Exhibit 99.1
Chapter 3
3.2. Report of the Chairman of the Board of Directors – Internal Control
3.2.1. Report of the Chairman of the Board of Directors on the preparation and organization of the Board of Directors’ duties, on internal control procedures applied by sanofi-aventis, and on limits placed by the Board of Directors on the powers of the Chief Executive Officer.
(Section L. 225- 37 paragraph 6 of theFrench Commercial Code)
In preparing this report, the Chairman consulted the Executive Vice President Finance and Legal, and the Senior Vice President Audit and Internal Control Assessment. In particular, he requested the latter to obtain the descriptions contained in this report.
The Board of Directors was informed of the conclusions of the Audit Committee and of the Statutory Auditors, and the final version of the Chairman’s report was submitted to the Board at the meeting convened to adopt the financial statements, held on February 11, 2008.
3.2.1.1. Preparation and Organization of the Board of Directors’ duties
Regarding the preparation and organization of the Board of Directors’ duties and the limits placed by the Board of Directors on the powers of the Chief Executive Officer, see Exhibit 99.2.
3.2.1.2. Internal control system implemented by the Company
The Group’s Senior Management has a clear ongoing commitment to maintaining and enhancing a reliable and effective internal control system built on ethical principles, appropriate organizational structures, well-defined responsibilities and demonstrated competencies. The overall objective is to promote the key elements of good corporate governance: transparency of management and providing shareholders with quality information.
3.2.1.2. A. Internal control system
The internal control system covers all entities consolidated by the Group. Since 2006, this system has included internal control assessment procedures relating to financial reporting with a view to ensuring compliance with Section 404 of the Sarbanes Oxley Act (SOA 404).
3.2.1.2. A.a. Reference framework for the internal control system
The internal control system is based on the five components contained in the “Internal Control – Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
The internal control system is developed and implemented by Group’s Senior Management, middle management and all Group employees, with the aim of providing directors, corporate officers and shareholders with reasonable assurance that the following objectives are met:
| • | | reliability of accounting and financial information; |
| • | | effectiveness and efficiency in the conduct of operations; |
| • | | compliance with applicable laws and regulations; and |
| • | | safeguarding of corporate assets. |
1
3.2.1.2. A.b. Underlying principles of internal control
The internal control system is built upon core principles:
| • | | responsibility of all employees of the Group for the implementation and effectiveness of internal control; |
| • | | distribution of frameworks and compliance with Group-wide policies and procedures; and |
| • | | segregation of duties, in other words ensuring that those who perform tasks are not responsible for approving or controlling the performance thereof. |
An internal control system can only give reasonable assurance, and can never give absolute assurance that these objectives are met. The probability of meeting these objectives is subject to the limitations inherent to all internal control systems, including the possibility of defective judgment in decision-making, the need for cost/benefit analysis before implementing controls, and the risk of malfunctions caused by human failings or mere error.
3.2.1.2. A.c. Organization, formalization and assessment procedure for internal control over financial reporting
In 2004, to comply with legal requirements on internal control in both France and the United States, sanofi-aventis implemented a dedicated internal control assessment department reporting to the Audit and Internal Control Assessment Department.
Capitalizing on the Group’s existing internal control system, this department developed a methodology to comply with Sarbanes-Oxley Act Section 404 (SOA 404), with the objective of improving the effectiveness of internal control over financial reporting. This methodology relies on an approach scaled to local risks and adapted to available resources. It applies to Group activities in proportion to their contribution to the consolidated financial statements and their risk profile, and provides a consistent basis for identifying, consolidating and qualifying identified deficiencies in internal control over financial reporting. The internal control assessment system applies a top-down risk-based approach defined at group level and implemented locally, in accordance with the recommendations of the Securities and Exchange Commission (SEC) published in June 2007.
