Practical Guide

How to create a whistleblowing channel with full traceability

Brazilian law requires whistleblowing channels, but most companies use email or forms with no tracking. Learn how to build a flow with anonymity, SLA, and audit trail.

CaseFy Team · March 21, 2026 · 6 min read

Since 2022, Brazilian law requires companies with internal workplace safety committees (CIPA) to maintain a whistleblowing channel. Law 14.457/2022 establishes this obligation as part of the Program for Prevention and Combat of Sexual Harassment and other forms of workplace violence. Decree 11.129/2022, which regulates the Anti-Corruption Law, reinforces the importance of internal channels for receiving reports of irregularities.

The law is clear. The problem is execution.

Most companies address the requirement by creating a generic email — something like ethics@company.com — or publishing a form on their website. The report arrives, someone reads it, and the process continues via email, spreadsheet, or the memory of whoever received it.

This creates serious problems.


Why email and forms are not enough

No real guarantee of anonymity

When a report arrives by email, the server logs the sender. Even if the person uses a personal email, the system administrator can trace the IP, the time, and in many cases identify the author. Generic forms carry the same risk: without end-to-end encryption and access separation, there is no real anonymity.

If the whistleblower does not trust they will be protected, they will not report.

No defined SLA

The report arrived. When will someone analyze it? In 24 hours? In a week? Without a formal deadline, reports sit idle in inboxes. The whistleblower receives no feedback. The company does not know if it is complying with its own internal rules.

No audit trail

Who read the report? When? What was decided? If someone asks — an auditor, the public prosecutor, the board — there is no record. Information is scattered across emails, personal notes, and informal conversations.

Reports get lost

In an email-based flow, it is only a matter of time before a report is buried under other messages. Without a system that tracks the status of each report, there is no way to guarantee that all reports were analyzed and answered.


The ideal whistleblowing channel flow

An effective whistleblowing channel is not just an entry point. It is a complete process with defined stages, clear owners, and end-to-end traceability.

1. Intake

The report enters through an external form accessible to anyone — employees, contractors, suppliers. The form must allow anonymous submission without requiring login or identification. The whistleblower receives a protocol number to track progress without identifying themselves.

2. Triage

A designated person receives the report and performs the initial analysis. The goal is to classify the report (harassment, fraud, conflict of interest, policy violation) and check for conflicts of interest — whether the accused is the very person who would conduct the analysis.

3. Investigation

With the report classified, the inquiry begins. Evidence collection, interviews, document and record analysis. Each action must be documented: who did what, when, based on what information. Access must be restricted with granular controls.

4. Deliberation

The investigation results in an opinion. An ethics committee or the responsible party evaluates the evidence and makes a decision. The decision must be formally recorded with justification, date, and identification of the decision-makers.

5. Resolution

Defined measures are executed: warning, termination, process change, training, internal communication. The whistleblower receives feedback on the outcome — respecting confidentiality limits.

6. Monitoring

The case is closed, but follow-up continues. The company must verify whether the measures were effective, whether there was recurrence, and whether new internal controls are needed.


What each stage requires

Each stage needs four elements: an audit trail, access controls, SLA per stage, and document management.
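An added sketch (not CaseFy's code and not from the original article) of how the stages above can carry these requirements: a random protocol number that encodes nothing about the reporter, a conflict-of-interest check at each handoff, an SLA clock per stage, and a hash-chained timeline that makes later edits detectable. The SLA hours, the actor names and the `Case` and `verify` names are assumptions made for illustration.

```python
import hashlib, json, secrets
from datetime import datetime, timedelta, timezone

# Assumed per-stage SLAs in hours; the article does not prescribe values.
SLA_HOURS = {"intake": 24, "triage": 72, "investigation": 720,
             "deliberation": 240, "resolution": 240, "monitoring": 2160}
STAGES = list(SLA_HOURS)

class Case:
    def __init__(self, now):
        # Random protocol number: no reporter identity is stored or encoded.
        self.protocol = secrets.token_hex(8)
        self.stage, self.entered, self.timeline = "intake", now, []
        self._log("system", "case_created", now)

    def _log(self, actor, action, now, **detail):
        # Each entry commits to the previous entry's hash (append-only chain).
        prev = self.timeline[-1]["hash"] if self.timeline else "0" * 64
        entry = {"actor": actor, "action": action, "at": now.isoformat(),
                 "detail": detail, "prev": prev}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.timeline.append(entry)

    def advance(self, actor, accused, now):
        # Conflict-of-interest check: a person named in the report never handles it.
        if actor in accused:
            self._log(actor, "blocked_conflict_of_interest", now)
            raise PermissionError("handler is named in the report")
        if self.stage == STAGES[-1]:
            raise ValueError("case is already in the final stage")
        nxt = STAGES[STAGES.index(self.stage) + 1]
        self._log(actor, "stage_change", now, frm=self.stage, to=nxt)
        self.stage, self.entered = nxt, now

    def sla_breached(self, now):
        return now - self.entered > timedelta(hours=SLA_HOURS[self.stage])

def verify(timeline):
    """Recompute the chain; an edited, reordered or mid-chain deleted entry fails."""
    prev = "0" * 64
    for e in timeline:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or e["hash"] != digest:
            return False
        prev = e["hash"]
    return True

if __name__ == "__main__":
    case = Case(datetime.now(timezone.utc))
    print(case.protocol, verify(case.timeline))
```

A hash chain does not detect removal of the newest entries, so the latest hash should also be recorded somewhere the case handlers cannot write.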


How CaseFy solves this

CaseFy was designed to orchestrate processes with exactly these characteristics: external forms, access controls, auditable timeline, and document management.

  • External forms for anonymous intake: Published without requiring authentication. The report automatically creates a case with a protocol number.
  • RBAC for access control: Over 90 granular permissions. Define who can view, investigate, and deliberate. Reassign access when conflicts of interest arise — the system logs every change.
  • Timeline for audit trail: Every action generates an immutable record: creation, stage changes, comments, documents, decisions, reassignments.
  • Configurable stages with SLA: Create a template with whistleblowing stages and define transition rules. Automations notify responsible parties when deadlines approach.
  • Integrated document management: Documents are attached directly to the case with version control and access permissions.

How to get started

You do not need months of implementation. The minimum viable flow:

  1. Create a template with the stages described in this article
  2. Configure an external form for receiving reports
  3. Define access permissions by role (triage, investigation, deliberation)
  4. Publish the form link on your website and internal channels

In less than an hour, you have a whistleblowing channel with full traceability.
