Exhibit 99.1
Report of the Chairman of the Board of Directors as presented in the French-language document de référence
(Section L. 225-37 of the French Commercial Code)
In preparing this report, the Chairman consulted the Executive Vice President Chief Financial Officer and the Senior Vice President Audit and Internal Control Assessment.
The Board of Directors was informed of the conclusions of the specialist committees and of the Statutory Auditors, and has approved this Chairman’s report.
1. Corporate Governance
Corporate governance is discussed in “Item 16G. Corporate Governance” of the Annual Report on Form 20-F.
2. Internal control procedures and risk management implemented by the Company
The Group’s senior management has a clear ongoing commitment to maintaining and enhancing an effective internal control and risk management system built on ethical principles, appropriate organizational structures, well-defined responsibilities and demonstrated competencies. The objective is to promote the key elements of good corporate governance: transparency of management, and providing shareholders with quality information.
2. A. Internal control system
Internal control is a management tool developed and implemented by the Group’s senior management, middle management and staff with the aim of providing directors, corporate officers and shareholders with reasonable assurance that the following objectives are met:
· reliability of accounting and financial information;
· effectiveness and efficiency in the conduct of operations;
· compliance with applicable laws and regulations; and
· safeguarding of corporate assets.
The internal control system covers the entities and businesses consolidated by the Group, and includes methodologies adapted to specific risk exposures. It is systematically rolled out in newly-acquired entities from the date of acquisition, using a timetable tailored to reflect priorities at each stage of the integration process. Internal audits and self-assessments are used to measure the extent to which the internal control system is being deployed, especially in newly-acquired entities. In order to comply with Section 404 of the Sarbanes-Oxley Act (SOA 404), the system includes procedures to assess the effectiveness of internal control over financial reporting.
2. A.a. Reference framework for the internal control system
The internal control system is based on the five components contained in the “Internal Control — Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO):
· control environment;
· risk identification, assessment and management;
· control activities ensuring the reliability of the internal control system;
· information and communication; and
· monitoring of the internal control system.
The COSO framework, adopted because Sanofi is listed on the U.S. stock market and to comply with the Sarbanes-Oxley Act, is regarded as equivalent to the AMF reference framework by the Autorité des Marchés Financiers (AMF), the French financial markets regulator.
2. A.b. Underlying principles of internal control
The internal control system is built upon the following core principles:
· responsibility of all employees of the Group for implementing and maintaining effective internal control;
· information about risk and control frameworks and about compliance with Group-wide procedures; and
· segregation of duties, in other words ensuring that those who perform tasks are not responsible for approving or controlling the performance thereof.
An internal control system can only give reasonable assurance, and can never give absolute assurance, that these objectives are met. The probability of meeting these objectives is subject to the limitations inherent in all internal control systems, including the possibility of defective judgment in decision-making, the need for cost/benefit analysis before implementing controls, and the risk of deficiencies caused by human failings or mere error.
In its organizational choices, the Group strives to abide by the principles of safe and effective operations while factoring in the constraints imposed by its activities and its regulatory, economic and social environments. A legal and managerial structure based on internal and external delegations of power has been established to conduct operations, and to disseminate and apply the Group’s strategy at the appropriate organizational level.
2. A.c. Organization, formalization and assessment procedure of internal control over financial statements
To comply with legal requirements on internal control in both France and the United States, Sanofi has a dedicated Internal Control Assessment Department which reports to the Group Finance Department.
Capitalizing on the Group’s existing internal control system, this department has developed a methodology to comply with SOA 404, with the objective of assessing and improving the effectiveness of internal control over the production of financial statements. This methodology applies to Group activities in proportion to their contribution to the consolidated financial statements and their risk profile, and provides a consistent basis for identifying, consolidating and rating identified internal control deficiencies in financial processes. The system applies a risk-based approach, defined at Group level and implemented locally, in accordance with the recommendations published by the U.S. Securities and Exchange Commission (SEC) in June 2007.
To ensure the necessary degree of acceptance and implementation of this methodology for the assessment of internal control over financial processes, the Internal Control Assessment Department:
· defines the assessment methodology and establishes timetables;
· ensures that risks relating to financial information are covered in accordance with the reasonable assurance principle;
· supports the internal control assessment network members through communication, leadership and backup, and in sharing good practices;
· assesses the effectiveness of internal control over the production of financial statements;
· contributes to the fraud prevention and detection programs; and
· coordinates these tasks with the procedures conducted by the statutory auditors.
