Do Nonprofits Need a Whistleblower Policy? (Yes — Here’s Why)

Most nonprofits aren't sure whether they're required to have a whistleblower policy. Here's what the IRS, Sarbanes-Oxley, and your auditor actually expect — and what your policy needs to include.

TL;DR: Not technically required, but effectively expected — and the consequences of not having one are real enough that “optional” is the wrong way to think about it.

Here’s what nonprofit leaders actually need to know.

What the IRS Says

The IRS doesn’t mandate a whistleblower policy as a condition of maintaining 501(c)(3) status. But it does ask about one — directly.

IRS Form 990, Part VI, Line 13 asks whether your organization has adopted a written whistleblower policy. If you answer no, you’re not penalized. But the IRS has stated clearly that it views well-governed organizations as more likely to protect charitable assets and comply with tax law. How you answer Form 990 governance questions shapes how the IRS perceives your organization.

Answering no to Line 13 is a yellow flag. It doesn’t trigger an audit — but it doesn’t help you either.

What Sarbanes-Oxley Actually Requires of Nonprofits

There’s a lot of confusion about whether Sarbanes-Oxley (SOX) applies to nonprofits. Most of it doesn’t. But two provisions do apply to all organizations, including nonprofits:

  1. Prohibition on destroying records — It is a federal crime to destroy, alter, or falsify records to obstruct a federal investigation.
  2. Prohibition on retaliation — It is a federal crime to retaliate against anyone who reports a potential federal offense to a law enforcement officer.

Your nonprofit doesn’t need a policy to be bound by these rules — they apply regardless. But having a written whistleblower policy is the clearest way to demonstrate that your organization takes them seriously, and it provides protection if a retaliation claim is ever made against you.

What Your Auditor Expects

This is the practical reason most nonprofits end up adopting a whistleblower policy.

External auditors routinely flag the absence of a whistleblower policy in their management letters. For organizations that receive grant funding or undergo independent audits, that finding can create friction with funders and board members — even if no actual wrongdoing has occurred.

A written policy signals that your organization has a formal channel for concerns to surface internally, before they become public problems.

It Applies to Volunteers, Not Just Staff

One thing many nonprofit leaders miss: a whistleblower policy isn’t just for paid employees. Organizations that rely entirely on volunteers still benefit from having a policy in place. Volunteers who witness financial mismanagement, safety violations, or ethical concerns need to know there’s a safe path to report them — and that they won’t face retaliation for doing so.

What a Compliant Policy Needs to Include

According to IRS Form 990 instructions, a whistleblower policy must do three things:

  1. Encourage reporting — Staff and volunteers should feel safe bringing forward credible concerns about illegal practices or policy violations
  2. Protect from retaliation — The policy must explicitly state that the organization will not retaliate against anyone who reports in good faith
  3. Identify who receives reports — The policy must name the specific staff member, board member, or outside party designated to receive complaints

If your policy doesn’t address all three, it doesn’t meet the IRS definition — and you’d have to answer no on Form 990 Line 13 even if a policy exists.

The Connection to Your Other Governance Policies

A whistleblower policy doesn’t stand alone. It works alongside your conflict of interest policy (which addresses self-dealing) and your document retention policy (which addresses recordkeeping). Together, these three policies form the core governance framework that the IRS, auditors, and funders look for.

If you’ve already adopted a conflict of interest policy and have your board sign it annually, the whistleblower policy is a natural next step.

Getting Signatures on Your Whistleblower Policy

Having a written policy is step one. Demonstrating that your board, staff, and key volunteers have actually read and acknowledged it is step two — and it’s the step most organizations skip.

If your conflict of interest policy requires annual board signatures, your whistleblower policy should too. ClearPolicy makes it simple to send both policies together, collect acknowledgments electronically, and maintain an audit trail showing exactly who signed what and when.


This post is for informational purposes only and does not constitute legal advice. Consult a qualified nonprofit attorney regarding your organization’s specific compliance obligations.
