ASIC Report 827: what the whistleblower questionnaire findings mean for Australian companies in 2026

On 4 December 2025, the Australian Securities and Investments Commission published Report 827, Insights from the ASIC whistleblower questionnaire: July 2024 to June 2025. It is the first time the regulator has systematically benchmarked how Australian companies actually run their whistleblower programs. The report is short on rhetoric and long on numbers, which is what makes it useful. The numbers tell a clear story: most listed and large proprietary companies have a policy on paper, far fewer have a program in practice, and a small minority do almost all the work.
The findings will shape how ASIC approaches whistleblower compliance through 2026 and beyond. ASIC has now publicly stated it will directly contact companies whose practices fall short of the report's benchmarks and will increase ongoing monitoring of policy effectiveness, not just policy existence. Boards, audit and risk committees, compliance leads, and general counsel all have homework to do.
What follows is a walk through the report's specific findings, the legal framework they sit inside, the gap between policy and practice the regulator has now formally documented, and a practical action list for the next few months. Statutory references throughout are to the Corporations Act 2001 (Cth) Part 9.4AAA and ASIC Regulatory Guide 270.
TL;DR
- ASIC Report 827 (published 4 December 2025) surveyed 134 Australian companies across 18 industries on their whistleblower policies and practices for the period July 2024 to June 2025. It is the regulator's first benchmarking exercise of its kind.
- Across the 134 entities, respondents reported 8,095 whistleblower disclosures with an average investigation time of 49 days. About 69 per cent of disclosures came in through a dedicated whistleblower web page or hotline. Roughly 24 per cent of investigated in-scope disclosures were ultimately substantiated.
- Disclosures are heavily concentrated. Just 13 entities (around 10 per cent of the sample) accounted for approximately 74 per cent of all disclosures received. About 22 per cent of surveyed companies reported receiving no disclosures at all over the year.
- The biggest gaps ASIC flagged: more than one-third of entities did not provide a dedicated whistleblower web page, around a quarter did not provide regular staff training, more than half had not sought employee feedback on the program in the previous year, and 30 per cent did not regularly review program effectiveness.
- Concerns about whistleblower mistreatment are not theoretical. 24 of the 134 surveyed companies (18 per cent) had at least one report raising mistreatment concerns. Among companies that had received any in-scope reports, the figure rises to about 28 per cent (24 of 75).
- The report does not change the law. The legal baseline remains s1317AI of the Corporations Act 2001 (Cth), and the supporting expectations are set out in ASIC Regulatory Guide 270. What Report 827 does is tell companies how the regulator now expects to assess compliance, against benchmarks rather than just policy text.
Key takeaways
- ASIC has moved from "do you have a policy?" to "is the policy doing anything?" If your last whistleblower policy review focused on the document itself, the next one should focus on the program: training cadence, channel usage, investigation times, board reporting, and how the organisation tests whether workers actually trust the system.
- A program with zero disclosures over a year is not a sign of a clean culture. ASIC says it should prompt directors to ask whether workers know about the channel, whether they have confidence in it, and whether anonymous options are genuinely available.
- A dedicated whistleblower web page is now the regulator's clear expectation, not an optional extra. The same applies to the ability for an anonymous discloser to maintain two-way contact with the company through the investigation.
- Senior management and the board should be receiving structured reporting on disclosures, investigations, outcomes, and any retaliation concerns. Without that, oversight is nominal.
- Public companies, large proprietary companies, and corporate trustees of registrable superannuation entities all carry the s1317AI policy obligation. Failure to comply is a strict liability offence carrying 60 penalty units (currently $19,800 at the $330 Commonwealth penalty unit value; the value applies until 30 June 2026 with the next indexation on 1 July 2026 under s 4AA of the Crimes Act 1914 (Cth)).
What ASIC Report 827 actually contains
Report 827 is the published output of an ASIC questionnaire sent to 134 Australian companies covering the financial year 1 July 2024 to 30 June 2025. The sample spans 18 industries. The report walks through what the surveyed entities reported about their whistleblower program governance, channel design, training, investigation practices, retaliation safeguards, and review processes, then sets those self-reports against ASIC's expectations under the Corporations Act and Regulatory Guide 270.
The data in the report is self-reported, not independently audited. ASIC is candid about that limitation. Some respondents will have presented their programs in the most favourable light available, which means the gaps the report flags should be read as a floor on the actual problem, not a ceiling.
The report is paired with media release 25-294MR. ASIC Commissioner Alan Kirkland framed the findings this way: "Whistleblowers play a crucial role in identifying and exposing misconduct that can harm customers, shareholders, companies and the broader community. Without effective policies and programs to encourage whistleblowers to come forward, misconduct may otherwise go unreported and undetected."