The Report of Management on Internal Control Over Financial Reporting pursuant to SOA 404 is presented in “Item 15. Controls and Procedures” of the Annual Report on Form 20-F for the year ended December 31, 2012.
2. B. Control environment
The control environment is a key factor in establishing the internal control system, and is the cornerstone of all other COSO internal control components. It refers to the degree of awareness Group staff have of internal control, and is implemented via standards presented in the form of codes, procedures and charters.
2. B.a. Codes
Code of Ethics
The Sanofi Code of Ethics defines the ethical principles and rules that must be followed when conducting Sanofi business. It helps each employee determine the attitude he or she should adopt in relationships within and outside the Group. It is provided to all employees.
Deployment of the Code of Ethics is coordinated centrally by the Global Compliance Department and locally by a network of Compliance Officers, including in newly-acquired entities.
The Global Compliance Department develops programs designed to give employees a better understanding of the rules and principles contained in the Code of Ethics, delivered through various training media.
Code of Financial Ethics
In accordance with U.S. securities law, Sanofi has adopted a Code of Financial Ethics that applies to the Chief Executive Officer, the Executive Vice-President Chief Financial Officer and the Vice-President Corporate Accounting. The Chief Financial Officers of Group entities are also required to attest each year that they adhere to and will abide by its principles.
Code of Conduct: Prevention of Insider Dealing
As a result of the dual listing of Sanofi in France and in the United States, both French and U.S. rules apply. Other countries’ rules may also apply given that Sanofi shares are owned by individuals located in different countries. The Code provides background information and familiarizes employees with insider dealing rules under French and U.S. law, in particular rules relating to confidential information obtained in the course of their employment.
Code of Internal Control Principles
In order to improve the effectiveness of processes, the reliability of the financial statements, and legal and regulatory compliance, the Code of Internal Control Principles sets out the key principles of governance and internal control, unifying action taken by the Group to implement internal control and improve its effectiveness. Internal control teams at newly-acquired entities receive a copy and are given a presentation about the Code as part of their induction program.
2. B.b. Charters and Procedures
Sanofi has provided all employees with charters that structure and promote the internal control environment. The main charters available are:
· the information systems usage charter, describing the principal risks to which the Group’s information systems are exposed and establishing rules governing the use of information technology resources;
· the personal data protection charter, underscoring the Group’s commitment to respecting privacy and protecting data of a personal nature;
· the social charter, reflecting the Group’s commitment to corporate social responsibility and incorporating the principles of the United Nations Global Compact on Labor, which Sanofi is committed to follow;
· the supplier relationships charter, applying to all Group employees in their ongoing or occasional contacts with suppliers of goods or services on behalf of the Group. The charter defines and sets rules of conduct that must be respected by all Group employees at all points of interaction with suppliers. The charter supplements the Group’s Code of Ethics, in particular as regards the Group’s image and reputation, integrity, ethical conduct and freedom from conflicts of interest.
Contracts signed by the Group are subject to internal control procedures that apply to everyone, ensuring that the Group’s operations are conducted in an orderly and consistent manner. Compliance with these procedures is the responsibility of individual departments.
2. B.c. Other standards
The pharmaceutical industry is subject to very strict regulatory constraints at both national and supra-national level. A large body of laws and regulations governs each stage of operations, from evaluation and selection of compounds to standards applied to the manufacturing, packaging, distribution, sale and promotion of medicines and vaccines.
Sanofi applies many other internal standards derived from these external standards, adapted to the specific activities carried on by each entity, thereby contributing to internal control.
2. C. Risk identification, assessment and management
The internal control system is based on the internal control environment, and is part of an ongoing process of identifying, assessing and managing risk factors which may adversely affect the achievement of goals and opportunities aimed at improving performance.
Responsibility for identifying, assessing and managing risks is drilled down to all appropriate levels of the organization.
For a description of the main risks relating to activities in the pharmaceutical sector and financial risks, refer to “Item 3. Key Information — D. Risk Factors” of the Annual Report on Form 20-F. These factors include, without limitation:
· legal risks;
· business risks;
· environmental risks of our industrial activities; and
· market risks.
2. C.a. Bodies responsible for identifying, assessing and managing risks and opportunities
The organizational structure is geared to managing the risks and opportunities associated with Sanofi’s activities. All those involved in internal control contribute to the process of identifying, assessing and managing risks and opportunities by conducting control processes within their area of responsibility.
