How to sarbanes-oxley excel audit: map cell dependencies for financial reporting compliance
- Step 1Open the tool on a Pro account — The trace is Pro-gated; Free returns "Cell Dependency Map requires Pro tier." Sign in on Pro or higher (50 MB / 100,000 rows).
- Step 2Load the reporting workbook (.xlsx) — Drop the
.xlsx. Processing is local, so a confidential reporting file stays on your machine. XLSX only — a CSV carries no formulas to evidence. - Step 3Identify each reported cell in scope — For every figure that flows to the financial statements, enter its address in Target cell (auto-uppercased,
$ignored). - Step 4Set the sheet name — Type the exact reporting-tab name into Sheet name so the right cell is traced; leave blank only if it is the first tab.
- Step 5Run and review every (hardcoded) leaf — Trace each reported cell. Inspect each
(hardcoded)input — confirm it is a sanctioned assumption, not an unauthorised plug — and note any depth cut or skipped named range. - Step 6File the evidence — Copy each text tree into the control workpaper, label it with the figure and the generation date, and attach the access-control and sign-off records SOX also requires.
Every control the tool actually exposes
The whole UI is two text boxes — there is no depth slider, no chart toggle, no export-format picker, no range expansion. Anything not in this table does not exist in the tool.
| Field | Type | Required | Default | What it does |
|---|---|---|---|---|
| Target cell | Text box (auto-uppercased) | Yes | (none) | The cell whose precedents you trace, e.g. B12. $ signs are stripped, so $B$12 and B12 behave identically. Lower-case is forced to upper-case as you type. |
| Sheet name | Text box | No | First sheet in the workbook | Which sheet contains the target cell. Leave blank to use the first sheet. Must match the tab name exactly (case-sensitive in the lookup). |
What the reference parser does and does not follow
Precedents are pulled from each formula string by a regular expression. Knowing its limits prevents surprises when a branch looks shorter than you expected.
| Reference style in a formula | Followed? | Behaviour |
|---|---|---|
Plain cell A1, B12 | Yes | Followed and expanded on the current sheet. |
Range C1:C10 | Partly | Only the FIRST cell (C1) is walked; the rest of the range is not individually traced. |
Cross-sheet Sheet2!B5 | Yes | Followed; the node is labelled with its sheet name. |
Quoted sheet 'P&L'!B5, 'Q1-Actuals'!A3 | No | Sheet names with spaces are fine, but &, -, . or quotes are not matched, so the link is dropped or mis-attributed to the current sheet. |
Named range Revenue, table Table1[Amount] | No | Names and structured table references are not resolved to addresses, so they are skipped. |
Absolute $B$12 | Yes | $ is ignored; treated identically to B12. |
Tier limits for the Cell Dependency Map (excel family)
The Dependency Map needs Pro tier or higher — the Free tier rejects it with "Cell Dependency Map requires Pro tier." File-size and row caps below are the excel-family limits from the codebase; a workbook within these limits processes entirely in your browser.
| Tier | Max file size | Max rows | Batch files | Dependency Map available |
|---|---|---|---|---|
| Free | 5 MB | 10,000 | 1 | No — Pro gate |
| Pro | 50 MB | 100,000 | 5 | Yes |
| Pro-media | 200 MB | 500,000 | 20 | Yes |
| Developer | 500 MB | Unlimited | Unlimited | Yes |
Cookbook
Evidence snippets a reviewer would file. The tree on the right is exactly what the tool prints; the surrounding notes are what you add for the workpaper.
Evidence for a reported revenue figure
Trace the reported revenue cell to its raw inputs and capture it as workpaper evidence with a generation stamp.
Control: Reported revenue (Summary!B6) calculation Generated: 2026-06-12 Dependency tree for Summary!B6: Summary!B6 = =SUM(Detail!D2:D500) └─ Detail!D2 = =Detail!B2*Detail!C2 └─ └─ Detail!B2 = "120" (hardcoded) <-- unit qty input └─ └─ Detail!C2 = "49.99" (hardcoded) <-- unit price input Note: range D2:D500 traced from first cell only (see limits).
Catching an unauthorised plug
A reported subtotal that should be a formula shows up as hardcoded — exactly the control weakness a SOX review looks for.
Control: Reported COGS (Summary!B7) Dependency tree for Summary!B7: Summary!B7 = "2730000" (hardcoded) FINDING: B7 should be =SUM(Costs!D2:D500) per the model spec but holds a typed value. Flag as a manual override; obtain explanation and authorisation; remediate to a formula.
Documenting the limit explicitly
Good evidence states what the trace did not cover. Record the 8-level cut and the named-range gap so the workpaper is complete.
Scope notes for the trace of Summary!B12:
- Recursive precedent trace, depth limit = 8 levels.
- Chain exceeds 8 levels at Calc!Z40; continued in a
separate trace (target Calc!Z40) -> see Exhibit B.
- Formula uses named range TaxRate (not resolved by the
tool); TaxRate maps to Rates!B3, traced manually.Cross-sheet reporting chain
Show the full path from a detail tab through calc to the reported line, all in one exportable tree.
Dependency tree for Statements!C10: Statements!C10 = =Summary!B12 └─ Summary!B12 = =Calc!E20-Calc!E21 └─ └─ Calc!E20 = =Detail!F100 └─ └─ └─ Detail!F100 = "5400000" (hardcoded) └─ └─ Calc!E21 = "1200000" (hardcoded) Path: Detail -> Calc -> Summary -> Statements.
Confirming a control is formula-driven
The clean case: no stray hardcoded leaves where calculation is expected, which is itself documentable evidence.
