Title Page

  • Site conducted

  • undefined

  • Conducted on

  • Auditor

  • Auditees

  • Objective

  • Reference Document No.

Internal Audit Questions

  • What are the legal, regulatory, business technical and security requirements applicable to Marine link? Are they documented?

  • Who is the regulatory class for Marine link, if applicable?

  • Do you have different environments for development and production activities? Do they have different credentials?

  • How is access management performed in Marine link? Who is the approving authority?

  • How do Marine link team manage the risk of unauthorised access or changes? Any process/procedures documented?

  • What type of data is used in development environment? How is it different from production data?

  • What criteria is followed when selecting test data for testing purposes?

  • What process is followed by Marine link to store the development code securely and manage all changes, access and version control happening around it?

  • Is there any code reviewing process/matrix to ensure system and operating environment is secure?

  • What is the process? Is it documented?

  • Who's responsible and how often is it reviewed?

  • Is there any training provided to all developers regarding secure software development practices?

  • What standards are followed by Marin link when outsourcing the development activities? Any documented process, forms or checklist?

  • How do you handle situations where insecure Coding practices are followed? What tools are used for analysis? Any examples?

  • Is there any documented Change management process used by Marine link? Who drives the change at organisational level?

  • Any examples/demonstration of successful testing schedule?

  • How often is penetration testing done and what tools are used to do this testing?

  • How do Marine link decide to perform penetration testing and what matrix is used to categorise risk as major or minor?

  • How is the change managed in production environment? Any documented process pre or post change?

  • What type of testing phases are completed before implementing a new system/application?

  • What kind of data is stored in CMDB? Is it regularly monitored data?

  • How is version control done in Marine link?

  • Do Marine link have documented process for decommissioning activities? is it in accordance with Change management process?

  • What are the data retention and disposal standards followed by Marine link? Are they documented?

Documentation Checklist (SDLC)

  • Can you explain the SDLC for Marine link and demonstrate using an example?

  • Demonstrate any testing schedule produced during SDLC.

  • Demonstrate any Standard Operating Procedures (SOP) produced during SDLC.

  • Demonstrate any System Security Standard (SSP) produced during SDLC.

  • Demonstrate any Security Risk Assessment (SRA) produced during SDLC.

  • Demonstrate any User guide produced during SDLC.

  • Demonstrate any Release Plan produced during SDLC.

  • Demonstrate any Training Plan produced during SDLC.


The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.