Exhibit 99.1
Chapter 3
3.2. Report of the Chairman of the Board of Directors – Internal Control
(Section L. 225-37 of the French Commercial Code)
3.2.1. Chairman’s report
In preparing this report, the Chairman consulted the Senior Vice President Chief Financial Officer and the Senior Vice President Audit and Internal Control Assessment.
The Board of Directors was informed of the conclusions of the specialist committees and of the Statutory Auditors, and approved the Chairman’s report.
3.2.1.1. Corporate Governance
Sanofi-aventis applies the guidance contained in the AFEP-MEDEF corporate governance code of December 2008, available on the MEDEF website: www.medef.fr and on the Company website: www.sanofi-aventis.com. A detailed description of how this code is applied by sanofi-aventis, and of other corporate governance practices adopted by sanofi-aventis, is provided in our French-language Annual Report, in sections 1.2. “Gouvernement d’entreprise”, 1.1.10 “Assemblées Générales”, and 3.1.11 “Informations complémentaires”.
For an English-language description of our corporate governance practices, refer to Item 6 “— Directors, Senior Management and Employees” of our Annual Report on Form 20-F, and to Exhibit 99.2 “Extracts from the Internal Rules of the Board of Directors”. References to specific corporate governance practices are provided below:
For a description of the principles and rules agreed by the Board of Directors for the determination of compensation and all other benefits awarded to corporate officers, refer to Item 6B, “Compensation”.
For a description of the composition of the Board of Directors, and of the preparation and organization of the duties of the Board of Directors, refer to Item 6A, “Directors and Senior Management” and Item 6C, “Board Practices”.
For a description of the limits placed by the Board on the powers of the Chief Executive Officer, refer to Item 6A, “Directors and Senior Management”.
For a description of the arrangements for shareholders to participate in General Meetings of sanofi-aventis, refer to Item 10B, “Memorandum and Articles of Association — Shareholders’ Meetings”.
Factors that are liable to have an impact in the event of a public offer for the Company’s shares are discussed in Item 3D, “Risk Factors — Risks Relating to an Investment in our Shares or ADSs”, and Item 10, “Additional Information”, in particular “B — Memorandum and Articles of Association”.
3.2.1.2 Internal control procedures and risk management implemented by the Company
The Group’s Senior Management has a clear ongoing commitment to maintaining and enhancing a reliable and effective internal control system built on ethical principles, appropriate organizational structures, well-defined responsibilities and demonstrated competencies. The overall objective is to promote the key elements of good corporate governance: transparency of management and providing shareholders with quality information.
3.2.1.2. A. Internal control system
The internal control system covers all entities consolidated by the Group. Since 2006, this system has included internal control assessment procedures relating to financial reporting with a view to ensuring compliance with Section 404 of the Sarbanes-Oxley Act (SOA 404).
3.2.1.2. A.a. Reference framework for the internal control system
The internal control system is based on the five components contained in the “Internal Control – Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
The internal control system is developed and implemented by the Group’s senior management, middle management and all of its employees, with the aim of providing directors, corporate officers and shareholders with reasonable assurance that the following objectives are met:
• reliability of accounting and financial information;
• effectiveness and efficiency in the conduct of operations;
• compliance with applicable laws and regulations; and
• safeguarding of corporate assets.
3.2.1.2. A.b. Underlying principles of internal control
The internal control system is built upon core principles:
• responsibility of all employees of the Group for the implementation and effectiveness of internal control;
• distribution of frameworks and compliance with Group-wide policies and procedures; and
• segregation of duties, in other words ensuring that those who perform tasks are not responsible for approving or controlling the performance thereof.
An internal control system can only give reasonable assurance, and can never give absolute assurance, that these objectives are met. The probability of meeting these objectives is subject to the limitations inherent to all internal control systems, including the possibility of defective judgment in decision-making, the need for cost/benefit analysis before implementing controls, and the risk of deficiencies caused by human failings or mere error.
3.2.1.2. A.c. Organization, formalization and assessment procedure for internal control over financial reporting
In 2004, to comply with legal requirements on internal control in both France and the United States, sanofi-aventis implemented a dedicated internal control assessment department reporting to the Audit and Internal Control Assessment Department.
Capitalizing on the Group’s existing internal control system, this department developed a methodology to comply with Sarbanes-Oxley Act Section 404 (SOA 404), with the objective of improving the effectiveness of internal control over financial reporting. This methodology relies on an approach scaled to local risks and adapted to available resources. It applies to Group activities in proportion to their contribution to the consolidated financial statements and their risk profile, and provides a consistent basis for identifying, consolidating and qualifying identified deficiencies in internal control over financial reporting. The internal control assessment system applies a top-down risk-based approach defined at Group level and implemented locally, in accordance with the recommendations of the Securities and Exchange Commission (SEC) published in June 2007.
