Firm’s Risk

Assessment
Process Tool
User Guide Ver 2.0
Firm’s Risk Assessment Process Tool User Guide Ver 2.0 1

Introduction

FRAP 1.1 Background

The Crowe Global FRAP Tool is an integrated Quality Management compliance resource
that enables all firms to document their compliance with the requirements for their System
of Quality Management (SOQM).
The Tool has separate sections for Quality Management (QM) and for Risk Assessment.
The QM section is completed at the corporate (central leadership) level in each firm,
possibly with inputs from service lines. For firms that do not offer audit services, questions
relating to Audit will not be shown for response. Similarly, firms that identify themselves as
‘Small Firms’ (i.e., Firms with less than 5 partners and no restricted entity engagements) will
see material that is specific to Small Firms.
The Risk Assessment section involves risk analysis on Engagement Performance which is
required to be completed by each service line; other aspects of Risk Assessment are
instead completed at the corporate (central leadership) level. The Risk Assessment section
does not distinguish between audit and non-audit firms, or small firms.
Dashboards are separately presented for QM and Risk Assessment. The QM Dashboard
reflects the extent of compliance achieved by the Firm, capturing the response options of
‘Yes,’ ‘No,’ ‘Under Action’ or ‘Not Applicable.’ The ultimate goal would be for responses to
be ‘Yes’ (including conversion of an initial ‘Under Action’ to ‘Yes’) or Not Applicable (with
justifiable, documented reasons). The Risk Assessment dashboard reflects the risks
accepted by the firm, with categorisation at Gross Risk level and at Residual Risk level.
The Tool also has a Quality and Risk Library section. Currently, this is locked and changes
by individual firms are not permitted. In due course, changes will be enabled.
Later in 2023 the Tool will be upgraded to assist firms with their Monitoring and
Remediation, and the Evaluation of their SOQM.

FRAP 2.1 Overview

The 2.1 version of the FRAP Tool supports the tasks of Monitoring, Evaluation and
Remediation, based on the Mitigation measures adopted by each firm.
Importantly, the existing data in your version 1.1 files can be migrated to the version 2.2
tool.
The Monitoring section captures responses on Date of Monitoring, Design, Implementation
and Operational Effectiveness.
The Evaluation section captures root causes for each deficiency, and the evaluation
parameter as to the severity and pervasiveness of the deficiency. Responses on
Remediation design and implementation are also captured. If a deficiency does not exist,
the basis for conclusion is captured.
A Dashboard shows Assessment, Monitoring and Evaluation response numbers against
each risk section and Service Line, along with options for entire Corporate, all Service Lines
or the organisation as a whole.
FRAP 2.1 enables you to migrate data from previous assessments thereby doing away with
the need to enter assessment data from start.
This document serves as a User Guide for FRAP Tool Version 2.1 providing key guidance
for effective use of the Tool.

© 2023 Crowe Global

 Firm’s Risk Assessment Process Tool User Guide Ver 2.0 2

Key Practical Aspects

Key practical aspects for use of the Tool are:
a. The tool is Microsoft Excel based, using Windows Operating system. It will not work
with Apple products or other platforms. Make sure you have an updated version of
Excel on your computer.
b. You will receive the tool as a Zip file. It is important to extract the excel file from the
Zip folder and save it on a separate folder. This will ensure that your assessment is
recorded and saved. If you hold it in the Zip folder or try to operate directly on the
attachment from the email, the data will not save.
c. Extracting the Zip file will also extract a \Bin sub-folder that contains images. This
folder and its contents are integral to the functioning of the tool. If the \Bin sub-
folder is missing, a message pops up when you start the tool.
d. Please save the tool on your computer or server. FRAP 2.1 supports OneDrive, but
not SharePoint; it will not run if it is saved on SharePoint.
e. When you run the tool, make sure all other excel files are closed. The tool needs
macros to be enabled; it will prompt you to do this.
f. FRAP 2.1 supports multiple resolutions. The need to change the screen resolution has
been made optional. If done, the resolution will revert to the original setting when quitting
the tool.
g. FRAP 2.0 supports both New Assessments and Monitoring of previous year
assessments. This is defined at the start of the tool and cannot be changed once set.
h. If the purpose of the tool is Monitoring of a previous year assessment, the consolidated
data version of the FRAP 1.1 should be available for you to migrate the data for
Corporate and Service Lines.
i. If the purpose of the tool is New Assessment, a few minutes spent on the initial set-up
will be valuable. This will help to (a) identify the service lines in your firm; (b) identify
leaders and their email IDs for each service line; (c) select if your firm is a small firm; (d)
identify the assessment period. If the service lines selected do not include audit, the tool
will conclude that the firm is a non-audit firm and will not reflect audit-related QM
questions. Service-line leaders’ emails are useful for export of service-line Risk
Assessment sections to the respective leaders. Selecting the small firm option will reflect
material relevant to a small firm.
j. When the purpose of the tool is New Assessment, as in FRAP 1.1, new assessments
can be initiated as many times as you wish. Offices in different cities could also be asked
to complete independent assessments, if desired; however, the tool cannot consolidate
these automatically. The corporate office will need to consider the responses in
determining the overall firm-level response.
k. Monitoring and Evaluation of Risks is done at a Central level, hence there will be no
option to export or import the data to and from Service Lines. Migrating the data from
previous assessments including Service Lines will be all that is required.
l. The Close Assessment and Cycle Closure existing in FRAP 1.1 has been removed from
FRAP 2.1 and will be reintroduced in later versions, if required.

