Exhibit 99.1
3.2. REPORT OF THE CHAIRMAN OF THE BOARD OF DIRECTORS AS PRESENTED IN THE FRENCH-LANGUAGE DOCUMENT DE REFERENCE (ARTICLE L. 225-37 OF THE FRENCH COMMERCIAL CODE)
3.2.1. Chairman’s Report
In preparing this report in accordance with Article L. 225-37 of the French Commercial Code, the Chairman consulted the departments involved in the monitoring of internal control and risk management. This report has been submitted to the Audit Committee, to the statutory auditors and has been approved by the Board of Directors.
1/ Corporate Governance
Corporate governance is discussed in “Item 16G. Corporate Governance” of the Annual Report on Form 20-F.
2/ Internal Control and Risk Management
2.A. General Organization of Internal Control
2.A.a. Internal Control Objectives and Framework
Because Sanofi has a U.S. stock market listing and is subject to the requirements of the Sarbanes-Oxley Act, it applies the “Internal Control — Integrated Framework” issued in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This framework is regarded as equivalent to the reference framework of the Autorité des Marchés Financiers (AMF), the French financial markets regulator. In this report, the description of the system of internal control is aligned with the five COSO components:
· control environment;
· risk identification, assessment and management;
· control activities;
· information and communication;
· monitoring of internal control and risk management procedures.
COSO defines internal control as a process effected by the Group’s Board of Directors, management and staff, designed to provide reasonable assurance regarding the achievement of objectives relating to:
· the effectiveness and efficiency of operations;
· reliability of reporting, especially of accounting and financial information;
· adherence to the applicable laws and regulations.
Sanofi senior management has a clear ongoing commitment to maintaining and enhancing its systems of internal control and risk management. In furtherance of this objective, in 2014 senior management launched the Group Processes and Standards (GPS) program, which combines the existing elements of internal control into a unified Group-wide approach. GPS has been approved by the Executive Committee and presented to the Audit Committee.
GPS comprises:
· a harmonized framework of Group operational and support processes, broken down into sub-processes;
· an internal control manual, published at the end of 2014, which includes mandatory controls applicable to all activities and to all fully consolidated entities, along with the Group policies underpinning those controls;
· a financial controls framework designed to assess the effectiveness of the system of internal control relating to the production of financial information, as required for compliance with Section 404 of the Sarbanes-Oxley Act (SOA 404);
· an annual self-assessment process covering the mandatory controls in the internal control manual, to be performed by all activities and in all countries from 2015 onward.
2.A.b. Scope of Internal Control
The system of internal control covers all fully consolidated companies and activities, and is systematically deployed in all new entities when they are acquired.
To meet the requirements of SOA 404, the system of internal control incorporates procedures to assess the effectiveness of internal controls over financial information. In accordance with the recommendations published by the U.S. Securities and Exchange Commission (SEC), those procedures adopt a risk-based approach which is defined at Group level and implemented locally. That approach is based on:
· the financial controls framework and control assessment methodology developed by the Internal Controls and Processes (IC&P) Department;
· an analysis of the adequacy of coverage of risks relating to financial information, consistent with the reasonable assurance principle;
· a definition of the scope of application, and IC&P support for the teams involved via communication, leadership and backup;
· coordination of these tasks with the procedures conducted by the statutory auditors.
The “Report of Management on Internal Control Over Financial Reporting” pursuant to SOA 404 is presented in “Item 15. Controls and Procedures” of the Annual Report on Form 20-F for the year ended December 31, 2014.
2.A.c. Main departments contributing to the system of internal control
Finance Department
The Group Finance Department plays an important role in risk management and control, not only at Group level in conjunction with central support functions (Insurance, Group Accounting, IC&P, Financial Planning & Control, Financing & Treasury, Tax, Financial Investments & Legal Restructuring, Investor Relations, Financial Services France) but also at regional and local level, insofar as the Chief Financial Officers at region, zone and country level are responsible for the implementation of internal control.
In particular, the IC&P Department manages the implementation of the system of internal control within the Group, including:
· coordinating the preparation and distribution of the Group internal control manual;
· supervising the local implementation of policies, processes and controls developed at Group level;
· supervising the rollout of the GPS program and reporting back to the Executive Committee;
· assisting operational divisions and support functions in their efforts to improve internal control and to remedy internal control weaknesses;
· coordinating and preparing the assessment of the effectiveness of the system of internal control relating to financial information (SOA 404).