To ensure full acceptance and implementation of this methodology for the assessment of internal control over financial reporting, the internal control assessment department:
• defines responsibilities and establishes timetables;
• circulates an internal control assessment manual, supplemented with instructions, describing the methodology and the relevant tools;
• develops and delivers training modules on the concepts, tools and phases of the approach, and coordinates the network;
• liaises with external auditors; and
• conducts the assessment of internal control over financial reporting.
The first report complying with SOA 404 was issued in March 2007 and related to the 2006 financial statements. Since that date, the Group has performed an annual assessment of internal control over financial reporting to meet legal requirements in the United States. The Report of Management on Internal Control Over Financial Reporting complying with SOA 404 is presented in Item 15 of the Annual Report for the year ended December 31, 2008 on Form 20-F.
3.2.1.2. B. Control environment
The control environment, which is the cornerstone of all other internal control components, refers to the degree of awareness Group staff have of internal control. It relies on standards presented in the form of codes or charters.
3.2.1.2. B.a. Group code of ethics
The sanofi-aventis code of ethics has been disseminated throughout the Group. Not only has it been posted on the Group’s intranet, but it has also been printed in a booklet distributed to all sanofi-aventis staff worldwide. Within each subsidiary, designated Compliance Officers organize the promotion of the code, and reinforce its messages by awareness campaigns, in particular for new employees, tailored to reflect the cultural diversity of the countries where the Group operates.
3.2.1.2. B.b. Code of financial ethics
Sanofi-aventis has adopted a code of financial ethics pursuant to United States securities legislation. This code is available on the Group’s intranet.
3.2.1.2. B.c. Code of conduct – prevention of insider dealing
As a result of the dual listing of sanofi-aventis in France and in the United States, both French and U.S. rules apply. Other countries’ rules may also apply. The code of conduct – prevention of insider dealing aims at providing background information and familiarizing employees with basic concepts of insider dealing and the confidentiality of information obtained in the course of their employment. The code was communicated in 2008 via the Group’s intranet.
3.2.1.2. B.d. Code of internal control principles
The internal control assessment department published the code of internal control principles in May 2008. This code sets out the key principles of governance and internal control, locking in action taken by the Group to implement internal control and improve its effectiveness. It was distributed to the management of Group entities in an awareness campaign backed by senior management, and has been made available to Group employees via the Group’s intranet.
3.2.1.2. B.e. Charters
Sanofi-aventis has provided all employees with charters that structure and promote the internal control environment. The main charters available to date include:
• the information systems usage charter, which establishes rules governing the use of information technology (IT) resources;
• the personal data protection charter, underscoring the Group’s commitment to respecting privacy and protecting data of a personal nature;
• the social charter, reflecting the Group’s commitment to corporate social responsibility which incorporates the principles of the United Nations Global Compact on Labor, which sanofi-aventis is committed to follow; and
• the ethical charter for purchasing provided to all Group employees involved regularly or occasionally in purchasing activities which describes the conduct to be adopted by sanofi-aventis employees when carrying out their duties.
3.2.1.2. B.f. Other standards
The pharmaceutical industry is subject to very strict regulatory constraints at both national and supra-national level. A large body of laws and regulations governs each stage of operations, from evaluation and selection of compounds to standards applied to the manufacturing, packaging, distribution and marketing of medicines and vaccines.
Sanofi-aventis applies many other internal standards derived from these external standards, adapted to the specific processes carried out by each entity, thereby contributing to internal control.
All Group codes, charters and procedures are available on the Group’s intranet.
3.2.1.2. C. Risk identification, assessment and management
The internal control system is based on the internal control environment and on an ongoing process of identifying, assessing and managing risk factors which may adversely affect the achievement of goals and opportunities aimed at improving performance.
Responsibility for the identification, evaluation and management of risks is drilled down to all appropriate levels of the Group’s organization.
3.2.1.2. C.a. Group bodies responsible for identifying, assessing and managing risks and opportunities
The Group’s organizational structure is geared to managing the risks and opportunities associated with the activities of sanofi-aventis.
Responsibility for risk management is assumed at all levels within the Group. Corporate, operational and support teams constitute the staff responsible for internal control and contribute to the risk control system by conducting control processes within their area of responsibility. The main committees in charge of identifying, assessing and managing risks and opportunities are the Executive Committee, the Management Committee, the Operations Committee, the Drug Development Board and the Product Value Proposition. Their members rely on their experience to anticipate risks and opportunities arising further to developments in the pharmaceutical sector.