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 3

Set Up and Starting

1. Do not open the file from the mail attachment. Save the file into a separate folder
before opening the file. The folder should be on your local machine and can also be on
OneDrive.
2. Once the file is saved in a folder, unzip the file and extract the Tool file into the folder.
Ensure that there is a sub-folder “BIN” in the main folder.
3. Microsoft has introduced certain additional controls for security since 2022 that blocks all
files originating from Emails or Internet. These also include Corporate Portals. To
unblock your file, Right Click on the Excel File Crowe-FRAP Tool Version 2.1.xlsb and
click on Properties appearing at the bottom.

If you see a message as shown

• Select Unblock and then Apply.
• The security message will
disappear.

4. The Assessment Tool is a Macro-enabled Excel file. Click on ‘Enable Macros’ and
‘Enable Editing’ when prompted.
5. If you do not get a pop-up for ‘Enable Macros,’ it means that your system is set to
disable macros without notification. In order to change this, please follow the below
steps:
• Open a blank excel document.
• Go to File → Options → Trust Center and click on ‘Trust Center Settings.’
• In the Trust Center Settings, click on ‘Disable macros with notification’ and ‘Trust
access to the VBA project object model.’
• Click ‘OK’ and exit. This will enable the pop-up for ‘Enable Macros’ to open when
the Tool is opened again.

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 4

Starting the Tool

When starting the Tool for the first time, you are provided 2 choices as shown below:

New Cycle enables you to define Service

Lines and initiate Risk Assessment Cycles.
Monitoring requires previous years Risk
Assessment data.
Once defined, you will not be able to change
these options.

Setup – System Configuration

1. About System Configuration – Provides a general overview of the module.

2. Configuration Settings
a. The tool automatically locates OneDrive as it comes installed with Microsoft
Windows. In a rare instance where OneDrive folder is not found, the ‘Locate
OneDrive’ option is enabled and allows you to select the OneDrive folder location
manually.
b. The Tool also identifies your Screen resolution and displays a message if it is
required that you change the resolution and scaling – It does not change
automatically.
c. If required to change the screen resolution, select ‘Change Screen Resolution.’
d. The screen resolution is automatically set back to the existing one when you Quit
the tool.

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 5

Tool Configuration

This option only appears when ‘New Assessment’ has been selected.

Firm Details Tab

1. Enter the Full Name of your Firm.
2. Alias is an abbreviation of your Firm Name to be used as a Prefix when exporting
documents. You may retain the system generated alias or change it to your choice.
3. Enter the city and country where your office is located.
4. The Geography auto-populates based on the country selected.
5. The Assessment Period auto-populates to the month in which you start the assessment,
but may be changed as per your choice. Preferably use short month names, e.g., APR,
JUN, DEC.
6. If your firm is a SMALL firm as per the definition, click on the check box.
7. CLICK SAVE to save the INPUTS

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 6

Firm Structure Tab

This helps identify the firm’s service lines and creates service-line specific Risk Assessment
work files for export to heads of service lines.

• Click on the service line in the left panel; the line will automatically appear in the field for
Service Line
• Add leader name under Responsibility; and then leader’s Email ID
• Click ‘Update’ to update the Email ID
• Click on ‘Select,’ so that Service Line now appears under ‘Selected for Assessment’
• Once FIRM DETAILS and FIRM STRUCTURE are defined, click SETUP
ASSESSMENT.

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 7

Manage Assessments

This option only appears when ‘New Assessment’ has been selected.
Manage Assessments helps to export and import assessments to and from Service Lines. To
recap, this is only required for Engagement Performance risk evaluation for each service line;
hence, all applicable service lines, their leaders and leader’s email address should be
correctly captured in the Firm Structure Tab.
Data Migration – Allows you to roll over the data from the previous year and then re-assess
the Risk without requiring you to start all over again. This option can only be done for
Service Lines that were part of the assessment in the previous year.
Example: If Tax and Audit service lines participated in the assessment in the previous year,
the data of these service lines can be rolled over or migrated to the current assessment for
re-assessment.

