January 26, 2026

Before we get into what makes a good Whistleblower Policy, here are four real-life examples of why nonprofits need them:

  1. A long-serving bookkeeper notices unexplained reimbursements approved by the executive director but fears reporting them because the director controls her job.
  2. A volunteer becomes aware that restricted donor funds are being used for unrelated expenses but does not know who to tell or whether speaking up could jeopardize their role.
  3. A staff member witnesses repeated harassment by a senior manager and worries that reporting the behavior will quietly end their career at the organization.
  4. A board member learns that required filings have not been made for several years and is concerned about personal liability if the issue is ignored.

In each of these situations, wrongdoing continues not because people are unaware of it, but because they do not feel safe reporting it. A clear Whistleblower and Retaliation Protection Policy is designed to solve exactly this problem.

As a member of a nonprofit organization, wouldn’t you want to know if someone inside the organization was acting illegally, unethically, or contrary to its mission? Nonprofits exist to serve the public good and depend heavily on trust, transparency, and ethical conduct. Yet studies consistently show that reporting drops sharply when organizations lack a clear and credible whistleblower policy.

A well-drafted Whistleblower Policy creates a structured, trusted process for raising concerns. It protects individuals who come forward, helps leadership address problems early, and reduces legal and reputational risk. This blog post explains what a whistleblower policy is, why it matters, who it protects, how it works in practice, and the best practices every nonprofit should consider adopting.

What It Means to “Blow the Whistle”

To “blow the whistle” means to report suspected wrongdoing within an organization. A whistleblower policy establishes formal guidelines for employees, board members, volunteers, and others to follow when they become aware of potential misconduct.

The goal is not punishment. The goal is early detection, accountability, and correction before harm spreads. Effective policies encourage reporting by assuring individuals that they can raise concerns without fear of retaliation, job loss, or reputational damage. Federal and state laws across the United States reinforce this principle by protecting whistleblowers from retaliation and encouraging internal reporting before problems escalate.

Legal Framework and IRS Expectations

Federal law explicitly protects whistleblowers. Section 1107 of the Sarbanes-Oxley Act, codified at 18 U.S.C. § 1513(e), makes it a federal crime to knowingly retaliate against a person for providing truthful information to law enforcement about a possible federal offense. Penalties can include fines and imprisonment of up to ten years, and the law also prohibits destruction of evidence.

Practically speaking, this means nonprofit leaders must take whistleblower complaints seriously, preserve documents, and avoid any actions that could be perceived as retaliation, even indirectly.

Iowa law reinforces these principles. The Iowa Nonprofit Corporation Act, Iowa Code chapter 504, imposes fiduciary duties of care, loyalty, and obedience on directors and officers. When credible concerns about misuse of funds, conflicts of interest, or legal noncompliance are raised and ignored, directors and officers risk breaching those duties. A whistleblower policy provides a documented process for receiving and addressing concerns, which can be critical in demonstrating that leadership acted prudently and in good faith.

Iowa nonprofits should also be mindful that retaliation claims may arise under Iowa common law, Iowa civil rights statutes, and federal employment laws applied in Iowa courts. Even volunteers and independent contractors may assert claims when adverse actions follow protected reporting.

The Internal Revenue Service reinforces these expectations through Form 990. Although a whistleblower policy is not technically mandatory, the IRS asks whether one exists and treats it as a hallmark of good governance. To meet the Form 990 standard, the policy must clearly state that the organization protects individuals who report suspected violations of law or organizational policy in good faith.

Why Whistleblower Policies Are Essential for Nonprofits

Nonprofits rely on public trust, donor confidence, and community credibility. This is especially true in Iowa, where many nonprofits operate in close-knit communities and rely on long-term relationships with donors, volunteers, and local stakeholders. Many Iowa nonprofits advocate publicly for accountability, fairness, and ethical conduct. That mission is undermined if similar misconduct is tolerated internally or handled informally behind closed doors.

