2022 Universal Registration Document

Chapter 3: Risk factors and risk management

In 2022, the Internal Audit Department carried out 51 assignments, 26 of which involved entities (commercial entities, factories, international marketing departments, R&I) and 17 of which were on targeted processes at Group, Zone or Country level. In addition, two specific assignments were devoted to certain objectives of the L’Oréal for the Future programme, three were dedicated to the management of key projects and three were carried out on the cyber security programme.

Each audit assignment results in a report that sets out the corresponding findings and risks, and that proposes an action plan and recommendations for the audited entity. The Internal Audit Department monitors and measures these action plans, then reports the rate of progress to the Departments in question.

To conduct its work, Internal Audit relies on the Group’s integrated ERP software. It has developed a number of specific transactions to improve the identification of potential weaknesses in sensitive processes. Data analysis capabilities are strengthened each year. They enhance the standard analyses developed by Internal Audit and the use of dashboards and analysis tools that the businesses are continually developing for their own management needs.

To carry out its work, the Internal Audit Department uses an integrated GRC (Governance, Risk, Compliance) tool, which enables it to consolidate in real-time the progress made on the action plans of audited entities. Shared with the Internal Control function, this tool represents an integrated collaborative platform for the implementation of action plans.

In addition to its role of monitoring the application of the Internal Control system, the Internal Audit Department carries out cross-functional analyses with regard to possible Internal Control weaknesses based on findings noted during its assignments. These analyses direct the work of the Internal Control Committee and identify the priority areas for improvement and strengthening of procedures.

The achievement of the audit plan, the results of assignments and the progress of the action plans are presented to General Management on a regular basis and to the Audit Committee and the Statutory Auditors annually.

The Global IT Department

The Group’s Global IT Department determines the strategic orientations of its IT systems. In particular, it implements ERP, a management software which is used by the vast majority of the Group’s commercial subsidiaries, factories and logistics services. It also supports the digital transformation of the Group by developing the use of Cloud services (SaaS, IaaS, PaaS) and connected objects.

Within the Department, the Information Systems Security Department manages the Information Systems Security Policy. Consistent with market standards (ISO 27001/27002, NIST), this policy covers the main topics of IT security, including the protection of personal data. It describes general principles to be applied for each topic. This ensures that the Group’s Information Systems teams, and by extension, all employees, share clear objectives, best practices and levels of control that are appropriate for the risks (notably, the risk of cyberattacks). This policy is accompanied by an independent information systems security audit programme and two codes of practice: the Information and Communication Technologies Code of Practice, and the Code of Good Practice for the use of Social Media.

The Operations Department

This division comprises the Innovation, Product Packaging and Development, Quality, EHS (Environment, Health, Safety), Production management and operational excellence, Purchasing, Supply Chain, Information Systems (production) and industrial strategy departments. It defines the overall Operations strategy worldwide and defines the standards and methods applicable in the areas of quality, safety and the environment for deployment in all the countries in which the Group operates. It manages the Group’s comprehensive strategy to enable the Operations teams in the operational Divisions and the Zones to implement innovation, quality, security, environmental manufacturing and supply chain policies that are relevant to the markets.

In line with the Group’s Code of Ethics, buyers have had access to a practical and ethical guide, “The Way We Work with Suppliers”, since 2011. This guide aims to help all employees in their relationships with the Group’s suppliers. Buyers also complete e-learning modules based on the Group’s “The Way We Compete” and “The Way We Prevent Corruption” guides.

The standard for managing suppliers and tender procedures specifies the conditions for competitive tendering and for the registration of the main suppliers. The general terms of purchase form the framework for transactions with the suppliers. The “Purchase Commitments and Order Management” standard facilitates and strengthens control of spending and investments.

In the area of supply chain, the main tasks are to define and apply the sales planning, demand management and customer service development and control processes. The methods used include managing physical order fulfilment, applying the general terms of sale, following up orders, managing customer returns and customer disputes, as well as accounts receivable collection procedures. Measures are also recommended for the management of distribution centres and inventories, subcontracting, product traceability, business continuity plans and transportation.