The Executive Committee, chaired by the Chief Executive Officer, implements the Group’s overall strategy, oversees arbitration between departments and allocates resources, in furtherance of its high-level management role. It meets as often as required by the need for rapid decision-making. It draws on the experience and competencies of its members to anticipate and monitor risks and opportunities associated with developments affecting the Group itself and the pharmaceutical sector generally. For details of the composition of the Executive Committee, refer to “Item 6. Directors, Senior Management and Employees — A. Directors and Senior Management” of the Annual Report on Form 20-F.
The mission of the Risk Committee is to assist the Executive Committee in fulfilling its risk management responsibilities. The Committee is co-chaired by the Senior Vice President Corporate Social Responsibility and the Senior Vice President Audit and Internal Control Assessment, and meets quarterly. It applies a structured methodology to identify, assess and manage critical risks inherent in the Group’s activities, and reports to the Executive Committee on the effectiveness of critical risk management processes. More generally, the Risk Committee promotes a responsible risk culture within the Group.
2. C.b. Approach to identifying, assessing and managing risks associated with the production of financial statements
Under SOA 404 and obligations imposed by French legislation, the Group has adopted a methodology for identifying, assessing and managing financial risks. This methodology provides assurance about the reliability of internal control over the production of financial statements; it was developed and is overseen by the Internal Control Assessment Department, which assists entities in identifying the risks that need to be covered and the controls that need to be implemented.
The methodology covers the five COSO components, and comprises:
· a reference framework of processes used in the preparation and processing of financial and accounting information;
· a reference framework of financial risks (including fraud), structured to enable assessments to be conducted at all levels of the Group, and updated periodically to take account of new developments and of the Group’s priorities; and
· an evaluation reference framework applying at different organizational levels, designed to produce a Group-level assessment while adapting the workload in response to identified risks. This framework allows each entity to assess its capacity to control risks and to identify any deficiencies in internal control.
The dedicated internal control assessment teams are responsible for providing reasonable assurance that financial risks are properly controlled, and for notifying management of any deficiencies in internal control.
The methodology also specifies the responsibilities incumbent on each manager to prevent, identify and deal with fraud in coordination with the Finance, Legal and Human Resources departments.
A Rating Committee conducts an annual assessment of internal control, financial risks and fraud incidents designed to assess the materiality and probability of occurrence of each identified financial risk. This committee notifies the Audit Committee of any residual risks that might have a significant or material impact on the published financial statements and hence undermine the reliability of the Group’s financial reporting. This committee comprises the Executive Vice President Chief Financial Officer, the Senior Vice President Audit and Internal Control Assessment, the Vice President Corporate Accounting, the Vice President Information Systems, and the Head of Internal Control Assessment.
2. C.c. Identifying, assessing and managing risks relating to the Group’s activities
The process of identifying, assessing and managing risks relating to the Group’s activities is the responsibility of:
· the Pharmacovigilance and Epidemiology Department;
· and the following departments:
    · Legal Affairs, in particular as regards obtaining or enforcing patent rights and other industrial property rights;
    · Compliance, responsible for enforcement of and compliance with the rules and principles of the Code of Ethics;
    · Global Quality, coordinating quality policy across the entire Group;
    · Information Systems, responsible for policies on information systems security, quality, and infrastructures;
    · Health, Safety and Environment, which has departments in each business line and on each site, working on the basis of an internal framework;
    · Corporate Economic Security, responsible for protecting the Group’s workforce as well as tangible and intellectual property;
    · Insurance, which among other things provides Group entities with advice and risk prevention support.
The Group also has a crisis management procedure designed to anticipate potential crises as far as possible, via management principles and early warning systems covering all Group activities.
· Pharmacovigilance and Epidemiology
The Pharmacovigilance and Epidemiology Department reports to the Chief Medical Officer; it develops structures and tools for assessing the safety profile of products under development, and of licensed or marketed drugs and vaccines. Operating procedures define the roles and responsibilities of those involved in the management of pharmacovigilance data, and in the reporting of such data (immediately or periodically) to the healthcare authorities and/or to investigators.
In addition to assessing the safety profile of products under development and marketed products, the Pharmacovigilance Department is responsible for detecting and analyzing warning signals so that it can, if necessary, issue recommendations to limit the occurrence of side-effects, ensure the product is used properly, and provide healthcare professionals and patients with up-to-date medical information.