A strong whistleblower policy helps Iowa nonprofits:

  • Identify problems early, when they are easier and less costly to fix
  • Reduce the risk of regulatory scrutiny by the IRS, Iowa Attorney General, or Iowa Secretary of State
  • Demonstrate that directors and officers are fulfilling their fiduciary duties under Iowa law
  • Protect staff, volunteers, and board members from retaliation
  • Preserve public trust in smaller communities where reputational harm can spread quickly

Without a clear policy, individuals may stay silent, misconduct may continue unchecked, and organizations may face far greater legal, financial, and reputational consequences later.

Who the Whistleblower Policy Is For

A whistleblower and retaliation protection policy should apply broadly. It should cover:

  • Employees
  • Officers and directors
  • Volunteers
  • Independent contractors
  • Vendors
  • Clients and other stakeholders

Even organizations with no paid staff need whistleblower protection. Volunteers often have direct access to sensitive information and must feel safe raising concerns.

When and Where to Report Misconduct

Concerns should be reported as soon as reasonably possible. Prompt reporting allows the organization to stop ongoing harm, preserve evidence, and respond appropriately. Best practice policies provide multiple reporting channels, such as:

  • A direct supervisor
  • Another manager or officer
  • A designated ethics or compliance contact
  • The board chair or audit committee
  • An external or anonymous reporting mechanism

Multiple options are essential, especially when the concern involves a supervisor or senior leadership.

Covered Wrongdoing

A well-drafted policy clearly defines the types of conduct that may be reported, including:

  • Fraud or financial misconduct
  • Theft or misuse of organizational assets
  • Violations of law or regulations
  • Conflicts of interest
  • Discrimination or harassment
  • Violations of confidentiality obligations
  • Unsafe or unhealthy working conditions
  • Abuse of authority
  • Retaliation against whistleblowers

Clear definitions reduce uncertainty and encourage reporting.

Reporting Procedures

Effective policies explain how to report concerns and make the process accessible. Best practices include:

  • Clear written reporting instructions
  • Options for confidential or anonymous reporting
  • Identification of who receives and reviews reports
  • Escalation paths if concerns are not addressed

Good documentation protects both the whistleblower and the organization.

Investigation Procedures

Once a report is received, the organization must act promptly and responsibly. The policy should describe:

  • How investigations are initiated
  • Who conducts them
  • How evidence is collected and preserved
  • Expected timelines
  • How findings are documented and addressed

Investigations should be objective, thorough, and conducted by individuals with appropriate independence and authority.

Confidentiality

Confidentiality is critical to effective whistleblower protection. Policies should commit to maintaining confidentiality to the greatest extent reasonably possible. While absolute confidentiality cannot always be guaranteed, especially if legal proceedings follow, failing to promise confidentiality at all will strongly discourage reporting.

Protection Against Retaliation

The policy must clearly prohibit retaliation. Retaliation includes termination, demotion, harassment, intimidation, reduced hours, or any adverse action taken because someone reported concerns in good faith. Anyone who retaliates should face discipline, up to and including termination or removal from office or board service.

Good Faith Reporting and False Allegations

Whistleblowers must act in good faith and have reasonable grounds to believe misconduct has occurred. Knowingly false or malicious allegations should result in discipline. Importantly, an allegation that cannot be substantiated does not mean it was made in bad faith.

Disciplinary Action and Outcomes

Policies should outline potential consequences when allegations are substantiated, including corrective action, discipline, or termination. They should also address consequences for retaliation and bad faith reporting.

Training and Communication

This is critical. A whistleblower policy is ineffective if people do not know it exists or how to use it.

For Iowa nonprofits, this section should align closely with other governance disclosures and practices reflected on IRS Form 990, including policies addressing conflicts of interest, document retention and destruction, compensation review, and Form 990 review and approval itself. The IRS looks at governance holistically, not in isolation. Best practices include:

  • Distributing the policy during onboarding
  • Providing periodic training
  • Including the policy in employee handbooks
  • Training investigators on process and confidentiality

Consistent implementation across these policies strengthens credibility if the organization’s governance practices are ever reviewed by the IRS or state regulators.

Support for Whistleblowers

This is equally important. Whistleblowers often experience stress, fear, or emotional strain. Providing access to support resources demonstrates a genuine commitment to ethical culture and reinforces trust.