To ensure full acceptance and implementations of this methodology for the assessment of internal control over financial reporting, the internal control assessment department:
| • | | defines responsibilities and establishes timetables; |
| • | | circulates an internal control assessment manual, supplemented with instructions, describing the methodology and the relevant tools; |
| • | | develops and delivers training modules on the concepts, tools and phases of the approach, and coordinates the network; |
| • | | liaises with external auditors; and |
| • | | conducts the assessment of internal control over financial reporting. |
The first report complying with SOA 404 has been issued in March 2007 relating to 2006 financial statements. Sanofi-aventis has conducted in 2007 this assessment and will conduct such an assessment every year to comply with current statutory requirements.
3.2.1.2. B. Control environment
The control environment, which is the cornerstone of all other internal control components, refers to the degree of awareness Group staff have of internal control. It relies on standards presented in the form of codes or charters.
3.2.1.2. B.a. Group Code of Ethics
The sanofi-aventis code of ethics has been disseminated throughout the Group. Not only has it been posted on the Corporate intranet, but it has also been printed in a booklet distributed to all sanofi-aventis staff worldwide. Within each subsidiary, designated Compliance Officers have organized the promotion of the code, and reinforced its messages by awareness campaigns tailored to reflect the cultural diversity of the countries where the Group operates.
2
3.2.1.2. B.b. Code of Financial Ethics
Sanofi-aventis has adopted a code of financial ethics pursuant to United States securities legislation. It has been signed by the Chairman, the Chief Executive Officer, the Executive Vice President Finance and Legal, the Senior Vice President Chief Financial Officer, and the Vice President Corporate Accounting, as well as by regional and country Chief Executives and Chief Financial Officers, and members of the Group Financial Management Committee.
3.2.1.2. B.c. Charters
Sanofi-aventis has provided all employees with charters that structure and promote the internal control environment. The main charters available to date include:
| • | | The information systems usage charter, which establishes rules governing the use of information technology (IT) resources; |
| • | | The personal data protection charter, underscoring the Group’s commitment to respecting privacy and protecting data of a personal nature; |
| • | | The social charter, reflecting the Group’s commitment to corporate social responsibility which incorporates the principles of the United Nations Global Compact on Labor, which sanofi-aventis is committed to follow; and |
| • | | The ethical charter for purchasing provided to all Group employees involved regularly or occasionally in purchasing activities which describes the conduct to be adopted by sanofi-aventis employees when carrying out their duties. |
3.2.1.2. B.d. Other standards
The pharmaceutical industry is subject to very strict regulatory constraints at both national and supra-national level. A large body of laws and regulations governs each stage of operations, from evaluation and selection of compounds to standards applied to the manufacturing, packaging, distribution and marketing of medicines and vaccines.
Sanofi-aventis applies many other internal standards derived from these external standards, adapted to the specific processes carried out by each entity, thereby contributing to internal control.
All Group codes, charters and procedures are available on the Group’s intranet.
3.2.1.2. C. Risk identification, assessment and management
The internal control system is based on the internal control environment and on an ongoing process of identifying, assessing and managing risk factors which may adversely affect the achievement of goals and opportunities aimed at improving performance.
Risks are managed at the appropriate level of the organization. They are discussed in the “Risk factors” section of the management report. See “Item 3. Key Information – D. Risk Factors”.
3.2.1.2. C.a. Group bodies responsible for identifying, assessing and managing risks and opportunities
The Group’s organizational structure is geared to managing the risks and opportunities associated with the activities of sanofi-aventis.
Responsibility for risk management is assumed at all levels within the Group. Corporate, operational and support teams constitute the staff responsible for internal control and contribute to the risk control system by conducting control processes within their area of responsibility. The main committees in charge of identifying, assessing and managing risks and opportunities are the Executive Committee, the Management Committee and the Products and Operations Committees. Their members rely on their experience to anticipate risks and opportunities arising further to developments in the pharmaceutical sector.
