
Nonprofit Whistleblower Policy: Template and Best Practices

Drew Giddings, Founder & Principal Consultant
April 11, 2026

Every nonprofit should have a whistleblower policy — here's why, what it should include, and a practical template you can customize for your organization.

Key Takeaways

  • Form 990 explicitly asks whether your organization has a whistleblower policy — full 990 filers should have one
  • The policy must prohibit retaliation and protect individuals who make good-faith reports
  • Provide multiple reporting channels including anonymous options
  • Reports involving senior leadership should go directly to the board or audit committee
  • Document all reports, investigations, and actions in confidential files for at least 7 years

Why Your Nonprofit Needs a Whistleblower Policy

A whistleblower policy protects individuals who report concerns about fraud, financial misconduct, legal violations, or unethical behavior within your organization. The policy establishes confidential reporting mechanisms and prohibits retaliation against those who raise concerns in good faith.

Form 990 explicitly asks whether your organization has a whistleblower policy. Organizations filing the full Form 990 (gross receipts over $200,000 or assets over $500,000) should have one in place. While not technically required, the question signals the IRS's expectation that nonprofits maintain basic governance safeguards.

Legal Context

Two major federal laws protect whistleblowers:

  • Sarbanes-Oxley Act (SOX) — Originally targeting for-profit companies but applicable to nonprofits in some circumstances. Makes it a federal crime to retaliate against whistleblowers who report fraud.
  • Dodd-Frank Act — Extends whistleblower protections and provides rewards for information leading to successful enforcement actions.

Additionally, every state has its own whistleblower protection laws that apply to nonprofits, typically prohibiting retaliation against employees who report violations of law.

    Nonprofit Whistleblower Policy Template

    [ORGANIZATION NAME]

    Whistleblower Policy

    Effective Date: [Date]

    #### 1. Purpose

    [Organization Name] is committed to operating in compliance with all applicable laws and ethical standards. This policy establishes procedures for reporting suspected violations and protects individuals who make good-faith reports from retaliation.

    #### 2. Scope

    This policy applies to all directors, officers, employees, volunteers, and contractors of [Organization Name].

    #### 3. Reportable Concerns

    This policy covers reports of suspected:

    • Financial fraud, theft, or embezzlement
    • Misuse of charitable assets or donor-restricted funds
    • Violations of federal, state, or local laws
    • Violations of [Organization Name] policies
    • Unethical business practices
    • Dangerous working conditions
    • Harassment, discrimination, or retaliation
    • Conflicts of interest not properly disclosed
    • Misrepresentation of financial information
    • Accounting irregularities

    #### 4. Reporting Procedures

    Preferred reporting order:

  • Direct supervisor — For routine concerns, start with your immediate supervisor
  • Executive Director — If the concern involves your supervisor or is not resolved
  • Board Chair — If the concern involves the Executive Director
  • Audit/Finance Committee Chair — If the concern involves financial matters

    Anonymous reporting:

    Reports may be submitted anonymously through:

    • [Anonymous reporting email/hotline]
    • Written letter to Board Chair at [address]
    • Third-party whistleblower hotline (if available)

    What to include in a report:

    • Description of the suspected violation
    • Names of individuals involved
    • Dates and locations of alleged incidents
    • Any supporting documentation
    • Names of witnesses (if known)

    #### 5. Confidentiality

    All reports will be treated as confidential to the extent possible. Information will be shared only with individuals who need to know in order to investigate and resolve the concern. [Organization Name] will make every effort to protect the identity of the person making the report, though anonymity cannot be guaranteed in all circumstances (particularly if legal proceedings result).

    #### 6. Non-Retaliation

    [Organization Name] strictly prohibits retaliation against any individual who, in good faith, reports a suspected violation or participates in an investigation. Retaliation includes, but is not limited to:

    • Termination or demotion
    • Reduction in hours or pay
    • Denial of benefits
    • Reassignment
    • Harassment or intimidation
    • Exclusion from meetings or decision-making
    • Negative performance evaluations

    Any individual who retaliates against a whistleblower is subject to disciplinary action, up to and including termination of employment or removal from the board.

    #### 7. Good Faith Requirement

    This policy protects individuals who make reports in good faith — meaning they have a reasonable belief that the information reported is true and that a violation may have occurred. It does not protect individuals who knowingly make false reports or who report concerns in bad faith (for example, to harass a coworker or gain personal advantage).