Policy Review and Updates

Whistleblower policies should be reviewed periodically and updated to reflect changes in law, organizational structure, and best practices.

Conclusion

A well-designed whistleblower and retaliation protection policy is a cornerstone of strong nonprofit governance. It protects individuals, strengthens organizational integrity, and reinforces public trust.

For Iowa nonprofits, whistleblower protection should be viewed alongside other core governance practices reported on IRS Form 990, including conflict of interest policies, document retention policies, compensation approval processes, and board oversight procedures. These policies work together to demonstrate that directors and officers are meeting their fiduciary obligations under Iowa law.

Nonprofits should not treat whistleblower policies as boilerplate or check-the-box documents. They should be tailored to the organization’s structure, actively implemented, and supported by leadership.

I advise Iowa nonprofits on governance, compliance, and risk management. I work with Iowa charities, churches, foundations, associations, and membership organizations to draft, review, and align whistleblower policies with Articles of Incorporation, Bylaws, Form 990 disclosures, and the full suite of IRS-recommended governance policies.

If your Iowa nonprofit needs assistance drafting, reviewing, or updating a whistleblower policy or strengthening its overall Form 990 governance framework, contact me anytime. I offer free consultations. My email is: gordon@gordonfischerlawfirm.com

January 22, 2026

If your nonprofit holds financial assets—whether as operating reserves, short-term funds, or long-term endowments—having a written Investment Policy is essential for responsible stewardship and sound governance.

What is an Investment Policy?

An Investment Policy is a formal set of guidelines that explains who makes investment decisions, how those decisions are made, and what goals and limits guide investment activity. It provides clarity on acceptable asset types, risk tolerance, reporting expectations, and the procedures your organization uses to manage and monitor investments.

A well-crafted policy should:

  • Align investment activity with your mission and financial needs

  • Define roles and responsibilities for investment decision-making

  • Describe how investments will be selected, monitored, and evaluated

  • Explain risk management, diversification, and liquidity considerations

  • Establish reporting and oversight procedures for leadership and the board

Why It Matters

Here’s why an Investment Policy deserves attention:

1. Protects Your Organization from Poor Decisions
Investing without formal guidelines makes it easy to drift into unsupportable risk or inconsistent practices. A written policy helps safeguard assets and supports thoughtful decision-making.

2. Supports IRS Form 990 Reporting
While the IRS doesn’t require an Investment Policy, Form 990 asks detailed questions about investments and oversight. Having a documented policy makes reporting easier and more accurate, reducing stress at filing time.

3. Preserves Endowment and Long-Term Funds
For organizations with endowed funds or long-term financial commitments, a policy helps protect resources meant to last for generations by defining investment goals and risk thresholds.

In other words, these are funds whose assets are intended to last in perpetuity and are required to support the organization’s programs and services over the long term.

Who Should Be Involved

A clear Investment Policy assigns responsibility so everyone knows who does what:

  • Board of Directors: Provides oversight, reviews performance, and updates the policy at least quarterly.

  • Finance or Investment Committee: May be formed to support decision-making and supervision.

  • Executive Director/Staff: Can monitor investments and coordinate with outside advisors.

  • Financial Advisor/Manager: Many nonprofits hire professionals to implement strategies consistent with the policy.

Making Smart Investment Decisions

When your organization evaluates investment options, consider:

  • What are your short-, medium-, and long-term financial needs?

  • What level of risk is acceptable?

  • How liquid do assets need to be?

  • How will you measure performance and report results?

Answering these questions in advance—and formalizing them in policy—keeps decision-making consistent and aligned with your mission.

Regular Oversight & Review

Investments and financial markets change over time. That’s why your policy should include a process for regular monitoring and review. That review should cover performance measurement, risk assessment, and board evaluation.

Final Thoughts

A strong Investment Policy manages risk and gives confidence to your leadership, clarity to your staff, and credibility to donors and regulators. Thoughtful policy development can strengthen your nonprofit’s financial foundation and support its long-term mission.

Every nonprofit handles resources differently and your Investment Policy should reflect that. The right guidance can help you protect your assets while supporting the mission you care about most.

Curious about next steps? Connect with GFLF for a no-cost consultation.