How to audit external references before a client workbook leaves your hands
- Step 1Audit the delivery candidate before you attach it — Drop the final
.xlsxonto the tool. JSZip unpacks the container in your browser and scans the relationship and connection XML. Do this on the exact file you intend to send, after any last edits — not an earlier draft. - Step 2Read the typed inventory — The report shows
Found N external link(s):then numberedn. [type] urllines. Scan theexternal_refandhyperlinktargets for anything starting\\,file:///, or pointing at an internal host — those are the disclosure and breakage risks. - Step 3Decide what each link should become — Workbook references should usually be broken to cached values for delivery. Internal hyperlinks should be removed or rewritten to a client-reachable URL. Data connections should be deleted unless the client genuinely has access to the source.
- Step 4Break workbook links in Excel — In Excel use Data → Edit Links → Break Link to convert each external workbook reference to its last calculated value. This is the step that stops the Update Links prompt for
external_refentries. - Step 5Strip hyperlinks and connections — Remove internal cell hyperlinks (right-click → Remove Hyperlink) and delete unwanted connections under Data → Queries & Connections. To freeze all formula results to static values in one pass, run the Formula to Value converter.
- Step 6Re-audit and sign off — Drop the cleaned file back onto the auditor. A
No external links found in this workbook.result is your green light to deliver. Save or copy that report as the QA record.
Delivery risk by link type
What each detected type does in the client's hands and the recommended pre-delivery action. The three types are the complete set the auditor reports.
| Report label | What the client experiences | Disclosure risk | Recommended action before sending |
|---|---|---|---|
external_ref | Update Links? prompt on open; #REF! or stale values when the source isn't reachable | High — reveals internal file paths / server names | Data → Edit Links → Break Link to convert to cached values |
hyperlink | Clicking opens an intranet/staging URL or local path that doesn't resolve | Medium — leaks internal URLs and UNC paths | Remove the hyperlink, or rewrite it to a client-reachable address |
data_connection | Refresh fails or errors; may prompt for credentials the client doesn't have | High — exposes connection strings / data-source hosts | Delete under Data → Queries & Connections before delivery |
Pre-delivery checklist mapped to the audit
A practical sign-off sequence. The auditor proves the before/after state; Excel performs the removal.
| Step | Tool / action | Pass criterion |
|---|---|---|
| 1. Initial audit | External Link Auditor on the delivery file | Inventory captured; risky targets identified |
| 2. Break workbook links | Excel Data → Edit Links → Break Link | No external_ref should remain after re-audit |
| 3. Strip hyperlinks | Excel Remove Hyperlink (or clear the cells) | No internal hyperlink targets remain |
| 4. Remove connections | Excel Data → Queries & Connections | No data_connection entries remain |
| 5. Final re-audit | External Link Auditor again | No external links found in this workbook. |
Cookbook
Real pre-delivery scenarios with the literal report text. Internal hostnames and paths are anonymised but the structure is exactly what you'll see.
A model leaking an internal network path
The single most common delivery failure: one cell pulls from a workbook on a UNC share. The path is invisible in the grid but glaring in the audit.
Report: Found 1 external link(s): 1. [external_ref] file:///\\fin-nas01\models\rate-card.xlsx Action: Data > Edit Links > Break Link, then re-audit.
Staging-URL hyperlink that means nothing to the client
A cell links to an internal staging dashboard. It opens nothing useful on the client's machine and reveals your environment naming.
Report: Found 1 external link(s): 1. [hyperlink] https://staging.internal.example/dash/q3 Action: Remove Hyperlink, or rewrite to the client portal URL.
A live database connection that will fail off-network
A refresh-on-open connection points at an internal database. The client sees an error or a credential prompt.
Report: Found 1 external link(s): 1. [data_connection] Data Source=sql-prod-03;Initial Catalog=Sales;Integrated Security=SSPI Action: Delete under Data > Queries & Connections before sending.
Mixed deliverable with all three risks
A consolidated client report often carries one of each type. Audit catches them together so nothing slips through.
Report: Found 3 external link(s): 1. [external_ref] file:///\\fin-nas01\models\inputs.xlsx 2. [hyperlink] file:///\\fin-nas01\docs\methodology.docx 3. [data_connection] Provider=MSOLEDBSQL;Data Source=sql-prod-03
The clean re-audit that lets you hit Send
After breaking links and removing connections, the second pass returns the one line you want to see before delivery.
Pass 2 (after remediation): No external links found in this workbook. -> Safe to deliver: no Update Links prompt, no #REF!, no leaked paths.
Edge cases and what actually happens
Link breaks for the client but not for you (path resolves on your machine)
Why pre-delivery audit mattersAn external_ref to file:///C:/Finance/source.xlsx or a mapped drive resolves fine on your machine, so you never see the prompt — but the client's Excel can't find the path and shows #REF!. The auditor reports the link regardless of whether the source is currently reachable, which is exactly why you run it before sending rather than relying on what you see when you open the file.
The report shows the path but not which cell uses it
Not reportedThe inventory gives you the type and target URL, not the source cell. To find and break the link in Excel, search (Ctrl+F) for the file token (e.g. [rate-card.xlsx]) for an external_ref, or inspect the sheet owning a hyperlink. The audit's role is to prove the risky reference exists before delivery.
