The Group is organised into Divisions and Zones. Alongside the management of each country, business or manufacturing entity, the Divisions and Zones are fully responsible for achieving the Internal Control objectives defined by General Management.
A system of delegating authorities is in place and continues to be reinforced. The powers of the legal representatives of Group companies and the people they delegate to are limited and controlled in accordance with the provisions of the Legal Charter. Specialists in management, information systems, human resources, digital, retail, purchasing, logistics, production and legal affairs provide support to operations at all levels and help to ensure the Internal Control objectives are achieved.
Each member of the Executive Committee is entrusted with worldwide responsibility for the Internal Control of the activities that fall within their remit. The Functional Divisions define, in their own areas, the strategies, policies and procedures which they communicate to the countries and entities. They bring their expertise to the operational staff and review the proper functioning of their respective areas of responsibility. They draw on their network of specialists and on regular assessments.
Indicators and reporting procedures simplify regular monitoring of the local activities of these Functional Divisions.
The department assists and monitors operational employees in their administrative, financial and legal activities, as well as in terms of information processing. It sets the operating rules for all entities, defines and rolls out tools, procedures and best practices, particularly in terms of management, accounting and consolidation, M&A, investments (BOLD corporate venture fund) and holdings, financing and cash, taxation, legal matters and data governance (including personal data), financial communication, strategic planning and insurance.
An Internal Control Committee is tasked with taking all measures to promote proper understanding and proper application of the Group’s Internal Control rules, as well as monitoring progress on important Internal Control projects. The Committee comprises the Chief Financial Officer and the Heads of Ethics, Risk and Compliance, Internal Control, Operational Finance, Internal Audit and Information Systems (Global IT).
In particular, this department coordinates the procedures for identifying, assessing and prioritising risks with all those concerned. It keeps the Group’s risk mapping up to date. Its aim is to promote optimal use of resources in order to minimise and control the impact of negative events and maximise opportunities. The Chief Ethics, Risk and Compliance Officer reports directly to the Chief Executive Officer.
This department, which is separate from Internal Audit, is under the responsibility of the Ethics, Risk and Compliance Department. In collaboration with the experts in each business line, it defines and updates the internal control framework relating to their area of activity. This framework is summarised in the Fundamentals of Internal Control guidelines and detailed in standards and procedures that are listed in the Group’s digital framework.
The Internal Control Department also manages and develops a network of around 175 regional and local internal control managers covering all Group entities. Their role is to apply the internal control framework and support employees in this respect. Frequent participation in seminars, training cycles or webinars with the various functions, and the publication of notes of engagement help to strengthen knowledge of the internal control framework within the Group.
As part of a continuous improvement approach, the Internal Control Department develops, disseminates and coordinates self-assessment campaigns focusing on the main risks and issues identified. These campaigns are gradually being rolled out in each of the functions. Self-assessment of Internal Control makes it possible for the Group’s entities to ensure that the system is functioning properly and reinforce it with operational action plans.
The Internal Control Committee is driven by the Internal Control Department, which validates directions and priorities with regard to improving the internal control framework, developing the network of internal control managers and the tools used to perform internal control tasks. This department monitors changes in expectations and market practices relating to Internal Control.
The Internal Audit Department audits major processes and checks that Group principles and standards are properly applied. Its work is carried out by a central team that reports directly to the Chief Executive Officer.
Internal Audit assignments are submitted to General Management and the Audit Committee. With the approval of those bodies, they result in an annual audit plan that takes account of the Group’s risk mapping, the entities’ contributions to the Group’s key economic indicators, and the historical precedence and results of previous audits.
The risk-level assessment carried out by the Zone Departments and experts in the different functions is also a determining factor in the elaboration of the annual audit plan.
In 2024, the Internal Audit Department carried out 56 assignments. Out of this total, 30 involved auditing entities (commercial entities, factories, international marketing and research & innovation departments, Shared Service Centres and newly-acquired entities) and 26 were audits on specific topics conducted at Group, Zone or Country level, targeting key risks as a priority: for example, five assignments were carried out on the cybersecurity programme and three were dedicated to certain objectives of the L’Oréal for the Future programme.
Each audit assignment results in a report that sets out the findings and corresponding risks and proposes an action plan and recommendations for the audited entity. The Internal Audit Department monitors and measures these action plans, then reports on the rate of progress to the departments in question.
To conduct its work, Internal Audit uses the Group’s integrated ERP software. It has developed a number of specific transactions to improve the identification of potential weaknesses in sensitive processes. Data analysis capabilities are strengthened each year. They enhance the standard analyses developed by Internal Audit and the use of dashboards and analysis tools that the businesses are continually developing for their own management needs.
To carry out its work, the Internal Audit Department uses an integrated GRC (Governance, Risk, Compliance) tool to consolidate in real time the progress made on the action plans of audited entities. Shared with the Internal Control function, this tool forms an integrated collaborative platform for the implementation of action plans.
In addition to its role of monitoring the application of the Internal Control system, the Internal Audit Department carries out cross-functional analyses with regard to possible Internal Control weaknesses based on findings noted during its assignments. These analyses steer the work of the Internal Control Committee and identify the priority areas for improvement and strengthening of procedures.
The achievement of the audit plan, the results of assignments and the progress of the action plans are presented to General Management on a regular basis and to the Audit Committee and the Statutory Auditors annually.