Each interview took place at the interviewee's work location. Two members of the research team
participated in each interview. At Institutions A, B, and D one researcher conducted the interview in person
and the second participated through a conference call. At Institution C, two members of the research team
were physically present for the interview.We interviewed representatives from both the internal audit and
information security functions at Institutions A, B, and C but only interviewed someone in information
security at Institution D because it outsourced its internal audit function