The report is not a regulatory guide and does not change the law. It sits alongside ASIC's existing guidance, including Regulatory Guide 270 Whistleblower policies (issued November 2019) and Report 758, and it tells the market how the regulator currently weighs the evidence of whether a program is working.
If you want the foundational legal framework rather than just the practice benchmark, see our companion guide on Corporations Act whistleblower protections and the broader whistleblower protection in Australia overview.
The headline numbers
Five numbers carry most of the weight in Report 827.
8,095 disclosures across 134 companies in one year. That is the topline volume. It sounds like a lot until you set it against the population: 134 of Australia's largest entities, employing many hundreds of thousands of workers between them, generated about 8,000 protected disclosures over twelve months. Most workers in most years still do not raise concerns through the formal channel.
49 days average investigation time. Whether 49 days is good depends on how you measure. For a complex fraud or harassment investigation, six to seven weeks is brisk. For a simpler disclosure that needed routing to the right team and a confirmation back to the discloser, 49 days is slow. ASIC does not pick a target number; it leaves boards to judge whether their own averages are defensible against the type and complexity of the cases they handle.
69 per cent of disclosures came in via a dedicated web page or hotline. Workers prefer structured, distinct channels when they exist. The remaining 31 per cent flowed in through email, in-person conversation with managers, HR intake, or other ad-hoc routes. Each of those routes lacks the audit trail and routing of a dedicated channel, which is why ASIC keeps coming back to web page and hotline coverage as a baseline expectation.
24 per cent of investigated in-scope disclosures were substantiated. "In-scope" means the disclosure met the Part 9.4AAA threshold (misconduct, or an improper state of affairs, in relation to the regulated entity, made by an eligible whistleblower to an eligible recipient under s1317AA). Roughly one in four investigated in-scope disclosures led to a finding of substantiated wrongdoing. ASIC frames that as a useful signal of program function: surveyed companies are following concerns through to a finding rather than receiving them and quietly closing them out.
13 entities accounted for around 74 per cent of disclosures. This is the finding that gets the least attention and matters the most. About one in ten of the surveyed companies absorbed roughly three-quarters of the total disclosure flow. The other 121 entities, between them, generated about a quarter. Twenty-two per cent reported receiving no disclosures at all over the full year.
ASIC's reading of the concentration finding is that it is far more likely to indicate channel under-use than corporate virtue. A board sitting on a "zero disclosures" annual report should ask three questions before celebrating: Do workers know the channel exists? Do they trust it? And is there an anonymous, low-friction option that does not require a worker to identify themselves to a manager they may not trust?
Where the gaps are
The report identifies four practice gaps that recur across companies of every size.
Dedicated whistleblower web pages. More than one-third of surveyed entities did not provide one. A web page is the single most accessible point of formal entry for a worker thinking about disclosing, and it is the channel the surveyed companies most commonly attributed disclosures to. Without it, the policy is in a PDF on the intranet and the channel is a manager's email address.
Regular staff training. Around 25 per cent of companies did not provide regular training to staff on the whistleblower program. ASIC reads training as a leading indicator, since it is one of the few program elements a company controls completely and one of the few that workers reliably remember. A program that exists but is not actively communicated tends not to get used.
Employee feedback on the program. More than half had not sought feedback from employees in the previous year on how the program was designed or how it operated. This is the closest the report comes to an opinion on culture: a program that has never asked workers what they think of it is unlikely to be earning their trust.
Regular review of program effectiveness. Thirty per cent of surveyed companies did not regularly review whether the program was working. Without that review cycle, problems compound: training falls out of date, channels stagnate, retaliation safeguards drift.
The four gaps are connected. A program without a dedicated web page tends to lack training that points workers at it. A program without training tends not to ask for feedback. A program that does not seek feedback rarely gets reviewed for effectiveness. The pattern that recurs in the data is of programs designed once, blessed by the board at adoption, and left alone for years.
The mistreatment finding
The single hardest finding in Report 827 to read past is the figure on whistleblower mistreatment.
24 of the 134 surveyed companies (about 18 per cent) reported at least one disclosure that raised concerns about whistleblower mistreatment over the survey year. When ASIC narrowed the calculation to companies that had received any in-scope reports at all, the figure rose to roughly 28 per cent (24 of 75).
That is not a marginal number. Around one in five surveyed companies had at least one allegation that the company had handled a whistleblower badly. Among companies actually receiving disclosures, roughly one in four. The mistreatment finding is the most direct evidence in the report that the legal protection regime, on paper since 1 July 2019 in its current form under the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, is not yet matching practice.