Ø Executive Committee and Management Committee
The Executive Committee chaired by the Committee Executive Officer, is a select group of key executives that meets twice a month in order to facilitate rapid decision-making.
It implements the Group’s overall strategy, oversees arbitration between departments and allocates resources, in furtherance at its high-level management role.
3
Its members include the Senior Vice President Research and Development(1), the Executive Vice President Finance and Legal, the Senior Vice President Industrial Affairs and the Executive Vice President Pharmaceutical Operations. Other participants are invited on an ad hoc basis, according to the agenda.
The Management Committee is also chaired by the Chief Executive Officer and meets once a month. Its members include all the senior executive officers of the Group’s major Departments. It reviews ongoing group operations, and is a forum for exchanging ideas and information between functions and for coordinating of transversal projects across the organization.
Ø Products Committee
The Products Committee is chaired by the Senior Vice President Research and Development(1) and meets once a month. It deals with the development and marketing of products, and is attended by key managers from Pharmaceutical Operations, Financial Strategy and Plan, and Business Development.
Ø Operations Committee
The Operations Committee is chaired by the Executive Vice President Pharmaceutical Operations. It meets once a month and is attended by the regional managers and corporate managers from Pharmaceutical Operations. It deals with Group performance issues, and assesses changes in the environment and the requisite responses.
3.2.1.2. C.b. Approach to identifying, assessing and managing financial risks
Under SOA 404 and obligations imposed by French legislation, the Group has adopted a process of identifying, assessing and managing financial risks. This process has identified the control activities that need to be put in place and ensures that the internal control system over financial reporting is reliable.
The methodology developed by the internal control assessment department covers the five COSO components and comprises:
| • | | a reference framework of processes used to prepare and process financial and accounting information; |
| • | | a group evaluation tool comprising three reference frameworks applying at different levels of the organization and designed to produce an evaluation at Group level while adapting the workload to the identified risks. On the basis of these frameworks, each entity can assess its capacity to control risks and identify any deficiency in its internal control system; and |
| • | | a fraud detection and prevention process based on the various elements of the control environment (See section “3.2.1.2.B. Control Environment”) that specifies the obligations incumbent on each manager in respect of identifying, reporting and dealing with acknowledged fraud incidents. This process also covers safeguarding of assets and corruption issues, which fall outside the financial reporting process. |
The purpose of this methodology is to identify, track and report financial risks. All those whose permanent duties include assessing internal control are responsible for ensuring that all such financial risks are under control. They are also required to notify the Group of any residual deficiency in internal control.
A Qualification Committee conducts an annual assessment of internal control and financial risks, the purpose of which is to assess the materiality of each duly identified financial risk and the likelihood of occurrence. It notifies the Audit Committee of any residual risks that may have a significant or material impact on published financial statements that could call into question the reliability of the Group’s disclosures. This committee includes the Executive Vice President Finance and Legal, the Senior Vice President Chief Financial Officer, the Senior Vice President Audit and Internal Control Assessment, the Vice President Corporate Accounting, the Vice President Information Systems and the Director of Internal Control Assessment, assisted if need be by representatives of the Group’s functions.
| (1) | Research and Development was formerly known as Scientific and Medical Affairs. |
4
3.2.1.2. C.c. Participants involved in managing risks relating to activities in the pharmaceutical sector
Ø Pharmacovigilance
The Pharmacovigilance Department reports to the Research and Development Department (pharmaceuticals) or the Vaccines Department (vaccines). The department is responsible for implementing organizational structures and tools that enable the safety profile of products under development, and of licensed and marketed drugs or vaccines, to be assessed. Operating procedures define the roles and responsibilities of those involved in the management of pharmacovigilance data, and in the reporting of such data (immediately or periodically) to the healthcare authorities and/or to investigators.
In addition to assessing the safety profile of products under development and marketed products, the Pharmacovigilance Department is responsible for detecting and analyzing warning signals in order to, if necessary, issue recommendations to limit the occurrence of side-effects, ensure the product is used properly, and provide healthcare professionals and patients with up-to-date medical information.