The IC&P Department relies on a network of internal control correspondents at region, country and activity level, whose primary roles include documenting and updating local procedures and ensuring they are consistent with Group policies; documenting and updating internal delegations of authority; ensuring the principle of segregation of duties is applied; implementing the mandatory controls contained in the Group internal control manual; and supervising remedial action on internal control weaknesses and the implementation of Group Internal Audit recommendations.
Global Compliance & Business Integrity Department
The core mission of the Global Compliance & Business Integrity Department is to promote a culture of integrity within the Group so that operational objectives can be attained in compliance with the Group’s ethics, values and policies. The department fulfils that role by providing operational units with the support needed to identify, assess and mitigate risks potentially associated with the Group’s activities.
The Global Compliance & Business Integrity Department develops and implements a Group-wide compliance program built on:
· a dedicated organizational structure including a regional and local network of compliance officers whose primary role is to implement the compliance program regionally and locally;
· policies and procedures;
· the preparation and distribution of an education and training program;
· monitoring activities;
· the handling of compliance breaches;
· implementing a framework for corrective action and/or disciplinary sanctions.
In addition, the Global Compliance & Business Integrity Department (under the auspices of the Compliance Executive Committee) manages a system for collating and managing alerts, the primary purpose of which is to deal with any alerts warning of potential or actual breaches of the Code of Ethics and/or of any applicable law, regulation or procedure.
Group Internal Audit
Group Internal Audit is independent and objective, reporting to the Chief Executive Officer and with free and unrestricted access to the chairman of the Audit Committee.
The role of Group Internal Audit is to provide senior management, and the Board of Directors via the Audit Committee, with reasonable assurance about the level of control over risks associated with operations within the Group and about the effectiveness of internal control. In furtherance of that role, it obtains assurance that:
· risks are appropriately identified and managed, especially those that impact on the Group’s strategic, financial and operational objectives;
· projects, processes and the actions of Group employees are consistent with internal policies, standards and rules and with laws and regulations;
· risks of fraud are identified, reported and dealt with diligently;
· assets are acquired at a fair price, used efficiently, and adequately protected;
· significant financial, managerial and operating information is relevant and reliable.
In order to optimize its understanding of the businesses and environments in which Sanofi operates, Group Internal Audit is organized into three regional hubs, each of which works to the same level of quality and professionalism.
Sanofi’s internal audit function is subject to regular independent assessment in order to confirm its compliance with international professional standards.
Other Participants in Internal Control
Operational divisions and support functions play a key role in the system of internal control, contributing to the preparation and updating of the Group processes framework and the internal control manual.
The Group’s managerial committees (described in section 2.F.b of this report) play an active role in managing the risk management and internal control systems.
2.B. Control Environment
The control environment refers to the policies, processes and structures that are collectively essential to the performance of internal controls within the Group.
Code of Ethics
The Sanofi Code of Ethics defines the ethical principles and rules that must be followed when conducting Sanofi business. It helps each employee determine the attitude he or she should adopt in relationships within and outside the Group. It is provided to all employees, and addresses issues such as:
· prevention of conflicts of interest;
· prevention of insider dealing;
· fighting bribery and corruption;
· good promotional practices;
· the compliance helpline.
Deployment of the Code of Ethics is coordinated centrally by the Global Compliance & Business Integrity Department through its network of compliance officers, including in newly-acquired entities. The Global Compliance Department has developed a program designed to give employees a better understanding of the rules and principles contained in the Code of Ethics, which it delivers through various training media.
Financial Code of Ethics
In accordance with U.S. securities law, Sanofi has adopted a Financial Code of Ethics that applies to the Chairman and Chief Executive Officer, the Executive Vice-President Chief Financial Officer and the Vice-President Corporate Accounting. This Code stresses the fundamental importance of irreproachable ethical conduct on the part of key executives with responsibility for financial information and financial reporting. The Chief Financial Officers of Group entities are also required to attest each year that they adhere to and will abide by the Code’s principles.