    #### 8. Investigation Process

    Upon receipt of a report:

  • Acknowledgment — The recipient will acknowledge receipt within [3-5 business days] when the reporter's identity is known
  • Preliminary assessment — Within [7-10 business days], determine whether the concern warrants investigation
  • Investigation — Conduct an impartial investigation, which may involve interviews, document review, and consultation with legal counsel
  • Findings — Document the investigation process and conclusions
  • Action — Take appropriate corrective action if violations are confirmed
  • Communication — When possible, inform the reporter (if known) of the outcome

    #### 9. Board Oversight

    The [Audit Committee / Finance Committee / Full Board] will:

    • Review this policy annually
    • Oversee any investigation involving senior management or board members
    • Ensure the policy is communicated to all relevant parties
    • Report on policy compliance in their annual report to the board

    #### 10. Policy Communication

    This policy will be:

    • Included in the employee handbook
    • Reviewed during new employee and board member orientation
    • Posted in a visible location at organizational offices
    • Available on the organization's website
    • Reviewed annually by the board

    #### 11. Records Retention

    Records of whistleblower reports and investigations will be maintained in confidential files for at least [7 years] following the conclusion of any investigation.

    Best Practices for Implementation

    Make Reporting Easy

    • Offer multiple reporting channels (in-person, email, phone, anonymous hotline)
    • Ensure channels are accessible outside normal business hours
    • Consider a third-party hotline service for true anonymity (some are free for small nonprofits)

    Ensure Board Independence

    • The audit committee or a designated board member should be the final reporting channel
    • This committee should be composed of independent directors without management responsibilities
    • Board members should not investigate concerns about themselves

    Respond Promptly and Seriously

    • Delays in acknowledgment or investigation signal that concerns are not taken seriously
    • Failure to act on credible reports creates legal liability
    • Protect the reporter's identity to the maximum extent possible

    Document Everything

    • Written records protect both the organization and the reporter
    • Document initial reports, investigation steps, findings, and actions taken
    • Retain records in confidential files per your retention policy

    Train Staff and Board

    • Annual training on the policy ensures everyone understands their rights and obligations
    • New employee orientation should include policy review
    • Board orientation should cover the policy and board oversight responsibilities

    Common Mistakes

    1. Having a policy but no process. A policy document without actual reporting infrastructure (email accounts, designated recipients, investigation procedures) provides false comfort.

    2. Allowing managers to retaliate subtly. Formal termination is easy to identify; subtle retaliation (cold shoulder, exclusion, negative reviews) is harder but still prohibited.

    3. Ignoring anonymous reports. Anonymous reports can be harder to investigate but should not be dismissed. Many fraud cases begin with anonymous tips.

    4. Investigating internally when you shouldn't. Serious concerns — especially those involving senior leadership or potential legal violations — may require independent external investigation.

    5. Not communicating the policy. A policy locked in a filing cabinet helps no one. Staff and board must know it exists and how to use it.

    Frequently Asked Questions

    Is a whistleblower policy legally required for nonprofits?

    Federally, no — but Form 990 asks whether you have one, and most state charity regulators expect it. Some states have specific requirements for nonprofits above certain size thresholds.

    Can volunteers and contractors use the whistleblower policy?

    Yes. Best practice is to extend the policy to all individuals associated with the organization — employees, volunteers, board members, contractors, and consultants.

    What if the concern is about the Executive Director?

    Reports about the Executive Director should go directly to the Board Chair or the chair of the audit/finance committee. The ED should never be involved in investigating concerns about themselves.

    Do we need a third-party hotline?

    Not required. However, third-party hotlines provide stronger anonymity protection and are considered best practice, especially for larger organizations. Several services offer free or low-cost options for nonprofits.

    Governance Support

    Giddings Consulting Group helps nonprofit organizations develop and implement governance policies that protect the organization, support ethical culture, and meet funder expectations.

    Contact us to strengthen your organization's governance practices, or explore our Conflict of Interest Policy Guide.

    About the Author

    Drew Giddings

    Founder & Principal Consultant

    Drew Giddings brings more than two decades of experience working with mission-driven organizations to strengthen their capacity for equity and community impact. His work focuses on helping nonprofits build sustainable strategies that center community voice and create lasting change.