For data migration to happen, the service lines should have been defined under Tool
configuration.
Select the previous year assessment file, click Verify File to checking Service Lines and then
Click on Migrate to migrate the Data.

Export Assessments - If a file name shows in ‘RED,’ it means a file is not available for
Export and has to be created – Select the service lines (not Corporate) that you want to
create the Assessment workbooks for and click ‘Proceed with Export.’ The files created will
be automatically saved in the Export sub-folder that is system created in the FRAP Tool
Folder on your machine.

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 8

Exporting with Previous Year Assessment Values exports the Assessment workbooks
with data where existing. You may also choose to export the Assessment workbooks without
the previous year’s data (Export Fresh).
Email Assessments – Once the assessment workbooks have been created, select the
Service Lines to export and click ‘E-mail Documents.’ Note: When you select ‘E-Mail
Documents’, this requires Outlook to be Open for emails to be sent. Outlook may seek
permission to email the file and you should Allow this.

A ZIP File is created and emailed to the Service line leaders defined earlier. Only Exported
Assessment workbooks will be emailed. The RED type denotes the Assessment workbook
for Technology was not exported.
Action by service-line leaders: Service-line leaders receiving the email should follow the
process of saving and extracting the file on the leader’s computer, completing the
assessment (25 risk questions for each service line) and emailing the completed assessment
to the corporate leader / assessment coordinator who must then save this file in the Import
sub-folder that is itself system created in the FRAP Tool Folder on your machine.
Importing Assessments – once the completed file for a service line is saved in the Import
Folder, the file can be imported into the corporate assessment by clicking ‘Import
Assessments.’ Files ready for import will appear in green. Select these and click ‘Proceed
with Import’.

1. You can import files simultaneously for multiple service lines, or individually by service
line. These will be merged with the overall corporate risk assessment, when imported.
2. You may import the same service line multiple times – each time the existing data is
overwritten.
3. Data for the service line has now been merged and the metrics can be viewed under
Risk Management Dashboard.

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 9

Assessment Migration

This option only appears when ‘Monitor and Evaluate Previous Year’s Assessment’ has
been selected at the start.

• Select the Previous Year Assessment workbook that was consolidated at the corporate
level.
• Clicking on Verify File extracts the Firm and Service Line information and displays that will
be imported into the Assessment.
• Migrate Now – imports all the relevant data and then displays the Firm Information on the
next Tab once imported.
• The Assessment Migration Tab will not be visible once the data has been migrated.
Instead, the Firm information will be displayed. You will not be able to save any changes
that you make to the Firm details.

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 10

Quality Management

1. QM assessment is grouped into 8 areas. Questions are grouped and presented in

multiple cards which may carry one or multiple questions.
2. Each question has four options - ‘Yes,’ ‘No,’ ‘Under Action’ or ‘Not Applicable.’ Click
‘Save and Next’ as each card is completed.
3. If the card has the question greyed out because it is an audit question not applicable to a
practice which does not have audit as a service line, simply click ‘Save and Next’ to
proceed.
4. For each response, the pie chart refreshes.
5. You may Exit at any time and return back to continue the Assessments.

Please Note:
If you had selected Monitor and Evaluate Previous Year’s Assessment, the response
option is locked and you will be able to update only Monitoring and Remediation values.
Only New Assessment gives you the options to modify Response, Monitoring and
Remediation.

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 11

Risk Management
Risk Assessment - Selecting Assessment shows Corporate-Assesment and Services-
Assessment.

Monitor and Evaluate Previous Year’s Assessment does not allow you to change the
Response or the Impact of the Risk. Only the Mitigation Steps can be modified and saved.
The mitigation steps from previous year assessment is imported and displayed – which can
be further modified as required.

For Service-Lines – only the Mitigation steps are editable at a corporate level irrespective of
whether it is a New Assessment or Monitoring a previous year’s assessment. To work on a
Service Line, select the required Service Line from the drop-down combo on the
Assessment Screen.

Risk Assessment at Corporate Level comprises 10 sections, each with a set of Questions.
Service lines will have only 1 section i.e., Engagement Performance.