Policy on Prevention of Insider Dealing
As a result of the dual listing of Sanofi in France and in the United States, both French and U.S. rules apply. Other countries’ rules may also apply given that Sanofi shares are owned by persons located in different countries. The policy provides background information and familiarizes employees with insider dealing rules under French and U.S. laws, in particular rules relating to confidential information obtained in the course of their employment.
Charters
Support functions may, if they see fit, prepare a charter describing their mission, roles and responsibilities, which is made available to all Group employees.
IC&P, Group Internal Audit and Risk Management each have their own charter.
Reference Documentation
Sanofi provides its employees with policies and standards designed to help organize and implement the requirements of the Group’s central support functions, and to ensure that operations are conducted in an orderly and consistent manner.
These documents are centralized in GeodePlus, a dedicated documentation platform. Two GeodePlus interfaces are available:
· “Global Policies”, which collates policies and documents associated with operational divisions and support functions;
· “Global Quality Documents”, which contains all directives and documents associated with global quality, enabling the Group to ensure that actions performed in all phases of its activities comply with regulatory requirements specific to the pharmaceutical industry.
In discharging their responsibilities, each department must ensure that the rules are up to date and distributed, check that they are being properly applied, and inform the Executive Committee of any difficulties in implementation.
GPS Program
The control environment also relies on the GPS program described in section 2.A.a. of this report. Two key elements of the GPS program were delivered in 2014:
· the harmonized framework of processes and sub-processes, used by Group Internal Audit in conducting its audit assignments;
· the internal control manual, including mandatory controls to be applied by all subsidiaries: these controls were defined in active collaboration with the relevant operational divisions and support functions, and with those regions and countries whose input was sought.
In addition, the Chief Executive Officer and the Executive Vice President Chief Financial Officer are required under Section 302 of the Sarbanes-Oxley Act to carry out an evaluation of the effectiveness of the Group’s control procedures in respect of published financial information and fraud. To meet this objective, they push down the certification process to local level, requiring representation letters to be signed off twice a year by the Chief Executive Officers and Chief Financial Officers of Group entities as evidence of certification.
2.C. Risk Identification, Assessment and Management
For a description of the main risks relating to the Group’s activities and financial risks, refer to “Item 3. Key Information — D. Risk Factors” of the Annual Report on Form 20-F.
A number of systems for identifying, assessing and managing risks coexist within Sanofi.
2.C.a. Identifying, Assessing and Managing Strategic Risks
The remit of the Risk Committee is to assist the Executive Committee in fulfilling its risk management responsibilities. Co-chaired by the Senior Vice President Corporate Social Responsibility and the Senior Vice President Group Internal Audit, the Committee meets quarterly. Executives from the Group’s operational divisions and support functions sit on the Committee, and the Vice-President Internal Control and Processes is a permanent member. The Committee applies a structured methodology to identify, assess and manage transverse risks that could have a significant impact on the Group’s strategic objectives. More generally, the Risk Committee promotes a responsible risk management culture within the Group.
The Risk Committee is backed by the Risk Management Department, which works closely with all the Group’s activities and assists the Committee by:
· ensuring that the risk management approach is implemented and rolled out across all of the Group’s activities;
· collating and assessing on a regular basis the actions taken to enhance the management of risks, especially those identified as inter-dependent (i.e. common to several operational divisions or support functions) or emerging risks.
The Risk Management Department is in turn backed by a network of designated risk coordinators in each operational division and central support function whose role, within their sphere of responsibility, is to assist management in managing strategic operational risks, to ensure that a system of risk management is properly deployed in line with the Group approach, and to be an active member of the risk coordinator network.
2.C.b. Identifying, Assessing and Managing Operational and Financial Risks
In compliance with SOA 404 and with French legal requirements, a Group-wide approach to identifying, assessing and managing operational and financial risks has been implemented; it provides assurance as to the reliability of the system of internal control (GPS program), especially internal controls relating to the production of the financial statements.
During 2014, as part of the process of enhancing internal control and rolling out the GPS program, Risk Management, IC&P and Group Internal Audit updated the catalogue of operational and financial risks to reflect changes in identified risks.
