LOREAL_Registration_Document_2017

Corporate governance * RISK FACTORS AND CONTROL ENVIRONMENT

The Internal Audit Department

In addition to its role of supervision of application of the Internal Control system, the Internal Audit Department carries out cross-functional analyses with regard to possible Internal Control weaknesses based on findings noted during their assignments. These analyses make it possible to orient the work of the Internal Control Committee and to identify the priority areas for improvement and strengthening of procedures.

Internal Audit is carried out by a central team that reports directly to the Executive Vice-President Administration and Finance. This department carries out regular assignments to audit major processes and check on the application of Group principles and standards. Internal Audit assignments are submitted to the General Management and the Audit Committee for their approval and give rise, with their agreement, to the preparation of an annual audit plan. The choice of assignments notably takes into account the assessment of the risks identified. The size, the contribution to key economic indicators, the history of the entities together with the pattern of their development, are factors that are also taken into consideration for the preparation of the annual audit plan.

The Internal Audit Department carried out 44 assignments in 2017, 33 of which involved commercial entities representing over 31% of the Group’s sales and five involving plants. The audited plants represent 16% of worldwide production in units. Furthermore, 6 other assignments were carried out with regard to specific topics. Audit assignments systematically lead to the preparation of a report comprising a presentation of the findings and related risks and making recommendations regarding an action plan to be put in place by the audited entity.
The Internal Audit Department relies on the support of the Group’s integrated "ERP" (Enterprise Resource Planning) software package for the performance of its work and has developed a certain number of specific transactions that contribute to increasing the efficiency of its work. Since 2007, complementary assignments aimed at verifying certain key Internal Control points in the configuration of the "ERP" software have been performed. In addition, in 2014, the Internal Audit Department finalised the GRC (Governance, Risk, Compliance) tool, which now enables it to carry out its assignments using an integrated tool and to consolidate in real-time the progress made in the action plans of the audited entities. The action plans decided on further to the audits are followed up regularly by the Internal Audit Department, which measures the rate of progress made in the implementation of the recommendations, weighted by the risk levels applied. The summary of performance and results of the assignments and the progress of the action plans are presented to the General Management and the Audit Committee every year. The Internal Audit Department shares the results of its audits with the Group’s Statutory Auditors. The remarks made by the external auditors within the scope of their annual audit are also taken into consideration by the Internal Audit Department when it carries out its assignments.

The Global IT Department

Strategic choices concerning systems are determined by the Group Information Systems Department, which is responsible, in particular, for the implementation of an "ERP" (Enterprise Resource Planning) management software application used by the vast majority of the Group’s commercial subsidiaries, plants and logistics services. The department issues instructions regarding systems security and supports the Group’s digital transformation. The Group also has an Information Systems Security Policy. Based on the international ISO 27001 standards, this policy covers the main topics of Information Systems security, describing the general principles to be applied for each of them. It enables all the Group’s Information Systems teams, and by extension, all employees, to share clear objectives, best practices and levels of control adapted to the risks incurred, notably, the risk of cyber attack. This policy is accompanied by an information systems security audit programme conducted by an outside firm. It is also supplemented by an Information and Communication Technologies Code of Conduct, and a Code of Good Practice for the use of social media.

The Operations Division

This Division comprises the departments responsible for Quality, EHS (Environment, Health and Safety), Purchasing, Information Systems (production), Production and Industrial Strategy Management, the supply chain, the Group’s Safety Policy and its entire real estate portfolio. It defines the overall Operations strategy worldwide and establishes the standards and methods applicable in the areas of quality, safety, the environment and security for deployment in all of the countries in which the Group operates. It manages the Group’s comprehensive strategy to enable the Operations teams in the Operational Divisions and regions to implement innovation, industrial and logistics policies suited to the markets.
In line with the Group’s Code of Ethics, since 2011 the buyers have had a practical and ethical guide, The Way We Buy, which aims to help all employees in their relationships with the Group’s suppliers. In addition, the buyers have the Group guides The Way We Compete and The Way We Prevent Corruption, for which online training (e-learning) is given. The standard for Management of suppliers and tender procedures specifies the conditions for competitive tendering and for the registration of the main suppliers. The general terms of purchase are used as the framework for transactions with suppliers. The Purchase Commitments and Order Management standard is aimed at facilitating and strengthening control of the spending and investments of Group entities. In the area of the supply chain, the main assignments consist in defining and applying the sales planning, customer demand management, development and control of customer service processes, particularly through management of physical order fulfilment, application of the general terms of sale, the follow-up of orders, management of customer returns and customer disputes as well as accounts receivable collection procedures. Measures are also recommended for the management of distribution centres and inventories, subcontracting, product traceability, business continuity plans and transportation.

REGISTRATION DOCUMENT / L'ORÉAL 2017
