M9-Pro-06 | Justice, Trade & Work | Fiduciary & Professional Services | CORE Excellence v2.9.7

Independent Ethical Audit & Whistleblower Protection

This criterion assesses the organization's commitment to ethical conduct and integrity through independent ethical audits and whistleblower protection mechanisms. It evaluates the implementation of robust systems that enable the identification, reporting, and resolution of ethical breaches, conflicts of interest, and violations of professional standards. The audit must be conducted by an independent, qualified third party focusing on ethical conduct, conflict of interest management, and adherence to the organization's code of conduct and relevant Islamic principles. Whistleblower protection policies must encourage reporting without fear of reprisal, providing confidential channels for raising concerns. This includes the establishment of clear reporting procedures, thorough investigations, and appropriate corrective actions.

The criterion examines the frequency and scope of ethical audits, the effectiveness of whistleblower protection mechanisms, and the demonstrable impact of these measures on fostering a culture of ethical behavior and accountability within the organization. The system operationalizes Hisbah through Nasiha (sincere counsel) and Muhasabah (accountability), ensuring verification and fairness (per Qur’an 49:6 and principles of la darar wa la dirar) while protecting whistleblowers from harm. This aligns with Qur’an 16:90, emphasizing the dual imperative of justice and excellence in conduct and oversight.

It specifically integrates UK Public Interest Disclosure Act (PIDA) standards, Charity Commission Serious Incident Reporting (SIR) protocols, and UK GDPR controls to ensure regulatory compliance alongside spiritual excellence.

Compliance 1
  • Whistleblowing data handled per UK GDPR/DPA 2018: Conduct a specific Data Protection Impact Assessment (DPIA); maintain a lawful-basis register; implement Data Subject Access Request (DSAR) protocols with redaction rules to protect the identities of reporters and witnesses; and ensure secure retention.
    Technology Essential
Good 17
  • Regular (at least annual) independent ethical audits by qualified third parties. (Proportionality: Entities with <£1m income or <20 staff may conduct biennial independent reviews plus annual internal self-assessments).
    Monitoring Essential
  • A documented code of conduct aligned with Islamic principles and professional standards.
    Documentation Essential
  • A clear and confidential whistleblower policy that explicitly distinguishes 'protected disclosures' (PIDA) from personal grievances, includes a triage decision-tree, signposts 'prescribed persons' for external reporting, and clarifies confidentiality limits.
    Documentation Essential
  • Thorough and impartial investigations of all reported ethical breaches, utilizing an 'Islamic Ethics Checklist' (covering Adl, Amanah, avoidance of Ghibah/Buhtan) to ensure procedural fairness.
    Process Essential
  • Implementation of appropriate corrective actions based on audit findings and investigation outcomes, tracked in a CAPA register with defined owners and escalation for overdue items.
    Process Essential
  • Role-based training and awareness programs: Annual for all staff; enhanced for Managers/HR; certified training for investigators; specific oversight training for Trustees.
    Training Essential
  • A designated ethics officer or committee responsible for overseeing ethical compliance.
    Governance Essential
  • Audit scope must include at a minimum: conflicts of interest; gifts/hospitality; procurement/third parties; bribery and fraud; client asset safeguarding (Hifz al-Mal); fair treatment of clients; harassment/bullying; AML/sanctions escalation ethics; data privacy; confidential information handling; regulators’ disclosures; Islamic compliance of conduct; and modern slavery concerns.
    Monitoring Essential
  • Investigation protocol with (1) independence criteria for investigators (mandatory recusal if the investigator is in the reporting line or has a conflict of interest), (2) a documented plan and evidence chain-of-custody, (3) right of reply for respondents, (4) documented decisions on legal privilege, (5) root-cause analysis, (6) remediation tracking, and (7) documentation retention periods compliant with UK GDPR.
    Process Essential
  • Serious Incident Reporting (SIR) integration: Triage must identify SIR triggers (harm, loss, criminality, safeguarding). Timeline: Notify ARC Chair/CEO ≤24h; draft SIR ≤72h; file with Charity Commission ≤7 days.
    Compliance Essential
  • The independent ethical audit scope covers all relevant organizational activities.
    Leadership High
  • The organization utilizes a multi-channel reporting system, including online portals and designated hotlines.
    Technology Medium
  • Audit findings and corrective actions are transparently communicated to relevant stakeholders.
    Transparency High
  • Senior management demonstrates a strong commitment to ethical conduct and actively promotes a culture of integrity.
    Leadership High
  • The whistleblower policy is regularly reviewed and updated to ensure its effectiveness.
    Continuous Improvement Medium
  • A comprehensive risk assessment process identifies potential ethical vulnerabilities and informs audit priorities.
    Leadership High
  • Utilize an 'Islamic Ethics Checklist' during audits to verify alignment with Adl (justice), Amanah (trust), and avoidance of Rishwah (bribery).
    Excellence Medium
Better 13
  • Established channels for reporting ethical concerns, including anonymous options. Third-party vendors operating these channels must meet assurance standards (ISO 27001 certification, ≥99.5% uptime, breach notification to the organization ≤24h).
    Process Essential
  • Independent ethical audits must be conducted by a third party that (a) has no consulting engagements creating self-review threats, (b) signs an annual independence/COI declaration, (c) rotates lead reviewer at least every 3 years, and (d) reports to the Board/Audit & Risk Committee (ARC) without management veto.
    Governance Essential
  • Formal non-retaliation policy with retaliation risk assessment at case intake; protective measures (role changes, paid leave, confidentiality flags); post-case monitoring for 12 months; board escalation route; disciplinary consequences for retaliators.
    Process Essential
  • Mandatory external investigator triggers: If allegation involves CEO, Trustee, ARC member, or Head of HR/Compliance, an independent external investigator must be appointed by the ARC Chair.
    Governance Essential
  • Provide reporting access for employees, contractors, volunteers, clients, suppliers, and other stakeholders; include at least one third-party managed anonymous channel (web and phone, 24/7) and postal option.
    Process Essential
  • Whistleblower Care Protocol: Acknowledgement ≤2 business days; periodic updates (e.g., every 14 days); offer of Employee Assistance Programme (EAP)/counselling; and a documented re-integration plan.
    Process Essential
  • Anonymous reporting channels are managed by an independent third party.
    Transparency High
  • The organization benchmarks its ethical practices against industry best practices and international standards.
    Excellence Medium
  • Appoint a board-level Whistleblowers’ Champion (for FCA/PRA firms) or equivalent trustee/NED for others. In healthcare, appoint or align with a Freedom to Speak Up Guardian role.
    Governance High
  • Risk-based triage framework with defined SLAs (intake acknowledgement ≤2 business days; high-risk cases assigned within 3 days; standard closure target 60 days), with escalation if breached.
    Process High
  • Publish in the annual report anonymized metrics (cases received, categories, substantiation rate, time to close, actions taken) and describe learning outcomes and control improvements.
    Transparency High
  • Establish an Investigation Oversight Panel (Ethics Officer + ARC delegate + external adviser) to sign off investigation plans and final reports for high-risk cases.
    Governance High
  • Quarterly ARC reporting pack includes: case volumes, severity, substantiation rates, time-to-close, retaliation flags, CAPA status, and regulator reporting logs.
    Governance High
Best 1
  • Align the speak-up system with ISO 37002 and embed in the compliance management system aligned to ISO 37301; annually assess effectiveness against these standards.
    Excellence High

Discussion (1)

Administrator 2026-03-07 11:08:18.607289

📋 **Version updated: 1.0.0 → 2.9.7**
**Changes:** Updated islamic_references from mizan-297.json