The Pharmacovigilance Department helps assess the risk/benefit profile of products, whether in clinical development or already on the market. For a definition of the risk/benefit profile, refer to “Item 4. Information on the Company — B. Business Overview — Pharmaceutical Research & Development” of the Annual Report on Form 20-F.
Working with the clinical development and regulatory affairs teams and the epidemiology unit, the Pharmacovigilance Department coordinates the development of pharmacovigilance risk management plans and monitors their application. These plans summarize the safety profile of the products as established during the development phase, describe the measures in place to monitor identified or potential risks, and propose guidelines to ensure the drug or vaccine is properly used.
In monitoring tolerance through the clinical trials phase and gathering unsolicited information about products already on the market, the department relies on the network of pharmacovigilance units based in Group entities, and on contractual ties with development and marketing alliance partners. These units also act as an interface between the local healthcare authorities and other departments within the entity.
The Pharmacovigilance Department develops and updates tools and procedures designed to ensure all regulatory requirements falling within its responsibilities are met.
A Group-level pharmacovigilance unit collates all information about side-effects worldwide, whatever the source. An early warning procedure has been put in place to detect any risk liable to trigger the crisis management procedure, and to notify the Chief Executive Officer without delay.
As regards the Animal Health business, Merial has a Global Pharmacovigilance department reporting to the Head of Global Regulatory Affairs within R&D. Merial Pharmacovigilance systematically applies policies, procedures, and practices for assessing, controlling, communicating and reporting risks in the Animal Health sector. A comprehensive set of procedures ensures quality and consistency for all pharmacovigilance-related activities, including adverse event data collection and reporting across the different Merial subsidiaries as well as by third parties with whom Merial works.
2. D. Control activities ensuring the reliability of the internal control system
Conducted at all hierarchical and functional levels of the organization, control activities address the risks described in section 2.C., “Risk identification, assessment and management”. Control activities are based on procedures, on information systems, on operating methods, and on tools and practices. They are structured by process, and decentralized to Group entities. They contribute to the permanent internal control system, and are the responsibility of operational management.
Control activities relating specifically to the financial statements preparation process rely on operational processes encompassing sales administration, purchasing, production processes and inventory management, human resources, information systems, and the monitoring of legal affairs, all of which contribute to the production of financial and accounting information. Control activities identified in all of these processes are included in the scope of the assessment conducted under SOA 404.
The Internal Control Assessment Department also supports newly-acquired entities as they deploy the methodology used to assess the effectiveness of internal control over financial processes, and supervises the implementation of this methodology.
The Group Finance Department is structured so as to enable it to carry out its various duties. It coordinates and oversees operational finance departments for the purposes of the preparation and publication of the Group’s financial statements. Annual accounts committees play a role in preparing for the year-end accounting close at both consolidated and individual entity level. They also review the tax, legal, treasury and financing aspects of Group entities, and validate the application of Group accounting policies.
A Treasury Committee meets monthly to review strategies on financing and investment and on the hedging of interest rate risk, currency risk, banking counterparty risk and liquidity risk.
The fraud prevention and detection program specifies tools available to identify and detect fraud. Any incidents of fraud are investigated, corrective measures are implemented, and a summary is presented to the Audit Committee.
Under Section 302 of the Sarbanes-Oxley Act, the Chief Executive Officer and the Executive Vice President Chief Financial Officer are required to carry out an evaluation of the effectiveness of the Group’s control over published financial information and fraud. To meet this objective, they push down the certification process to local level, requiring representation letters to be signed off twice a year by the Chief Executive Officers and Chief Financial Officers of Group entities as evidence of certification.
2. E. Information and communication
Information and communication refers to the flow of information accompanying internal control procedures, from the guidelines laid down by management to action plans. It contributes to establishing the control environment and to disseminating and promoting a culture of internal control, and enables relevant control activities to be performed in order to manage risks.
Information and communication media rely on information systems placed under the responsibility of the Chief Information Officer (CIO). These systems are organized so as to encourage autonomy in the way the Group’s operational divisions run their operations and business-specific activities; the organizational structure comprises units under the direct authority of the Group Information Systems Department, and decentralized departments within each business line. The decentralized information systems departments develop and administer business-specific applications.
The Group’s Information Systems Department formulates Group information systems policies, coordinates processes for managing the information systems function, and administers transverse IT infrastructures and services consistently with Group priorities.