The Pharmacovigilance Department helps assess the risk/benefit profile of products, whether they are in clinical development or already on the market.
Working with the clinical development and regulatory affairs teams and the epidemiology unit, the Pharmacovigilance Department helps prepare and follow up the related risk management plans. These plans summarize the safety profile of the products as established during the development phase, describe the measures in place to monitor identified or potential risks, and propose steps to ensure the drug or vaccine is properly used.
In monitoring tolerance through the clinical trials phase and gathering unsolicited information about products already on the market, this department relies on the network of pharmacovigilance units based in the subsidiaries, and on contractual ties with development and marketing alliance partners. These units also act as an interface between the local healthcare authorities and other departments within the subsidiary.
The Pharmacovigilance Department develops or updates tools or specific procedures designed to ensure all regulatory requirements falling within its responsibilities are met.
A Group pharmacovigilance unit collates all information about side-effects from all over the world, whatever the source. An early warning procedure has been put in place to detect any risk liable to trigger the crisis management procedure and to notify the Chief Executive Officer without delay.
Ø Other participants
The management of pharmaceutical activities also relies on:
| • | | a structured health, safety and environment department in each of the Group’s activities and in each business unit, relying on the application of an internal policy; |
| • | | a sustainable development department, which devises global policy and related reporting procedures; |
| • | | an insurance department, which among other things provides subsidiaries with advice and risk prevention support; and |
| • | | a corporate economic security department, responsible for protecting the Group’s workforce and tangible and intellectual property and assets. |
The Group also has a crisis management procedure designed to anticipate, as far as possible, the potential emergence of crises, via management principles and early warning systems covering all Group activities.
3.2.1.2. D. Control activities ensuring the reliability of the internal control system
Conducted at all hierarchical and functional levels of the organization, control activities are based on procedures that are available on the Group’s intranet, information systems, operating methods, tools and good practices. They are geared to the existing internal control environment and the risks and errors to be prevented, and are under the responsibility of management.
The process of preparing financial statements relies on operational processes encompassing sales administration, purchases, production process and inventory management, human resources, information systems and the monitoring of legal affairs as they contribute to the production of financial and accounting information.
5
The Group Finance Department is structured to enable it to carry out its various duties (preparing separate and consolidated financial statements, accounting standards, controlling, treasury and tax affairs). It coordinates and oversees local finance departments. Accounts committees, which are responsible for reviewing the tax, legal, cash and financing position of companies and validating the application of Group accounting policies, are set up annually on the basis of the accounts as of end of September. Their objective is to review the accounts of Group companies with a view to preparing the Group’s annual consolidated financial statements and the separate financial statements of Group companies. For each entity examined, these accounts committees are made up of the Chief Financial Officers of the main subsidiaries, representatives from the zone or activity finance department, representatives from the expert functions of the Group Finance Department (tax, consolidation, treasury, financing, etc) and representatives from Legal Affairs.
Further to the requirement to file an annual report with the United States Securities and Exchange Commission (SEC), and pursuant to section 302 of the Sarbanes-Oxley Act, the Chief Executive Officer and the Executive Vice President Finance and Legal are required to carry out an evaluation of the adequacy and effectiveness of the Group’s control over published financial information and over fraud, relying partly on representation letters signed by the Chief Executives and Chief Financial Officers of the different consolidated legal entities.
3.2.1.2. E. Information and communication
Information and communication represents the flow of information accompanying internal control procedures, from the guidelines laid down by management to the action plans. It contributes to establishing the control environment, disseminating a culture of internal control and promoting relevant control activities that contribute to risk control.
In its organizational choices, the Group strives to abide by the principles of safe and effective operations while factoring in the constraints imposed by its pharmaceutical activity and its regulatory, economic and social environments. A legal unit and a managerial organization, organized around internal and external delegations of power, have been formed to conduct operations, circulate and apply the Group’s strategy at the appropriate level of the organization.
