Audit Obligation (HinSchG)
Clarification: There is no general audit obligation under the German Whistleblower Protection Act (HinSchG)
Fact-check (as of 02 May 2026)
- There is NO general audit obligation for internal reporting offices under the German Whistleblower Protection Act (HinSchG).
- Section 22 HinSchG designates the external reporting office at the Federal Cartel Office (Bundeskartellamt) for competition law and Digital Markets Act (DMA) infringements — it is not an audit obligation for companies.
- Real HinSchG duties: confidentiality (Section 8), prohibition of reprisals (Section 36), three-year retention (Section 11), seven-day acknowledgement of receipt and three-month substantive feedback (Section 17 (2)).
- Best practice (NOT a statutory duty): an annual effectiveness self-review of the reporting office for management reporting plus an ISO 37301 compliance-management-system audit.
- Correction: the previously circulated assumption of a "Section 22 HinSchG audit obligation effective 1 January 2026" was incorrect.
What does "Audit Obligation (HinSchG)" actually mean?
The term "HinSchG audit obligation" was used in numerous compliance publications and marketing texts during 2024 and 2025 — usually with reference to an allegedly new Section 22 HinSchG that was said to mandate an annual effectiveness review of the internal reporting office from 1 January 2026. This obligation does not exist. Verification against the actual wording of Section 22 HinSchG (gesetze-im-internet.de/hinschg) shows that Section 22 governs the external reporting office at the Federal Cartel Office.
The German HinSchG transposes EU Directive 2019/1937 (the Whistleblowing Directive), and neither the directive nor the national act imposes a general statutory audit duty on private-sector internal reporting offices. Article 14 of the directive only requires Member States to ensure that competent external authorities regularly — and at least once every three years — review their own procedures; this review duty addresses public authorities, not private companies. Anyone marketing a private-sector audit obligation under Section 22 HinSchG is therefore citing a provision that does not contain such a duty.
Section 22 HinSchG: the actual content
Section 22 HinSchG designates the Federal Cartel Office (Bundeskartellamt) as the external reporting office for information on infringements of the Act against Restraints of Competition (Gesetz gegen Wettbewerbsbeschränkungen, GWB) and of the Digital Markets Act (DMA). Whistleblowers in the fields of antitrust and platform regulation may therefore approach the Federal Cartel Office directly — in parallel with the internal reporting office (Section 12) or with the general external reporting office at the Federal Office of Justice (Section 19).
Other external reporting offices under HinSchG: Section 19 Federal Office of Justice (BfJ, general); Section 20 federal states (Länder, optional); Section 21 Federal Financial Supervisory Authority (BaFin, financial services).
Real HinSchG duties for companies
- Section 8 — Confidentiality of the whistleblower's identity; a documented confidentiality concept is required.
- Section 11 — Retention of the case documentation for three years after the procedure has been closed.
- Section 12 — Duty to establish an internal reporting office from 50 employees upwards (financial-sector entities are covered regardless of headcount under Section 12 (3)).
- Section 17 — Processing deadlines: acknowledgement of receipt within seven days, substantive feedback within three months.
- Section 16 (1) sentence 4 — Anonymous reports must be processed (mandatory since 1 January 2025).
- Section 36 — Prohibition of reprisals with reversal of the burden of proof in favour of the whistleblower.
- Section 40 — Administrative fines of up to EUR 50,000 for natural persons; legal persons can be fined up to EUR 500,000 via the tenfold multiplier in Section 30 of the Administrative Offences Act (OWiG).
Best practice: voluntary effectiveness self-review
An annual effectiveness self-review of the internal reporting office is sound compliance practice and is provided for in ISO 37301:2021 (Compliance Management Systems) as part of the management review; however, it is not a HinSchG duty. It is useful as an annual management-reporting instrument for risk and reputation steering, and it dovetails with adjacent obligations under the Works Constitution Act (BetrVG) on co-determination where the reporting office processes employee data.
Sources
- HinSchG (Hinweisgeberschutzgesetz / German Whistleblower Protection Act), gesetze-im-internet.de/hinschg
- EU Directive 2019/1937 on the protection of persons who report breaches of Union law
- Federal Office of Justice (Bundesamt für Justiz, BfJ) — federal reporting office
- Federal Cartel Office (Bundeskartellamt) — external HinSchG reporting office under Section 22
- ISO 37301:2021 (Compliance Management Systems)