The Changing Face of Internal Audit at Estée Lauder

The Changing Face of Internal Audit at Estée Lauder

Changing Face of Internal Audit at Estée Lauder

Company Headquarters — United States

Number of Countries Operates in — 135

Number of Employees in Company — 40,000

Industry — Consumer Products

Annual Revenues — US$10.2 billion (as of June 30, 2013)

Number in IA Function — 20

​Number of Years IA Function Has Been in Place — 30+

IA Director/CAE Reports to — Audit Committee Chair and Chief Financial Officer


"Internal audit is a much more interesting and challenging job than it was 10 years ago. A lot depends upon how your company views the function."

- Bob Tyler


Estée Lauder Companies, founded in 1946 in New York, is a world leader in makeup, skin care, fragrance and hair care products. Estée Lauder products are sold in more than 135 countries and territories around the world.

Bob Tyler, corporate vice president and chief internal control officer, has been with the company for more than 25 years. He leads a group of 20 professionals, and reports to the audit committee chair and the CFO. The internal control team at Estée Lauder focuses on risk assessment, operational and compliance reviews, Sarbanes-Oxley testing and compliance, and managing internal talent to ensure the function is at peak performance in the midst of ongoing change and evolution throughout the company.

“Estée Lauder’s business model has changed significantly,” says Tyler. “Fifteen years ago we were basically a wholesaler. Today we are a wholesaler/retailer and in the near future, we will be our second largest customer, apart from Macy’s. We are opening stand-alone company-branded stores in several key global locations, such as Brazil, India, China and Africa, where high-end department store distribution does not presently exist. Instead of waiting for that distribution to happen, we are opening our own branded stores including MAC, Clinique and Estée Lauder. The company is also increasingly ‘locally relevant’ by developing products that align with ethnic skin around the world. We recently created a skin care line named Osiao, specifically for Asia.”

Additionally, the Estée Lauder Companies’ portfolio contains major brands including Origins, Clinique, Bobbi Brown, MAC, Jo Malone, Smashbox and Aveda, and has developed licensing agreements with many designers, including Tom Ford, Ermenegildo Zegna, Donna Karan and Tommy Hilfiger.

In this culture of change, the internal control team has to keep pace. “A decade ago internal audit was viewed as a necessary function, one that had to be tolerated,” Tyler says. “Today, it’s a function that pro-vides value. We have adapted our ERM (enterprise risk management) process over the years by adopting a subcommittee ERM approach that deals with major topics such as reputation, strategy, technology, human resources, emerging markets, and more. The subcommittees identify risks related to those topics, and funnel the risks and related mitigation plans to the internal audit team for inclusion into their risk universe and profile.” In addition, a member of the internal control team sits on each subcommittee in order to have a voice in the process.

Developing strategies and new skills

Ten years ago, the internal control function at Estée Lauder did not have a stated or defined strategy. Five years ago, Tyler and his team developed one, and presented it to executive management and the audit committee. Now, they share the updates to the strategy and their progress once a year with senior management and the audit committee. They also have quarterly updates on audit results with the CEO and the heads of the company’s business functions.

The internal audit function today also has new skills criteria for its auditors. “We primarily recruit from top accounting firms. We look for candidates to have the appropriate certifications (CPA, CIA or CISA) or a master’s degree, or they have 18 months to get it to remain on the team. The company supports their efforts to obtain these credentials with tuition reimbursement assistance,” Tyler says.

This requirement stems from collaborating with Estée Lauder’s external auditors. “They rely on the work of the internal control department to the maximum allowed by professional standards related to the SOX testing we do, so we need to demonstrate that we have a professional, educated group whose work they can rely on. At the end of the day, Estée Lauder is a very competitive organization. The more education and credentials you have, the better it is for your next opportunity here. I strongly believe in the internal audit function being a talent developer and talent exporter for the company, so I encourage my team to focus on their own improvement and growth.”

Taking the initiative

“I think that internal audit has to continually push the envelope,” Tyler says. “We have to proactively put a lot of our services in front of business owners for them to see our value and capabilities and leverage us. The real challenge is motivating business units to ask for our services. Sometimes people want to fix things themselves, and not involve us. Eventually, of course, they have to involve us, and I explain that we could have helped them earlier, and more effectively, if they came to us first.”

Tyler now sits on the Corporate Ethics and Compliance committee along with the heads of the legal and human resources functions and the CFO. Achieving this level of visibility and acceptance has at times not been easy. “Again, it required demonstrating that internal audit provides value and insight,” he says. “Be a proponent and take the initiative.”

Estée Lauder’s brands encompass a digital ecosystem made up of 17 websites. The internal audit team works with the appropriate departments to ensure that the company has controls in place. It is important that everything, from back-end integration to external-facing components such as social media, is consistent. Reputation risk, cyber risk, e-commerce risk – all of these are top of mind for Tyler and his team.

“Years ago, the key area of concern for internal audit was identified risks,” Tyler says. “Today, we are giving a lot more attention to evolving risks such as digital risks, including the pervasive threat of cybercrime and the reputational risk associated with social media. We have accepted the challenge to understand all of the exposures and controls and build a program around what we can do to validate the effectiveness of those controls. In today’s digital landscape, if you have a real or perceived issue, the whole world knows about it in 15 seconds.”

Technology risks

Of all the factors that have contributed to the evolution of internal audit, technology is likely the most significant. From automated work papers to audit tools and knowledge-sharing vehicles, the function has been completely reshaped by technological advancements.

For Tyler, harnessing big data and understanding how best to apply analytics are two key areas for enhancement in the coming years. “Few if any internal audit departments are going to have the additional headcount or resources to keep up. We have to be able to do our work more quickly and smarter, and the only way we can achieve that is through technology. This represents the biggest opportunity for us as a profession, and few are probably as knowledgeable or skilled today as they will need to be.”

He says that another challenge is to merge business process auditors and IT auditors. “Right now, I have a business process staff and an IT staff. Over time, their skills will need to be blended,” he says.

The next chapter

“Internal audit is a much more interesting and challenging job than it was 10 years ago,” Tyler says. “A lot depends upon how your company views the function. Some people hide behind the concept of independence. While you have to adopt an independent view, you are still part of the company. There are ways to be independent in a constructive, collaborative way and the more that internal audit can achieve that balance, the better it will be.”

He believes that everyone needs to get comfortable with what the internal audit function can and should do versus what it should not do.

“We have to consider what management wants and what the audit committee wants,” Tyler says. “Many times, those are different goals. The audit committee, which performs an oversight role, wants comfort that processes and risks are well managed, that the numbers are correct, and that there is a system in place to limit the potential for fraud. Management wants those things too, but they also want operational and financial efficiencies. To satisfy all of your stakeholders who are looking at risk from a top-down basis and checking it from a bottom-up basis – that will be a challenge.”

“Internal auditors want to take their collaboration with business partners to a new level – Internal audit’s longstanding desire to improve collaboration with the rest of the business has intensified, as is evident in the priority that CAEs and respondents place on communicating, and even marketing, the expertise and value that internal audit provides to the rest of the enterprise.”

Assessing the Top Priorities for Internal Audit Functions: 2014 Internal Audit Capabilities and Needs Survey, Protiviti,