Mistreatment is the precise harm the Corporations Act regime was strengthened in 2019 to prevent. Sections 1317AC and 1317AD make it a contravention to cause detriment to a discloser, with penalties that escalate quickly: civil penalties up to 5,000 penalty units (approximately $1.65 million at the current $330 Commonwealth penalty unit value) for an individual, and up to 50,000 penalty units (approximately $16.5 million), three times the benefit derived, or 10 per cent of annual turnover (capped at 2.5 million penalty units) for a body corporate.
ASIC's first whistleblower retaliation civil penalty case, ASIC v TerraCom Ltd (No 3) [2025] FCA 1017, concluded on 26 August 2025 when the Federal Court (Justice Jackman) ordered a $7.5 million penalty plus $1 million in costs after TerraCom admitted contraventions. The penalty represented roughly 30 per cent of the maximum (~$24.49 million, calculated as 10 per cent of TerraCom's annual turnover for the 12 months to February 2020). That outcome and the timing of Report 827 are not unrelated. The regulator is signalling, with both data and enforcement, that whistleblower retaliation is a live risk and that companies cannot rely on policy text alone to manage it.
For a deeper walk-through of the protections in question, see Corporations Act whistleblower protections, and for the practical investigation pathway that minimises retaliation risk, see our guide to dealing with workplace misconduct.
What listed and large proprietary entities have to do
The legal baseline has not moved. Public companies and large proprietary companies still have to maintain a whistleblower policy that meets s 1317AI of the Corporations Act, in force since 1 January 2020. What Report 827 changes is how the regulator now expects to see that policy translated into a working program. Three things are worth restating because the report makes them more enforceable in practice.
Who carries the s1317AI policy obligation. Public companies, large proprietary companies, and proprietary companies that are corporate trustees of registrable superannuation entities. A "large proprietary company" is defined in s 45A of the Corporations Act 2001 (Cth) as one that satisfies at least two of: consolidated revenue of $50 million or more for the financial year, consolidated gross assets of $25 million or more at the end of the financial year, and 100 or more employees at the end of the financial year. These thresholds were set by the Corporations Amendment (Proprietary Company Thresholds) Regulations 2019 (commenced 1 July 2019) and have been unchanged since.
What the policy must contain. Section 1317AI(5) requires the policy to set out: information about the protections available to whistleblowers (including under Part 9.4AAA); information about who can receive protected disclosures and how; information about how the company will support whistleblowers and protect them from detriment; information about how disclosures will be investigated; information about how the company will ensure fair treatment of employees mentioned in or related to disclosures; and information about how the policy will be made available to officers and employees.
What ASIC expects beyond the statutory minimum. Regulatory Guide 270, issued in November 2019, sets out ASIC's view of how a compliant policy should look in practice. Report 827 is the operational evidence of how that policy should translate into a working program: a dedicated reporting channel, staff training delivered on a regular cycle rather than once at adoption, an investigation workflow with documented timelines and decisions, anonymous two-way communication where requested, retaliation safeguards that are actively tracked, and senior management and board oversight of disclosures, outcomes, and any mistreatment concerns.
Failure to comply with the policy obligation is a strict liability offence under s1317AI(4), with a penalty of 60 penalty units (currently $19,800 at the $330 Commonwealth penalty unit value, indexed each financial year). The dollar exposure of non-compliance with the policy obligation alone is small; the dollar exposure of mishandling a discloser, given the s1317AD penalty levels, is much larger.
The gap between policy and practice
Read together, the findings tell a consistent story. Most surveyed entities had a policy. Far fewer had the operational scaffolding that makes the policy useful: a discoverable channel, training that workers can recall, a feedback mechanism, a review cadence, and visible board oversight. The regulator sees the gap and is not pretending it does not exist.
Two structural factors keep the gap open.
The first is that whistleblower programs sit awkwardly across functions. Compliance owns the policy. People and culture often own training. Legal handles disclosures of certain types. Internal audit reviews the program. Risk reports to the board. When five functions own bits of one program, none of them owns the whole. Report 827's emphasis on regular review and visible accountability is a direct response to that fragmentation.
The second is that the program only generates feedback when something has gone wrong. A board that hears nothing about whistleblower disclosures concludes, reasonably enough, that there is nothing to hear. The Report 827 concentration finding (74 per cent of disclosures sit with 10 per cent of companies) suggests that "nothing to hear" usually means "the channel is not being used", not "everything is fine". That distinction is the one ASIC is now asking directors to make on the record.
Practical action list for 2026
Six actions sit at the top of most boards' lists after Report 827. None of them require new technology by default; all of them are easier with the right platform.
