a. Companies considering utilizing an ASP might start the process by identifying a need to
lower costs and increase flexibility. What other steps would a manager likely take in selecting an ASP? Who should be involved in such a decision?
b. Refer to www.sas70.com to determine which of the following statements are true about service audits conducted under that standard.
i. The audit provides positive proof that an ASP is not vulnerable to fraud.
ii. An SAS 70 audit is sometimes called a “service auditor’s examination.”
iii. An SAS 70 audit can be an important component of an internal control examination and assessment.
iv. The audit consists of going through a checklist of required controls and activities.
v. As defined in the standard, a “service organization” can be an ASP.
vi. Service auditors can issue a Type I report or a Type II report.
vii. A Type I report means that the service organization has good internal control; a Type
II report indicates internal control problems.
viii. Without an SAS 70 examination, an ASP may need to be audited by its clients’ independent auditors.
ix. SAS 70 audits are generally performed by professionals with a background in accounting, auditing, and information security.
x. Section 404 of the Sarbanes-Oxley Act of 2002 has increased the importance and relevance of SAS 70 examinations.
c. All professional accounting certifications and licenses (such as the CPA and CFE) require continuing professional education (CPE) on an annual basis. Suppose you and a group of friends started an ASP designed to track CPE requirements for accounting professionals.
Design a database that would capture the required information about your clients. What internal controls would you implement to promote the integrity of those data?