
APPLICATION SERVICE PROVIDERS (ASP)

DEFINITION:

Jaruzelski, Ribeiro, and Lake (2014) define an ASP as “an organization
that provides a contractual service to deploy, host and manage applications for customers
remotely from a centralized location.”

Five (5) subcategories of the ASP industry:

1. Enterprise ASPs - deliver high-end business applications
2. Local/Regional ASPs - supply a wide variety of application services for smaller businesses in a
local or regional area
3. Specialist ASPs - provide applications for a specific need, such as Web site services or
human resources
4. Vertical Market ASPs - provide support to a specific industry, such as healthcare
5. Volume Business ASPs - supply general small/medium-sized businesses with prepackaged
application services in volume

COSO’s Enterprise Risk Management – Integrated Framework discusses ASPs as “a form of risk
sharing, one way of responding to risks in an organization’s environment.”

Uses of ASPs by organizations and individuals:

1. Process insurance claims (www.processclaims.com)
2. Complete the steps in the accounting cycle (http://www.online50.net/)
3. Manage stock transactions electronically (www.tradingtechnologies.com)
4. Provide personal financial planning (www.zywave.com)
5. Prepare income tax returns (www.taxslayer.com)

ASP Benefits vs. ASP Risks

ASP Benefits:

• Less costly than purchasing software outright
• Increased flexibility
• Potentially improved customer service
• Role in disaster recovery plans

ASP Risks:

• Psychological and behavioral factors
• Service interruptions
• Compromised data
• Inability to pay monthly fees

Internal controls to address some of the ASP risks:

1. Establish a budget for the ASP project.
2. Back up data on a daily basis.
3. Provide ongoing training for employees using the ASP.
4. Create firewalls and encryption protocols.

The American Institute of Certified Public Accountants (AICPA) effectively replaced SAS 70 with
SSAE 16, officially titled “Reporting on Controls at a Service Organization”.

The AICPA defined Service Organization Control (SOC) Reports as “internal control reports on
the services provided by a service organization providing valuable information that users need
to assess and address the risks associated with an outsourced service.”

According to Bourke (2012), SSAE 16 includes three broad types of SOC Reports, and the AICPA
(2014) differentiates the three as follows:

• SOC 1 – reports on controls relevant to user entities’ internal control over financial
reporting
• SOC 2 – reports on controls over security, availability, processing integrity,
confidentiality, or privacy
• SOC 3 – less-detailed reports, similar to SOC 2 reports