1. Re-confirm the policy meets s1317AI(5) and reflects the 2019 amendments. If the last substantive review was before 1 January 2020, the policy almost certainly does not. RG 270 is the gap-test reference. A policy that pre-dates RG 270 should be rewritten, not patched.
2. Make sure there is a discoverable, dedicated reporting channel. A web page accessible from the homepage, plus a hotline if appropriate, plus a mobile-friendly path for workers without desktop access. The "more than one-third had no dedicated web page" finding is the single fastest gap to close.
3. Confirm anonymous disclosures can be received and supported through the full lifecycle. Genuine anonymity (no IP logging, no device fingerprints, no metadata that lets the discloser be identified later) and two-way communication that lets the company ask follow-up questions without forcing the discloser to identify themselves. Without two-way contact, anonymous channels collect signals the company cannot act on.
4. Schedule training as a recurring obligation. Every new starter, plus an annual refresh for everyone, plus targeted training for senior managers, eligible recipients, and case handlers. ASIC has flagged the 25 per cent training gap, and training is a leading indicator the regulator can easily test organisations against.
5. Run a feedback cycle at least annually. A short, anonymous staff survey on awareness of the program, confidence in its handling, and willingness to use it produces the data the board now needs to demonstrate oversight. The "more than half had not sought feedback" finding is a direct invitation for a regulator to ask why.
6. Build the board pack. Volume of disclosures, channels used, in-scope vs out-of-scope split, average and longest investigation times, substantiation rate, retaliation concerns received and how they were handled, training completion rate, employee awareness survey results. The Aged Care Quality and Safety Commission, APRA, and ASIC are all moving towards expecting this level of structured oversight reporting. The data is much easier to assemble from a dedicated case management platform than from spreadsheets.
For more on the operational design of speak-up channels, see the advantages and disadvantages of anonymous reporting and how an ethics hotline fits the broader speak-up program. On the program design layer, ISO 37002:2021 is the international standard for whistleblowing management systems and is closely aligned with what RG 270 and Report 827 are now asking for.
How this connects to the existing Part 9.4AAA framework
Report 827 sits inside a regulatory architecture that has been building since 2019. Five reference points are worth remembering.
The 2019 amendments. The Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 commenced on 1 July 2019 and substantially rewrote Part 9.4AAA of the Corporations Act 2001 (Cth). The amendments expanded the class of eligible whistleblowers, broadened the definition of disclosable conduct, strengthened identity confidentiality, raised civil penalties for retaliation, and introduced the s1317AI policy obligation for public and large proprietary companies (in force from 1 January 2020).
Regulatory Guide 270. Issued by ASIC in November 2019 to support implementation of the s1317AI policy obligation. RG 270 is the regulator's view on what a compliant whistleblower policy should contain, how it should be communicated, and how disclosures should be investigated. It remains the operative guidance.
Report 758 (predecessor benchmarking). Issued earlier in ASIC's whistleblower program of work. Report 827 builds on Report 758 by drawing on a structured questionnaire rather than a sample review of policies.
The TerraCom retaliation case. ASIC v TerraCom Ltd (No 3) [2025] FCA 1017 concluded on 26 August 2025 when the Federal Court (Justice Jackman) ordered a $7.5 million penalty plus $1 million in costs after TerraCom admitted contraventions for retaliating against a whistleblower. It is the first successful civil penalty action by ASIC under the strengthened retaliation provisions and a clear signal that the regulator is willing to use them.
The Parliamentary Joint Committee inquiry and the current reform pipeline. The 2017 Parliamentary Joint Committee on Corporations and Financial Services inquiry into whistleblower protections produced 35 recommendations; the Government's April 2019 response delivered the corporate-sector reforms now embedded in Part 9.4AAA. Reform of the parallel public-sector regime is now under way: in September 2025 the Albanese Government announced re-commencement of consultation on the Public Interest Disclosure Act 2013 framework, and the Public Interest Disclosure and Other Legislation Amendment (Whistleblower Protections) Bill 2025 is before Parliament. Further corporate-sector reform from Treasury (additional changes to Part 9.4AAA) remains less defined.
The architecture is now mature enough that the legal baseline (Corporations Act + RG 270), the enforcement signal (TerraCom), and the program-level expectation (Report 827) line up. A board that is clear on all three has a defensible position. A board that has only the policy text is exposed.
For a comprehensive walk through Part 9.4AAA's protections, including who is an eligible whistleblower, what counts as disclosable conduct, and the specific remedies for retaliation, see Corporations Act whistleblower protections.
