Validating the Whistleblowing Maturity Model Using the Delphi Method

Administrative Sciences, Article

Paschalis Kagias 1, Nikolaos Sariannidis 1, Alexandros Garefalakis 2,3, Ioannis Passas 2,3,* and Panagiotis Kyriakogkonas

1 Department of Accounting and Finance, University of Western Macedonia, 501 00 Kozani, Greece; paschaliskagias@hotmail.com (P.K.); nsariannidis@uowm.gr (N.S.)
2 Department of Business Administration and Tourism, Hellenic Mediterranean University, 714 10 Iraklio, Greece; agarefalakis@hmu.gr or a.garefalakis@nup.ac.cy
3 Department of Accounting and Finance, Neapolis University Pafos, Paphos 8042, Cyprus; p.kyriakogkonas@nup.ac.cy
* Correspondence: ipassas@hmu.gr

Abstract: Empirical research identifies whistleblowing as one of the most effective internal antifraud controls. Very recently, Directive 1937/2019 became effective in the EU, aiming to deal with the defragmentation of whistleblowing legislation among the member states and provide common minimum accepted standards. The present article aims to provide a verified, weighted comparative maturity model. The suggested model has been constructed based on the methodology for constructing comparative maturity models and validated based on the Delphi method. The weights on each validated component have been calculated based on the summing of votes method. The study resulted in eight main components «scope», «corporate governance», «reporting mechanisms», «protection», «tone at the top», «organizational and human resource practices», «investigations» and «monitor and review» divided further into 18 elements. The suggested maturity model may provide a pathway for organizations to develop and maintain a robust whistleblowing maturity framework that will benefit both the organizations and the public welfare.
Keywords: whistleblowing; EU Directive 1937; benchmarking; internal audit; ESG

Citation: Kagias, Paschalis, Nikolaos Sariannidis, Alexandros Garefalakis, Ioannis Passas, and Panagiotis Kyriakogkonas. 2023. Validating the Whistleblowing Maturity Model Using the Delphi Method. Administrative Sciences 13: 120. https://doi.org/10.3390/admsci13050120

Received: 12 March 2023
Revised: 17 April 2023
Accepted: 24 April 2023
Published: 29 April 2023

Copyright: © 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Adm. Sci. 2023, 13, 120. https://doi.org/10.3390/admsci13050120 https://www.mdpi.com/journal/admsci

1. Introduction

The most recent (ACFE 2022) study identifies whistleblowing as the most effective fraud identification method with a great difference from the second one, while the recent adoption of the (Directive (EU) 2019/1937) in the EU draws the attention of organizations and anti-fraud professionals (fraud examiners and internal auditors).

The article’s objective is to provide a validated maturity framework concerning whistleblowing that organizations can use to enhance their performance regarding whistleblowing and the internal control environment in total, and to allow internal and external benchmarking. Concerning the internal audit, the proposed model aims to provide internal auditors with adequate, objective criteria to evaluate governance, risk management, and controls (IIA 2017) for whistleblowing.

The first maturity models were developed in the 1990s in management and information technology to assess the level of competency, capability, or sophistication of business processes (De Bruin et al. 2005). Although it is not a requirement for a maturity model to be validated to be helpful, validation by experts may provide valuable inputs, insights, and a degree of assurance in respect to its credibility and relevance. In practice, many maturity models have been validated through the Delphi method (for example CR3M developed by (Głuszek 2021) and the BPAMM developed by (Martinek-Jaguszewska and Rogowski 2022)), while others have not (KPMG 2013; ACFE and Grant Thornton 2020).

The Delphi method was developed in the 1950s by the Rand Corporation (Turoff and Linstone 2002), and since then it has been used in various sectors, including public health, transport, and education (Kittell-Limerick 2005). The Delphi Method aims to «obtain the most reliable consensus of a group of experts by a series of intensive questionnaires interspersed with controlled feedback» (Turoff and Linstone 2002). The use of this method is appropriate where the subject matter is complex (Ono and Wedemeyer 1994), where empirical evidence is lacking (Murphy et al. 1998), or when the knowledge is incomplete (Turoff and Hiltz 1996). This applies to whistleblowing because it is a complex phenomenon that depends on legal, organizational, situational, and personal factors. In addition, although there is extensive research on the factors facilitating or discouraging whistleblowing, the study of whistleblowing as a control mechanism is limited.

The structure of the article is as follows. The next section (Section 2) covers the literature review on whistleblowing; Section 3 covers the theory and the application of the Delphi method. Section 4 presents the collection of data, Section 5 presents the results and the discussion while the last section covers the conclusions.

2. Literature Review

2.1. Whistleblowing

Before developing the maturity model, it is necessary to understand the nature of whistleblowing, its limitations, its place in the internal control framework, and the need for a whistleblowing maturity model. One of the major limitations in the academic research of whistleblowing is that there is no commonly accepted definition. Near and Miceli (1985) defined whistleblowing as «the disclosure by organizational members (former or current) of illegal, immoral, or illegitimate practices under the control of their employers, to persons or organizations that may be able to effect action», while (Ravishankar 2003) defined whistle-blowers as the «employees who bring wrongdoing at their organizations to the attention of superiors». These definitions indicate the need for specific results. That differentiates whistleblowing from rumors, gossip, or grievances.

However, other researchers suggested that considering only employees as whistleblowers may no longer be appropriate and may not adequately portray the whistleblower (Ayers and Kaplan 2005). Empirical evidence (ACFE 2022) shows that reports can also derive from external parties, in rare cases even from competitors, verifying this perspective. In addition, reports from external parties provide «greater evidence of wrongdoing, and they tend to be more effective in changing organizational practices» (Dworkin and Baucus 1998). Other definitions concentrated on whistle-blowers and their virtues rather than on the act of whistleblowing itself (for example (Berry 2004) and (Alford 2002)), hypothesizing that whistleblowers are highly ethical individuals with the courage to face the fear of reprisal. However, other studies have shown that in many cases, whistleblowers act opportunistically (Henik 2015).
A more appropriate definition has been provided by (TI-NL 2019) that defined whistleblowing as «the disclosure of information related to corrupt, illegal, fraudulent or hazardous activities being committed in or by public or private sector organizations—which are of concern to or threaten the public interest—to individuals or entities believed to be able to effect action».

Internal controls can be distinguished based on two criteria. The first is whether the internal control is designed to prevent the occurrence of loss events (preventive control) or to identify internal control failures (detective control) after their occurrence. Whistleblowing has been categorized as a «potentially active or passive detection method» by (ACFE 2022) and as «an essential last line of defense in companies’ systems of internal control» (ICAEW 2019), meaning that it is more a detective control than a preventive one. The second criterion is whether the internal control is specific to certain transactions or business processes (specific control) or affects the control environment as a whole (entity-level control). Whistleblowing is an entity-level control with a pervasive effect in the control environment.

Even though whistleblowing is an effective internal control, it is also associated with many limitations. Inertia may be one of the most significant ones. Organizations often received early notice but failed to act upon it. The example of Harry Markopolos may be one of the most indicative examples. Harry Markopolos, a financial analyst and fraud examiner, provided red flags of fraud to the SEC for the biggest Ponzi scheme in history for over a decade before it imploded. However, his concerns were ignored repeatedly and when the fraud was exposed, the losses for the investors had already reached 65bn US dollars (The Guardian 2010).

However, inertia may also derive from those who observe wrongdoing or business risks. Following (Miceli et al. 1987), whistleblowing is a «complex phenomenon that is based upon organizational, situational, and personal factors» which is not entirely within the control of the organizations, and «it is virtually impossible to change individuals’ core values which have been learned and consolidated over a lifetime» (ICAEW 2019). Academic literature and empirical evidence reveal that frequently too little information comes to the attention of the management or the regulators, and if it does come, it may come too late. For example, the Parliamentary Commission on Banking Standards was shocked by the evidence that so many people ignored misbehavior (CIIA 2014). As a result, the main weakness of whistleblowing as an internal control is that it depends on human behavior.

2.2. Maturity Models

Maturity models are often used on a self-assessment basis to help organizations understand their current level of capability in a particularly functional, strategic, or organizational area (OECD 2022). Maturity models provide a holistic approach (Martinek-Jaguszewska and Rogowski 2022) to depict the current situation based on objective criteria, envision the future, and find a way to achieve the desired state by following a disciplined method that is easy to use and implement (IIA 2013). In addition, the maturity models provide an early warning for an organization’s challenges (OECD 2022). Effectively, maturity models contribute to achieving a business process’s full potential. For these reasons, maturity models have been used in many areas, including information systems development (OECD 2022), internal auditing (KPMG 2013; OECD 2021; IIA 2019), fraud prevention and deterrence (ACFE and Grant Thornton 2020), and tax law enforcement (OECD 2019a, 2019b, 2020). The fact that the Institute of Internal Auditors issued a practice guidance specifically on selecting, using, and developing maturity models a decade ago proves their relevance to the internal audit.
In addition, the (ACFE 2022) study reveals that the primary internal control failures that contributed to fraud are the lack of internal controls (29%); override of controls (20%); poor tone at the top (10%); lack of competent personnel in oversight roles (8%). A robust whistleblowing framework may reduce all these internal control failures. For example, management may be reluctant to override controls when the possibility of getting caught is high; additional internal controls may be implemented, or the existing ones may need to be improved.

3. Whistleblowing Maturity Framework

3.1. Development of Maturity Models

Usually, the maturity models are ranked using five steps. Each step illustrates the current or desired capabilities (De Bruin et al. 2005) and follows a reasonable escalation or path from the lowest to the highest. The maturity models can be divided into:

1. Descriptive maturity models that are useful to depict the current situation;
2. Prescriptive maturity models that also provide a roadmap to achieve the desired outcomes and;
3. Comparative maturity models that also allow internal or external benchmarking (Becker et al. 2009).

The suggested model falls in the third category. In developing maturity models, the (IIA 2013) suggests the following steps:

1. To determine the model and its components;
2. To determine its scale and;
3. To determine the expectations for each component.

The first step involves ascertaining what is to be assessed and, based on that, identifying the components leading to this objective. Key considerations include whether the inclusion or exclusion of a component will increase or decrease the likelihood of achieving outcomes, respectively. In the second stage, 5 scales are usually used (Martinek-Jaguszewska and Rogowski 2022). The lower levels, 0 or 1, illustrate the absence of a capability, competency, or level of sophistication and level 5 illustrates the highest level. The (IIA 2013) also draws attention to the appropriateness of each level’s description. It is noted that the scope of this paper is to validate the first two parts of the WBMM.

3.2. Stages

The first stage initially considered is compliance with the (Directive (EU) 2019/1937). The underlying logic is that non-compliance is not an option. Many organizations will consider this stage sufficient. However, it is likely that many organizations will use whistleblowing to comply with other laws and regulations not included in the scope of the Directive or their code of conduct. The «wheel of whistleblowing» suggested by (Culiberg and Mihelič 2017) includes many wrongdoings and threats not included in the scope of the (Directive (EU) 2019/1937). In addition, other organizations may also use whistleblowing to enhance their risk management or to achieve their ESG objectives. In accordance with (ICAEW 2019), whistleblowing provides a weapon to root out complacency and inertia, which can be viewed as rigorousness for enhancing the internal control environment. In respect of the contribution of whistleblowing to achieving ESG objectives, the (Directive (EU) 2019/1937) includes many wrongdoings that affect society while the «wheel of whistleblowing» suggests even more (Culiberg and Mihelič 2017). Therefore, the maturity levels (see Figure 1) of the suggested WBMM are:

1. Initial;
2. Compliance with the Directive;
3. Compliance with other laws and regulations;
4. Enhancement of internal control environment and;
5. Contributing to the achievement of ESG objectives.

Figure 1. Designed by the authors.

3.3. Components

The components identified through a thorough study of the literature are divided into eight categories:

1. The scope of the whistleblowing policy;
2. Corporate governance;
3. Reporting mechanisms;
4. Protection;
5. Tone at the top;
6. Organizational culture and human resource practices;
7. Objective investigations and;
8. Monitor and review.

Accordingly, these result in 22 elements. The contribution of each main component and element is discussed below.

3.3.1. Scope

The scope of whistleblowing is two-dimensional and comprises what wrongdoings or dangers will be reported and followed up on and who can report them. The first dimension has already been analyzed. Regarding the second, the (Directive (EU) 2019/1937) also determines the persons who have the right to report. However, in some cases, it may be appropriate for organizations to expand the range of possible reporting persons.

3.3.2. Corporate Governance

Corporate governance refers to the mechanisms that provide the basis for objective investigations and corporate reporting. This component is divided into three elements:

1. Overall responsibility;
2. Assurance and;
3. Corporate reporting.

Consensus has been established that the overall responsibility needs to be assigned to independent, non-executive directors or committees consisting of them. (PCBS 2013; PCW 2013) suggest a non-executive director, preferably the chairman; (CIIA 2014) proposes the audit committee, while (Greene and Latting 2004) suggest the ethics committee. In accordance with (CIIA 2014), organizations should obtain assurance in respect of whistleblowing either from the internal audit function or elsewhere.
In addition, through the reports and the outcomes of the investigations, the internal audit function can confirm or alter its understanding of risks, procedures, and controls, allowing it to fulfill its obligations concerning ERM. The (Directive (EU) 2019/1937) does not set an obligation for disclosures relevant to whistleblowing. However, both (TI-NL 2019) and (GRI 2018) suggest certain disclosures in the annual reports or elsewhere.

3.3.3. Reporting Mechanisms

Reporting mechanisms include all necessary steps to enable a possible reporting person to make informed decisions on whether and how to report and provide secure reporting channels. The elements considered are:

1. Anonymity;
2. Reporting channels;
3. Advice on reporting and;
4. Visibility, clarity, and completeness of the information.

The (Directive (EU) 2019/1937) leaves the member states to decide whether anonymous reports will be received and investigated. However, (TI-NL 2019) ranked higher organizations that accept anonymous reports because it provides an additional safety line to the reporting person. Organizations also have to establish secure reporting channels that «protect the identity of the whistle-blower and any other individual included in the report» (Directive (EU) 2019/1937). Going a step further, (TI-NL 2019) suggests that at least one channel should be available at any time and should at least allow oral reporting. In addition, the (ACFE 2022) shows the preference of whistle-blowers for electronic reporting methods (email and web-based forms) compared to the traditional ones. The (Directive (EU) 2019/1937) also provides for free-of-charge confidential advice to be provided by the facilitator, a «natural person who assists a reporting person in the reporting process in a work-related context, and whose assistance should be confidential».
However, in many cases, whistle-blowers face ethical dilemmas and internal conflicts (Hersh 2002), and assistance in the bureaucratic process of filing reports may not be sufficient in those cases.

3.3.4. Protection

Academic research, empirical evidence, and the (Directive (EU) 2019/1937) identified the threat of retaliation as a primary factor negatively affecting the decision to report. The consequences to the whistle-blower may vary significantly in terms of severity, from negative perceptions against whistle-blowers (Worth 2013), negative consequences in the work environment such as bullying (Bjørkelo 2013), to blackballing, isolation, humiliation (Berry 2004), to psychological effects such as depression (Bechtoldt and Schmitt 2010), anxiety (Bjørkelo 2013), post-traumatic stress (Kreiner et al. 2008) or even becoming life-threatening. Protection covers the confidentiality of the reporting person’s identity and of any person referred to in the reports, as required by the (Directive (EU) 2019/1937), and the provision of adequate anti-retaliation measures. A practical implication may arise in cases where the organization has operations in jurisdictions with less robust legal protection. In such a case, it shall determine whether the same protection will be granted voluntarily.

3.3.5. Tone at the Top

The (ACFE 2022) identifies the lack of proper tone at the top as an internal control weakness in many frauds. The relationship between whistleblowing and tone at the top is bilateral: employees will only report if they know the whistleblowing policy and they believe that the top management supports it (Tsahuridu and Vandekerckhove 2008). On the other hand, if the top management is negligent in receiving and investigating reports, the wrongdoing could be seen as a routine practice (Kaptein 2011).

3.3.6. Organizational Culture and Human Resource Practices

For the purposes of this study, organizational culture was initially divided into:

1. Risk culture;
2. Ethical culture;
3. Learning culture and;
4. Cultural differences.

Risk culture is the «part of the organizational culture that helps or hinders the effective risk management» (IIAA 2021) or a «mindful watchfulness for threats» (Berry 2004) that will allow alertness for malpractices, and the ethical culture will allow malpractices to be reported once identified. Research shows that possible reporting persons who do not perceive reporting as their duty are unlikely to report it (Miceli et al. 1991), and they become oblivious to those wrongdoings not addressed in the code of ethics (Painter-Morland 2010). In addition, a lack of learning culture contributes to risk management frameworks failing (Schmidt 2020). Learning culture refers to organizations learning from their mistakes and building resilience to risks by creating, transferring, and retaining knowledge. Lastly, many researchers (Tavakoli et al. 2003; Zhuang et al. 2005) found that cultural differences can affect the decision of an individual to report and how to report. The main practical implication of this perspective is the consideration of cultural differences when an organization operates in multiple jurisdictions.

3.3.7. Investigations

The investigation of reports is the ultimate purpose of the whole whistleblowing mechanism. The elements initially considered that will allow unbiased judgments are:

1. Organizational independence of the investigation team;
2. Professional training;
3. Appropriate risk prioritization;
4. Investigation protocols and;
5. Contribution to risk management.

The organizational independence of the investigation team may be safeguarded by the corporate governance mechanisms and the ethical decision-making of the team members. A reasonable assumption is that professionals subject to a code of conduct and experienced in ethical decision-making may be less likely to accept undue influence.
The professional training of those who manage reports is a mandatory requirement of the (Directive (EU) 2019/1937). In addition, investigation protocols determine key aspects such as the composition of the investigation team and methods of gathering factual evidence. Their contribution is that they enhance the effectiveness of the investigations. The risk prioritization is to ensure that the most severe reports are investigated first with the possible effect of the minimization and/or the recovery of the losses that the organization suffered. Lastly, the outcomes of the investigations may confirm or alter the understanding of the organization on risks and controls, allowing the enhancement of the internal control environment in total.

3.3.8. Monitoring and Review

Consensus on the need for monitoring the effectiveness of whistleblowing has been achieved (TI-NL 2019; IOS 2021, ISO 37002:2021). An interesting aspect of whistleblowing is that it is an entity-level control, not limited to isolated business processes and transactions. Likely, considering whistleblowing in isolation may not provide sufficient grounds to conclude. Therefore, the elements initially considered were (a) the assessment of whistleblowing in isolation of other controls with KPIs and key statistics and (b) considering the effectiveness of whistleblowing in other assessments.

The proposed model before the validation by the experts can be illustrated as follows (Table 1).

Table 1. Initially proposed maturity model.

| Component | Element | Initial | Compliance with the Directive | Compliance with Other Laws and Regulations | Enhancement of Internal Control | Contributing to Achievement of ESG Objectives |
|---|---|---|---|---|---|---|
| Scope | Scope | | | | | |
| Corporate governance | Overall Responsibility | | | | | |
| Corporate governance | Assurance | | | | | |
| Corporate governance | Corporate reporting | | | | | |
| Reporting mechanisms | Anonymity | | | | | |
| Reporting mechanisms | Reporting channels | | | | | |
| Reporting mechanisms | Advice on reporting | | | | | |
| Reporting mechanisms | Visibility, clarity, and completeness of information | | | | | |
| Protection | Anti-retaliation | | | | | |
| Protection | Confidentiality | | | | | |
| Tone at the top | Tone at the top | | | | | |
| Organizational culture | Risk culture | | | | | |
| Organizational culture | Ethical culture | | | | | |
| Organizational culture | Learning culture | | | | | |
| Organizational culture | Cultural differences | | | | | |
| Investigations | Organizational Independence | | | | | |
| Investigations | Investigation Protocols | | | | | |
| Investigations | Professional training | | | | | |
| Investigations | Risk prioritization | | | | | |
| Investigations | Contribution to risk management | | | | | |
| Monitoring and review | Monitoring on separate activities | | | | | |
| Monitoring and review | Assess whistleblowing during other assessments | | | | | |

4. Theory of the Delphi Method

4.1. Methodology of the Delphi Method

The characteristics of the Delphi method are:

1. The anonymity of the members of the panel of experts that will allow them to modify their opinions;
2. Statistical analysis and;
3. Controlled feedback that will provide them with the basis to change their views (Kittell-Limerick 2005).

The steps of this method are summarized in Table 2.

Table 2. Summary of the Delphi Panel Method.

1. Researchers define a problem and develop related questions.
2. Researchers select a panel of diverse experts (whose anonymity is generally protected).
3. Researchers distribute the questionnaire to the panel.
4. Researchers analyze and summarize the data and develop follow-up questions.
5. Repeat step 4 as required.
6. As consensus begins forming and issues are clarified, repeat step 4 as required.
7. Researchers invite panelists to revise or review consensus and specify reasons for dissenting opinions.
8. Repeat steps 4–7 as required.
9. Researchers summarize consensus and provide feedback to the panel.
10. Researchers publish the final consensus statement.

Source: Hohmann et al. (2018).

4.2. Panel of Experts

In relation to the size of the panel of experts, the minimum is seven experts (Linstone and Turoff 1975). Useful results can be drawn by a panel of 10–15 experts provided that the group is homogenous (Cyphert and Gant 1971). The initial sample consisted of 10 experts who are certified fraud examiners and/or internal auditors and/or PhD holders with relevant research interests. To ensure the completeness of specializations in the panel of experts, they have been asked to identify other professionals who may contribute to the study. Some experts considered external auditors, compliance officers and lawyers. However, the panel already included experts who are also external auditors or compliance officers. As a result, 3 lawyers with sufficient knowledge of labor law and GDPR legislation have been selected.

Of the anti-fraud experts (N = 10) who agreed to participate in the study, (N = 2) were theorists, (N = 5) were professionals, and (N = 3) were both professionals and theorists (Table 3). In addition, (N = 5) experts were holders of Ph.D.; (N = 2) were Ph.D. candidates with relevant research interests, and (N = 4) had a postgraduate diploma relevant to accounting and auditing (Table 4).

Table 3. Final composition of the panel of experts.

| Category | First Group of Participants | Second Group of Participants | Total |
|---|---|---|---|
| Theorists (only) | 2 | 0 | 2 |
| Professionals (only) | 5 | 3 | 8 |
| Both theorists and professionals | 3 | 0 | 3 |
| Total | 10 | 3 | 13 |

Table 4. Minimum education level of the panel of experts.

| Category | Theorists | Antifraud Professionals | Lawyers | Total |
|---|---|---|---|---|
| Ph.D. | 2 | 2 | 0 | 4 |
| Ph.D. candidates | 0 | 2 | 0 | 2 |
| Postgraduate degree | 0 | 4 | 2 | 6 |
| University degree | 0 | 0 | 1 | 1 |

All antifraud professionals («professionals» and «both professionals and theorists») (N = 8) had at least one professional qualification in internal audit or fraud investigation (MIN = 1), on average (M = 3.750) (Tables 5 and 6). They all comply with the continuing professional requirements (Table 7) and have adequate post-qualification experience (Table 8). Most anti-fraud experts have more than one relevant occupation, which gives them a broader view of the subject matter (Table 9), and they work in senior positions (Table 10).

Table 5. Summary of professional qualifications of anti-fraud professionals.

| Professional Qualifications | N | Min | Max | Total | Average |
|---|---|---|---|---|---|
| Qualifications in Internal Audit | 8 | 0 | 7 | 14 | 1.750 |
| Qualifications in Fraud Examination | 8 | 0 | 3 | 9 | 1.125 |
| Other qualifications | 8 | 0 | 2 | 7 | 0.875 |
| Total qualifications | 8 | 1 | 9 | 30 | 3.750 |

Antifraud professionals and theorists are self-assessed with adequate knowledge of internal auditing, fraud prevention, and whistleblowing (Table 11). Especially in whistleblowing, the theorists (N = 2) had experience through their research activities, while of the antifraud professionals (N = 8), (N = 5) replied that their competency derives from practice and (N = 3) replied that their competency derives from both practice and research.

The lawyers (N = 3) rank high in their organizations, and (N = 2) hold a relevant master’s degree; (N = 1) do not hold a master’s degree, but their experience exceeds 25 years. In addition, they also self-assessed that they have adequate knowledge of labor law, General Data Protection Regulation, the (Directive (EU) 2019/1937) and Law 4990/2022, which incorporates the (Directive (EU) 2019/1937) into the national legislation.

As a result, it was ensured (a) completeness of the relative competencies and (b) that the panel meets the qualitative criteria to place reliance on their views.

Table 6. Analysis of professional qualifications of anti-fraud professionals.

| Qualifications Relevant to Internal Audit | N |
|---|---|
| Certification in Control Self-Assessment (CCSA) | 1 |
| Certified Internal Auditor (CIA) | 2 |
| Certified Government Audit Professional (CGAP) | 1 |
| Certification in Risk Management Assurance (CRMA) | 3 |
| Certified Internal Control Auditor (CICA) | 3 |
| COSO ERM | 1 |
| COSO IC | 1 |
| Registry of Internal Auditors (Ministry of Finance in Greece) | 2 |
| Total | 14 |

| Qualifications relevant to Fraud detection and prevention | N |
|---|---|
| Association of Certified Fraud Examiners (ACFE) | 6 |
| Certified Global Sanctions Specialist Certification (CGSS) | 1 |
| Certified as an Anti-Money Laundering Specialist (CAMS) | 1 |
| Cert (ABC) | 7 |
| Total | |

| Other relevant qualifications | N |
|---|---|
| Association of Chartered Certified Accountants (ACCA) | 1 |
| Certified Management accountant (CMA) | 1 |
| CPA’s training Institute of Greece | 3 |
| Institute of Chartered Accountants in England and Wales (ICAEW) | 2 |
| Total | 7 |

Table 7. Compliance with Continuing Professional Requirements.

| Compliance with CPD Requirements | Antifraud Professionals | Lawyers | Total |
|---|---|---|---|
| Yes | 8 | 3 | 11 |
| No | 0 | 0 | 0 |

Table 8. Years of post-qualification experience.

| Post Qualification Experience in Years | Theorists | Antifraud Professionals | Lawyers | Total |
|---|---|---|---|---|
| 0–5 | 1 | 2 | 0 | 3 |
| 5–10 | 1 | 1 | 2 | 4 |
| 10–15 | 0 | 2 | 0 | 2 |
| 20–25 | 0 | 2 | 0 | 2 |
| 25+ | 0 | 1 | 1 | 2 |

Table 9. Ranking in the organization of primary occupation (antifraud professionals).

| Primary Occupation | Secondary Occupation: Internal Auditor | Fraud Examiner | External Auditor | Compliance Officer | None | Professor |
|---|---|---|---|---|---|---|
| Internal auditor | 1 | 0 | 1 | 0 | 1 | 1 |
| Fraud examiner | 1 | 1 | 0 | 0 | 0 | 0 |
| External auditor | 0 | 1 | 2 | 0 | 1 | 0 |

Table 10. Ranking in the organization of primary occupation (antifraud professionals).

| Position in the Organization of Primary Occupation | N |
|---|---|
| Partner | 2 |
| Head of department | 6 |

Table 11. Self-assessment of theorists and anti-fraud professionals.

| Self-Assessment of Theorists and Antifraud Professionals | Very High | High | None |
|---|---|---|---|
| Internal audit | 8 | 1 | 1 |
| Fraud detection and prevention | 10 | 0 | 0 |
| Whistleblowing | 10 | 0 | 0 |

4.3. Achievement of Consensus

Consensus does not mean absolute agreement. Usually, the consensus is assessed using 5- or 10-point Likert scales. However, even though the Delphi method aims to achieve the most reliable consensus, there is not yet a commonly accepted method or benchmark. The decision criteria usually involve the mean, median, interquartile range, coefficient, and variation; for this reason, considering more than one criterion has been suggested (Głuszek 2021).

Lawshe’s Content Validity Ratio (CVR) was also considered in this study. According to this method, experts are asked to determine whether a component is «essential», «useful but not essential», or «not useful». The following formula gives the ratio.

CVR =

where n is the number of experts who indicate that the component is essential, and N is the total number of experts. CVR can range between −1 and 1. When most experts agree that an item is essential, the CVR is positive, and if there is total agreement, CVR will be equal to 1 (Lawshe 1975). The advantage of this criterion is that it provides a clear cut-off decision rule. However, this ratio ignores the useful components. That may be problematic for some organizations that may consider it necessary to include useful, but not necessary elements in their whistleblowing framework. To provide a maturity model of sufficient flexibility, consensus will be achieved where more than half of the respondents consider the suggested elements as «useful but not essential» and «essential», and their contribution will be depicted with lower relative importance.

5. Results and Discussion

5.1.
First Round Questions The first round of questions was to record the competencies of the panel of experts, to ensure completeness in the competencies, and verify the appropriateness of the stages of the WBMM and their sequence. Specifically, in this round, experts were asked to assess the five maturity levels suggested; their sequence or identify other steps not considered initially and to highlight irrelevant steps. All experts agreed that the maturity levels are relevant and in the appropriate sequence, and no additional maturity level has been suggested. 5.2. Second-Round Questions In the second round of questions, experts were asked (a) to rank each of the elements as «essential», «useful but not essential», or «not useful», and (b) to propose additional elements not identified by the researchers. Table 12 summarizes the CVR results of the responses to the second-round questions. The results show that all components that are obligatory by the (Directive (EU) 2019/1937) are considered «essential». Those components are the «scope», «reporting channels», «ad- vice on reporting», «visibility, clarity, and completeness of information», «anti-retaliation», «confidentiality», and «professional training». This finding is also consistent to the maturity levels and their sequence, verified in the first stage. Adm. Sci. 2023, 13, 120 12 of 20 Table 12. Results of the CVR test. 
Decision n CVR CVR0.54 Scope Scope 13 0.85 Retain Corporate governance Overall Responsibility 13 0.69 Retain Assurance 13 0.69 Retain Corporate reporting 11 1.00 Reject Reporting mechanisms Anonymity 13 1.00 Retain Reporting channels 13 1.00 Retain Advice on reporting 13 1.00 Retain Visibility, clarity, and completeness of the information 13 1.00 Retain Protection Anti-retaliation 13 1.00 Retain Confidentiality 13 1.00 Retain Tone at the top Tone at the top 13 1.00 Retain Organizational culture Risk culture 13 0.85 Retain Ethical culture 13 0.85 Retain Learning culture 13 0.38 Reject Cultural differences 6 1.00 Reject Investigations Organizational Independence 13 0.85 Retain Investigation Protocols 13 0.69 Retain Professional training 13 1.00 Retain Risk prioritization 13 0.69 Retain Contribution to risk management 13 0.69 Retain Monitoring and review Monitoring on separate activities 13 0.69 Retain Assess whistleblowing during other assessments 13 0.85 Reject Moreover, in consistency with prior research, all experts (CVR = 1) agreed that the commitment from the top management is essential for the success of whistleblowing. Another significant finding is that the panel of experts agreed on the importance of the anonymous reports (CVR = 1) irrespectively whether it is required by the national leg- islation. Something that is consistent with the suggestions of (TI-NL 2019). In respect of the corporate governance, experts agreed (CVR = 0.69) that the ultimate responsibility for whistleblowing should be assigned to the top management, preferably to a non-executive di- rector or a committee consisted of non-executive directors and that assurance (CVR = 0.69) should be obtained. Regarding the cultural aspects of whistleblowing, consensus has been achieved in respect of the risk culture (CVR = 0.85) that will allow malpractices to be identified and the ethical culture that will allow them to be reported (CVR = 0.85). 
Learning culture was rejected based on the CVR test (CVR = 0.38). However, all experts agreed it is either essential (N = 9) or useful (N = 4). None of the experts considered it irrelevant. For this reason, the model has included it as an optional element. In contrast, cultural differences failed in both tests since the CVR was negative (CVR = −1.00), and fewer than half of the experts (N = 6) consider it «useful but not essential». As a result, cultural differences are excluded from the WBMM.

In respect of the investigation phase, experts agreed (CVR = 0.85) that organizational structure is essential to safeguard objectivity and impartiality. They also agreed that investigation protocols and risk prioritization enhance the outcomes of the investigations (CVR = 0.69) and (CVR = 0.69), respectively. Therefore, both elements are included in the WBMM as essential elements.

The experts also agreed that whistleblowing can contribute to risk management (CVR = 0.69) and that its effectiveness shall be monitored through specifically designed assurance engagements (CVR = 0.69). However, considering the effectiveness of whistleblowing during other monitoring activities failed to pass both tests and is excluded from the WBMM, since the (CVR = −0.85) and most experts considered it irrelevant (N = 8).

Lastly, the «corporate reporting» failed to pass the CVR test (CVR = 0.38). None of the experts considered it essential. However, most of the experts considered it useful but not essential (N = 11) and only 2 (N = 2) as not useful; as a result, it will be included in the WBMM as an optional element.

After eliminating the elements of «cultural differences» and «monitoring whistleblowing during other activities», the remaining elements are distinguished into «essential» and «optional» based on the summing of votes technique (Dening et al. 2013; Sanderson et al. 2012), which is usually applied along with the Nominal Group Technique. The Nominal Group Technique is also a consensus-seeking technique, with many similarities to the Delphi Method (Figure 2). Under this method, the scores from each participant for every component are summed. The relative importance is given by the formula:

Relative importance = (score for the item) / (maximum points per group)

[Figure 2. Relative importance (essential and optional elements). Designed by the authors.]

Table 13 presents the relative importance of each element of the WBMM if only the essential elements are included; Table 14 presents the relative importance if the learning culture is also included; Table 15 if the corporate reporting is included; and finally, Table 16 presents the relative importance of the elements of the WBMM if all essential and valuable elements are included.

Table 13. Table of relative importance if only the essential elements included.

| Element | Essential (3) | Useful but Not Essential (2) | Irrelevant (1) | Sum Scores | Relative Importance |
|---|---|---|---|---|---|
| Scope | 12 | 1 | 0 | 38 | 5.54% |
| Overall Responsibility | 11 | 2 | 0 | 37 | 5.39% |
| Assurance | 11 | 2 | 0 | 37 | 5.39% |
| Anonymity | 13 | 0 | 0 | 39 | 5.69% |
| Reporting channels | 13 | 0 | 0 | 39 | 5.69% |
| Advice on reporting | 13 | 0 | 0 | 39 | 5.69% |
| Visibility, clarity, and completeness of information | 13 | 0 | 0 | 39 | 5.69% |
| Anti-retaliation | 13 | 0 | 0 | 39 | 5.69% |
| Confidentiality | 13 | 0 | 0 | 39 | 5.69% |
| Tone at the top | 13 | 0 | 0 | 39 | 5.69% |
| Risk culture | 12 | 1 | 0 | 38 | 5.54% |
| Ethical culture | 12 | 1 | 0 | 38 | 5.54% |
| Organizational Independence | 12 | 1 | 0 | 38 | 5.54% |
| Investigation Protocols | 11 | 2 | 0 | 37 | 5.39% |
| Professional training | 13 | 0 | 0 | 39 | 5.69% |
| Risk prioritization | 11 | 2 | 0 | 37 | 5.39% |
| Contribution to risk management | 11 | 2 | 0 | 37 | 5.39% |
| Monitoring on separate engagements | 11 | 2 | 0 | 37 | 5.39% |
| Total | 12 | 1 | 0 | 686 | 100.00% |

Table 14. Table of relative importance—essential elements and learning culture.

| Element | Essential (3) | Useful but Not Essential (2) | Irrelevant (1) | Sum Scores | Relative Importance |
|---|---|---|---|---|---|
| Scope | 12 | 1 | 0 | 38 | 5.27% |
| Overall Responsibility | 11 | 2 | 0 | 37 | 5.13% |
| Assurance | 11 | 2 | 0 | 37 | 5.13% |
| Anonymity | 13 | 0 | 0 | 39 | 5.41% |
| Reporting channels | 13 | 0 | 0 | 39 | 5.41% |
| Advice on reporting | 13 | 0 | 0 | 39 | 5.41% |
| Visibility, clarity, and completeness of information | 13 | 0 | 0 | 39 | 5.41% |
| Anti-retaliation | 13 | 0 | 0 | 39 | 5.41% |
| Confidentiality | 13 | 0 | 0 | 39 | 5.41% |
| Tone at the top | 13 | 0 | 0 | 39 | 5.41% |
| Risk culture | 12 | 1 | 0 | 38 | 5.27% |
| Ethical culture | 12 | 1 | 0 | 38 | 5.27% |
| Organizational Independence | 12 | 1 | 0 | 38 | 5.27% |
| Investigation Protocols | 11 | 2 | 0 | 37 | 5.13% |
| Professional training | 13 | 0 | 0 | 39 | 5.41% |
| Risk prioritization | 11 | 2 | 0 | 37 | 5.13% |
| Contribution to risk management | 11 | 2 | 0 | 37 | 5.13% |
| Monitoring on separate engagements | 11 | 2 | 0 | 37 | 5.13% |
| Learning culture | 9 | 4 | 0 | 35 | 4.85% |
| Total | 12 | 1 | 0 | 721 | 100.00% |

Table 15. Table of relative importance—essential elements and corporate reporting.

| Element | Essential (3) | Useful but Not Essential (2) | Irrelevant (1) | Sum Scores | Relative Importance |
|---|---|---|---|---|---|
| Scope | 12 | 1 | 0 | 38 | 5.35% |
| Overall Responsibility | 11 | 2 | 0 | 37 | 5.21% |
| Assurance | 11 | 2 | 0 | 37 | 5.21% |
| Anonymity | 13 | 0 | 0 | 39 | 5.49% |
| Reporting channels | 13 | 0 | 0 | 39 | 5.49% |
| Advice on reporting | 13 | 0 | 0 | 39 | 5.49% |
| Visibility, clarity, and completeness of information | 13 | 0 | 0 | 39 | 5.49% |
| Anti-retaliation | 13 | 0 | 0 | 39 | 5.49% |
| Confidentiality | 13 | 0 | 0 | 39 | 5.49% |
| Tone at the top | 13 | 0 | 0 | 39 | 5.49% |
| Risk culture | 12 | 1 | 0 | 38 | 5.35% |
| Ethical culture | 12 | 1 | 0 | 38 | 5.35% |
| Organizational Independence | 12 | 1 | 0 | 38 | 5.35% |
| Investigation Protocols | 11 | 2 | 0 | 37 | 5.21% |
| Professional training | 13 | 0 | 0 | 39 | 5.49% |
| Risk prioritization | 11 | 2 | 0 | 37 | 5.21% |
| Contribution to risk management | 11 | 2 | 0 | 37 | 5.21% |
| Monitoring on separate engagements | 11 | 2 | 0 | 37 | 5.21% |
| Corporate reporting | 0 | 11 | 2 | 24 | 3.38% |
| Total | 12 | 1 | 0 | 710 | 100.00% |

Table 16. Table of relative importance—essential elements and corporate reporting and learning culture.

| Element | Essential (3) | Useful but Not Essential (2) | Irrelevant (1) | Sum Scores | Relative Importance |
|---|---|---|---|---|---|
| Scope | 12 | 1 | 0 | 38 | 5.10% |
| Overall Responsibility | 11 | 2 | 0 | 37 | 4.97% |
| Assurance | 11 | 2 | 0 | 37 | 4.97% |
| Anonymity | 13 | 0 | 0 | 39 | 5.23% |
| Reporting channels | 13 | 0 | 0 | 39 | 5.23% |
| Advice on reporting | 13 | 0 | 0 | 39 | 5.23% |
| Visibility, clarity, and completeness of information | 13 | 0 | 0 | 39 | 5.23% |
| Anti-retaliation | 13 | 0 | 0 | 39 | 5.23% |
| Confidentiality | 13 | 0 | 0 | 39 | 5.23% |
| Tone at the top | 13 | 0 | 0 | 39 | 5.23% |
| Risk culture | 12 | 1 | 0 | 38 | 5.10% |
| Ethical culture | 12 | 1 | 0 | 38 | 5.10% |
| Organizational Independence | 12 | 1 | 0 | 38 | 5.10% |
| Investigation Protocols | 11 | 2 | 0 | 37 | 4.97% |
| Professional training | 13 | 0 | 0 | 39 | 5.23% |
| Risk prioritization | 11 | 2 | 0 | 37 | 4.97% |
| Contribution to risk management | 11 | 2 | 0 | 37 | 4.97% |
| Monitoring on separate engagements | 11 | 2 | 0 | 37 | 4.97% |
| Learning culture | 9 | 4 | 0 | 35 | 4.70% |
| Corporate reporting | 0 | 11 | 2 | 24 | 3.22% |
| Total | 12 | 1 | 0 | 745 | 100.00% |

In summary, experts considered as essential not only the elements that derive directly from the (Directive (EU) 2019/1937), but also some elements that derive from best practices and are likely to make whistleblowing work as intended, for example, commitment from the top management, ethical culture, and risk culture.

From the above-weighted factors and the performance in each component, organizations can have a score in each component and an overall score when the individual scores are amalgamated. For example, for an organization that assesses both the obligatory and the optional elements in its assessment and ranks in the second level of maturity in respect of the scope, its score will be 5.10% × = 0.0204 from the 0.051, which is the maximum for this element. Possible assessment criteria for external benchmarking may include mean, median, quartiles, and interquartile range.

However, there are some limitations to this study. One limitation is that the first two steps of developing maturity models have been validated while the third has not. That is partially compensated because, having verified the previous steps, it is not hard for organizations to follow a reasonable escalation from the lowest to the highest level of maturity. Another limitation is that most experts derive from a single member state of the EU, and, likely, research on a larger scale and experts from other member states may be needed. Moreover, the suggested model does not assess the differences in the legal environment and the effectiveness of the judicial system. Although one of the aims of the Directive is to provide common minimum standards across the member states, there are substantial differences in the effectiveness of the judicial systems across the member states (World Justice Project 2022). In addition, the member states can extend the provision of the Directive into their national legislation. In addition, the proposed model does not address differentiations among industries, since some of them are highly regulated, or differentiations deriving from the different sizes of organizations.
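The screening and weighting procedure described above, as an added example that is not the authors' code: it applies Lawshe's (1975) standard formula, CVR = (n − N/2)/(N/2), to the vote counts in Tables 13–16 and then derives the summing-of-votes weights. The ≥ comparison against the 0.54 cut-off and the linear level/5 scaling in `element_score` are assumptions; the latter is chosen because it reproduces the 0.0204 figure in the scoring example.

```python
"""Lawshe CVR screening and summing-of-votes weights for the WBMM elements."""

# (essential, useful but not essential, irrelevant) votes of the 13 experts,
# copied from the "Responses from Experts" columns of Tables 13-16.
VOTES = {
    "Scope": (12, 1, 0),
    "Overall Responsibility": (11, 2, 0),
    "Assurance": (11, 2, 0),
    "Anonymity": (13, 0, 0),
    "Reporting channels": (13, 0, 0),
    "Advice on reporting": (13, 0, 0),
    "Visibility, clarity, and completeness of information": (13, 0, 0),
    "Anti-retaliation": (13, 0, 0),
    "Confidentiality": (13, 0, 0),
    "Tone at the top": (13, 0, 0),
    "Risk culture": (12, 1, 0),
    "Ethical culture": (12, 1, 0),
    "Organizational Independence": (12, 1, 0),
    "Investigation Protocols": (11, 2, 0),
    "Professional training": (13, 0, 0),
    "Risk prioritization": (11, 2, 0),
    "Contribution to risk management": (11, 2, 0),
    "Monitoring on separate engagements": (11, 2, 0),
    "Learning culture": (9, 4, 0),
    "Corporate reporting": (0, 11, 2),
}

CVR_CRITICAL = 0.54   # cut-off from the Table 12 header; ">=" is an assumption
POINTS = (3, 2, 1)    # points per vote, from the headers of Tables 13-16
MATURITY_LEVELS = 5   # the WBMM uses five maturity levels


def cvr(n_essential, n_experts):
    """Lawshe's content validity ratio, ranging from -1 to 1."""
    if n_experts <= 0 or not 0 <= n_essential <= n_experts:
        raise ValueError("need 0 <= n_essential <= n_experts and n_experts > 0")
    half = n_experts / 2
    return (n_essential - half) / half


def classify(votes):
    """Apply both tests from the paper to one element's vote counts."""
    essential, useful, irrelevant = votes
    n_experts = essential + useful + irrelevant
    if cvr(essential, n_experts) >= CVR_CRITICAL:
        return "essential"
    # Fallback rule: more than half rate it essential or useful.
    if essential + useful > n_experts / 2:
        return "optional"
    return "excluded"


def sum_score(votes):
    """Summing of votes: 3 points per essential, 2 per useful, 1 per irrelevant."""
    return sum(points * count for points, count in zip(POINTS, votes))


def select(include_optional=True):
    """Names of the elements that enter the model."""
    wanted = {"essential", "optional"} if include_optional else {"essential"}
    return [name for name, votes in VOTES.items() if classify(votes) in wanted]


def relative_importance(names):
    """Each element's share of the summed scores of the selected elements."""
    scores = {name: sum_score(VOTES[name]) for name in names}
    total = sum(scores.values())
    return {name: score / total for name, score in scores.items()}


def element_score(weight, level, levels=MATURITY_LEVELS):
    """Assumed scoring rule: the weight scaled by the maturity level reached."""
    if not 1 <= level <= levels:
        raise ValueError("maturity level out of range")
    return weight * level / levels


if __name__ == "__main__":
    weights = relative_importance(select(include_optional=True))
    for name, votes in VOTES.items():
        n = sum(votes)
        print(f"{name:55s} CVR={cvr(votes[0], n):5.2f} "
              f"{classify(votes):9s} weight={weights[name]:.2%}")
    print("Scope at level 2:", round(element_score(weights["Scope"], 2), 4))
```
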
Finally, the suggested model provides objective criteria to antifraud professionals to provide assurance or consulting engagements. Assessing the implementation of the policy and whether those criteria are met is the next stage of engagement, and it is not addressed in the model.

6. Conclusions

Despite the extensive research on the factors influencing reporting behavior and the effects of whistleblowing, there is limited research on the contribution of whistleblowing as an internal control, despite its importance as a preventive, entity-level internal control and one of the most effective anti-fraud measures. This study identified and assessed twenty-two elements related to whistleblowing based on expert opinions, out of which eighteen were considered essential for effective whistleblowing, while two were rejected and two were considered optional. Weightings were calculated for various combinations of essential and optional elements to create a suggested model that can help businesses understand their current performance and design responses to fully realize whistleblowing’s potential. This model can also assist anti-fraud professionals in conforming to the code of ethics, definition, and standards of internal audit in their engagements, as well as facilitate internal and external benchmarking.

However, there are limitations to this research. Firstly, the expert panel consisted of members from a single member state of the European Union, which may limit the generalizability of the findings to other jurisdictions. Further research on a larger scale, encompassing multiple countries and regions, may be needed to validate the results and provide a more comprehensive understanding of whistleblowing as an internal control. Additionally, the suggested model should be tested and validated in real-world settings to assess its practical applicability and effectiveness. Furthermore, as the regulatory landscape and business environment continue to evolve, future research should also consider the dynamic nature of whistleblowing and its implications for internal controls.

In future research, exploring the impact of cultural and contextual factors on whistleblowing as an internal control would be valuable. Different organizational cultures, legal frameworks, and societal norms may influence the effectiveness of whistleblowing practices, and studying these factors could provide valuable insights for organizations and policymakers. Additionally, the research can further investigate the relationship between whistleblowing and other internal controls, such as risk management and corporate governance, to better understand their interactions and synergies.

To conclude, while this study contributes to understanding whistleblowing as an internal control, further research is needed to address the limitations and explore the potential of whistleblowing in different contexts. This will provide valuable insights for organizations, policymakers, and anti-fraud professionals in designing and implementing effective whistleblowing practices as part of their internal control frameworks.

Author Contributions: Conceptualization, P.K. (Paschalis Kagias), N.S. and I.P.; methodology, P.K. (Paschalis Kagias), I.P. and P.K. (Panagiotis Kyriakogkonas); software, P.K. (Paschalis Kagias) and I.P.; validation, P.K. (Paschalis Kagias), A.G. and I.P.; formal analysis, P.K. (Paschalis Kagias), N.S. and I.P.; investigation, P.K. (Paschalis Kagias) and I.P.; resources, P.K. (Paschalis Kagias), A.G., I.P. and P.K. (Panagiotis Kyriakogkonas); data curation, P.K. (Paschalis Kagias), A.G., I.P. and P.K. (Panagiotis Kyriakogkonas); writing—original draft preparation, P.K. (Paschalis Kagias), N.S., I.P. and P.K. (Panagiotis Kyriakogkonas); writing—review and editing, P.K. (Paschalis Kagias), A.G. and I.P.; visualization, P.K. (Panagiotis Kyriakogkonas), A.G.
and I.P.; supervision, P.K. (Paschalis Kagias), A.G. and I.P.; project administration, P.K. (Paschalis Kagias) and I.P. All authors have read and agreed to the published version of the manuscript.

Funding: This research received no external funding.

Institutional Review Board Statement: Not applicable.

Informed Consent Statement: Not applicable.

Data Availability Statement: Not applicable.

Conflicts of Interest: The authors declare no conflict of interest.

References

ACFE (Association of Certified Fraud Examiners), and Grant Thornton. 2020. Anti-Fraud Playbook. Available online: https://www.grantthornton.com.tr/globalassets/1.-member-firms/turkey/rapor-ve-aratrmalar/antifraud-playbook.pdf (accessed on 1 December 2022).
ACFE (Association of Certified Fraud Examiners). 2022. Occupational Fraud 2022. A Report to the Nations. Available online: https://legacy.acfe.com/report-to-the-nations/2022/ (accessed on 1 December 2022).
Alford, C. F. 2002. Whistleblowers: Broken Lives and Organizational Power. Austin: Cornell University Press.
Ayers, Susan, and Steven E. Kaplan. 2005. Wrongdoing by consultants: An examination of employees’ reporting intentions. Journal of Business Ethics 57: 121–37.
Bechtoldt, Myriam N., and Kathrin D. Schmitt. 2010. It’s not my fault, it’s theirs: Explanatory style of bullying targets with unipolar depression and its susceptibility to short-term therapeutical modification. Journal of Occupational and Organizational Psychology 83: 395–417.
Becker, Jörg, Ralf Knackstedt, and Jens Pöppelbuß. 2009. Developing maturity models for IT management: A procedure model and its application. Business & Information Systems Engineering 1: 213–22.
Berry, Benisa. 2004. Organizational culture: A framework and strategies for facilitating employee whistleblowing. Employee Responsibilities and Rights Journal 16: 1–11.
Bjørkelo, Brita. 2013. Workplace bullying after whistleblowing: Future research and implications. Journal of Managerial Psychology 28: 306–23.
CIIA (Chartered Institute of Internal Auditors). 2014. Whistleblowing and Corporate Governance. In The Role of Internal Audit in Whistleblowing. London: Chartered Institute of Internal Auditors.
Culiberg, Barbara, and Katarina Katja Mihelič. 2017. The evolution of whistleblowing studies: A critical review and research agenda. Journal of Business Ethics 146: 787–803.
Cyphert, Frederick R., and Walter L. Gant. 1971. The Delphi technique: A case study. Phi Delta Kappan 52: 272–73.
De Bruin, Tonia, Michael Rosemann, Ronald Freeze, and Uday Kaulkarni. 2005. Understanding the main phases of developing a maturity assessment model. In Australasian Conference on Information Systems (ACIS). Brisbane: Brisbane Australasian Chapter of the Association for Information Systems, pp. 8–19.
Dening, Karen H., Louise Jones, and Elizabeth L. Sampson. 2013. Preferences for end-of-life care: A nominal group study of people with dementia and their family carers. Palliative Medicine 27: 409–17.
Directive (EU). 2019. Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the Protection of Persons Who Report Breaches of Union Law. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937 (accessed on 1 December 2022).
Dworkin, Terry Morehead, and Melissa S. Baucus. 1998. Internal vs. external whistleblowers: A comparison of whistleblowering processes. Journal of Business Ethics 17: 1281–98.
Głuszek, Ewa. 2021. Use of the e-Delphi method to validate the corporate reputation management maturity model (CR3M). Sustainability 13: 12019.
GRI (Global Reporting Initiative). 2018. GRI 102: General Disclosures 2016. Amsterdam: Global Reporting Initiative.
Greene, Annette D., and Jean Kantambu Latting. 2004. Whistle-blowing as a form of advocacy: Guidelines for the practitioner and organization. Social Work 49: 219–30.
Henik, Erika. 2015. Understanding whistle-blowing: A set-theoretic approach. Journal of Business Research 68: 442–50.
Hersh, Marion A. 2002. Whistleblowers—Heroes or traitors?: Individual and collective responsibility for ethical behaviour. Annual Reviews in Control 26: 243–62.
Hohmann, Erik, Jefferson C. Brand, Michael J. Rossi, and James H. Lubowitz. 2018. Expert opinion is necessary: Delphi panel methodology facilitates a scientific approach to consensus. Arthroscopy: The Journal of Arthroscopic & Related Surgery 34: 349–51.
ICAEW (Institute of Chartered Accountants in England and Wales). 2019. How Whistleblowing Helps Companies. Available online: https://www.icaew.com/technical/corporate-governance/committees/corporate-culture/culture-articles/how-whistleblowing-helps-companies#:~:text=Whistleblowing%20is%20central%20to%20a,ICAEW%20chief%20executive%20Michael%20Izza (accessed on 5 October 2022).
IIA (The Institute of Internal Auditors). 2013. Selecting, using, and creating maturity models. In A Tool for Assurance and Consulting Engagements. Lake Mary: The Institute of Internal Auditors.
IIA (The Institute of Internal Auditors). 2017. International Standards for the Professional Practice of Internal Auditing. Standard 2210.A3. Lake Mary: The Institute of Internal Auditors.
IIA (The Institute of Internal Auditors). 2019. Internal Audit Capability Model (IA-CM) For the Public Sector. Lake Mary: The IIA Research Foundation.
IIAA (The Institute of Internal Auditors Australia). 2021. Auditing Risk Culture: Practical Guide. Available online: https://www.iia.org.au/sf_docs/default-source/technical-resources/iia_auditing-risk-culture-guide-fa.pdf?sfvrsn=4 (accessed on 16 December 2022).
IOS (International Organization for Standardization). 2021. Whistleblowing Management Systems—Guidelines. ISO 37002:2021. Available online: https://www.iso.org/standard/65035.html (accessed on 1 December 2022).
Kaptein, Muel. 2011. From inaction to external whistleblowing: The influence of the ethical culture of organizations on employee responses to observed wrongdoing. Journal of Business Ethics 98: 513–30.
Kittell-Limerick, Patricia. 2005. Perceived Barriers to Completion of the Academic Doctorate: A Delphi Study. Commerce: Texas A&M University-Commerce.
KPMG. 2013. Transforming Internal Audit: A Maturity Model from Data Analytics to Continuous Assurance. Available online: https://assets.kpmg.com/content/dam/kpmg/pdf/2015/09/ch-pub-20150922-transforming-internal-audit-maturity-model-en.pdf (accessed on 1 December 2022).
Kreiner, Barbara, Christoph Sulyok, and Hans-Bernd Rothenhäusler. 2008. Does mobbing cause posttraumatic stress disorder? Impact of coping and personality. Neuropsychiatrie: Klinik, Diagnostik, Therapie und Rehabilitation: Organ der Gesellschaft Osterreichischer Nervenarzte und Psychiater 22: 112–23.
Lawshe, Charles H. 1975. A quantitative approach to content validity. Personnel Psychology 28: 563–75.
Linstone, Harold A., and Murray Turoff, eds. 1975. The Delphi Method. Reading: Addison-Wesley.
Martinek-Jaguszewska, Klaudia, and Waldemar Rogowski. 2022. Development and Validation of the Business Process Automation Maturity Model: Results of the Delphi Study. Information Systems Management 2022: 1–17.
Miceli, Marcia P., Janelle B. Dozier, and Janet P. Near. 1987. Personal and Situational Determinants of Whistleblowing. Paper presented at the Meeting of the Academy of Management, New Orleans, LA, USA, November 1.
Miceli, Marcia P., Janet P. Near, and Charles R. Schwenk. 1991. Who blows the whistle and why? ILR Review 45: 113–30.
Murphy, M. K., N. A. Black, D. L. Lamping, C. M. McKee, C. F. Sanderson, J. Askham, and T. Marteau. 1998. Consensus development methods, and their use in clinical guideline development. Health Technology Assessment 2: i-88.
Near, Janet P., and Marcia P. Miceli. 1985. Organizational dissidence: The case of whistle-blowing. Journal of Business Ethics 4: 1–16.
OECD. 2019a. Tax Compliance Burden Maturity Model. Available online: https://www.oecd.org/tax/forum-on-tax-administration/publications-and-products/tax-compliance-burden-maturity-model.htm (accessed on 2 January 2023).
OECD. 2019b. Tax Debt Management Maturity Model. Available online: https://www.oecd.org/tax/forum-on-tax-administration/publications-and-products/tax-debt-management-maturity-model.htm (accessed on 2 January 2023).
OECD. 2020. Tax Crime Investigation Maturity Model. Available online: https://www.oecd.org/tax/crime/tax-crime-investigation-maturity-model.htm (accessed on 2 January 2023).
OECD. 2021. Enterprise Risk Management Maturity Model. Available online: https://www.oecd.org/tax/forum-on-tax-administration/publications-and-products/enterprise-risk-management-maturity-model.htm (accessed on 2 January 2023).
OECD. 2022. Tax Administration Maturity Model Series Analytics Maturity Model. Available online: https://www.oecd.org/tax/forum-on-tax-administration/publications-and-products/analytics-maturity-model.htm (accessed on 2 January 2023).
Ono, Ryota, and Dan J. Wedemeyer. 1994. Assessing the validity of the Delphi technique. Futures 26: 289–304.
Painter-Morland, Mollie. 2010. Questioning corporate codes of ethics. Business Ethics: A European Review 19: 265–79.
PCBS (Parliamentary Commission on Banking Standards). 2013. Available online: https://www.parliament.uk/globalassets/documents/banking-commission/Banking-final-report-volume-i.pdf (accessed on 16 December 2022).
PCW (Public Concern at Work). 2013. Report on the Effectiveness of Existing Arrangements for Workplace Whistleblowing in the UK. London: Public Concern at Work.
Ravishankar, Lilanthi. 2003. Encouraging Internal Whistleblowing in Organizations. Available online: https://www.scu.edu/ethics/publications/submitted/whistleblowing.html (accessed on 11 November 2022).
Sanderson, Tessa, Sarah Hewlett, Pam Richards, Marianne Morris, and Michael Calnan. 2012. Utilizing qualitative data from nominal groups: Exploring the influences on treatment outcome prioritization with rheumatoid arthritis patients. Journal of Health Psychology 17: 132–42.
Schmidt, Chris. 2020. Why risk management frameworks fail to prevent wrongdoing. The Learning Organization 27: 133–45.
Tavakoli, A. Assad, John P. Keenan, and Biljana Cranjak-Karanovic. 2003. Culture and whistleblowing an empirical study of Croatian and United States managers utilizing Hofstede’s cultural dimensions. Journal of Business Ethics 43: 49–64.
The Guardian. 2010. The Man Who Blew the Whistle on Bernard Madoff. Available online: https://www.theguardian.com/business/2010/mar/24/bernard-madoff-whistleblower-harry-markopolos (accessed on 16 December 2022).
TI-NL (Transparency International Netherland). 2019. Whistleblowing Frameworks 2019. In Assessing Companies in Trade, Industry, Finance, and Energy in the Netherlands. Amsterdam: Transparency International Netherland.
Tsahuridu, Eva E., and Wim Vandekerckhove. 2008. Organisational whistleblowing policies: Making employees responsible or liable? Journal of Business Ethics 82: 107–18.
Turoff, Murray, and Harold A. Linstone. 2002. The Delphi Method-Techniques and Applications. Boston: Addison Wesley Publishing Company.
Turoff, Murray, and Starr Roxanne Hiltz. 1996. Computer based Delphi processes. In Gazing into the Oracle: The Delphi Method and Its Application to Social Policy and Public Health. London: Jessica Kingsley Publishers, pp. 56–85.
World Justice Project. 2022. The 2022 WJP Rule of Law Index. Available online: https://worldjusticeproject.org/rule-of-law-index/ (accessed on 12 April 2023).
Worth, Mark. 2013. Whistleblowing in Europe: Legal protections for whistleblowers in the EU. Transparency International Secretariat 2013: 91–111.
Zhuang, Jinyun, Stuart Thomas, and Diane L. Miller. 2005. Examining culture’s effect on whistle-blowing and peer reporting. Business & Society 44: 462–86.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Administrative Sciences Multidisciplinary Digital Publishing Institute

Validating the Whistleblowing Maturity Model Using the Delphi Method


Publisher
Multidisciplinary Digital Publishing Institute
Copyright
© 1996-2023 MDPI (Basel, Switzerland) unless otherwise stated
ISSN
2076-3387
DOI
10.3390/admsci13050120

Keywords: whistleblowing; EU Directive 1937; benchmarking; internal audit; ESG

Citation: Kagias, Paschalis, Nikolaos Sariannidis, Alexandros Garefalakis, Ioannis Passas, and Panagiotis Kyriakogkonas. 2023. Validating the Whistleblowing Maturity Model Using the Delphi Method. Administrative Sciences 13: 120. https://doi.org/10.3390/admsci13050120

Received: 12 March 2023
Revised: 17 April 2023
Accepted: 24 April 2023
Published: 29 April 2023

Copyright: © 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Adm. Sci. 2023, 13, 120. https://doi.org/10.3390/admsci13050120 https://www.mdpi.com/journal/admsci

1. Introduction

The most recent (ACFE 2022) study identifies whistleblowing as the most effective fraud identification method with a great difference from the second one, while the recent adoption of the (Directive (EU) 2019/1937) in the EU draws the attention of organizations and anti-fraud professionals (fraud examiners and internal auditors).

The article’s objective is to provide a validated maturity framework concerning whistleblowing that organizations can use to enhance their performance regarding whistleblowing and the internal control environment in total, and to allow internal and external benchmarking. Concerning the internal audit, the proposed model aims to provide internal auditors with adequate, objective criteria to evaluate governance, risk management, and controls (IIA 2017) for whistleblowing.

The first maturity models were developed in the 1990s in management and information technology to assess the level of competency, capability, or sophistication of business processes (De Bruin et al. 2005). Although it is not a requirement for a maturity model to be validated to be helpful, validation by experts may provide valuable inputs, insights, and a degree of assurance in respect to its credibility and relevance. In practice, many maturity models have been validated through the Delphi method (for example CR3M developed by (Głuszek 2021) and the BPAMM developed by (Martinek-Jaguszewska and Rogowski 2022)), while others are not (KPMG 2013; ACFE and Grant Thornton 2020).

The Delphi method was developed in the 1950s by the Rand Corporation (Turoff and Linstone 2002), and since then it has been used in various sectors, including public health, transport, and education (Kittell-Limerick 2005). The Delphi Method aims to «obtain the most reliable consensus of a group of experts by a series of intensive questionnaires interspersed with controlled feedback» (Turoff and Linstone 2002). The use of this method is appropriate where the subject matter is complex (Ono and Wedemeyer 1994), where empirical evidence is lacking (Murphy et al. 1998), or when the knowledge is incomplete (Turoff and Hiltz 1996). This applies to whistleblowing because it is a complex phenomenon that depends on legal, organizational, situational, and personal factors. In addition, although there is extensive research on the factors facilitating or discouraging whistleblowing, the study of whistleblowing as a control mechanism is limited.

The structure of the article is as follows. The next section (Section 2) covers the literature review on whistleblowing; Section 3 covers the theory and the application of the Delphi method. Section 4 presents the collection of data, Section 5 presents the results and the discussion while the last section covers the conclusions.

2. Literature Review

2.1. Whistleblowing

Before developing the maturity model, it is necessary to understand the nature of whistleblowing, its limitations, its place in the internal control framework, and the need for a whistleblowing maturity model.

One of the major limitations in the academic research of whistleblowing is that there is no commonly accepted definition. Near and Miceli (1985) defined whistleblowing as «the disclosure by organizational members (former or current) of illegal, immoral, or illegitimate practices under the control of their employers, to persons or organizations that may be able to effect action», while (Ravishankar 2003) defined whistle-blowers as the «employees who bring wrongdoing at their organizations to the attention of superiors». These definitions indicate the need for specific results. That differentiates whistleblowing from rumors, gossip, or grievances. However, other researchers suggested that considering only employees as whistleblowers may no longer be appropriate and may not adequately portray the whistleblower (Ayers and Kaplan 2005). Empirical evidence (ACFE 2022) shows that reports can also derive from external parties and, in rare cases, even from competitors, which verifies this perspective. In addition, reports from external parties provide «greater evidence of wrongdoing, and they tend to be more effective in changing organizational practices» (Dworkin and Baucus 1998).

Other definitions concentrated on whistle-blowers and their virtues rather than on the act of whistleblowing itself (for example (Berry 2004) and (Alford 2002)), hypothesizing that whistleblowers are highly ethical individuals with the courage to face the fear of reprisal. However, other studies have shown that in many cases, whistleblowers act opportunistically (Henik 2015).
A more appropriate definition has been provided by (TI-NL 2019) that defined whistleblowing as «the disclosure of information related to corrupt, illegal, fraudulent or hazardous activities being committed in or by public or private sector organizations—which are of concern to or threaten the public interest—to individuals or entities believed to be able to effect action».

Internal controls can be distinguished based on two criteria. The first is whether the internal control is designed to prevent the occurrence of loss events (preventive control) or to identify internal control failures (detective control) after their occurrence. Whistleblowing has been categorized as a «potentially active or passive detection method» by (ACFE 2022) and as «an essential last line of defense in companies’ systems of internal control» (ICAEW 2019), meaning that it is more a detective control than a preventive one. The second criterion is whether the internal control is specific to certain transactions or business processes (specific control) or affects the control environment as a whole (entity-level control). Whistleblowing is an entity-level control with a pervasive effect in the control environment.

Even though whistleblowing is an effective internal control, it is also associated with many limitations. Inertia may be one of the most significant ones. Organizations often received early notice but failed to act upon it. The example of Harry Markopolos may be one of the most indicative examples. Harry Markopolos, a financial analyst and fraud examiner, provided red flags of fraud to the SEC for the biggest Ponzi scheme in history for over a decade before it imploded. However, his concerns were ignored repeatedly and when the fraud was exposed, the losses for the investors had already reached 65bn US dollars (The Guardian 2010). However, inertia may also derive from those who observe wrongdoing or business risks. Following (Miceli et al. 1987), whistleblowing is a «complex phenomenon that is based upon organizational, situational, and personal factors» which is not entirely within the control of the organizations, and «it is virtually impossible to change individuals’ core values which have been learned and consolidated over a lifetime» (ICAEW 2019). Academic literature and empirical evidence reveal that frequently too little information comes to the attention of the management or the regulators, and if it does come, it may come too late. For example, the Parliamentary Commission on Banking Standards was shocked by the evidence that so many people ignored misbehavior (CIIA 2014). As a result, the main weakness of whistleblowing as an internal control is that it depends on human behavior.

2.2. Maturity Models

Maturity models are often used on a self-assessment basis to help organizations understand their current level of capability in a particularly functional, strategic, or organizational area (OECD 2022). Maturity models provide a holistic approach (Martinek-Jaguszewska and Rogowski 2022) to depict the current situation based on objective criteria, envision the future, and find a way to achieve the desired state by following a disciplined method that is easy to use and implement (IIA 2013). In addition, the maturity models provide an early warning for an organization’s challenges (OECD 2022). Effectively, maturity models contribute to achieving a business process’s full potential. For these reasons, maturity models have been used in many areas, including information systems development (OECD 2022), internal auditing (KPMG 2013; OECD 2021; IIA 2019), fraud prevention and deterrence (ACFE and Grant Thornton 2020), and tax law enforcement (OECD 2019a, 2019b, 2020). The fact that the Institute of Internal Auditors issued a practice guidance specifically on selecting, using, and developing maturity models a decade ago proves their relevance to the internal audit.
In addition, the (ACFE 2022) study reveals that the primary internal control failures that contributed to fraud are the lack of internal controls (29%); override of controls (20%); poor tone at the top (10%); lack of competent personnel in oversight roles (8%). A robust whistleblowing framework may reduce all these internal control failures. For example, management may be reluctant to override controls when the possibility of getting caught is high; additional internal controls may be implemented or the existing ones need to be improved.

3. Whistleblowing Maturity Framework

3.1. Development of Maturity Models

Usually, the maturity models are ranked using five steps. Each step illustrates the current or desired capabilities (De Bruin et al. 2005) and follows a reasonable escalation or path from the lowest to the highest. The maturity models can be distinguished into:

1. Descriptive maturity models that are useful to depict the current situation;
2. Prescriptive maturity models that also provide a roadmap to achieve the desired outcomes and;
3. Comparative maturity models that also allow internal or external benchmarking (Becker et al. 2009).

The suggested model falls in the third category. In developing maturity models, the (IIA 2013) suggests the following steps:

1. To determine the model and its components;
2. To determine its scale and;
3. To determine the expectations for each component.

The first step involves ascertaining what is to be assessed and, based on that, identifying the components leading to this objective. Key considerations include whether the inclusion or exclusion of a component will increase or decrease the likelihood of achieving outcomes, respectively. In the second stage, 5 scales are usually used (Martinek-Jaguszewska and Rogowski 2022). The lower levels, 0 or 1, illustrate the absence of a capability, competency, or level of sophistication and level 5 illustrates the highest level. The (IIA 2013) also draws attention to the appropriateness of each level’s description. It is noted that the scope of this paper is to validate the two first parts of the WBMM.

3.2. Stages

The first stage initially considered is compliance with the (Directive (EU) 2019/1937). The underlying logic is that non-compliance is not an option. Many organizations will consider this stage sufficient. However, it is likely that many organizations will use whistleblowing to comply with other laws and regulations not included in the scope of the Directive or their code of conduct. The «wheel of whistleblowing» suggested by (Culiberg and Mihelič 2017) includes many wrongdoings and threats not included in the scope of the (Directive (EU) 2019/1937). In addition, other organizations may also use whistleblowing to enhance their risk management or to achieve their ESG objectives. In accordance with (ICAEW 2019) whistleblowing provides a weapon to root out complacency and inertia which can be viewed as rigorousness for enhancing the internal control environment. In respect of the contribution of whistleblowing to achieve ESG objectives the (Directive (EU) 2019/1937) includes many wrongdoings that affect society while the «wheel of whistleblowing» suggests even more (Culiberg and Mihelič 2017). Therefore, the maturity levels (see Figure 1) of the suggested WBMM are:

1. Initial;
2. Compliance with the Directive;
3. Compliance with other laws and regulations;
4. Enhancement of internal control environment and;
5. Contributing to the achievement of ESG objectives.

Figure 1. Designed by the authors.

3.3. Components

The components identified through a thorough study of the literature are divided into eight categories:

1. The scope of the whistleblowing policy;
2. Corporate governance;
3. Reporting mechanisms;
4. Protection;
5. Tone at the top;
6. Organizational culture and human resource practices;
7. Objective investigations and;
8. Monitor and review.

Accordingly, these result in 22 elements. The contribution of each main component and element is discussed below.

3.3.1. Scope

The scope of whistleblowing is two-dimensional and comprises what wrongdoings or dangers will be reported and followed up on and who can report them. The first dimension has already been analyzed. Regarding the second, the (Directive (EU) 2019/1937) also determines the persons who have the right to report. However, in some cases, it may be appropriate for organizations to expand the possible reporting persons.

3.3.2. Corporate Governance

Corporate governance refers to the mechanisms that provide the basis for objective investigations and corporate reporting. This component is divided into three elements:

1. Overall responsibility;
2. Assurance and;
3. Corporate reporting.

Consensus has been established that the overall responsibility needs to be assigned to independent, non-executive directors or committees consisting of them. (PCBS 2013; PCW 2013) suggest a non-executive director, preferably the chairman; (CIIA 2014) proposes the audit committee, while (Greene and Latting 2004) suggest the ethics committee. In accordance with (CIIA 2014), organizations should obtain assurance in respect of whistleblowing either from the internal audit function or elsewhere.
In addition, through the reports and the outcomes of the investigations, the internal audit function can confirm or alter its understanding of risks, procedures, and controls, allowing it to fulfill its obligations concerning ERM. The (Directive (EU) 2019/1937) does not set an obligation for disclosures relevant to whistleblowing. However, both (TI-NL 2019) and (GRI 2018) suggest certain disclosures in the annual reports or elsewhere.

3.3.3. Reporting Mechanisms

Reporting mechanisms include all necessary steps to enable a possible reporting person to make informed decisions on whether and how to report and provide secure reporting channels. The elements considered are:

1. Anonymity;
2. Reporting channels;
3. Advice on reporting and;
4. Visibility, clarity, and completeness of the information.

The (Directive (EU) 2019/1937) leaves the member states to decide whether anonymous reports will be received and investigated. However, (TI-NL 2019) ranked organizations that accept anonymous reports higher because anonymity provides an additional safety line to the reporting person. Organizations also have to establish secure reporting channels that «protect the identity of the whistle-blower and any other individual included in the report» (Directive (EU) 2019/1937). A step further, (TI-NL 2019) suggests that at least one be available at any time and at least allow oral reporting. In addition, the (ACFE 2022) study shows the preference of whistle-blowers for electronic reporting methods (email and web-based forms) compared to the traditional ones. The (Directive (EU) 2019/1937) also provides for free-of-charge confidential advice to be provided by the facilitator, a «natural person who assists a reporting person in the reporting process in a work-related context, and whose assistance should be confidential».
However, in many cases, whistle-blowers face ethical dilemmas and internal conflicts (Hersh 2002), and assistance in the bureaucratic process of filing reports may not be sufficient in those cases.

3.3.4. Protection

Academic research, empirical evidence, and the (Directive (EU) 2019/1937) identified the threat of retaliation as a primary factor negatively affecting the decision to report. The consequences to the whistle-blower may vary significantly in terms of severity, from negative perceptions against whistle-blowers (Worth 2013), negative consequences in the work environment such as bullying (Bjørkelo 2013), to blackballing, isolation, humiliation (Berry 2004), to psychological effects such as depression (Bechtoldt and Schmitt 2010), anxiety (Bjørkelo 2013), post-traumatic stress (Kreiner et al. 2008) or even to become life-threatening. Protection covers the confidentiality of the reporting person’s identity and any person referred to in the reports as required by the (Directive (EU) 2019/1937) and the provision of adequate anti-retaliation measures. A practical implication may arise in cases where the organization has operations in jurisdictions with less robust legal protection. In such a case, it shall determine whether the same protection will be granted voluntarily.

3.3.5. Tone at the Top

The (ACFE 2022) identifies the lack of proper tone at the top as an internal control weakness in many frauds. The relationship between whistleblowing and tone at the top is bilateral: employees will only report if they know the whistleblowing policy and they believe that the top management supports it (Tsahuridu and Vandekerckhove 2008). On the other hand, if the top management is negligent in receiving and investigating reports, the wrongdoing could be seen as a routine practice (Kaptein 2011).

3.3.6. Organizational Culture and Human Resource Practices

For the purposes of this study, organizational culture was initially distinguished into:

1. Risk culture;
2. Ethical culture;
3. Learning culture and;
4. Cultural differences.

Risk culture is the «part of the organizational culture that helps or hinders the effective risk management» (IIAA 2021) or a «mindful watchfulness for threats» (Berry 2004) that will allow alertness for malpractices and the ethical culture will allow malpractices to be reported once identified. Research shows that possible reporting persons who do not perceive reporting as their duty are unlikely to report it (Miceli et al. 1991), and they become oblivious to those wrongdoings not addressed in the code of ethics (Painter-Morland 2010). In addition, a lack of learning culture contributes to risk management frameworks failing (Schmidt 2020). Learning culture refers to organizations learning from their mistakes and building resilience to risks by creating, transferring, and retaining knowledge. Lastly, many researchers (Tavakoli et al. 2003; Zhuang et al. 2005) found that cultural differences can affect the decision of an individual to report and how to report. The main practical implication of this perspective is the consideration of cultural differences when an organization operates in multiple jurisdictions.

3.3.7. Investigations

The investigation of reports is the ultimate purpose of the whole whistleblowing mechanism. The elements initially considered that will allow unbiased judgments are:

1. Organizational independence of the investigation team;
2. Professional training;
3. Appropriate risk prioritization;
4. Investigation protocols and;
5. Contribution to risk management.

The organizational independence of the investigation team may be safeguarded from the corporate governance mechanisms and the ethical decision-making of the team members. A reasonable assumption is that professionals, subject to a code of conduct and with experience in ethical decision-making, may be less likely to accept undue influence.
The professional training of those who manage reports is a mandatory requirement of the (Directive (EU) 2019/1937). In addition, investigation protocols determine key aspects such as the composition of the investigation team and methods of gathering factual evidence. Their contribution is that they enhance the effectiveness of the investigations. The risk prioritization is to ensure that the most severe reports are investigated first with the possible effect of the minimization and/or the recovery of the losses that the organization suffered. Lastly, the outcomes of the investigations may confirm or alter the understanding of the organization on risks and controls, allowing the enhancement of the internal control environment in total.

3.3.8. Monitoring and Review

Consensus on the need for monitoring the effectiveness of whistleblowing has been achieved (TI-NL 2019; IOS 2021, ISO 37002:2021). An interesting aspect of whistleblowing is that it is an entity-level control, not limited to isolated business processes and transactions. Likely, considering whistleblowing in isolation may not provide sufficient grounds to conclude. Therefore, the elements initially considered were (a) the assessment of whistleblowing in isolation of other controls with KPIs and key statistics and (b) considering the effectiveness of whistleblowing in other assessments.

The proposed model before the validation by the experts can be illustrated as follows (Table 1).

Table 1. Initially proposed maturity model.

| Component / element | Initial | Compliance with the Directive | Compliance with Other Laws and Regulations | Enhancement of Internal Control | Contributing to Achievement of ESG Objectives |
|---|---|---|---|---|---|
| Scope | | | | | |
| Scope | | | | | |
| Corporate governance | | | | | |
| Overall Responsibility | | | | | |
| Assurance | | | | | |
| Corporate reporting | | | | | |
| Reporting mechanisms | | | | | |
| Anonymity | | | | | |
| Reporting channels | | | | | |
| Advice on reporting | | | | | |
| Visibility, clarity, and completeness of information | | | | | |
| Protection | | | | | |
| Anti-retaliation | | | | | |
| Confidentiality | | | | | |
| Tone at the top | | | | | |
| Tone at the top | | | | | |
| Organizational culture | | | | | |
| Risk culture | | | | | |
| Ethical culture | | | | | |
| Learning culture | | | | | |
| Cultural differences | | | | | |
| Investigations | | | | | |
| Organizational Independence | | | | | |
| Investigation Protocols | | | | | |
| Professional training | | | | | |
| Risk prioritization | | | | | |
| Contribution to risk management | | | | | |
| Monitoring and review | | | | | |
| Monitoring on separate activities | | | | | |
| Assess whistleblowing during other assessments | | | | | |

4. Theory of the Delphi Method

4.1. Methodology of the Delphi Method

The characteristics of the Delphi method are:

1. The anonymity of the members of the panel of experts that will allow them to modify their opinions;
2. Statistical analysis and;
3. Controlled feedback will provide them with the basis to change their views (Kittell-Limerick 2005).

The steps of this method are summarized in Table 2.

Table 2. Summary of the Delphi Panel Method.

1. Researchers define a problem and development of related questions.
2. Researchers select a panel of diverse experts (whose anonymity is generally protected).
3. Researchers distribute the questionnaire to the panel.
4. Researchers analyze and summarize the data and develop follow-up questions.
5. Repeat step 4 as required.
6. As consensus begins forming and issues are clarified, repeat step 4 as required.
7. Researchers invite panelists to revise or review consensus and specify reasons for dissenting opinions.
8. Repeat steps 4–7 as required.
9. Researchers summarize consensus and provide feedback to the panel.
10. Researchers publish the final consensus statement.

Source: Hohmann et al. (2018).

4.2. Panel of Experts

In relation to the size of the panel of experts, the minimum is seven experts (Linstone and Turoff 1975). Useful results can be drawn by a panel of 10–15 experts provided that the group is homogenous (Cyphert and Gant 1971). The initial sample consisted of 10 experts who are certified fraud examiners and/or internal auditors and/or PhD holders with relevant research interests. To ensure the completeness of specializations in the panel of experts, they have been asked to identify other professionals who may contribute to the study. Some experts considered external auditors, compliance officers and lawyers. However, the panel already included experts who are also external auditors or compliance officers. As a result, 3 lawyers with sufficient knowledge of labor law and GDPR legislation have been selected.

Of the anti-fraud experts (N = 10) who agreed to participate in the study, (N = 2) were theorists, (N = 5) were professionals, and (N = 3) were both professionals and theorists (Table 3). In addition, (N = 5) experts were holders of Ph.D.; (N = 2) were Ph.D. candidates with relevant research interests, and (N = 4) had a postgraduate diploma relevant to accounting and auditing (Table 4).

Table 3. Final composition of the panel of experts.

| Category | First Group of Participants | Second Group of Participants | Total |
|---|---|---|---|
| Theorists (only) | 2 | 0 | 2 |
| Professionals (only) | 5 | 3 | 8 |
| Both theorists and professionals | 3 | 0 | 3 |
| Total | 10 | 3 | 13 |

Table 4. Minimum education level of the panel of experts.

| Category | Theorists | Antifraud Professionals | Lawyers | Total |
|---|---|---|---|---|
| Ph.D. | 2 | 2 | 0 | 4 |
| Ph.D. candidates | 0 | 2 | 0 | 2 |
| Postgraduate degree | 0 | 4 | 2 | 6 |
| University degree | 0 | 0 | 1 | 1 |

All antifraud professionals («professionals» and «both professionals and theorists») (N = 8) had at least one professional qualification in internal audit or fraud investigation (MIN = 1), on average (M = 3.750) (Tables 5 and 6). They all comply with the continuing professional requirements (Table 7) and they have adequate post-qualification experience (Table 8). Most anti-fraud experts have more than one relevant occupation which gives them a broader view of the subject matter (Table 9), and they work in senior positions (Table 10).

Table 5. Summary of professional qualifications of anti-fraud professionals.

| Professional Qualifications | N | Min | Max | Total | Average |
|---|---|---|---|---|---|
| Qualifications in Internal Audit | 8 | 0 | 7 | 14 | 1.750 |
| Qualifications in Fraud Examination | 8 | 0 | 3 | 9 | 1.125 |
| Other qualifications | 8 | 0 | 2 | 7 | 0.875 |
| Total qualifications | 8 | 1 | 9 | 30 | 3.750 |

Antifraud professionals and theorists self-assessed as having adequate knowledge of internal auditing, fraud prevention, and whistleblowing (Table 11). Especially in whistleblowing, the theorists (N = 2) had experience through their research activities, while of the antifraud professionals (N = 8), (N = 5) replied that their competency derives from practice and (N = 3) replied that their competency derives from both practice and research.

The lawyers (N = 3) rank high in their organizations, and (N = 2) hold a relevant master’s degree; (N = 1) do not hold a master’s degree, but their experience exceeds 25 years. In addition, they also self-assessed that they have adequate knowledge of labor law, General Data Protection Regulation, the (Directive (EU) 2019/1937) and Law 4990/2022, which incorporates the (Directive (EU) 2019/1937) into the national legislation.

As a result, it was ensured (a) completeness of the relative competencies and (b) that the panel meets the qualitative criteria to place reliance on their views.

Table 6. Analysis of professional qualifications of anti-fraud professionals.

| Qualifications Relevant to Internal Audit | N |
|---|---|
| Certification in Control Self-Assessment (CCSA) | 1 |
| Certified Internal Auditor (CIA) | 2 |
| Certified Government Audit Professional (CGAP) | 1 |
| Certification in Risk Management Assurance (CRMA) | 3 |
| Certified Internal Control Auditor (CICA) | 3 |
| COSO ERM | 1 |
| COSO IC | 1 |
| Registry of Internal Auditors (Ministry of Finance in Greece) | 2 |
| Total | 14 |

| Qualifications relevant to Fraud detection and prevention | N |
|---|---|
| Association of Certified Fraud Examiners (ACFE) | 6 |
| Certified Global Sanctions Specialist Certification (CGSS) | 1 |
| Certified as an Anti-Money Laundering Specialist (CAMS) | 1 |
| Cert (ABC) | 7 |
| Total | |

| Other relevant qualifications | N |
|---|---|
| Association of Chartered Certified Accountants (ACCA) | 1 |
| Certified Management accountant (CMA) | 1 |
| CPA’s training Institute of Greece | 3 |
| Institute of Chartered Accountants in England and Wales (ICAEW) | 2 |
| Total | 7 |

Table 7. Compliance with Continuing Professional Requirements.

| Compliance with CPD Requirements | Antifraud Professionals | Lawyers | Total |
|---|---|---|---|
| Yes | 8 | 3 | 11 |
| No | 0 | 0 | 0 |

Table 8. Years of post-qualification experience.

| Post Qualification Experience in Years | Theorists | Antifraud Professionals | Lawyers | Total |
|---|---|---|---|---|
| 0–5 | 1 | 2 | 0 | 3 |
| 5–10 | 1 | 1 | 2 | 4 |
| 10–15 | 0 | 2 | 0 | 2 |
| 20–25 | 0 | 2 | 0 | 2 |
| 25+ | 0 | 1 | 1 | 2 |

Table 9. Ranking in the organization of primary occupation (antifraud professionals).

| Primary Occupation / Secondary Occupation | None | Internal Auditor | Fraud Examiner | External Auditor | Compliance Officer | Professor |
|---|---|---|---|---|---|---|
| Internal auditor | 1 | 0 | 1 | 0 | 1 | 1 |
| Fraud examiner | 1 | 1 | 0 | 0 | 0 | 0 |
| External auditor | 0 | 1 | 2 | 0 | 1 | 0 |

Table 10. Ranking in the organization of primary occupation (antifraud professionals).

| Position in the Organization of Primary Occupation | N |
|---|---|
| Partner | 2 |
| Head of department | 6 |

Table 11. Self-assessment of theorists and anti-fraud professionals.

| Self-Assessment of Theorists and Antifraud Professionals | Very High | High | None |
|---|---|---|---|
| Internal audit | 8 | 1 | 1 |
| Fraud detection and prevention | 10 | 0 | 0 |
| Whistleblowing | 10 | 0 | 0 |

4.3. Achievement of Consensus

Consensus does not mean absolute agreement. Usually, the consensus is assessed using 5- or 10-point Likert scales. However, even though the Delphi method aims to achieve the most reliable consensus, there is not yet a commonly accepted method or benchmark. The decision criteria usually involve the mean, median, interquartile range, coefficient, and variation; for this reason, considering more than one criterion has been suggested (Głuszek 2021). Lawshe’s Content Validity Ratio (CVR) was also considered in this study. According to this method, experts are asked to determine whether a component is «essential», «useful but not essential», or «not useful». The following formula gives the ratio.

CVR =

where n is the number of experts who indicate that the component is essential, and N is the total number of experts. CVR can range between −1 and 1. When most experts agree that an item is essential, the CVR is positive, and if there is total agreement, CVR will be equal to 1 (Lawshe 1975). The advantage of this criterion is that it provides a clear cut-off decision rule. However, this ratio ignores the useful components. That may be problematic for some organizations that may consider it necessary to include useful, but not necessary elements in their whistleblowing framework. To provide a maturity model of sufficient flexibility, consensus will be achieved where more than half of the respondents consider the suggested elements as «useful but not essential» and «essential», and their contribution will be depicted with lower relative importance.

5. Results and Discussion

5.1. 
First Round Questions The first round of questions was to record the competencies of the panel of experts, to ensure completeness in the competencies, and verify the appropriateness of the stages of the WBMM and their sequence. Specifically, in this round, experts were asked to assess the five maturity levels suggested; their sequence or identify other steps not considered initially and to highlight irrelevant steps. All experts agreed that the maturity levels are relevant and in the appropriate sequence, and no additional maturity level has been suggested. 5.2. Second-Round Questions In the second round of questions, experts were asked (a) to rank each of the elements as «essential», «useful but not essential», or «not useful», and (b) to propose additional elements not identified by the researchers. Table 12 summarizes the CVR results of the responses to the second-round questions. The results show that all components that are obligatory by the (Directive (EU) 2019/1937) are considered «essential». Those components are the «scope», «reporting channels», «ad- vice on reporting», «visibility, clarity, and completeness of information», «anti-retaliation», «confidentiality», and «professional training». This finding is also consistent to the maturity levels and their sequence, verified in the first stage. Adm. Sci. 2023, 13, 120 12 of 20 Table 12. Results of the CVR test. 
Decision n CVR CVR0.54 Scope Scope 13 0.85 Retain Corporate governance Overall Responsibility 13 0.69 Retain Assurance 13 0.69 Retain Corporate reporting 11 1.00 Reject Reporting mechanisms Anonymity 13 1.00 Retain Reporting channels 13 1.00 Retain Advice on reporting 13 1.00 Retain Visibility, clarity, and completeness of the information 13 1.00 Retain Protection Anti-retaliation 13 1.00 Retain Confidentiality 13 1.00 Retain Tone at the top Tone at the top 13 1.00 Retain Organizational culture Risk culture 13 0.85 Retain Ethical culture 13 0.85 Retain Learning culture 13 0.38 Reject Cultural differences 6 1.00 Reject Investigations Organizational Independence 13 0.85 Retain Investigation Protocols 13 0.69 Retain Professional training 13 1.00 Retain Risk prioritization 13 0.69 Retain Contribution to risk management 13 0.69 Retain Monitoring and review Monitoring on separate activities 13 0.69 Retain Assess whistleblowing during other assessments 13 0.85 Reject Moreover, in consistency with prior research, all experts (CVR = 1) agreed that the commitment from the top management is essential for the success of whistleblowing. Another significant finding is that the panel of experts agreed on the importance of the anonymous reports (CVR = 1) irrespectively whether it is required by the national leg- islation. Something that is consistent with the suggestions of (TI-NL 2019). In respect of the corporate governance, experts agreed (CVR = 0.69) that the ultimate responsibility for whistleblowing should be assigned to the top management, preferably to a non-executive di- rector or a committee consisted of non-executive directors and that assurance (CVR = 0.69) should be obtained. Regarding the cultural aspects of whistleblowing, consensus has been achieved in respect of the risk culture (CVR = 0.85) that will allow malpractices to be identified and the ethical culture that will allow them to be reported (CVR = 0.85). 
Learning culture was rejected based on the CVR test (CVR = 0.38). However, all experts agreed it is either essential (N = 9) or useful (N = 4). None of the experts considered it irrelevant. For this reason, the model has included it as an optional element. In contrast, cultural differences failed in both tests since the CVR was negative (CVR = −1.00), and fewer than half of the experts (N = 6) consider it «useful but not essential». As a result, cultural differences are excluded from the WBMM.

In respect of the investigation phase, experts agreed (CVR = 0.85) that organizational structure is essential to safeguard the objectivity and the impartiality. They also agreed that investigation protocols and risk prioritization enhance the outcomes of the investigations (CVR = 0.69) and (CVR = 0.69) respectively. Therefore, both elements are included in the WBMM as essential elements.

The experts also agreed that whistleblowing can contribute to the risk management (CVR = 0.69) and that its effectiveness shall be monitored through specifically designed assurance engagements (CVR = 0.69). However, considering the effectiveness of whistleblowing during other monitoring activities failed to pass both tests and is excluded from the WBMM, since the (CVR = −0.85) and most experts considered it irrelevant (N = 8).

Lastly, the «corporate reporting» failed to pass the CVR test (CVR = 0.38). None of the experts considered it essential. However, most of the experts considered it useful but not essential (N = 11) and only 2 (N = 2) as not useful; as a result, it will be included in the WBMM as an optional element.

After eliminating the elements of «cultural differences» and «monitoring whistleblowing during other activities», the remaining elements are distinguished into «essential» and «optional» based on the summing of votes technique (Dening et al. 2013; Sanderson et al. 2012), which is usually applied along with the Nominal Group Technique.
The Nominal Group Technique is also a consensus-seeking technique, with many similarities to the Delphi Method (Figure 2). Under this method, the scores from each participant for every component are summed. The relative importance is given from the formula:

$$\text{Relative importance} = \frac{\text{score for the item}}{\text{maximum points per group}}$$

Figure 2. Relative importance (essential and optional elements). Designed by the authors.

Table 13 presents the relative importance of each element of the WBMM if only the essential elements are included; Table 14 presents the relative importance if the learning culture is also included; Table 15 if the corporate reporting is included; and finally, Table 16 presents the relative importance of the elements of the WBMM if all essential and valuable elements are included.

Table 13. Table of relative importance if only the essential elements included.

| Element | Essential (3) | Useful but Not Essential (2) | Irrelevant (1) | Sum Scores | Relative Importance |
|---|---|---|---|---|---|
| Scope | 12 | 1 | 0 | 38 | 5.54% |
| Overall Responsibility | 11 | 2 | 0 | 37 | 5.39% |
| Assurance | 11 | 2 | 0 | 37 | 5.39% |
| Anonymity | 13 | 0 | 0 | 39 | 5.69% |
| Reporting channels | 13 | 0 | 0 | 39 | 5.69% |
| Advice on reporting | 13 | 0 | 0 | 39 | 5.69% |
| Visibility, clarity, and completeness of information | 13 | 0 | 0 | 39 | 5.69% |
| Anti-retaliation | 13 | 0 | 0 | 39 | 5.69% |
| Confidentiality | 13 | 0 | 0 | 39 | 5.69% |
| Tone at the top | 13 | 0 | 0 | 39 | 5.69% |
| Risk culture | 12 | 1 | 0 | 38 | 5.54% |
| Ethical culture | 12 | 1 | 0 | 38 | 5.54% |
| Organizational Independence | 12 | 1 | 0 | 38 | 5.54% |
| Investigation Protocols | 11 | 2 | 0 | 37 | 5.39% |
| Professional training | 13 | 0 | 0 | 39 | 5.69% |
| Risk prioritization | 11 | 2 | 0 | 37 | 5.39% |
| Contribution to risk management | 11 | 2 | 0 | 37 | 5.39% |
| Monitoring on separate engagements | 11 | 2 | 0 | 37 | 5.39% |
| Total | 12 | 1 | 0 | 686 | 100.00% |

Table 14. Table of relative importance—essential elements and learning culture.

| Element | Essential (3) | Useful but Not Essential (2) | Irrelevant (1) | Sum Scores | Relative Importance |
|---|---|---|---|---|---|
| Scope | 12 | 1 | 0 | 38 | 5.27% |
| Overall Responsibility | 11 | 2 | 0 | 37 | 5.13% |
| Assurance | 11 | 2 | 0 | 37 | 5.13% |
| Anonymity | 13 | 0 | 0 | 39 | 5.41% |
| Reporting channels | 13 | 0 | 0 | 39 | 5.41% |
| Advice on reporting | 13 | 0 | 0 | 39 | 5.41% |
| Visibility, clarity, and completeness of information | 13 | 0 | 0 | 39 | 5.41% |
| Anti-retaliation | 13 | 0 | 0 | 39 | 5.41% |
| Confidentiality | 13 | 0 | 0 | 39 | 5.41% |
| Tone at the top | 13 | 0 | 0 | 39 | 5.41% |
| Risk culture | 12 | 1 | 0 | 38 | 5.27% |
| Ethical culture | 12 | 1 | 0 | 38 | 5.27% |
| Organizational Independence | 12 | 1 | 0 | 38 | 5.27% |
| Investigation Protocols | 11 | 2 | 0 | 37 | 5.13% |
| Professional training | 13 | 0 | 0 | 39 | 5.41% |
| Risk prioritization | 11 | 2 | 0 | 37 | 5.13% |
| Contribution to risk management | 11 | 2 | 0 | 37 | 5.13% |
| Monitoring on separate engagements | 11 | 2 | 0 | 37 | 5.13% |
| Learning culture | 9 | 4 | 0 | 35 | 4.85% |
| Total | 12 | 1 | 0 | 721 | 100.00% |

Table 15. Table of relative importance—essential elements and corporate reporting.

| Element | Essential (3) | Useful but Not Essential (2) | Irrelevant (1) | Sum Scores | Relative Importance |
|---|---|---|---|---|---|
| Scope | 12 | 1 | 0 | 38 | 5.35% |
| Overall Responsibility | 11 | 2 | 0 | 37 | 5.21% |
| Assurance | 11 | 2 | 0 | 37 | 5.21% |
| Anonymity | 13 | 0 | 0 | 39 | 5.49% |
| Reporting channels | 13 | 0 | 0 | 39 | 5.49% |
| Advice on reporting | 13 | 0 | 0 | 39 | 5.49% |
| Visibility, clarity, and completeness of information | 13 | 0 | 0 | 39 | 5.49% |
| Anti-retaliation | 13 | 0 | 0 | 39 | 5.49% |
| Confidentiality | 13 | 0 | 0 | 39 | 5.49% |
| Tone at the top | 13 | 0 | 0 | 39 | 5.49% |
| Risk culture | 12 | 1 | 0 | 38 | 5.35% |
| Ethical culture | 12 | 1 | 0 | 38 | 5.35% |
| Organizational Independence | 12 | 1 | 0 | 38 | 5.35% |
| Investigation Protocols | 11 | 2 | 0 | 37 | 5.21% |
| Professional training | 13 | 0 | 0 | 39 | 5.49% |
| Risk prioritization | 11 | 2 | 0 | 37 | 5.21% |
| Contribution to risk management | 11 | 2 | 0 | 37 | 5.21% |
| Monitoring on separate engagements | 11 | 2 | 0 | 37 | 5.21% |
| Corporate reporting | 0 | 11 | 2 | 24 | 3.38% |
| Total | 12 | 1 | 0 | 710 | 100.00% |

Table 16. Table of relative importance—essential elements and corporate reporting and learning culture.

| Element | Essential (3) | Useful but Not Essential (2) | Irrelevant (1) | Sum Scores | Relative Importance |
|---|---|---|---|---|---|
| Scope | 12 | 1 | 0 | 38 | 5.10% |
| Overall Responsibility | 11 | 2 | 0 | 37 | 4.97% |
| Assurance | 11 | 2 | 0 | 37 | 4.97% |
| Anonymity | 13 | 0 | 0 | 39 | 5.23% |
| Reporting channels | 13 | 0 | 0 | 39 | 5.23% |
| Advice on reporting | 13 | 0 | 0 | 39 | 5.23% |
| Visibility, clarity, and completeness of information | 13 | 0 | 0 | 39 | 5.23% |
| Anti-retaliation | 13 | 0 | 0 | 39 | 5.23% |
| Confidentiality | 13 | 0 | 0 | 39 | 5.23% |
| Tone at the top | 13 | 0 | 0 | 39 | 5.23% |
| Risk culture | 12 | 1 | 0 | 38 | 5.10% |
| Ethical culture | 12 | 1 | 0 | 38 | 5.10% |
| Organizational Independence | 12 | 1 | 0 | 38 | 5.10% |
| Investigation Protocols | 11 | 2 | 0 | 37 | 4.97% |
| Professional training | 13 | 0 | 0 | 39 | 5.23% |
| Risk prioritization | 11 | 2 | 0 | 37 | 4.97% |
| Contribution to risk management | 11 | 2 | 0 | 37 | 4.97% |
| Monitoring on separate engagements | 11 | 2 | 0 | 37 | 4.97% |
| Learning culture | 9 | 4 | 0 | 35 | 4.70% |
| Corporate reporting | 0 | 11 | 2 | 24 | 3.22% |
| Total | 12 | 1 | 0 | 745 | 100.00% |

In summary, experts considered as essential not only the elements that derive directly from the (Directive (EU) 2019/1937), but also some elements that derive from best practices and are likely to make whistleblowing work as intended, for example, commitment from the top management, ethical culture and risk culture.

From the above-weighted factors and the performance in each component, organizations can have a score in each component and an overall score when the individual scores are amalgamated. For example, for an organization that assesses both the obligatory and the optional elements in its assessment and ranks in the second level of maturity in respect of the scope, the score will be 5.10% × = 0.0204 from the 0.051, which is the maximum for this element. Possible assessment criteria for external benchmarking may include mean, median, quartiles, and interquartile range.

However, there are some limitations to this study. One limitation is that the first two steps of developing maturity models have been validated while the third has not. That is partially compensated because, having verified the previous steps, it is not hard for organizations to follow a reasonable escalation from the lower to the highest level of maturity. Another limitation is that most experts derive from a single member state of the EU, and, likely, research on a larger scale and experts from other member states may be needed. Moreover, the suggested model does not assess the differences in the legal environment and the effectiveness of the judicial system. Although one of the aims of the Directive is to provide common minimum standards across the member states, there are substantial differences in the effectiveness of the judicial systems across the member states (World Justice Project 2022). In addition, the member states can extend the provision of the Directive into their national legislation. In addition, the proposed model does not address differentiations among industries, since some of them are highly regulated, or differentiations deriving from the different sizes of organizations.
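The two screening tests and the weighting described above, as an added example that is not from the article: it uses the standard Lawshe (1975) form CVR = (n_e − N/2)/(N/2), which reproduces the CVR column of Table 12, and takes the denominator of the relative-importance formula to be the sum of scores over the included elements, which reproduces the totals of Tables 13–16. The vote counts for the two excluded elements, the `>=` comparison against the 0.54 cut-off and the level/5 factor in the maturity score are assumptions inferred from the figures quoted in the text, and all function names are hypothetical.

```python
# Added example: Lawshe CVR screening and summing-of-votes weights.
CVR_CUTOFF = 0.54      # cut-off from the header of Table 12 (">=" is assumed)
POINTS = (3, 2, 1)     # essential, useful but not essential, irrelevant
MATURITY_LEVELS = 5    # the WBMM has five maturity levels

# Votes per element: (essential, useful but not essential, not useful).
# The first 20 rows are the response columns of Tables 13-16. The last two
# are not tabulated on the page; they are reconstructed from the CVR values
# and counts quoted in the text (assumption).
VOTES = {
    "Scope": (12, 1, 0),
    "Overall responsibility": (11, 2, 0),
    "Assurance": (11, 2, 0),
    "Anonymity": (13, 0, 0),
    "Reporting channels": (13, 0, 0),
    "Advice on reporting": (13, 0, 0),
    "Visibility, clarity, and completeness of information": (13, 0, 0),
    "Anti-retaliation": (13, 0, 0),
    "Confidentiality": (13, 0, 0),
    "Tone at the top": (13, 0, 0),
    "Risk culture": (12, 1, 0),
    "Ethical culture": (12, 1, 0),
    "Organizational independence": (12, 1, 0),
    "Investigation protocols": (11, 2, 0),
    "Professional training": (13, 0, 0),
    "Risk prioritization": (11, 2, 0),
    "Contribution to risk management": (11, 2, 0),
    "Monitoring on separate engagements": (11, 2, 0),
    "Learning culture": (9, 4, 0),
    "Corporate reporting": (0, 11, 2),
    "Cultural differences": (0, 6, 7),                            # reconstructed
    "Assess whistleblowing during other assessments": (1, 4, 8),  # reconstructed
}


def cvr(n_essential, n_experts=13):
    """Lawshe (1975) content validity ratio, from -1 to 1."""
    half = n_experts / 2
    return (n_essential - half) / half


def classify(votes):
    """Apply both tests: the CVR cut-off, then the majority rule."""
    essential, useful, _ = votes
    n = sum(votes)
    if cvr(essential, n) >= CVR_CUTOFF:
        return "essential"
    if essential + useful > n / 2:   # more than half say essential or useful
        return "optional"
    return "excluded"


def vote_score(votes):
    """Summing of votes: 3 points per essential, 2 per useful, 1 per irrelevant."""
    return sum(p * v for p, v in zip(POINTS, votes))


def relative_importance(optional=()):
    """Return (weights, total score) for essential plus chosen optional elements."""
    for name in optional:
        if classify(VOTES[name]) != "optional":
            raise ValueError(f"{name!r} is not an optional element")
    scores = {name: vote_score(v) for name, v in VOTES.items()
              if classify(v) == "essential" or name in optional}
    total = sum(scores.values())
    return {name: s / total for name, s in scores.items()}, total


def element_score(weight, level):
    """Weighted score of one element at a maturity level; level/5 is assumed."""
    if not 1 <= level <= MATURITY_LEVELS:
        raise ValueError(f"maturity level must be 1..{MATURITY_LEVELS}")
    return weight * level / MATURITY_LEVELS


def overall_score(levels, weights):
    """Sum of element scores; every weighted element needs an assessed level."""
    missing = sorted(set(weights) - set(levels))
    if missing:
        raise ValueError(f"no maturity level for: {missing}")
    return sum(element_score(w, levels[name]) for name, w in weights.items())


if __name__ == "__main__":
    for name, v in VOTES.items():
        print(f"{name:55s} CVR={cvr(v[0], sum(v)):+.2f}  {classify(v)}")
    weights, total = relative_importance(("Learning culture", "Corporate reporting"))
    print(f"total score {total}, Scope weight {weights['Scope']:.2%}")
    print(f"Scope at level 2: {element_score(weights['Scope'], 2):.4f}")
```
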
Finally, the suggested model provides objective criteria to antifraud professionals to provide assurance or consulting engagements. Assessing the implementation of the policy and if those criteria are met is the next stage of engagement, and it is not addressed in the model.

6. Conclusions

Despite the extensive research on the factors influencing reporting behavior and the effects of whistleblowing, there is limited research on the contribution of whistleblowing as an internal control, despite its importance as a preventive, entity-level internal control and one of the most effective anti-fraud measures. This study identified and assessed twenty-two elements related to whistleblowing based on expert opinions, out of which eighteen were considered essential for effective whistleblowing, while two were rejected and two were considered optional. Weightings were calculated for various combinations of essential and optional elements to create a suggested model that can help businesses understand their current performance and design responses to fully realize whistleblowing's potential. This model can also assist anti-fraud professionals in conforming to the code of ethics, definition, and standards of internal audit in their engagements, as well as facilitate internal and external benchmarking.

However, there are limitations to this research. Firstly, the expert panel consisted of members from a single member state of the European Union, which may limit the generalizability of the findings to other jurisdictions. Further research on a larger scale, encompassing multiple countries and regions, may be needed to validate the results and provide a more comprehensive understanding of whistleblowing as an internal control. Additionally, the suggested model should be tested and validated in real-world settings to assess its practical applicability and effectiveness.
Furthermore, as the regulatory landscape and business environment continue to evolve, future research should also consider the dynamic nature of whistleblowing and its implications for internal controls.

In future research, exploring the impact of cultural and contextual factors on whistleblowing as an internal control would be valuable. Different organizational cultures, legal frameworks, and societal norms may influence the effectiveness of whistleblowing practices, and studying these factors could provide valuable insights for organizations and policymakers. Additionally, the research can further investigate the relationship between whistleblowing and other internal controls, such as risk management and corporate governance, to better understand their interactions and synergies.

To conclude, while this study contributes to understanding whistleblowing as an internal control, further research is needed to address the limitations and explore the potential of whistleblowing in different contexts. This will provide valuable insights for organizations, policymakers, and anti-fraud professionals in designing and implementing effective whistleblowing practices as part of their internal control frameworks.

Author Contributions: Conceptualization, P.K. (Paschalis Kagias), N.S. and I.P.; methodology, P.K. (Paschalis Kagias), I.P. and P.K. (Panagiotis Kyriakogkonas); software, P.K. (Paschalis Kagias) and I.P.; validation, P.K. (Paschalis Kagias), A.G. and I.P.; formal analysis, P.K. (Paschalis Kagias), N.S. and I.P.; investigation, P.K. (Paschalis Kagias) and I.P.; resources, P.K. (Paschalis Kagias), A.G., I.P. and P.K. (Panagiotis Kyriakogkonas); data curation, P.K. (Paschalis Kagias), A.G., I.P. and P.K. (Panagiotis Kyriakogkonas); writing—original draft preparation, P.K. (Paschalis Kagias), N.S., I.P. and P.K. (Panagiotis Kyriakogkonas); writing—review and editing, P.K. (Paschalis Kagias), A.G. and I.P.; visualization, P.K. (Panagiotis Kyriakogkonas), A.G. and I.P.; supervision, P.K. (Paschalis Kagias), A.G. and I.P.; project administration, P.K. (Paschalis Kagias) and I.P. All authors have read and agreed to the published version of the manuscript.

Funding: This research received no external funding.

Institutional Review Board Statement: Not applicable.

Informed Consent Statement: Not applicable.

Data Availability Statement: Not applicable.

Conflicts of Interest: The authors declare no conflict of interest.

References

ACFE (Association of Certified Fraud Examiners), and Grant Thornton. 2020. Anti-Fraud Playbook. Available online: https://www.grantthornton.com.tr/globalassets/1.-member-firms/turkey/rapor-ve-aratrmalar/antifraud-playbook.pdf (accessed on 1 December 2022).
ACFE (Association of Certified Fraud Examiners). 2022. Occupational Fraud 2022. A Report to the Nations. Available online: https://legacy.acfe.com/report-to-the-nations/2022/ (accessed on 1 December 2022).
Alford, C. F. 2002. Whistleblowers: Broken Lives and Organizational Power. Austin: Cornell University Press.
Ayers, Susan, and Steven E. Kaplan. 2005. Wrongdoing by consultants: An examination of employees' reporting intentions. Journal of Business Ethics 57: 121–37.
Bechtoldt, Myriam N., and Kathrin D. Schmitt. 2010. It's not my fault, it's theirs: Explanatory style of bullying targets with unipolar depression and its susceptibility to short-term therapeutical modification. Journal of Occupational and Organizational Psychology 83: 395–417.
Becker, Jörg, Ralf Knackstedt, and Jens Pöppelbuß. 2009. Developing maturity models for IT management: A procedure model and its application. Business & Information Systems Engineering 1: 213–22.
Berry, Benisa. 2004. Organizational culture: A framework and strategies for facilitating employee whistleblowing. Employee Responsibilities and Rights Journal 16: 1–11.
Bjørkelo, Brita. 2013. Workplace bullying after whistleblowing: Future research and implications. Journal of Managerial Psychology 28: 306–23.
CIIA (Chartered Institute of Internal Auditors). 2014. Whistleblowing and Corporate Governance. In The Role of Internal Audit in Whistleblowing. London: Chartered Institute of Internal Auditors.
Culiberg, Barbara, and Katarina Katja Mihelič. 2017. The evolution of whistleblowing studies: A critical review and research agenda. Journal of Business Ethics 146: 787–803.
Cyphert, Frederick R., and Walter L. Gant. 1971. The Delphi technique: A case study. Phi Delta Kappan 52: 272–73.
De Bruin, Tonia, Michael Rosemann, Ronald Freeze, and Uday Kaulkarni. 2005. Understanding the main phases of developing a maturity assessment model. In Australasian Conference on Information Systems (ACIS). Brisbane: Brisbane Australasian Chapter of the Association for Information Systems, pp. 8–19.
Dening, Karen H., Louise Jones, and Elizabeth L. Sampson. 2013. Preferences for end-of-life care: A nominal group study of people with dementia and their family carers. Palliative Medicine 27: 409–17.
Directive (EU). 2019. Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the Protection of Persons Who Report Breaches of Union Law. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937 (accessed on 1 December 2022).
Dworkin, Terry Morehead, and Melissa S. Baucus. 1998. Internal vs. external whistleblowers: A comparison of whistleblowering processes. Journal of Business Ethics 17: 1281–98.
Głuszek, Ewa. 2021. Use of the e-Delphi method to validate the corporate reputation management maturity model (CR3M). Sustainability 13: 12019.
GRI (Global Reporting Initiative). 2018. GRI 102: General Disclosures 2016. Amsterdam: Global Reporting Initiative.
Greene, Annette D., and Jean Kantambu Latting. 2004. Whistle-blowing as a form of advocacy: Guidelines for the practitioner and organization. Social Work 49: 219–30.
Henik, Erika. 2015. Understanding whistle-blowing: A set-theoretic approach. Journal of Business Research 68: 442–50.
Hersh, Marion A. 2002. Whistleblowers—Heroes or traitors?: Individual and collective responsibility for ethical behaviour. Annual Reviews in Control 26: 243–62.
Hohmann, Erik, Jefferson C. Brand, Michael J. Rossi, and James H. Lubowitz. 2018. Expert opinion is necessary: Delphi panel methodology facilitates a scientific approach to consensus. Arthroscopy: The Journal of Arthroscopic & Related Surgery 34: 349–51.
ICAEW (Institute of Chartered Accountants in England and Wales). 2019. How Whistleblowing Helps Companies. Available online: https://www.icaew.com/technical/corporate-governance/committees/corporate-culture/culture-articles/how-whistleblowing-helps-companies#:~:text=Whistleblowing%20is%20central%20to%20a,ICAEW%20chief%20executive%20Michael%20Izza (accessed on 5 October 2022).
IIA (The Institute of Internal Auditors). 2013. Selecting, using, and creating maturity models. In A Tool for Assurance and Consulting Engagements. Lake Mary: The Institute of Internal Auditors.
IIA (The Institute of Internal Auditors). 2017. International Standards for the Professional Practice of Internal Auditing. Standard 2210.A3. Lake Mary: The Institute of Internal Auditors.
IIA (The Institute of Internal Auditors). 2019. Internal Audit Capability Model (IA-CM) For the Public Sector. Lake Mary: The IIA Research Foundation.
IIAA (The Institute of Internal Auditors Australia). 2021. Auditing Risk Culture: Practical Guide. Available online: https://www.iia.org.au/sf_docs/default-source/technical-resources/iia_auditing-risk-culture-guide-fa.pdf?sfvrsn=4 (accessed on 16 December 2022).
IOS (International Organization for Standardization). 2021. Whistleblowing Management Systems—Guidelines. ISO 37002:2021. Available online: https://www.iso.org/standard/65035.html (accessed on 1 December 2022).
Kaptein, Muel. 2011. From inaction to external whistleblowing: The influence of the ethical culture of organizations on employee responses to observed wrongdoing. Journal of Business Ethics 98: 513–30.
Kittell-Limerick, Patricia. 2005. Perceived Barriers to Completion of the Academic Doctorate: A Delphi Study. Commerce: Texas A&M University-Commerce.
KPMG. 2013. Transforming Internal Audit: A Maturity Model from Data Analytics to Continuous Assurance. Available online: https://assets.kpmg.com/content/dam/kpmg/pdf/2015/09/ch-pub-20150922-transforming-internal-audit-maturity-model-en.pdf (accessed on 1 December 2022).
Kreiner, Barbara, Christoph Sulyok, and Hans-Bernd Rothenhäusler. 2008. Does mobbing cause posttraumatic stress disorder? Impact of coping and personality. Neuropsychiatrie: Klinik, Diagnostik, Therapie und Rehabilitation: Organ der Gesellschaft Osterreichischer Nervenarzte und Psychiater 22: 112–23.
Lawshe, Charles H. 1975. A quantitative approach to content validity. Personnel Psychology 28: 563–75.
Linstone, Harold A., and Murray Turoff, eds. 1975. The Delphi Method. Reading: Addison-Wesley.
Martinek-Jaguszewska, Klaudia, and Waldemar Rogowski. 2022. Development and Validation of the Business Process Automation Maturity Model: Results of the Delphi Study. Information Systems Management 2022: 1–17.
Miceli, Marcia P., Janelle B. Dozier, and Janet P. Near. 1987. Personal and Situational Determinants of Whistleblowing. Paper presented at the Meeting of the Academy of Management, New Orleans, LA, USA, November 1.
Miceli, Marcia P., Janet P. Near, and Charles R. Schwenk. 1991. Who blows the whistle and why? ILR Review 45: 113–30.
Murphy, M. K., N. A. Black, D. L. Lamping, C. M. McKee, C. F. Sanderson, J. Askham, and T. Marteau. 1998. Consensus development methods, and their use in clinical guideline development. Health Technology Assessment 2: i-88.
Near, Janet P., and Marcia P. Miceli. 1985. Organizational dissidence: The case of whistle-blowing. Journal of Business Ethics 4: 1–16.
OECD. 2019a. Tax Compliance Burden Maturity Model. Available online: https://www.oecd.org/tax/forum-on-tax-administration/publications-and-products/tax-compliance-burden-maturity-model.htm (accessed on 2 January 2023).
OECD. 2019b. Tax Debt Management Maturity Model. Available online: https://www.oecd.org/tax/forum-on-tax-administration/publications-and-products/tax-debt-management-maturity-model.htm (accessed on 2 January 2023).
OECD. 2020. Tax Crime Investigation Maturity Model. Available online: https://www.oecd.org/tax/crime/tax-crime-investigation-maturity-model.htm (accessed on 2 January 2023).
OECD. 2021. Enterprise Risk Management Maturity Model. Available online: https://www.oecd.org/tax/forum-on-tax-administration/publications-and-products/enterprise-risk-management-maturity-model.htm (accessed on 2 January 2023).
OECD. 2022. Tax Administration Maturity Model Series Analytics Maturity Model. Available online: https://www.oecd.org/tax/forum-on-tax-administration/publications-and-products/analytics-maturity-model.htm (accessed on 2 January 2023).
Ono, Ryota, and Dan J. Wedemeyer. 1994. Assessing the validity of the Delphi technique. Futures 26: 289–304.
Painter-Morland, Mollie. 2010. Questioning corporate codes of ethics. Business Ethics: A European Review 19: 265–79.
PCBS (Parliamentary Commission on Banking Standards). 2013. Available online: https://www.parliament.uk/globalassets/documents/banking-commission/Banking-final-report-volume-i.pdf (accessed on 16 December 2022).
PCW (Public Concern at Work). 2013. Report on the Effectiveness of Existing Arrangements for Workplace Whistleblowing in the UK. London: Public Concern at Work.
Ravishankar, Lilanthi. 2003. Encouraging Internal Whistleblowing in Organizations. Available online: https://www.scu.edu/ethics/publications/submitted/whistleblowing.html (accessed on 11 November 2022).
Sanderson, Tessa, Sarah Hewlett, Pam Richards, Marianne Morris, and Michael Calnan. 2012. Utilizing qualitative data from nominal groups: Exploring the influences on treatment outcome prioritization with rheumatoid arthritis patients. Journal of Health Psychology 17: 132–42.
Schmidt, Chris. 2020. Why risk management frameworks fail to prevent wrongdoing. The Learning Organization 27: 133–45.
Tavakoli, A. Assad, John P. Keenan, and Biljana Cranjak-Karanovic. 2003. Culture and whistleblowing an empirical study of Croatian and United States managers utilizing Hofstede's cultural dimensions. Journal of Business Ethics 43: 49–64.
The Guardian. 2010. The Man Who Blew the Whistle on Bernard Madoff. Available online: https://www.theguardian.com/business/2010/mar/24/bernard-madoff-whistleblower-harry-markopolos (accessed on 16 December 2022).
TI-NL (Transparency International Netherland). 2019. Whistleblowing Frameworks 2019. In Assessing Companies in Trade, Industry, Finance, and Energy in the Netherlands. Amsterdam: Transparency International Netherland.
Tsahuridu, Eva E., and Wim Vandekerckhove. 2008. Organisational whistleblowing policies: Making employees responsible or liable? Journal of Business Ethics 82: 107–18.
Turoff, Murray, and Harold A. Linstone. 2002. The Delphi Method-Techniques and Applications. Boston: Addison Wesley Publishing Company.
Turoff, Murray, and Starr Roxanne Hiltz. 1996. Computer based Delphi processes. In Gazing into the Oracle: The Delphi Method and Its Application to Social Policy and Public Health. London: Jessica Kingsley Publishers, pp. 56–85.
World Justice Project. 2022. The 2022 WJP Rule of Law Index. Available online: https://worldjusticeproject.org/rule-of-law-index/ (accessed on 12 April 2023).
Worth, Mark. 2013. Whistleblowing in Europe: Legal protections for whistleblowers in the EU. Transparency International Secretariat 2013: 91–111.
Zhuang, Jinyun, Stuart Thomas, and Diane L. Miller. 2005. Examining culture's effect on whistle-blowing and peer reporting. Business & Society 44: 462–86.

Disclaimer/Publisher's Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Journal

Administrative Sciences, Multidisciplinary Digital Publishing Institute

Published: Apr 29, 2023

Keywords: whistleblowing; EU Directive 1937; benchmarking; internal audit; ESG
