How to audit spreadsheet risk in your organisation

Most organisations have dozens — sometimes hundreds — of spreadsheets carrying business-critical processes. Auditing them systematically is how you move from reacting to errors to preventing them. Here's a practical approach.

Step 1: Define scope

Not every spreadsheet carries the same risk. Focus your audit on workbooks that:

  • Feed financial statements, regulatory reports, or management accounts
  • Are used by more than one person or team
  • Run business processes that would halt without them
  • Have been identified in past incidents or near-misses
  • Have no single clear owner or have changed hands recently

Step 2: Classify risk by category

Spreadsheet risk falls into five categories:

Fragility risk

Broken references, circular dependencies, inconsistent formulas. These are structural faults that can produce wrong results silently or fail catastrophically on the next change.

Audit and compliance exposure

Hardcoded values, hidden sheets, undocumented assumptions. These make it impossible to reproduce results or trace how a number was derived.

Key-person dependency risk

Workbooks where one person built and maintains everything. If they leave, the institutional knowledge goes with them.

Performance risk

Volatile functions (NOW, RAND, OFFSET) and external links that slow recalculation and introduce non-determinism.

Hidden complexity risk

Deep formula chains, external file references, sheet role ambiguity. These are the things that make a workbook hard to modify without breaking something.

Step 3: Score and prioritise

Not every finding needs immediate attention. Prioritise by combining two factors: the severity of the finding (how likely it is to produce an error or cause a failure) and the criticality of the workbook (what breaks if this workbook is wrong).

A broken reference in a planning model used quarterly is lower priority than the same issue in a workbook driving daily operational decisions. A weighted risk score that combines finding type and count is a useful starting point for triage.

Step 4: Document before you remediate

Before touching a high-risk workbook, document what it does. Map the sheets, the inputs, the key outputs, the formulas doing heavy lifting, and any external dependencies. This documentation is your safety net — and the thing that will let someone else maintain the workbook after you.

Step 5: Track remediation as a project

Treat findings as actionable tickets, not observations. Each finding should have a status (open, acknowledged, resolved), an owner, and a due date for anything critical. Regular review cadence — weekly for critical items, monthly for the full estate — keeps remediation moving rather than stalling.
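The scoring and triage described in steps 2, 3 and 5, as an added worked example (not SheetSift's own code). The severity weights per category, the criticality multipliers, the heuristic checks and the sample workbooks are all assumptions constructed for illustration; the article gives the categories and the two factors but no numbers.

```python
import re
from dataclasses import dataclass, field

# Assumed severity weight per finding category (the article names the
# categories but assigns no numeric weights; these are illustrative).
SEVERITY = {
    "fragility": 5,          # broken refs, circular deps, inconsistent formulas
    "audit_compliance": 4,   # hardcoded values, hidden sheets, undocumented assumptions
    "key_person": 3,         # one person built and maintains everything
    "performance": 2,        # volatile functions, external links
    "hidden_complexity": 3,  # deep chains, external file refs, sheet role ambiguity
}

# Assumed criticality multiplier: what breaks, and how often, if the workbook is wrong.
CRITICALITY = {"daily_operational": 3, "monthly_reporting": 2, "quarterly_planning": 1}

# Volatile functions named in the article, matched as function calls.
VOLATILE = re.compile(r"\b(NOW|RAND|OFFSET)\s*\(", re.IGNORECASE)
# Heuristic: a decimal constant used as an operand (e.g. "*1.2") is a hardcoded
# assumption that should live in a labelled input cell instead.
HARDCODED = re.compile(r"[*/+\-]\s*\d+\.\d+\b")


@dataclass
class Workbook:
    name: str
    criticality: str
    findings: dict = field(default_factory=dict)  # category -> finding count
    owner: str = "unassigned"                     # step 5: every finding has an owner
    status: str = "open"                          # open / acknowledged / resolved


def scan_formulas(formulas):
    """Count performance findings (volatile functions) and audit/compliance
    findings (hardcoded decimal constants) over a list of formula strings."""
    return {
        "performance": sum(1 for f in formulas if VOLATILE.search(f)),
        "audit_compliance": sum(1 for f in formulas if HARDCODED.search(f)),
    }


def risk_score(wb):
    """Weighted score: criticality x sum(severity x count) over all findings."""
    weighted = sum(SEVERITY[cat] * n for cat, n in wb.findings.items())
    return weighted * CRITICALITY[wb.criticality]


def triage(workbooks):
    """Order workbooks for remediation, highest risk score first."""
    return sorted(workbooks, key=risk_score, reverse=True)


if __name__ == "__main__":
    # Constructed sample: the same broken reference in a quarterly planning model
    # and in a daily operational workbook, as in the article's comparison.
    plan = Workbook("planning_model", "quarterly_planning", {"fragility": 1}, "fp&a")
    ops = Workbook("daily_dispatch", "daily_operational", {"fragility": 1}, "ops")
    ops.findings.update(scan_formulas(["=NOW()", "=B2*1.2", "=SUM(A1:A10)"]))
    for wb in triage([plan, ops]):
        print(f"{wb.name:16} score={risk_score(wb):3}  owner={wb.owner}  {wb.status}")
```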

Automate the discovery step

SheetSift automates steps 2 and 3: upload a workbook and get a scored, categorised risk report in under two minutes. It covers nine check types, generates an executive assessment report, and tracks findings through your remediation workflow.