➢ Executive Committee and Management Committee
The Executive Committee, chaired by the Chief Executive Officer, is a select group of key executives that meets twice a month in order to facilitate rapid decision-making.
It implements the Group’s overall strategy, oversees arbitration between departments and allocates resources, in furtherance of its high-level management role.
Its members comprise the Senior Vice President Research and Development, the Senior Vice President Chief Financial Officer, the Senior Vice President Legal Affairs and General Counsel, the Senior Vice President Industrial Affairs, the Executive Vice President Pharmaceutical Operations and the Senior Vice President Group Human Resources. Other participants are invited on an ad hoc basis, according to the agenda.
The Management Committee is also chaired by the Chief Executive Officer and meets once a month. Its members comprise all the senior executive officers of the Group’s major Departments. It reviews ongoing group operations, and is a forum for exchanging ideas and information between functions and for coordinating transversal projects across the organization.
➢ Operations Committee
The Operations Committee is chaired by the Executive Vice President Pharmaceutical Operations. It meets once a month and is attended by the regional managers and corporate managers from Pharmaceutical Operations. It deals with Group performance issues, and assesses changes in the environment and the requisite responses.
➢ New committees in 2008
The operating model adopted by the Group to address the changes and constraints affecting the pharmaceuticals sector is built on two key principles: transversality, and decentralization of operations, implemented via Regional Strategic Councils that aim to maximize local growth opportunities.
Two other new committees have been established:
The Drug Development Board intervenes in the early phases of a product’s life cycle making decisions on whether to move the product into development. As part of this role, the Board sets projected development timelines, devises development strategies and validates the successive phases.
• Product Value Proposition
This committee’s role is to optimize the conditions for bringing products to market and to implement Phase III programs. It examines a product’s potential, competitive environment and probability of success. The committee also devises a differentiation strategy for product development, aimed at documenting medical and cost benefits for patients while taking account of healthcare budget constraints.
Product Value Proposition recommendations are built into the Phase III strategy proposed by the Drug Development Board and presented to the Executive Committee.
3.2.1.2. C.b. Approach to identifying, assessing and managing financial risks
Under SOA 404 and obligations imposed by French legislation, the Group has adopted a process of identifying, assessing and managing financial risks. This process has identified the control activities that need to be put in place and ensures that the internal control system over financial reporting is reliable.
To ensure the reliability of internal control over financial reporting, the approach identifies risks to be covered and then identifies controls to be implemented.
The methodology developed by the internal control assessment department covers the five COSO components and comprises:
• a reference framework of processes used to prepare and process financial and accounting information;
• a reference framework of the financial risks, integrating the risk of fraud. This framework is structured to carry out the assessment at all levels of the Group;
• a group evaluation tool comprising three reference frameworks applying at different levels of the organization and designed to produce an evaluation at Group level while adapting the workload to the identified risks. On the basis of these frameworks, each entity can assess its capacity to control risks and identify any deficiency in its internal control system; and
• a fraud detection and prevention process based on the various elements of the control environment (see section “3.2.1.2. B. Control environment”) that specifies the obligations incumbent on each manager in respect of identifying, reporting and dealing with acknowledged fraud incidents. This process also covers safeguarding of assets and corruption issues, which fall outside the financial reporting process.
The purpose of this methodology is to identify, track and report financial risks. All those whose permanent duties include assessing internal control are responsible for ensuring that all such financial risks are under control. They are also required to notify the Group of any residual deficiency in internal control.
A Qualification Committee conducts an annual assessment of internal control and financial risks, the purpose of which is to assess the materiality of each duly identified financial risk and the likelihood of occurrence. It notifies the Audit Committee of any residual risks that may have a significant or material impact on published financial statements that could call into question the reliability of the Group’s disclosures. This committee comprises the Senior Vice President Chief Financial Officer, the Senior Vice President Audit and Internal Control Assessment, the Vice President Corporate Accounting, the Vice President Information Systems and the Director of Internal Control Assessment, assisted if need be by representatives of the Group’s functions.
3.2.1.2. C.c. Identification, assessment and monitoring of risks relating to activities in the pharmaceutical sector
The identification, assessment and monitoring of risks relating to the activities of the pharmaceutical sector are the responsibility of the following departments:
• legal department, in particular as regards obtaining or enforcing patent rights and other industrial property rights;
• a structured health, safety and environment department in each of the Group’s activities and in each business unit, relying on the application of an internal policy;
• an insurance department, which among other things provides subsidiaries with advice and risk prevention support; and
• a corporate economic security department, responsible for protecting the Group’s workforce and tangible and intellectual property and assets.