Information and communication rely on information systems. The Information Systems (IS) function is responsible for all the Group’s information systems. It is organized in such a way that Group operations (Research and Development, Industrial Affairs, Pharmaceutical Operations, Vaccines) are encouraged to run their operational and business-specific activities independently. It comprises departments under the direct authority of the Group Information Systems Department and decentralized departments within operations.
The various departments of the Group’s Information Systems Department formulate Group IS policies, coordinate processes for managing the IS function and administer infrastructures and IT services worldwide. The decentralized information system departments develop and administer business-specific applications and run dedicated IT infrastructures and services.
The Information Systems function council, comprising the managers of the decentralized IS departments and of the Group Information Systems Department, coordinates Group-wide matters and approves Group-wide policies, in particular IS security and quality policies.
The Group Information Systems Department has a team dedicated to facilitating implementation of the internal control assessment process for the IS function.
3.2.1.2. F. Monitoring of the internal control system
The Group’s senior management oversees and supervises internal control, largely through managerial committees and the departments of each business unit.
This supervisory role is supplemented by active monitoring of internal control practices with a view to taking corrective action or adapting the internal control system.
Through the Audit Committee, the Board of Directors participates in monitoring and supervising activities.
3.2.1.2. F.a. The Board of Directors and its Committees
The composition of the Board of Directors and its specialist committees, and the way their work is organized, contributes to the effective and efficient operations of the Group, in all transparency, see Exhibit 99.2.
6
3.2.1.2. F.b. Senior Management
The Group’s senior management sets overall guidelines for internal control and ensures they are implemented. In the subsidiaries, each manager is required to follow these guidelines and ensure they are duly applied.
The Group’s decentralized structure, organized into autonomous units, means the Group can be broken down into key Departments. This gives the front line genuine autonomy and the power to make decisions, while strategic decisions are prepared and decided at Group level.
3.2.1.2. F.c. Ethics Committee
The Ethics Committee reports to Senior Management. Its main role is to monitor Group-wide compliance with the ethical principles and rules of conduct contained in the code of ethics. The committee meets at least once a quarter, as required by its operating charter. The early warning procedure set up in accordance with the code of ethics empowers staff to report any violation or breach of the principles set out in the code to the corporate compliance department, which then informs the Ethics Committee of its response to reported violations or breaches. The Ethics Committee approves this information for communication to the Audit Committee.
3.2.1.2. F.d. Published Information Review Committee
The Published Information Review Committee is responsible for reviewing and validating key documents intended for shareholders and the public, and for assessing the procedures and controls used in preparing such documents.
The Committee has implemented a process of reporting information to the Committee’s secretary to ensure that the Committee is kept informed of any significant event liable to impact the share price. The secretary then consults Committee members to determine what approach to adopt as far as informing the public is concerned.
3.2.1.2. F.e. Audits
Several types of audits are in place, covering all Group consolidated companies.
The roles and missions of internal and information system audits are described in a charter, available on the Group’s intranet.
The Group’s internal audit department is independent and objective, reporting directly to the Chief Executive Officer. It has neither authority over nor responsibility for the operations it reviews, and has complete freedom of action. Internal Audit is responsible for providing Senior Management, and the Board of Directors via the Audit Committee, with reasonable assurance on the level of control over operations within the Group and the effectiveness of internal control. The internal audit function of sanofi-aventis obtained certification from IFACI (the French Institute of Internal Audit and Internal Control) in 2006, providing assurance that it complies with international professional standards.
The information systems audit department is completely independent of the Group Information Systems Department. It is organized along similar lines to the Group internal audit function, but conducts its assignments using a methodology specific to information systems auditing.
The quality assurance departments, which are an integral part of functions and activities, carry out regular audits to assess best practices and ensure that procedures are applied and comply with the regulations governing their area of expertise.
7