Dependency tree for Summary!B8 (Gross Margin %): Summary!B8 = =(B6-B7)/B6 └─ Summary!B6 = =SUM(Detail!D2:D500) └─ └─ Detail!D2 = =Detail!B2*Detail!C2 └─ Summary!B7 = =SUM(Costs!D2:D500) └─ └─ Costs!D2 = =Costs!B2*Costs!C2 Note: leaves are all formula-driven down to authorised input cells; no unexpected plugs at the reported level.
Edge cases and what actually happens
Hardcoded plug in a reported cell
Audit findingA reported cell that holds a typed value where a formula is expected shows as (hardcoded) with no precedents — a classic SOX control weakness. Treat it as a finding: obtain the explanation, confirm authorisation, and remediate to a formula.
Dependency tree alone as the control
InsufficientA trace is evidence of the calculation logic, not a complete control. SOX 404 also requires access controls, change/version history, and documented reviewer sign-off, none of which this tool provides. File the tree alongside those records.
Chain longer than 8 levels
Truncated silentlyThe trace stops at 8 levels with no marker. For complete evidence, state the limit in the workpaper and run a follow-up trace from a level-8 cell so the whole chain to the reported figure is covered.
Named range in a reporting formula
SkippedA reporting formula using a named range (=Revenue-COGS) does not resolve, so those inputs are absent from the tree. Document the named-range-to-cell mapping manually and trace the underlying cells.
Range like D2:D500 in a total
First cell onlyA reported total summing a range is traced from its first cell only. Note in the evidence that the node represents the full range so a reviewer does not read it as a single-cell driver.
Confidential figures and data residency
SupportedBecause everything runs in the browser via SheetJS, the reporting workbook never leaves the machine — a meaningful control benefit for sensitive financial data subject to confidentiality requirements.
Tab named P&L referenced in the chain
Not followedReferences into a tab named P&L or Q4-Close are not matched by the parser, leaving a gap in the evidenced chain. Rename such tabs to plain alphanumerics before generating evidence, or trace the linked cell manually and note it.
Free tier
Pro requiredSOX evidence generation needs Pro or higher; Free returns the Pro-required message. Pro covers 50 MB / 100,000-row reporting workbooks.
Frequently asked questions
Is a dependency map sufficient for SOX control documentation?
No — it is one component. The tree evidences the calculation logic and surfaces hardcoded plugs, but SOX 404 also requires access controls, change/version history, and documented reviewer sign-off. File the tree alongside those records; consult your compliance team for the full control set.
Can the output be exported to PDF?
The tool emits a text report. Copy it into Word or Google Docs and save as PDF for the evidence pack, or paste it into a workpaper. There is no built-in PDF export.
How does it help catch unauthorised manual overrides?
Every leaf without a formula is tagged (hardcoded). A reported cell that shows as (hardcoded) where a formula is expected is exactly the manual-override (plug) weakness SOX reviews target — flag it, get authorisation evidence, and remediate.
Does the trace cover the whole chain to the reported figure?
Up to 8 levels — a hardcoded cap with no "depth limit reached" marker. For longer chains, document the limit in the workpaper and run a follow-up trace from a level-8 cell so the full path is evidenced.
Will using this tool send our confidential figures to a server?
No. The workbook is parsed and traced entirely in your browser with SheetJS — nothing is uploaded. This local processing is itself a useful control point for sensitive financial reporting data.
What does the trace NOT capture that I should note in the evidence?
Three things: named ranges and table references are not resolved (skipped); a range like D2:D500 is traced from its first cell only; and references into tabs with &, -, or . in the name are not followed. State these limits in the workpaper so the evidence is complete and defensible.
Can I evidence multiple reported figures at once?
No — run the tool once per reported cell; each run produces one tree. For a reporting package, generate one tree per in-scope figure and file them as labelled exhibits.
How should I label each tree for the workpaper?
Record the figure it evidences, the cell address, the sheet, and the date/time you ran the trace (it is a snapshot, not a live link). Re-generate after any model change and replace the prior exhibit.
Does it detect circular references that could misstate a figure?
It will not loop on a cycle (revisited cells collapse to (already traced ↑)), but it does not enumerate cycles. Use the Circular Reference Finder to scan the workbook for circulars as a separate control check.
Can I check for risky external links in the reporting workbook?
Yes — the External Link Auditor lists links to other workbooks, a common SOX concern because an external source can change outside the control. Pair it with this tool's internal trace.
Are there other spreadsheet-control checks worth running for SOX?
Two complement the dependency trace: the Format Inspector flags numbers stored as text (a silent misstatement risk in totals), and the Formula Explainer gives a reviewer a plain-English read of any complex reporting formula in the chain.
What file types can I trace?
XLSX workbooks only — that is the single accepted format for this tool. A standalone CSV has no formulas, so there is nothing to trace; if your data is in CSV, open it in Excel/Sheets, build or paste the formulas, and save as .xlsx first.
Does my workbook get uploaded anywhere?
No. The whole trace runs in your browser using SheetJS — the workbook is parsed locally and never sent to a server. That matters for confidential models: you can run the trace offline once the page has loaded.
Why does it require Pro?
The Cell Dependency Map is gated to Pro tier or higher. On the Free tier the tool returns "Cell Dependency Map requires Pro tier." The free excel limits are 5 MB / 10,000 rows / 1 file; Pro raises that to 50 MB / 100,000 rows / 5 files.
Privacy first
Every JAD Excel tool runs entirely in your browser using SheetJS and ExcelJS. Your spreadsheets, formulas, and data never leave your device — verified by zero outbound network requests during processing.