Compliance & auditing

Ensuring compliance with our policies and standards is an essential part of good corporate governance and risk management.

Work in our global, regional, local and functional Compliance and Audit functions is dedicated to ensuring that we deliver on our commitments and continue to have appropriate and effective risk, governance and compliance frameworks in place.

COMPLIANCE

Our Global Compliance function leads the development of global frameworks and programmes designed to drive best practice in compliance and support effective management of the highest compliance risks facing the business. As part of this, they are working to streamline our governance and compliance framework to ensure clear accountabilities and assurance reporting within the business as well as among our compliance functions. Global Compliance also works closely with the Global CR Team in setting the CR agenda.

A network of regional, local and functional compliance officers across the Company helps to implement Global Compliance programmes within their geography or functional area. These officers work within the business to promote compliance with our policies and standards through effective training, monitoring, auditing and enforcement processes.

Our Global Compliance Officer chairs the Global Compliance Committee - a high-level cross-functional team of SET area representatives, including MedImmune, whose role is to oversee and co-ordinate implementation of an effective global compliance programme and evaluate its effectiveness.

Global Compliance led the review of our Code of Conduct in 2007 and designed and managed the training of all employees following the launch of the new, expanded Code in July 2008. To ensure the new Code is fully supported by an appropriate policy framework, Global Compliance also led a project focused on strengthening our Global Policies – revising and enhancing content to increase clarity and focus on key business activities and risk, and streamlining other supporting policies and standards.

AUDITING

Auditing is critical to our understanding of the areas in which we are doing well, and those where further improvement is needed. Audits are also a useful opportunity for managers to discuss any practical difficulties they face in interpreting our global commitment at a local level, which can help to inform the ongoing development of our management frameworks.

Our Group Internal Audit function (GIA) is an independent assurance and advisory function, providing a service to the Board, that reviews, among other things, the effectiveness of selected aspects of AstraZeneca’s risk control framework through its annual audit plan, including the work and independence of other audit and compliance functions in the Company. In 2008, GIA focused on core assurance areas, including compliance processes, as well as the effectiveness of risk management processes and activities in several key areas, including Information Security, Treasury and Insurance.

The AstraZeneca Audit Committee, a committee of the AstraZeneca Board, which consists of three Non-Executive Directors, reviews GIA audit findings, Global Compliance reports and other key items reported through management. Among other things, the Audit Committee reviews and reports on the overall framework of internal controls, and has a responsibility to bring promptly to the Board’s attention any significant concerns about the conduct, results or outcome of internal audits. The Audit Committee also oversees the Azethics helpline.

INTERNAL FACILITY AUDITS

During 2008, we continued our rolling risk-based programme of internal audits that focus specifically on the performance of local facilities and regions against our policies, standards and programmes relating to safety, health & environment (SHE) and security aspects of our CR agenda. Specific protocols help to guide auditors in this work, which is a critical component of our performance assessment. The ongoing development of our CR and compliance programmes during 2009 will include a review of this internal audit process to ensure that the appropriate CR risks continue to be addressed.

Co-ordinated by our global SHE team, trained accredited auditors are drawn from across the organisation to perform the audits on a risk-based programme established annually. This schedule reflects the individual risk profile of particular facilities and functions, management changes, timing and other considerations.

18 such audits were conducted in 2008 (26 in 2007). Audit results confirm that our local operations are effectively managing SHE and security risks and maintaining compliance with internal and external requirements. There continue to be areas where further improvement is required, including driver safety, incident investigation and risk assessment.

Audit findings are reported to the function or facility senior management and specific action plans are established to resolve any findings in a timely manner. Progress against action plans is tracked and reviewed on a quarterly basis. The audit programme is designed to both evaluate performance against internal and external requirements and to share learning in a way that fosters continuous improvement across the organisation.

The content of this page was externally assured by Bureau Veritas, February 2009.