The main risks relating to the activities in the pharmaceutical sector and the main financial risks are discussed in “Item 3. Key Information – D. Risk Factors” of the Annual Report on Form 20-F.
The Group also has a crisis management procedure designed to anticipate, as far as possible, the potential emergence of crises, via management principles and early warning systems covering all Group activities.
➢ Pharmacovigilance
The Pharmacovigilance Department reports to the Research and Development Department (pharmaceuticals) or the Vaccines Department (vaccines). The department is responsible for implementing organizational structures and tools that enable the safety profile of products under development, and of licensed and marketed drugs or vaccines, to be assessed. Operating procedures define the roles and responsibilities of those involved in the management of pharmacovigilance data, and in the reporting of such data (immediately or periodically) to the healthcare authorities and/or to investigators.
In addition to assessing the safety profile of products under development and marketed products, the Pharmacovigilance Department is responsible for detecting and analyzing warning signals in order to, if necessary, issue recommendations to limit the occurrence of side-effects, ensure the product is used properly, and provide healthcare professionals and patients with up-to-date medical information.
The Pharmacovigilance Department helps assess the risk/benefit profile of products, whether they are in clinical development or already on the market.
Working with the clinical development and regulatory affairs teams and the epidemiology unit, the Pharmacovigilance Department helps prepare and follow up the related risk management plans. These plans summarize the safety profile of the products as established during the development phase, describe the measures in place to monitor identified or potential risks, and propose steps to ensure the drug or vaccine is properly used.
In monitoring tolerance through the clinical trials phase and gathering unsolicited information about products already on the market, this department relies on the network of pharmacovigilance units based in the subsidiaries, and on contractual ties with development and marketing alliance partners. These units also act as an interface between the local healthcare authorities and other departments within the subsidiary.
The Pharmacovigilance Department develops or updates tools or specific procedures designed to ensure all regulatory requirements falling within its responsibilities are met.
A Group pharmacovigilance unit collates all information about side-effects from all over the world, whatever the source. An early warning procedure has been put in place to detect any risk liable to trigger the crisis management procedure and to notify the Chief Executive Officer without delay.
3.2.1.2. D. Control activities ensuring the reliability of the internal control system
Conducted at all hierarchical and functional levels of the organization, control activities are based on procedures that are available on the Group’s intranet, information systems, operating methods, tools and good practices. They are geared to the existing internal control environment and the risks and errors to be prevented, and are under the responsibility of management.
The process of preparing financial statements relies on operational processes encompassing sales administration, purchases, production process and inventory management, human resources, information systems and the monitoring of legal affairs as they contribute to the production of financial and accounting information. Control activities identified in all these processes are included in the scope of the assessment conducted under the Sarbanes-Oxley Act section 404.
The Group Finance Department is structured to enable it to carry out its various duties (preparing separate and consolidated financial statements, accounting standards, controlling, treasury and tax affairs). It coordinates and oversees local finance departments. Accounts committees, which are responsible for reviewing the tax, legal, cash and financing position of companies and validating the application of Group accounting policies, meet annually on the basis of the accounts as of end of September. Their objective is to review the accounts of Group companies with a view to preparing the Group’s annual consolidated financial statements and the separate financial statements of Group companies. For each entity examined, these accounts committees are made up of the Chief Financial Officers of the main subsidiaries, representatives from the zone or activity finance department, representatives from the expert functions of the Group Finance Department (tax, consolidation, treasury, financing, etc) and representatives from Legal Affairs.
A treasury committee, chaired by the Senior Vice President Chief Financial Officer, meets monthly to review strategies related to financing, investment, and the hedging of interest rate risk, currency risk, banking counterparty risk and liquidity risk.
Further to the requirement to file an Annual Report with the United States Securities and Exchange Commission (SEC), and pursuant to section 302 of the Sarbanes-Oxley Act, the Chief Executive Officer and the Senior Vice President Chief Financial Officer are required to carry out an evaluation of the adequacy and effectiveness of the Group’s control over published financial information and over fraud, relying partly on representation letters signed by the Chief Executive Officers and Chief Financial Officers of the different consolidated legal entities and on the fraud prevention and detection process (see section “3.2.1.2. C.b. Approach to identifying, assessing and managing financial risks”).
