The Group Internal Audit and Internal Control & Processes
Factsheet published in May 2015

THE GROUP INTERNAL AUDIT

The Group Internal Audit is an independent and objective function, reporting directly to the Chief Executive Officer and having free access to the President of the Audit Committee.

Group Internal Audit’s (GIA’s) mission is to provide the Executive Committee and the Audit Committee with independent, objective assurance regarding the group’s ability to control its operations. GIA helps Sanofi accomplish its business objectives by combining competent, experienced professionals with leading audit practices, and by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of Sanofi’s governance, risk management, and control processes.

GIA’s scope of work is to determine whether Sanofi’s governance, risk management and internal control processes, as designed and implemented by management, are adequate and functioning in a manner to ensure that:

– Risks are appropriately identified and managed, using an approach that is both structured and focused on the group’s strategic, financial and operational objectives
– Projects, processes and employees’ actions are relevantly and efficiently compliant with applicable internal policies, standards, and other rules, as well as laws and regulations
– Risks of fraud are diligently identified, reported and managed
– Assets are acquired economically, used efficiently, and adequately protected
– Significant financial, managerial, and operational information is accurate, reliable, and timely

In order to better understand the evolving Group activities and environments, the Group Internal Audit is organized in three regional hubs, which conduct their assignments according to the same professional and quality standards.

Internal Audit plays a major role in global risk oversight within the Group.
The annual audit plan is elaborated following a risk-based approach, in coordination with the Group Risk Committee, which is aligned with and relevant to the business. This method evaluates and integrates relevant inputs from Sanofi’s overall risk management functions and includes any additional risks or potential control concerns identified by management. The proposed annual audit plan is reviewed by the Executive Committee members and validated by the CEO before being submitted to the Audit Committee. This plan results in the performance of 70 to 80 audits a year, covering main areas and risks identified within the organization. Progress against the audit plan is formally presented to the Audit Committee at least twice per year.

Sanofi Group Internal Audit seeks regular external assessment, which demonstrates its compliance with professional and international standards.

INTERNAL CONTROL AND PROCESSES

Internal Control is defined as a process, carried out by an entity’s Board of Directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

The mission of the Internal Control and Processes (IC&P) Department is to support the Group with its objectives to have an Internal Control adapted to its organization and activities, by:

– Defining and maintaining group-wide standards;
– Providing support to management for improving controls and remediating failures;
– Coordinating the evaluation of Internal Control over Financial Reporting, program effectiveness;
– Participating in continuous monitoring of Group's Internal Control.
The successful implementation and maintenance of a Group Internal Control will help Sanofi in:

– Protecting business and the value created by the Group over time;
– Reducing unforeseen losses, risks to its reputation and people;
– Improving process quality, effectiveness and efficiency;
– Facilitating decision making with a common view of processes and their level of control;
– Implementing Group policies, standards and processes, allowing proper mitigation of risks;
– Ultimately, also improving internal control over outsourced providers and business partners.

GROUP PROCESSES & STANDARDS "GPS"

Sanofi senior management has a clear ongoing commitment to maintaining and enhancing its systems of internal control and risk management. In furtherance of this objective, in 2014 senior management launched the Group Processes and Standards (GPS) program, which combines the existing elements of internal control into a unified Group-wide approach. GPS has been approved by the Executive Committee and presented to the Audit Committee.

GPS comprises the following elements:

– A Process Framework, presenting the Group operational and support processes with a two-level hierarchy: processes and sub-processes;
– An Internal Control Manual, presenting the Group mandatory controls, applicable to all activities in all countries. These controls are essential to reduce many of the Group's critical risks to an acceptable level;
– A Financial Controls Framework, presenting the Group's internal controls over Financial Reporting (used to comply with Section 404 of the Sarbanes-Oxley Act);
– An Internal Control Self-Assessment process to be completed annually by all activities in all countries and which will be reviewed by Group Internal Audit during its periodic audits, as well as used by senior management in their monitoring of activities.

The IC&P Department's scope of work spans all activities, functions and affiliates within the Group.
This scope may also extend to the Group's outsourced service providers and business partners, to the extent it is permissible and deemed necessary.

INTERNAL CONTROL RESPONSIBILITIES

The Executive Committee sets principles and policies for the Group's Internal Control, allocates resources, and monitors adherence to the Group's Internal Control by local management teams.

The Audit Committee of the Board of Directors is responsible for monitoring the effectiveness of the Group's risk management and internal control systems including Internal Control over Financial Reporting.

The IC&P Department assists the Group to implement its Internal Control, and as such:

– Coordinates the definition and communication of the Internal Control Manual and of group-wide policies, standards and tools;
– Monitors the implementation of Group standards, processes and controls;
– Monitors compliance with the GPS and provides regular status to the Senior Management;
– Provides support to management in their efforts to improve controls and sustainably remediate control deficiencies;
– Coordinates and prepares the evaluation of the effectiveness of Internal Control over Financial Reporting for Group management.

The Internal Control network, composed of Internal Control and Finance support team members in regions, countries, affiliates and other relevant structures, implements GPS, monitors local internal control effectiveness and supports local control improvement efforts, under the direction of IC&P.

Global Process Owners are accountable for designing, implementing and continuously improving the group processes as set out in the GPS.

Local Management incorporates GPS into their management processes and alerts the Internal Control network of any required adjustments on a timely basis. Local Management is also accountable for the compliance of operations with Group policies and standards.
Employees execute internal controls in accordance with the GPS and contribute to the achievement of the Group's Internal Control objectives.

Finally, Group Internal Audit is responsible for providing the Executive Committee and the Audit Committee with independent, objective assurance regarding the group's ability to control its operations.