Task: Determine Security Audit And Compliance Requirements
In engagements where Clients have regulatory compliance requirements, Capgemini may be obliged to assist Clients in meeting those requirements. The Information Security And Compliance Lead therefore needs to understand these compliance requirements and the need to audit or assess them within the engagement.
Relationships
Main Description

Based on the contractual obligations, the pre-transition study and the master service agreement, the Information Security And Compliance Lead must clearly understand the audit and/or assessment requirements of the service engagement. Capgemini will typically need to assist Clients in meeting their regulatory compliance requirements (for example, Sarbanes-Oxley (SOX) in the United States).
Clarity must be obtained on:
  • Whether Capgemini is obliged to have audits conducted so that Capgemini itself is certified,
  • Whether Capgemini is only responsible for participating in the audits for the Client's certification, or
  • Whether Capgemini is obliged to conduct internal security audits and provide the resulting reports to the Client.

Clients typically have a control framework that specifies the design and operation of their IT internal controls.

It is common for these frameworks to contain defined control objectives grouped into five control areas:
  • Information technology control environment
  • Program development
  • Program changes
  • Access to programs and data (security)
  • Computer operations.
More Information
Guidelines