1. Against Response select Accept if you accept the Risk or Reject if you reject the Risk
a. If you Reject the risk, you must record the reasons why you reject the risk.
Select Save and Next to move onto the next question
2. If you ‘Accept’ the risk
a. Select the applicable parameters for Impact and Likelihood.
b. If the risk is insignificant (based on parameters selected), the Mitigation tab will
show in a dark green colour and requires no further response as regards
‘Mitigation,’ ‘Mitigated On’ and ‘Frequency of Mitigation.’
c. In all other cases, you are required to complete the tabs for Mitigation, Mitigated
on and Frequency of Mitigation.
d. For comprehensiveness, state the Mitigation Steps taken in response to the
Risk. The “+” option allows you to add as many Mitigation steps as
required, a feature that was introduced in FRAP 2.1.
3. Location of Supporting Documents – gives you an option to record the location on your
system where the relevant supporting documents to the risk assessment and mitigation
are saved.
4. Click Save and Next to proceed to the next risk card. Gross Risk Score and Residual
Risk Score will be automatically updated as a cumulative running score.
5. View Objectives – This Tab enables access to the section Objectives, without having to
exit the card or assessment.

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 12

General Section - This section comprises a few questions on both Monitoring and
Evaluation that are required to be answered. All questions are mandatory.

Monitoring – All Monitoring is done only at a corporate level for both Corporate and Service
Lines irrespective of the type of Assessment – New or Monitoring.

1. The Mitigation steps that were updated under Risk Assessments are reproduced here
2. Against each step, select the Date of Monitoring by clicking on the calendar icon
3. Effective Design, Effective Implementation, Effective Operation are all Toggle Buttons for
YES and NO – Clicking on them once, displays YES and clicking on them a second time
makes it a NO.
4. If there are any documents supporting monitoring activities, you may either manually
enter the path of the documents, or selecting the Locate Path option and pointing to the
document will update the path. Please Note: Document Path is at a Risk level and not at
individual mitigation steps.

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 13

Evaluation and Remediation – Similar to Monitoring, this is a corporate level activity carried
out at Corporate for both Corporate and Service Lines.

1. Only after Monitoring is done can you update Evaluation and Remediation.
2. Like in Monitoring, the Mitigation steps that were updated under Risk Assessments are
reproduced here.
3. Against each step, specify if Deficiency still Exists
a. If Deficiency still Exists, then enter the Root Cause, Severity, Pervasiveness. Also
specify if Remediation has been Designed and Implemented.
b. If Deficiency does not Exist, provide a basis for concluding so in the space provided.
4. Use the ‘Color Codes’ option to identify what those values mean.

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 14

Risk Catalogue – The Risk Catalogue is a Dashboard that allows you to see all Assessment,
Monitoring and Evaluations of a Risk all in one place. This is purely a visual board.

Assessment Section

Monitoring and Evaluation Section

1. Select Corporate or Service Line from the top

2. Corporate provides a list of the 10 sections to select from, each section all the Risks
pertaining to the section. Selecting Service Line lists all 25 Risks pertaining to
Engagement Performance.
3. The Accept, Reject and Pending Buttons show the status of the Risk question. Clicking
on the Status Buttons displays the Assessment Values and Monitoring and
Remediation Values against each of the Risks.

© 2023 Crowe Global

 Firm’s Risk Assessment Process Tool User Guide Ver 2.0 15

Risk Management Dashboard – Provides a numerical Dashboard on the

Assessment, Monitoring and Evaluation options chosen for each of the sections. This
may be viewed at a Corporate and Service Line level including entire Corporate,
Service Lines or company level.

Technical Support Contact

For any technical issues related to the tool, please contact:

N Mahesh Murthi, India

E-Mail: mahesh.murthi@crowe.in

Some Known Issues

Following are the Known Issues and Possible Solutions
I. Compile error in hidden module:
"This error commonly occurs when code is incompatible with the version or architecture
of this application (for example, code in a document targets 32-bit Microsoft Office
applications but it is attempting to run on 64-bit Office)."

1. Excel Version is not up to date

2. Excel is missing MSCOMCTL.OCX – this was included in later versions of MS-Excel. If
this is missing, it would be required to manually download and register the component.

Refer to PDF Document: Crowe Global - Assessment Tools-Known Issues on

how to fix the issue.

II. Development Tool Box opens Up abruptly

During the course of Assessment, Monitoring or Evaluation – the Visual Basic Toolbox
appears out of nowhere – This has been very rarely observed only on Developer
machines and may not appear at all in end user’s systems.
The box can be closed by clicking on the
“X”

This does not impact the tool or its functionality.

It is a known feature from across the world and there is no

reported issue arising out of it.

© 2023 Crowe Global

Firm’s Risk Assessment Process Tool User Guide Ver 2.0 16

Crowe Global is a leading international network of separate and independent accounting

and consulting firms that are licensed to use “Crowe” in connection with the provision of
professional services to their clients. Crowe Global itself is a non-practicing entity and does
not provide professional services to clients. Services are provided by the member firms.
Crowe Global and its member firms are not agents of, and do not obligate, one another and
are not liable for one another’s acts or omissions.

© 2023 Crowe Global