At the end of 2014 the Global Compliance & Business Integrity Department updated its fraud risk assessment, supported by an evaluation of the principal fraud risks inherent in the Group’s environment and sector and by a practical analysis of actual fraud cases investigated over the past three years.
The IC&P Department has also developed operational and financial risk indicators, and reports every month to the Executive Vice-President Chief Financial Officer on trends in those indicators and on any action taken to assess and/or mitigate those risks.
A certification committee conducts an annual evaluation of the system of internal control and risk management relating to the production and processing of accounting and financial information, based on the findings established by IC&P. The results are reported to the Audit Committee, as are any internal control deficiencies that might result in material undetected error in the financial statements.
The Risk Management and IC&P departments were involved in preparing the description of risk factors presented in “Item 3. Key Information — D. Risk Factors” of the Annual Report on Form 20-F.
2.C.c. Identifying, Assessing and Managing Risks Relating to the Safety of Products Under Development and Marketed Products
The Pharmacovigilance and Epidemiology Department reports to the Group Chief Medical Officer. It develops structures and tools for assessing the safety profile of products under development and of licensed or marketed drugs, medical devices, nutraceuticals, cosmetics and vaccines. Pharmacovigilance is responsible for developing and updating tools and procedures to satisfy all regulatory requirements within its sphere of action. Operating procedures define the roles and responsibilities of those involved in the management of pharmacovigilance data, and in the reporting of such data (immediately or periodically) to the healthcare authorities and/or to investigators.
In addition to assessing the safety profile of products under development and marketed products, Pharmacovigilance is responsible for detecting and analyzing warning signals so that it can, if necessary, issue recommendations to limit the occurrence of side-effects, ensure the product is used properly, and provide healthcare professionals and patients with up-to-date medical information.
Pharmacovigilance helps assess the risk/benefit profile of products, whether in clinical development or already on the market. For a definition of the risk/benefit profile, refer to “Item 4. Information on the Company — B. Business Overview — Global Research & Development” of the Annual Report on Form 20-F.
Working with the clinical development and regulatory affairs teams and the epidemiology unit, Pharmacovigilance coordinates the development of risk management plans and monitors their application. These plans summarize the safety profile of the products as established during the development phase, describe the measures in place to monitor identified or potential risks, and propose guidelines to ensure the drug or vaccine is properly used.
In monitoring tolerance through the clinical trials phase and gathering unsolicited information about products already on the market, Pharmacovigilance relies on the network of pharmacovigilance units based in Group subsidiaries, and on contractual ties with development and marketing alliance partners. These units also act as an interface between the local healthcare authorities and other departments within the entity.
Pharmacovigilance handles the pharmaceuticals and vaccines businesses using a single platform and standardized processes. All information collected about side-effects for those businesses is centralized by Pharmacovigilance in a single global database.
An early warning system is in place to detect any risk liable to trigger the crisis management procedure, and to notify the Chief Executive Officer without delay.
As regards the Animal Health business, Merial has a Global Pharmacovigilance Department reporting to the head of Global Regulatory Affairs within Merial’s R&D function. Merial Pharmacovigilance systematically applies policies, procedures, and practices for assessing, controlling, communicating and reporting risks in the Animal Health sector. A comprehensive set of procedures ensures quality and consistency for all pharmacovigilance-related activities, including adverse event data collection and reporting across the different Merial subsidiaries as well as by third parties with whom Merial works.
2.C.d. Crisis Management
Sanofi has a crisis management policy, a key objective of which is to anticipate potential crises as far as possible, relying upon organizational and management principles and early warning systems covering all Group activities.
2.D. Control Activities
Conducted at all hierarchical and functional levels of the organization, control activities address the risks described in section 2.C. of this report (“Risk Identification, Assessment and Management”). Control activities are based on codes, policies, information systems, operating methods, and tools and practices.
The internal control manual contains mandatory controls for all processes and sub-processes. Mandatory controls address the operational, financial and strategic risks to which Sanofi is exposed; they contribute to the system of permanent internal control and are within the responsibility of the operating divisions and support functions. From 2015 onward, all mandatory controls will be subject to an annual self-assessment process.
Mandatory controls included in the system of internal control relating to financial information are identified as such in the financial controls framework, which is subject to evaluation in subsidiaries selected using a risk-based approach pursuant to SOA 404.