Hyperlink on an image/logo in the header
Not detectedA hyperlink attached to a shape or image lives in xl/drawings/_rels/*.rels, outside the cell-hyperlink relationships the scan reads. If your template puts a clickable logo linking to an intranet page, the auditor won't surface it — review header/footer images manually before client delivery.
Encrypted deliverable
Cannot parseIf you password-protected the file with Encrypt with Password, it's an encrypted container JSZip can't open, so no scan runs. Audit the unencrypted file first, then apply encryption as the final step — or send the password separately. To gauge the open-password's strength, see the Password Entropy Auditor.
Cached values look correct, so you assume there's no link
Hidden riskAn external_ref displays its last cached value, which can look like a normal number — the dependency is invisible until the client's Excel tries (and fails) to update it. The audit reports the link even when the displayed value looks fine, catching the trap that visual inspection misses.
Workbook over your tier's size limit
RejectedLarge client packs can exceed the 50 MB Pro cap. The file is rejected before scanning. Such files are often bloated by embedded media rather than data — run the Workbook Weight Analyzer to see what's consuming space, slim it down, then audit.
Hyperlink to a public, client-safe URL
By design (reported, not a defect)Not every hyperlink is a problem. A link to your public marketing site or a published documentation page is fine to ship. The auditor reports all hyperlinks; you decide which are client-safe. The point is to make every link visible so the decision is deliberate.
Defined name referencing another workbook
Detected via the relationshipA named range built on =[Inputs.xlsx]Sheet1!$A$1 is backed by an externalLinks relationship, so its target appears as an external_ref in the report — even though Edit Links may show it confusingly. Break it like any other workbook reference, then re-audit to confirm it's gone.
Macro that builds links at runtime
Not detected at audit timeVBA that constructs external references dynamically when the workbook opens won't have static relationship parts to scan, so the auditor can't see links that don't yet exist in the file. Strip macros for delivery with the VBA Macro Stripper; clients rarely need them and they're a security flag.
Clean result on the final pass
ExpectedAfter remediation, No external links found in this workbook. means the file is self-contained: no Update Links prompt, no #REF!, no leaked internal paths. Save that report as your delivery QA artefact.
Frequently asked questions
Will the client see an Update Links prompt if I send the file as-is?
If the audit shows any external_ref entry, yes — the client's Excel will prompt to update links to external workbooks on open, and the cells will show #REF! or stale values when the source path doesn't resolve from their machine. Break those links in Excel (Data → Edit Links → Break Link) and re-audit to a clean result before sending.
Can the tool break the links automatically?
No — it audits only and never modifies the file. Removal is a deliberate step in Excel: break workbook references, remove hyperlinks, and delete connections. To freeze all live formula results to static values in one pass (a common pre-delivery move), use the Formula to Value converter, then re-audit.
Why is auditing before delivery better than just opening the file?
Because links that resolve on your machine (mapped drives, local paths, on-network shares) won't prompt when you open the file — but will break for the client. The auditor reports every reference regardless of whether the source is currently reachable, so you see the risk the client would hit, not the risk you happen to see.
What does a zero-link result guarantee?
It guarantees the workbook is self-contained on the three axes scanned: no external workbook references, no cell hyperlinks with relationship targets, and no data connections. The client won't get Update Links prompts or #REF! from external sources. It does not vet image-anchored hyperlinks or runtime-built macro links — those are separate checks.
Will it detect a connection to a web API or database?
Yes — data connections stored in xl/connections.xml, including ODBC/OLEDB and Power Query, are reported as data_connection with their connection string. That's exactly what you want to catch before delivery, since those refreshes fail or prompt for credentials once the file is off your network.
Does the audit show internal server names and paths?
Yes — it lists each link's target verbatim, so UNC paths (\\server\share\…), local paths (file:///C:/…), and internal URLs are shown exactly as embedded. That visibility is the point: you can see and remove infrastructure disclosures before they leave with the file.
Is the client's file uploaded anywhere?
No. The workbook is unpacked and scanned in your browser with JSZip — nothing is sent to a server. That keeps confidential client deliverables on your machine throughout the audit.
What if I can't tell which cell a flagged link is in?
Use Excel's Ctrl+F to search the embedded path or file token (e.g. [rate-card.xlsx]) shown in the report — that lands you on the cell or named range using it. The auditor confirms the link exists and what it points at; Excel's search pinpoints the location.
Why was my deliverable rejected on upload?
Either it's not an .xlsx (legacy .xls and binary .xlsb aren't accepted — re-save as .xlsx), it's encrypted (remove the open-password first), or it exceeds your tier's size cap (50 MB on Pro, 500 MB on Developer).
Can I use the report as a QA sign-off record?
Yes. Copy or download the before-and-after reports; the clean No external links found in this workbook. line is a concise, timestamped-by-you artefact you can attach to a delivery checklist or change ticket.
Does it catch hyperlinks on logos or images in the header?
No. Image- and shape-anchored hyperlinks live in the drawings relationship parts, outside the cell-hyperlink relationships the scan reads. Review template logos and header/footer images manually if they might link to internal pages.
How does this beat Excel's own Edit Links dialog for delivery prep?
Edit Links shows only workbook-to-workbook references — it won't reveal the intranet hyperlinks or live data connections that also embarrass you in front of a client. This auditor reports all three classes in one pass from the raw OOXML, so your pre-delivery check is complete.
Privacy first
Every JAD Excel tool runs entirely in your browser using SheetJS and ExcelJS. Your spreadsheets, formulas, and data never leave your device — verified by zero outbound network requests during processing.