Audit schedules must be determined based on the scope of the compliance audits (external or internal) and the Capgemini participation solicited. These could be schedules to conduct internal compliance audits and provide the reports to the Client, or to participate in Client audits as per the Client's schedules.
The Information Security and Compliance Lead must obtain an agreement with the Client on the need to provide an SSAE 16 Type II or ISAE 3402 Type II audit report, or to participate directly in the Client's audits and control testing as per the scope. It is essential to provide guidance to Service Delivery Teams regarding delivery with respect to compliance requirements, e.g. SOX applications and control testing scope, level of involvement with auditors, and controls or any functions that are supported directly or indirectly by Capgemini’s Application Support team.