How Elker fits in
Elker is a speak-up and case management platform built for organisations handling sensitive disclosures, including the Part 9.4AAA disclosures that Report 827 was concerned with. The platform pairs secure multi-channel intake (a dedicated web page accessible to workers, a hotline option, mobile-friendly forms, and email aliases) with a comprehensive case management workflow that takes a disclosure through triage, investigation, decision, communication, and board-level reporting.
Anonymity is genuine: no IP logging, no device fingerprinting, no retained metadata that could be used to reconstruct a discloser's identity later. Two-way anonymous messaging lets case handlers ask follow-up questions without forcing the discloser to identify themselves, which is the capability the surveyed companies most often lacked.
For the board pack ASIC now effectively expects, Elker produces aggregate analytics on disclosure volumes, channels, in-scope vs out-of-scope routing, investigation timelines, substantiation rates, training completion, retaliation concerns, and employee awareness signals. Cybersecurity, information security, and granular access controls are designed into every layer of the platform following secure-by-design and privacy-by-design principles. Elker is ISO 27001 certified and SOC 2 attested.
For more, see the whistleblowing platform page, the case management software page, or the broader speak-up platform overview. For a comparison of platform categories and what to look for in a tender, see our case management software guide.
Sources and further reading
ASIC primary sources
- Australian Securities and Investments Commission, Report 827: Insights from the ASIC whistleblower questionnaire: July 2024 to June 2025 (4 December 2025). Landing page: https://www.asic.gov.au/regulatory-resources/find-a-document/reports/rep-827-insights-from-the-asic-whistleblower-questionnaire-july-2024-to-june-2025/ Report PDF: https://download.asic.gov.au/media/hr1dcbnq/rep827-published-4-december-2025.pdf Retrieved 30 April 2026.
- Australian Securities and Investments Commission, media release 25-294MR, ASIC calls on Australian companies to adopt better practices to protect whistleblowers (4 December 2025). https://www.asic.gov.au/about-asic/news-centre/find-a-media-release/2025-releases/25-294mr-asic-calls-on-australian-companies-to-adopt-better-practices-to-protect-whistleblowers/ Retrieved 30 April 2026.
- Australian Securities and Investments Commission, Regulatory Guide 270: Whistleblower policies (November 2019). https://www.asic.gov.au/regulatory-resources/find-a-document/regulatory-guides/rg-270-whistleblower-policies/ Retrieved 30 April 2026.
- Australian Securities and Investments Commission, media release 25-179MR, TerraCom to pay $7.5 million after ASIC whistleblower action (2025). https://www.asic.gov.au/about-asic/news-centre/find-a-media-release/2025-releases/25-179mr-terracom-to-pay-7-5-million-after-asic-whistleblower-action/ Retrieved 30 April 2026.
Statutory references
- Corporations Act 2001 (Cth) Part 9.4AAA (whistleblower protections), in particular ss 1317AA, 1317AAA, 1317AAD, 1317AC, 1317AD, 1317AE, and 1317AI. https://www5.austlii.edu.au/au/legis/cth/consol_act/ca2001172/
- Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Cth).
Industry commentary (consulted for context only; reader should always rely on primary sources)
- Herbert Smith Freehills Kramer, ASIC Report 827 on whistleblowing practices of 134 surveyed companies: how does your company stack up? (December 2025). https://www.hsfkramer.com/insights/2025-12/asic-report-827-on-whistleblowing-practices-of-134-surveyed-companies Retrieved 30 April 2026.
- Clayton Utz, ASIC's expectations for whistleblower programs: critical findings from its recent whistleblower survey and next steps for Australian corporates in 2026 (March 2026). https://www.claytonutz.com/insights/2026/march/asics-expectations-for-whistleblower-programs-critical-findings-from-its-recent-whistleblower-survey-and-next-steps-for-australian-corporates-in-2026 Retrieved 30 April 2026.
- DLA Piper, ASIC calls on Australian companies to adopt better practices to protect whistleblowers (December 2025). https://knowledge.dlapiper.com/dlapiperknowledge/globalemploymentlatestdevelopments/2025/asic-calls-on-australian-companies-to-adopt-better-practices-to-protect-whistleblowers Retrieved 30 April 2026.
- Insurance Business Australia, ASIC urges companies to review whistleblower programs (December 2025). https://www.insurancebusinessmag.com/au/news/breaking-news/asic-urges-companies-to-review-whistleblower-programs-558971.aspx Retrieved 30 April 2026.
International standards
- ISO 37002:2021, Whistleblowing management systems guidelines. https://www.iso.org/standard/65035.html
This guide is general information about the law and ASIC's findings; it is not legal advice. Boards and compliance teams considering specific actions in response to Report 827 should obtain advice tailored to their organisation and sector.