged under the Industrial Disputes Act, 1947
- SEBI Informant Mechanism (Regulation 7A): Provides identity protection specifically for insider trading informants
Investigation of Specific Complaint Types
Financial Fraud Complaints
The most common and highest-value complaints. Investigation approach:
- Forensic data analytics on the financial period and transactions identified in the complaint
- Benford’s Law testing, duplicate detection, and anomaly analysis
- Bank statement analysis and fund tracing
- Vendor/customer background verification through MCA and GST databases
- Related party transaction analysis per Section 188 of the Companies Act
- Forensic report suitable for filing under IPC Section 420 (cheating) or Companies Act Section 447 (fraud)
Insider Trading Complaints
For listed companies, insider trading complaints require specific expertise in SEBI regulations:
- Analysis of trading patterns around unpublished price sensitive information (UPSI) events
- Identification of connected persons per SEBI (Prohibition of Insider Trading) Regulations, 2015
- Review of the structured digital database maintained under Regulation 3(5)
- Communication analysis for evidence of UPSI sharing (tipping)
- Report suitable for submission to SEBI or for the company’s internal code of conduct proceedings
Related Party Transaction Complaints
- Verification against Section 188 of the Companies Act and SEBI LODR Regulation 23
- Analysis of whether transactions were at arm’s length
- Independent valuation of transactions where pricing is disputed
- Review of board and shareholder approvals
- Disclosure compliance verification
Pricing for Whistleblower Investigation Services
| Service | Scope | Starts From |
|---|---|---|
| Complaint Assessment & Scoping | Preliminary review, risk assessment, investigation plan | ₹50,000 |
| Single-Issue Investigation | One complaint, data analytics + interviews + report | ₹1,50,000 |
| Comprehensive Forensic Investigation | Multi-allegation, multiple periods, full evidence gathering | ₹3,00,000 |
| Vigil Mechanism Policy Design | Policy drafting + governance structure + training | ₹75,000 |
| Expert Witness Testimony | NCLT / SEBI / civil court / criminal court | Separate engagement |
For a custom quote, visit Virtual Auditor Pricing or call +91 99622 60333.
Summary
Companies Act Section 177(9) mandates a vigil mechanism for listed companies and companies with borrowings exceeding ₹50 crore. Section 177(10) requires anti-victimisation safeguards and direct Audit Committee access. SEBI LODR Regulation 22 adds disclosure and annual review requirements for listed companies. Independent external investigation by a CFE-qualified forensic firm is best practice for all significant complaints. At Virtual Auditor, whistleblower investigations are led by CA V. Viswanathan (FCA, ACS, CFE, IBBI/RV/03/2019/12333). Reports are structured for legal admissibility. Related reading: Employee Fraud in Indian SMEs: Detection & Prevention.
Frequently Asked Questions
Which companies are required to establish a vigil mechanism under the Companies Act?
Under Section 177(9) of the Companies Act, 2013, every listed company and every company that accepts deposits from the public or has borrowed money from banks and public financial institutions in excess of ₹50 crore must establish a vigil mechanism. Rule 7 of the Companies (Meetings of Board and its Powers) Rules, 2014, prescribes these classes.
What is the role of the Audit Committee in whistleblower complaints?
Under Section 177(10), the vigil mechanism must provide for direct access to the chairperson of the Audit Committee in appropriate or exceptional cases. The Audit Committee oversees the mechanism, reviews complaints, decides on investigation, and monitors remedial action. For listed companies, SEBI LODR Regulation 22(2) requires the Audit Committee to review the functioning of the whistle blower mechanism at least once a year.
Does SEBI have a separate whistleblower mechanism?
Yes. SEBI (Prohibition of Insider Trading) Regulations, 2015, Regulation 7A (inserted in 2020) established an informant mechanism where individuals can report insider trading violations to SEBI and receive financial rewards of up to ₹1 crore. Separately, SEBI LODR Regulation 22 mandates that listed companies establish a vigil mechanism and disclose it on their website.
Is there whistleblower protection law in India?
The Whistleblowers Protection Act, 2014, was enacted by Parliament but has not been brought into force as of 2026. In the private sector, protection is provided through the Companies Act Section 177(10) requirement for anti-victimisation safeguards, through individual company vigil mechanism policies, and through general labour law protections against wrongful termination.
How should a company investigate a whistleblower complaint?
Best practice is to engage an independent external investigator — typically a forensic accounting firm with CFE credentials. The investigation should follow ACFE methodology: evidence preservation, document review, data analytics, structured interviews, and a legally admissible report. The Audit Committee should oversee the investigation. Contact Virtual Auditor at +91 99622 60333.
What happens if a company does not have a vigil mechanism?
Non-compliance with Section 177(9) is a violation of the Companies Act. The Registrar of Companies can issue a notice. For listed companies, SEBI can impose penalties under Section 23A of the SEBI Act and take enforcement action for violation of LODR Regulation 22. Absence of a vigil mechanism may also be treated as a corporate governance failure in any subsequent litigation.
Virtual Auditor — AI-Powered CA & IBBI Registered Valuer Firm
Valuer: V. VISWANATHAN, FCA, ACS, CFE, IBBI/RV/03/2019/12333
Chennai (HQ): G-131, Phase III, Spencer Plaza, Anna Salai, Chennai 600002
Bangalore: 7th Floor, Mahalakshmi Chambers, 29, MG Road, Bangalore 560001
Mumbai: Workafella, Goregaon West, Mumbai 400062
Phone: +91 99622 60333 | Email: support@virtualauditor.in
Book a Free Consultation