3.2.1.2. E. Information and communication
Information and communication represents the flow of information accompanying internal control procedures, from the guidelines laid down by management to action plans. It contributes to establishing the control environment, disseminating a culture of internal control and promoting relevant control activities that contribute to risk control.
In its organizational choices, the Group strives to abide by the principles of safe and effective operations while factoring in the constraints imposed by its pharmaceutical activities and its regulatory, economic and social environments. A legal unit and a managerial organization, structured around internal and external delegations of power, have been established to conduct operations and to circulate and apply the Group’s strategy at the appropriate level of the organization.
Information and communication rely on information systems. The Group intranet is a communication vector for the elements of the internal control environment. The information systems (IS) function is responsible for all the Group’s information systems. It is organized in such a way that Group operations (Research and Development, Industrial Affairs, Pharmaceutical Operations, Vaccines) are encouraged to run their operational and business-specific activities independently. It comprises departments under the direct authority of the Group information systems department and decentralized departments within operations.
The various departments of the Group’s information systems department formulate Group IS policies, coordinate processes for managing the IS function and administer infrastructures and IT services worldwide consistent with Group priorities. The decentralized information system departments develop and administer business-specific applications and run dedicated IT infrastructures and services.
The information systems function council, comprising the managers of the decentralized IS departments and of the Group information systems department, coordinates Group-wide matters and approves Group-wide policies, in particular IS security, quality policies and IT infrastructures.
The Group information systems department has a team dedicated to facilitating implementation of the internal control assessment process for the IS function.
3.2.1.2. F. Monitoring of the internal control system
The Group’s senior management oversees and supervises internal control, largely through managerial committees and the departments of each business unit.
This supervisory role is supplemented by active monitoring of internal control practices with a view to taking corrective action or adapting the internal control system.
Through the Audit Committee, the Board of Directors participates in monitoring and supervising activities.
3.2.1.2. F.a. The Board of Directors and its Committees
The composition of the Board of Directors and its specialist committees, and the way their work is organized, contributes to the effective and transparent conduct of the Group’s affairs; see Exhibit 99.2.
3.2.1.2. F.b. Senior management
The Group’s senior management sets overall guidelines for internal control and ensures they are implemented. In the subsidiaries, each manager is required to follow these guidelines and ensure they are duly applied.
The Group’s decentralized structure, organized into autonomous units, means the Group can be broken down into key Departments. This gives the front line genuine autonomy and the power to make decisions, while strategic decisions are prepared and decided at Group level.
3.2.1.2. F.c. Ethics Committee
The Ethics Committee reports to senior management. Its main role is to monitor Group-wide compliance with the ethical principles, values and rules of conduct contained in the code of ethics. The committee meets at least once a quarter, as required by its operating charter. The early warning procedure set up in accordance with the code of ethics empowers staff to report any violation or breach of the principles set out in the code to the corporate compliance department, which then informs the Ethics Committee of its response to reported violations or breaches. The Ethics Committee approves this information for communication to the Audit Committee.
3.2.1.2. F.d. Published Information Review Committee
The Published Information Review Committee is responsible for reviewing and validating key documents intended for shareholders and the public, and for assessing the procedures and controls used in preparing such documents.
The Committee has implemented a process of reporting information to the Committee’s secretary to ensure that the Committee is kept informed of any significant event liable to impact the share price. The secretary then consults Committee members to determine what approach to adopt as far as informing the public is concerned.
3.2.1.2. F.e. Audits
Several types of audits are in place, covering all Group consolidated companies.
The roles and missions of internal audit and information system audit are described in a charter, available on the Group’s intranet.
The Group’s internal audit department is independent and objective, reporting directly to the Chief Executive Officer. It has neither authority over nor responsibility for the operations it reviews, and has complete freedom of action. Internal audit is responsible for providing senior management, and the Board of Directors via the Audit Committee, with reasonable assurance on the level of control over operations within the Group and the effectiveness of internal control. The Audit Committee is periodically informed about the results of internal audit activities, the implementation status of internal audit recommendations, the audit plan and the related resource needs. The internal audit function of sanofi-aventis obtained certification from IFACI (the French Institute of Internal Audit and Internal Control) in 2006, providing assurance that it complies with international professional standards.
The information systems audit department is completely independent of the Group Information Systems Department. It is organized along similar lines to the Group internal audit function, but conducts its assignments using a methodology specific to information systems auditing.
Internal audit and information systems audit are under the authority of the Audit and Internal Control Assessment Department.
The quality assurance departments, which are an integral part of functions and activities, carry out regular audits to assess good practices and ensure that procedures are applied and comply with the regulations governing their area of expertise.