To conduct its work, the Internal Audit Department uses the Group's integrated ERP software. It has developed a number of specific transactions to improve the identification of potential weaknesses in sensitive processes. Data analysis capabilities are strengthened each year. They enhance the standard analyses developed by Internal Audit and the use of dashboards and analysis tools that the businesses are continually developing for their own management needs.
To carry out its work, the Internal Audit Department uses an integrated GRC (Governance, Risk, Compliance) tool to consolidate in real time the progress made on the action plans of audited entities. Shared with the Internal Control function, this tool forms an integrated collaborative platform for the implementation of action plans.
In addition to its role of monitoring the application of the Internal Control system, the Internal Audit Department carries out cross-functional analyses with regard to possible Internal Control weaknesses based on findings noted during its assignments. These analyses steer the work of the Internal Control Committee and identify the priority areas for improvement and strengthening of procedures.
The achievement of the audit plan, the results of assignments and the progress of the action plans are presented to General Management on a regular basis and to the Audit Committee and the Statutory Auditors annually.
The Group's Global IT Department sets the strategic priorities for its information systems. In particular, it oversees ERP management software which is used by the vast majority of the Group's commercial subsidiaries, factories and logistics services. It also supports the digital transformation of the Group by developing the use of cloud services (SaaS, IaaS, PaaS) and connected objects.
Within the IT Global Department, the Cybersecurity Department manages the Information Systems Security Policy. Consistent with international market standards (ISO 27001/27002, NIST), this policy covers the main topics of IT security, including the protection of personal data. It describes general principles to be applied for each topic. This ensures that the Group's Information Systems teams, and by extension all employees, share clear objectives, best practices and levels of control that are appropriate for the risks (particularly the risk of cyber attacks). This policy is backed by specific action plans, which include remedial measures if any cybersecurity risks arise, an independent information systems security audit programme, and two codes of practice – the Information and Communication Technologies Charter, and the Code of Good Practice for the Use of Social Media.
L'Oréal's cybersecurity governance is underpinned by a framework based on the three lines of control model presented in section 3.1. Presentations on cybersecurity topics are regularly given to top management, and in 2025, a presentation on the cybersecurity framework was given to the Audit Committee, which then reported on the presentation to the Board of Directors (see section 2.3.2).
The Operations Department covers several stages in the value chain and includes the Packaging Development, Purchasing, Industrial Strategy and Operational Excellence, Quality, EHS (Environment, Health, Safety), Supply Chain and Information Systems (value chain) departments. It defines the overall Operations strategy worldwide and defines the standards and methods applicable in the areas of quality, safety and the environment for roll-out in all the countries where the Group operates. It oversees the overarching strategy so that the Operations teams in the Operational Departments and the Regions can implement innovation, supply, quality, hygiene and security, environmental manufacturing and supply chain policies that are relevant to the markets. It conducts a worldwide Quality-EHS audit programme, assessing the Group's sites and suppliers of direct purchases. It establishes and trains the business communities of these departments.
In line with the Group's Code of Ethics, buyers have had access to a practical and ethical guide, The Way We Work with our Suppliers, since 2011. This guide covers everything they need to know when working with the Group's suppliers. In addition, buyers complete online training programmes based on the Group's The Way We Compete and The Way We Prevent Corruption guides.
The standard for managing suppliers and tender procedures specifies the conditions for competitive tendering and for the registration of the main suppliers. The general terms of purchase form the framework for transactions with suppliers. The "Standard for supplier management (Source to contract)" facilitates and strengthens control over spending and investments.
The main tasks of the Supply Chain Department are to supply the Group's customers and consumers via eight distribution channels operated by the Group, to manage the planning processes, from demand through to supply, and to implement and operate an agile supply chain network that is both profitable and sustainable. The processes managed by the Supply Chain Department include managing order processing, from order receipt to preparation, supplying and recovering credit, preparing sales and supply forecasts, deploying inventories of finished products and jobs, managing centres, subcontractors and logistics service providers, and monitoring traceability and logistics continuity plans.
The Packaging Development teams implement a materials vigilance programme that ensures consumer safety in connection with packaging materials, as well as regulatory monitoring, in connection with R&I, of all legal obligations related to packaging and labelling.