Those mandatory controls that address the risk of fraud are identified as participating in the Group’s anti-fraud program.
The Group Finance Department organizes annual meetings of Accounts Committees, which play a role in preparing the year-end accounting close at both consolidated and individual entity level. Their remit includes reviewing the status of Group entities in terms of tax, legal, treasury/financing and internal control processes, and validating the application of Group accounting policies.
2.E. Information and Communication
Information and communication refers to the flow of information supporting systems of internal control and risk management, from guidelines laid down by management through to action plans. It contributes to establishing the control environment and to disseminating and promoting a culture of internal control, and enables relevant control activities to be performed in order to manage risks.
Within Sanofi, information and communication relies upon:
· the way the Group is organized around the Executive Committee, in a structure that ensures clear and timely communication of senior management objectives to the operational divisions, support functions and regions;
· tools such as GeodePlus (a Group-wide documentation platform), MyRVR (a tool for documenting and reporting internal control deficiencies relating to financial information), Magnitude (accounting consolidation) and HFM (budget reporting);
· internal control training sessions provided by IC&P to new members of the internal control correspondents network;
· initiatives to inform operational divisions and support functions about implementation of the GPS program.
2.F. Monitoring of Internal Control and Risk Management Procedures
2.F.a. The Board of Directors and its Specialist Committees
The Board of Directors, through its specialist committees and particularly the Audit Committee, obtains assurance that the Group has reliable procedures for monitoring the system of internal control and for identifying, assessing and managing risks.
The composition of the Board of Directors and its specialist committees, the way their work is organized, and their contribution to the effective and transparent conduct of the Group’s affairs, are described in “Item 6. Directors, Senior Management and Employees” of the Annual Report on Form 20-F.
The Board Charter requires a discussion of the operating procedures of the Board to be included on the agenda of one Board meeting a year, with a formal evaluation performed every three years.
In accordance with the publications and recommendations issued by the AMF:
· the roles, responsibilities, composition and operation of the Audit Committee are defined in the Board Charter, and are consistent with the AMF report on audit committees published in 2010;
· the Board Charter, as updated and approved by the Board on a regular basis, specifies that the Audit Committee is responsible for monitoring:
– the process of preparing financial information;
– the effectiveness of internal control and risk management systems;
– the audit of the individual and consolidated financial statements by the statutory auditors; and
– the independence of the statutory auditors.
The Audit Committee is informed periodically, and on request, about the process used to identify, assess and manage the principal risks to which the Group is exposed.
2.F.b. Managerial Committees
Executive Committee
The Executive Committee, chaired by the Chief Executive Officer, sets guidelines for internal control and risk management, allocates resources, and monitors actions that are implemented within the Group and supervised by local management committees in each operational unit.
The Committee meets as often as required by the need for rapid decision-making. It draws on the experience and competencies of its members to anticipate and monitor risks and opportunities associated with developments affecting the Group itself and the pharmaceutical sector generally.
For details of the composition of the Executive Committee, refer to “Item 6. Directors, Senior Management and Employees — A. Directors and Senior Management” of the Annual Report on Form 20-F.
Risk Committee
For details of how the Risk Committee participates in the system of risk management, refer to section 2.C.a. of this report.
Compliance Executive Committee
Senior management has also set up a Compliance Executive Committee (CEC). The role of the CEC is to facilitate and oversee the effectiveness of all aspects of the Sanofi compliance program. It sets overall guidelines, and also has an operational role in proposing and implementing actions to reinforce the effectiveness of the program and foster a continuing commitment to Sanofi values. The Committee is chaired by the Chief Executive Officer.
Published Information Review Committee
The Published Information Review Committee is responsible for reviewing and validating key documents intended for shareholders and the public, and for assessing the procedures and controls used in preparing such documents. The Committee has implemented a process of reporting information to the Committee’s secretary to ensure that the Committee is kept informed of any significant event liable to impact the share price. The secretary then consults Committee members to determine what approach to adopt as far as informing the public is concerned.
2.F.c. Audits
Various types of audit, covering all Group entities, are conducted by Group Internal Audit and by expert audit teams from the Global Quality Department and the Health, Safety and Environment (HSE) Department.