Information systems governance is monitored by the Information Systems Strategic Board, which includes business line heads, the Executive Vice President Chief Financial Officer, and the CIO. The Board is tasked with ensuring that the Group’s information systems strategy is aligned with current and future business strategy, and with maximizing the use of information systems to create value.
The Information Systems Leadership Committee, comprising the managers of the decentralized information systems departments and of the Group Information Systems Department, provides transverse coordination on Group-wide matters and approves Group-wide policies, in particular policies on information systems security, quality and strategy, including a common framework for the governance of processes.
The Group Information Systems Department has a team dedicated to implementing the internal control assessment process for the information systems function. Working within the Group’s overall methodological framework, this team conducts transverse risk assessments to determine the requisite level of controls.
2. F. Monitoring of the internal control system
2. F.a. The Board of Directors and its specialist committees
The Board of Directors, through its specialist committees and particularly the Audit Committee, obtains assurance that the Group has reliable procedures for monitoring the internal control system and for identifying, assessing and managing risks.
The composition of the Board of Directors and its specialist committees, the way their work is organized, and their contribution to the effective and transparent conduct of the Group’s affairs, are described in “Item 6. Directors, Senior Management and Employees”.
The Board Charter requires that a discussion of the operating procedures of the Board be included on the agenda of one Board meeting a year. Every three years, a formal evaluation must be performed.
In accordance with the publications and recommendations issued by the AMF:
· The roles, responsibilities, composition and operation of the Audit Committee are defined in the Board Charter, and are consistent with the AMF report on audit committees published in 2010.
· The Board Charter, as updated and approved by the Board in 2011, specifies that the Audit Committee is responsible for monitoring:
    · the process of preparing financial information;
    · the effectiveness of internal control and risk management systems;
    · the audit of the individual and consolidated financial statements by the statutory auditors; and
    · the independence of the statutory auditors.
The Audit Committee is informed periodically, and at its request, about the process used to identify, assess and manage the principal risks to which the Group is exposed.
2. F.b. The Executive Committee
The Executive Committee sets guidelines for internal control and risk management, and monitors actions that are implemented within the Group and supervised by local management committees in each operational unit.
The Group has a decentralized structure based on stand-alone units, breaking the business down into key divisions. This gives genuine autonomy and decision-making power to the front line, while strategic decisions are made centrally. As part of its duties, operational management is required to disseminate these rules, check that they are applied, and alert the Executive Committee if any adjustments are necessary.
2. F.c. Executive Compliance Committee
The role of the Executive Compliance Committee is to oversee implementation of the compliance program developed by the Global Compliance department, thereby fostering a continued commitment to Sanofi values. The Committee reports to the Chief Executive Officer on the effectiveness of the program, and also reviews alerts received by the Group about potential or actual breaches of the Code of Ethics.
2. F.d. Published Information Review Committee
The Published Information Review Committee is responsible for reviewing and validating key documents intended for shareholders and the public, and for assessing the procedures and controls used in preparing such documents.
The Committee has implemented a process of reporting information to the Committee’s secretary to ensure that the Committee is kept informed of any significant event liable to impact the share price. The secretary then consults Committee members to determine what approach to adopt as far as informing the public is concerned.
2. F.e. Audits
Various types of audit are conducted, covering all Group companies.
The roles and responsibilities of the Internal Audit and Information Systems Audit functions are described in a charter.
The Internal Audit function is independent and objective, reporting to the Chief Executive Officer. It has neither authority over nor responsibility for the operations it reviews, and has complete freedom of action. Internal Audit is responsible for providing the Group’s senior management, and the Board of Directors via the Audit Committee, with reasonable assurance about the level of control over risks associated with operations within the Group and about the effectiveness of internal control. The Audit Committee is periodically informed about the results of internal audit activities, the implementation status of internal audit recommendations, the annual audit plan, and related resource needs.
The Sanofi Internal Audit function is certified by IFACI, the French Institute of Internal Audit and Internal Control, indicating that it operates to international professional standards.
The Information Systems Audit function is completely independent of the Group Information Systems Department. It is organized along similar lines to the Group Internal Audit function, but conducts its assignments using a methodology specific to information systems audit.
The Internal Audit and Information Systems Audit functions are under the authority of the Audit and Internal Control Assessment Department.
The Quality Assurance departments embedded in the Group’s support functions and business lines conduct regular audits to assess good practice and obtain assurance as to compliance with procedures and regulations on quality issues in their area of expertise.